Updated: Monday, October 20, 2014
Does Apple Pay debut usher in new era of banking?
Today, Apple Inc. went live with its much anticipated mobile wallet scheme, Apple Pay, in conjunction with the launch of an update to its mobile operating system, iOS 8.1. The tech giant's near field communication (NFC)-enabled mobile payment solution has been praised for its seamless consumer experience, its Touch ID biometric authentication technology, and its in-app functionality, which could render the traditional POS obsolete. But is the end game for Apple Pay that it allows Apple to become its own digital bank?
That is the contention of an Oct. 2, 2014, Deloitte Digital blog post titled "From tech giant to digital bank?" In the post, Deloitte wrote, "Banks, carriers and credit card companies have been struggling to find a solid model for mobile payments over [the] years. Apple Pay could close the puzzle as they have every ingredient to make Apple Pay the new standard for consumer payments."
At the heart of this contention is the deal Apple struck with card-issuing banks. The agreement, which has not been made publicly available, rewards Apple with a lower per-transaction processing rate because of the widely believed robustness of the data security measures, such as tokenized payment data and biometric authentication, incorporated into Apple Pay transactions.
Deloitte said Apple will receive 0.15 percent of all transactions made with Apple Pay. "0.15 percent may seem a very small share, but it has great potential with an existing $390 billion [in the United States] in retail transactions and still an enormous number of replaceable offline payments," the blog said. "As Apple will take care of your transactions it can also become a risk for consumer banks as consumers will more and more loose [sic] contact and loyalty with their bank. When Apple Pay really takes off, it could be handling all your current online as well as offline payments and basically become your new digital bank!"
No 'Apple Bank' in foreseeable future
Brandes Elitch, Director of Partner Acquisitions at CrossCheck Inc. and frequent contributor to The Green Sheet, does not see the logic of Deloitte's position. "The only way that Apple could 'handle all your current online' payments would be if Apple displaced First Data, or Paymentech, or Heartland, and became the merchant’s processor directly," Elitch said. "And this would be a very dramatic move indeed."
Elitch noted that Apple seems content at the present time to leverage the traditional merchant processing business model and infrastructure already in place. "The merchant has an acquirer that underwrites the merchant and processes the transaction, on the MC and Visa rails, crediting the merchant and debiting the consumer’s issuing bank," Elitch said. "Apple does nothing to change that, except charge a toll to the processor for using their fraud management software."
Elitch stated that consumers will still be using their bank-issued and network-branded credit and debit cards to facilitate Apple Pay transactions, and interchange from those transactions will still flow to the various players on the payments value chain. "How can Apple become the consumer’s bank?" Elitch said. "Are they going to open demand deposit accounts and offer FDIC insurance, and offer ancillary services that consumers need to accompany their DDA? All payments begin and end in the DDA, which is at a bank, a government regulated and inspected bank."
Apple Pay still a game changer
Whether or not Apple Pay ultimately results in the "Apple Bank," Rick Oglesby, Senior Analyst/Consultant at Double Diamond Consulting, believes Apple Pay is a game changer, especially for in-app payments, as opposed to in-store NFC-enabled payments. "Once Apple Pay becomes second nature to consumers for in-app payments, that behavior could extend to in-person purchases," Oglesby said. "But lots of NFC infrastructure needs to be installed, and lots of consumer behavioral changes need to take place before that happens. I expect in-store adoption to be gradual."
Apple Pay may eventually be the mobile payment model that renders the traditional POS obsolete, but not so fast. "We are a long way from registers becoming obsolete, but opportunities to convert in-store sales to in-app checkout solutions are growing, and Apple Pay will facilitate that growth, along with Passbook, BLE and beacons," Oglesby said. "However, we can expect many cards to be in-market for a very long time, and therefore traditional checkout solutions aren’t going away any time soon."
Payments industry stalwarts were quick to announce their Apple Pay integrations to coincide with its launch and availability in 220,000 retail locations across the United States. Harbortouch unveiled the Apple Pay-enabled Perkwave app for its pay-at-the-table capability in restaurant settings.
"Pay-at-the-table is a critical component of the new EMV requirements," said Harbortouch Chief Executive Officer Jared Isaacman. "However, the only pay-at-the-table solutions currently on the market require costly equipment for the merchant and require customers to change their ingrained behavior. Now, the Perkwave app delivers a far better solution for our restaurant clients."
Isaacman believes Apple Pay will succeed where other mobile wallets have failed. "The app leverages a familiar technology – mobile phones – to limit the consumer pushback that many other solutions have faced," he said. "With Apple’s proven track record of shaping trends on a global scale, Apple Pay is likely to be the first mobile payment solution to gain mainstream adoption. Perkwave helps facilitate this shift by enabling millions of iPhone users to use Apple Pay in a setting where it might not otherwise have been utilized."
Additionally, First Data Corp. launched its Apple Pay-supported Payeezy in-app payment solution. First Data said Payeezy affords merchants and their app developers the ability to build Apple Pay-based iOS apps. "Developers begin by visiting Payeezy.com, downloading the software development kit (SDK) and supporting documentation needed to build the app," First Data stated. "This SDK also provides the tools to be able to accept Apple Pay in their iOS apps."
EMV gets a boost from Obama
Friday, October 17, 2014
On Oct. 17, 2014, President Barack Obama signed an executive order directing that the federal government lead by example and implement chip and PIN technology for government-managed credit and debit card programs. In a speech at the Consumer Financial Protection Bureau, Obama laid out the BuySecure Initiative, which, in part, will mandate chip and PIN as the security standard for such programs as Direct Express, the prepaid debit card program that electronically distributes government benefits to recipients.
The initiative will undoubtedly provide more momentum for card issuers and merchants to transition their hardware and software to the Europay/MasterCard/Visa (EMV) chip and PIN protocol.
The initiative calls for the federal government to embark on an "enterprise-wide transition to more secure credit, debit, and other payment cards, as well as the retail payment terminals at government locations like the passport office, VA canteens, and national parks." The move is meant to increase data security for consumers by transitioning away from mag stripe technology on payment cards to chip and PIN technology, which is widely believed to be the more robust security protocol.
But the transition is also meant to spur the adoption of chip and PIN in the private sector. "The goal is not just to ensure the security of doing retail business with the government, but also, through this increased demand, to help drive the market towards swifter adoption of stronger security standards," said the White House in a statement. "Institutions like the United States Postal Service have already made this transition across tens of thousands of retail facilities across the country."
The transition is expected to begin on Jan. 1, 2015, with the goal of issuing over 1 million new chip and PIN cards by the end of 2015.
Additionally, the initiative involves upgrading the POS terminals at government agencies to accept EMV chip and PIN cards. The Department of the Treasury will oversee this part of the initiative, as it is in charge of the federal payment collection system.
All in support
Both sides of the U.S. commercial marketplace, as represented by The National Retail Federation and the Electronic Transactions Association, support BuySecure. In a statement, ETA Chief Executive Officer Jason Oxman approved of the government's announcement.
"EMV implementation is a vital step in addressing counterfeit card fraud, the single largest source of card fraud in the USA," Oxman said. "Although chip cards would not have stopped recent high-profile retail breaches, they are part of an overall secure technology deployment that includes tokenization and end-to-end encryption. … ETA applauds the administration’s support for a uniform national data breach notification standard and for greater information sharing on cyber threats."
Meanwhile, NRF President and CEO Matthew Shay said, "We applaud the administration for taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards, among other things.
"As the world’s largest retail trade association, NRF continues to work with our members and other stakeholders on practical and comprehensive solutions that are less about process and more about progress toward how we collaboratively prevent and combat this criminal activity. From insisting on PIN and chip cards to facilitating greater information sharing among retailers and others sectors, we are committed to finding the right answers with the latest technologies to stop these cyber thieves."
The Retail Industry Leaders Association also supports Obama's initiative. "Retailers applaud the president's action to advance card security," said RILA President Sandy Kennedy. "Today's announcement should serve as a catalyst for widespread adoption of chip and PIN card security."
Onward with EMV
Obama also commended card issuers and large retailers for making the transition to EMV. He spotlighted actions taken by several national retailers and service providers:
- The American Express Co. will launch a $10 million program in January 2015 to assist small businesses in upgrading their POS systems to EMV.
- The Home Depot U.S.A. Inc. is transitioning 85,000 POS terminals to support EMV in stores and has enhanced encryption of payment data at its U.S. stores.
- Target Corp. completed installation of chip and PIN readers in all of its 1,801 stores; in early 2015, Target stores will begin accepting all chip-enabled cards and reissue over 20 million Target-branded chip and PIN-enabled credit and debit cards.
- Visa Inc. will invest more than $20 million to educate consumers and merchants on chip and other secure technologies, while also embarking on a national public service campaign in 20 cities.
- The Walgreen Co. upgraded its POS terminals to chip and PIN in 8,200 stores, and will begin accepting chip and PIN-based cards in early 2015.
- Wal-Mart Stores Inc. will have activated new chip and PIN readers in nearly 5,000 Walmart and Sam’s Club U.S. stores by Nov. 1, 2014.
Lessons from the JPMorgan breach
Wednesday, October 15, 2014
The evolution of the recent JPMorgan Chase & Co. data breach that compromised tens of millions of customer details raises more questions than answers. As a follow-up to the news story posted online on Oct. 10, The Green Sheet asked the data security experts quoted in that article for their opinions on what can be done to bolster the data security infrastructure, given the increasing frequency and sophistication of cyberattacks.
The Green Sheet: It seems like the current defensive strategies are not working well enough, since the number and size of breaches seems to be growing. So what is the solution?
Dr. Mike Lloyd, Chief Technology Officer at RedSeal Networks: It’s significant to see that the attackers who broke in and stole some customer data from JPMC have been detected on the networks of other major payment companies. That said, there’s no public information yet to indicate these other locations suffered breaches – it’s quite likely that most suffered only some unwanted reconnaissance.
Attackers have an important capability, thanks to the way the Internet works: they can "twist doorknobs" on a global scale, using quite basic automation tools. That is, given one concept for a possible exploit, they can rapidly search across the attack surface of many organizations, to see if the technique causes any doors to spring open. In many cases, attackers don’t even need to look for specific targets – they can simply start searching widely, and see what pops up in their dragnet. The fact that many organizations can see the "doorknob twisting" coming from specific locations is just an illustration of the ease with which attackers can move laterally, from target to target, exploiting any weak points found.
The necessary response for defenders is to automate the mapping, assessment, and reduction of the attack surface of the organization. No business today can have zero attackable surface – if you interact with customers, then bad actors can find a way to exploit that. But each increase in attack surface is an increase in risk, and one more door that might accidentally be left unlocked. Attackers have no difficulty searching exhaustively for weak points; defenders need to do the same, starting by mapping out and assessing their total network attack surface.
Michele Borovac, Vice President at HyTrust: Companies must assume that attackers are already inside their networks. Like the military, security best practices always incorporate "defense in depth." To both prevent and curtail these kinds of attacks, organizations need to take a look at where their sensitive data resides, and secure it from the inside out. As recent attacks have proven, administrator accounts are ripe targets, and organizations that have virtualized their data centers should pay careful attention to virtualization admins. These accounts typically have very broad powers with few controls in place to track what they can and can’t do. To build defense in depth:
- Implement two-factor authentication for all admins: Even if a hacker gets a username/password for an admin through phishing or accessing credentials through an authorized third party, they will not be able to access admin accounts without the secondary token.
- Automate authorization: Put controls in place that ensure admins can only manage what they need to, and automate workflows for secondary approval for any sensitive operations.
- Encrypt your data: Encryption is the best way to ensure data is only accessible to those authorized to see it. Just make sure your system supports policy-based, enterprise ready key management – you don’t want to protect all your data with a weak password.
Martin Walter, Senior Director at RedSeal Networks: Network segmentation seems to be the holy grail of the industry to counter the majority of these sophisticated attacks. Segmenting these networks effectively remains a dream, though, without automated systems that support the design of a segmented network and proper access policy validation.
Businesses struggle to keep up with business needs and to keep their IT agile to serve the business. With that the network is so dynamic – and has to be – that a major re-architecture such as network segmentation puts a lot of risk on the business if not properly planned. Not even mentioning the different influences and influencers who architected the network in the first place and moved on (i.e. "too many architects spoiled your network").
Proper planning is only possible if you truly understand every aspect of your network, from routing to single ACLs [access control lists] allowing exactly one business application to talk to another. Without automated applications that give you this visibility and intelligence, from big picture down to individual ACLs, enterprises will never be able to perform this type of re-architecture without putting significant risk on the business processes the network needs to support. Hence, if you try to just "figure it out yourself," network segmentation will remain a dream as it will never be successful.
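Lloyd's call to automate mapping and assessment of the attack surface, and Walter's point that segmentation is only real when every ACL is validated against the intended access policy, both come down to the same check: for each pair of segments, does the rule set actually allow only the flows the business has approved? The script below is an added example written for this page; it is not code from The Green Sheet, RedSeal or any product named in the article. The segments, the approved-flow policy, the ACL entries and the probe ports are all constructed for illustration, and the "flawed" rule set deliberately contains one over-broad source range (10.0.0.0/8 instead of the app tier) of the kind that leaves a cardholder-data segment reachable from the office network.

```python
"""Segmentation audit: check firewall ACLs against an approved-flow policy.

Added example (constructed segments, rules and policy); not a real network.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Rules are evaluated first-match, with an implicit deny."""
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high) destination port range


ANY_NET = "0.0.0.0/0"
ALL_PORTS = (0, 65535)


def rule_matches(rule, src_ip, dst_ip, proto, port):
    """True if the packet 5-tuple fragment falls inside this rule."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.ports[0] <= port <= rule.ports[1])


def evaluate(rules, src_ip, dst_ip, proto, port):
    """Return the verdict of the first matching rule, or 'deny' if none match."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, proto, port):
            return rule.action
    return "deny"


def audit_segmentation(rules, segments, policy, probe_ports):
    """Compare what the ACLs permit between segments with what policy approves.

    Returns (unexpected, broken): flows that are reachable but not approved
    (exposed attack surface), and approved flows the ACLs block (broken
    business dependencies). One representative host per segment is probed.
    """
    probe = {name: str(next(ipaddress.ip_network(cidr).hosts()))
             for name, cidr in segments.items()}
    unexpected, broken = [], []
    for src in segments:
        for dst in segments:
            if src == dst:
                continue
            for proto, port in probe_ports:
                flow = (src, dst, proto, port)
                verdict = evaluate(rules, probe[src], probe[dst], proto, port)
                if verdict == "allow" and flow not in policy:
                    unexpected.append(flow)
                elif verdict == "deny" and flow in policy:
                    broken.append(flow)
    return unexpected, broken


# --- constructed inputs -------------------------------------------------
SEGMENTS = {
    "office": "10.10.0.0/16",
    "web": "10.20.0.0/24",
    "app": "10.20.1.0/24",
    "cardholder_db": "10.30.0.0/24",
}

# The only inter-segment flows the business has approved (Walter's
# "exactly one business application to talk to another").
POLICY = {
    ("office", "web", "tcp", 443),
    ("web", "app", "tcp", 8443),
    ("app", "cardholder_db", "tcp", 3306),
}

PROBE_PORTS = [("tcp", 22), ("tcp", 443), ("tcp", 3306), ("tcp", 8443)]

# Flawed: the database rule's source is the whole 10.0.0.0/8, not the app tier.
FLAWED_RULES = [
    Rule("allow", "10.10.0.0/16", "10.20.0.0/24", "tcp", (443, 443)),
    Rule("allow", "10.20.0.0/24", "10.20.1.0/24", "tcp", (8443, 8443)),
    Rule("allow", "10.0.0.0/8", "10.30.0.0/24", "tcp", (3306, 3306)),
    Rule("deny", ANY_NET, ANY_NET, "any", ALL_PORTS),
]

# Corrected: database access is narrowed to the app segment only.
CORRECTED_RULES = [
    Rule("allow", "10.10.0.0/16", "10.20.0.0/24", "tcp", (443, 443)),
    Rule("allow", "10.20.0.0/24", "10.20.1.0/24", "tcp", (8443, 8443)),
    Rule("allow", "10.20.1.0/24", "10.30.0.0/24", "tcp", (3306, 3306)),
    Rule("deny", ANY_NET, ANY_NET, "any", ALL_PORTS),
]


def audit(rules):
    """Run the audit against the constructed segments and policy."""
    return audit_segmentation(rules, SEGMENTS, POLICY, PROBE_PORTS)


if __name__ == "__main__":
    for label, rules in (("flawed", FLAWED_RULES), ("corrected", CORRECTED_RULES)):
        unexpected, broken = audit(rules)
        print(f"{label}: unexpected={unexpected} broken={broken}")
```

Against the flawed rule set the audit reports two unapproved flows, office and web to cardholder_db on 3306; against the corrected set it reports nothing in either list. Probing one representative host per segment is enough to catch over-broad rules like the one above, but it will miss a rule that carves out a sub-range inside a segment; a production tool intersects rule address and port ranges exhaustively rather than sampling, which is the "visibility down to individual ACLs" Walter describes.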
GS: Given the sophistication of the attack vector(s) that fraudsters employ today, how much confidence do you have in JPMorgan's claim that the hack did not include the compromise of customers' financial credentials, like credit card and Social Security numbers?
Adam Kujawa, Head of Malware Intelligence, Malwarebytes Labs (the research arm of Malwarebytes): There is honestly no reason for a company to lie about something like that unless they are going to withhold the entire truth. If the attackers were able to grab more than just the personally identifiable information that they got (i.e. credit cards, Social Security numbers, etc.) then it would only be a matter of time before JPMC customers would start seeing things like purchases they didn’t make or other identity theft-type activities. At which time, they could point the finger at JPMC who told them previously that only names, addresses, e-mails, and phone numbers were stolen and call them out on their lie.
Sophistication of attacks aside, the organizations that we put faith in when it comes to our personal information and finances do employ at least some security measures, in order to keep the easy attacks out and hopefully prevent serious attacks. JPMC most likely has far greater security on the servers containing credit card and Social Security numbers than they do on their basic customer interface or whichever system the attackers were able to extract the data from.
JPMorgan breach gets complicated
Friday, October 10, 2014
First it was reported that the recent JPMorgan Chase & Co. data breach was limited to JPMorgan. Then it came out that the breach may have targeted a few other big banks. Now it is being widely reported that the hack may have targeted 13 other financial institutions (FIs) as well, including Citigroup Inc., HSBC Bank USA N.A. and E*Trade Financial Corp. The source of the attack is apparently still unknown.
In the case of the JPMorgan breach, customer information pertaining to 76 million households and 7 million small businesses was compromised, according to an 8-K filing the bank made to the U.S. Securities and Exchange Commission on Oct. 2, 2014. JPMorgan claimed that the data compromise, which reportedly began the previous June and only came to light in July, was limited to names, addresses, phone numbers, and email addresses, and did not include financial account details, such as Social Security and credit card numbers, or the user IDs and passwords that would provide online access to those details.
On the Chase.com website, JPMorgan provided cardholders with further information about the breach, noting that the compromise affected its online banking portals, Chase.com and JPMorganOnline, as well as its mobile apps, ChaseMobile and JPMorgan Mobile. The fraudsters also compromised "internal Chase data used in connection with providing or offering services, such as the Chase line of business the user is affiliated with," JPMorgan said.
The bank is not offering its customers credit/identity theft monitoring because of its claim that no financial information was breached. Both the FBI and the U.S. Secret Service are investigating the incident.
Growing in sophistication
Most of the recent big breaches have occurred at national retailers like Target Corp. and Home Depot Inc. But the JPMorgan breach, with its tentacles extending to other FIs, highlights a troubling aspect of the data breach threat landscape – that even the largest and most technologically sophisticated financial services firms are not immune.
Michele Borovac, Vice President at cloud-control company HyTrust, is not surprised by the size and scope of the breach. "Data is the new currency, and clever thieves have figured out how to breach the perimeter security measures most companies have relied on," she said. "These breaches continue to show similarities to those experienced by Target and Home Depot: hackers gain access to privileged administrator accounts and then can continue on as 'authorized' users, allowing them to bypass traditional detection systems and gain unfettered access to data."
Hackers are able to gain access to networks by doing their research. "Typically, targeted attacks take a multipronged approach where the attackers go after numerous points of entry," said Adam Kujawa, Head of Malware Intelligence at the research arm of the anti-malware firm Malwarebytes. "For example, they will gain intelligence on the physical and digital presence of the target’s servers and any kind of entryway through a direct or indirect route."
Hackers then conduct intelligence gathering activities to target individual servers or unwilling accomplices to finagle their way into systems. Kujawa said fraudsters may dupe a company contractor to infect a system with malware loaded onto a USB thumb drive.
"At the same time, they may take a different approach in going after employees by utilizing social engineering tactics to either infect the employee’s personal systems or by convincing the employee that the attacker is actually an official of the targeted company," Kujawa added. "This can result in the employee giving up credentials or even unwillingly infecting the target network with backdoor malware to give the attacker a way in."
According to Martin Walter, Senior Director at cybersecurity firm RedSeal Networks, another problem facing the retail and financial services industries is that hackers have time and money to plan and execute attacks, while IT departments are always on the defensive. "This confronts customers with a catch-22 situation in which the IT department has to be agile and quickly respond to demands of the changing business landscape, but at the same time, maintain airtight network security in a growingly complex IT infrastructure," he said.
As the JPMorgan breach and related incidents showcase, fraudsters are also able to replicate successful attacks. "As the recent broadside of attacks across multiple financial companies shows, attackers find one weapon, then quickly re-use it, target after target, looking for anyone who has left that specific defensive gap," said Dr. Mike Lloyd, Chief Technology Officer at RedSeal Networks. "This forces defenders to coordinate – both externally, sharing information between erstwhile competitors, and even internally, since any weakness anywhere in the organization can be found and exploited in minutes."
Walter believes the solution to the data breach onslaught involves network segmentation to limit fraudsters' wiggle room if they do get inside a system. Borovac added a piece of advice that seems oddly fitting for the increasingly complicated task of securing systems – that businesses should assume that they have already been breached.
"To defend themselves, companies need to realize the attackers are already inside their networks, and introduce new strategies to control, authorize and contain the breadth of what a privileged insider can do," Borovac said.
Is Apple Pay secure enough?
Tuesday, October 7, 2014
It seems nearly unanimous that the payments industry is behind Apple Inc.'s mobile payments platform, Apple Pay. That confidence largely rests on the security apparatus Apple erects around mobile payments conducted with the newly launched iPhone 6, iPhone 6 Plus and the first-generation Apple Watch. But is that confidence warranted? Matanda Doss, Chief Executive Officer at gateway operator 5th Dimension Logistics LLC, is not so sure.
Doss told The Green Sheet that Apple Pay's combination of near field communication (NFC) technology, transaction tokenization procedures, data storage on the secure element embedded in mobile devices, and Touch ID biometric authentication makes for a secure system, but only up to a point. Doss said no security system is infallible and that when the cornerstone of Apple Pay involves highly sensitive and personal fingerprint data, the price of user convenience may be too high.
"The reason hackers hack is for the value of the information that they can collect," Doss said. "Credit cards are hacked a lot more than library cards because of the resale value. And so at the point that you start digitizing your biometrics, they become something very valuable in terms of hacking. And you'll see lots of energy spent on trying to get that digitized information."
Touch ID vulnerability
Doss pointed out that Touch ID on the iPhone 6 has already proven to be hackable. The brute-force method shown in a YouTube video involves confusing the software through use of a fake fingerprint on the sensor but hardly seems like a practical way for fraudsters to steal data. And yet, when biometric data is involved, the stakes are raised substantially.
"If I stole your credit card today, you would make a call and that card would be invalidated going forward forever," Doss said. "That's not true with your biometric data. If I get ahold of your fingerprint, who are you going to call? And how are you going to stop that from being used a year from now or five years from now as biometrics become more and more pervasive in the market?"
Stolen biometric data could be used not only to drain bank accounts but to forge passports in high-powered identity theft schemes. "Creating a fake ID, a fake passport, and crossing a border, all of a sudden now you have a biometric match with a counterfeit passport ID and you're moving across borders unbeknownst to our government," Doss said. "So that's the scary part."
Doss noted that the security on Apple devices is greater than on rival Android devices and that Apple's closed ecosystem makes it harder for fraudsters to infiltrate Apple's marketplace with malware. However, Doss still questions whether Apple's security is enough to ultimately protect biometric data.
"How successful have hackers been in getting into desktop computers with malware, viruses and things like that?" Doss said. "Your phone is no different. As a fact, my phone is my computer most of the time.
"And so that information being stored on the device is just as fertile ground for hacking as your home PC or your work PC. And it's just a matter of time before someone puts their mind to it to put some sort of virus or malware on a phone that then would start pulling that data and sending it places that you don't want it to go."
Cart before the horse?
Doss believes that Apple may have leapt too soon into biometric-based payments authentication. The tech giant might have been under shareholder pressure to reclaim the mantle of innovation that has slipped from Apple in recent years, according to Doss.
"I think it's a calculated risk by them," Doss said. "Android and Google have done a good job of pushing the envelope. And for someone who used to be a leader, Apple finds itself sometimes playing catch-up."
Every September, Apple releases new hardware and software, and to great fanfare. But the downside to this timetable is that it may have put the proverbial cart before the horse when it comes to biometric authentication.
"I think that very well could be," Doss said. "You don't see Android going there yet. And the question is why. They certainly have the capability. They had NFC before Apple did. And you just haven't seen Android go in that direction and they're better than 50 percent of the mobile market. So why haven't they gone there?"
Exploiting that moment in time
As the CEO of a payment gateway that focuses on security and fraud prevention, Doss understands the fraudsters' mindset and how they search networks and systems for "a moment in time where there's a point of exposure – that's what hackers would be looking to exploit."
In the case of Apple Pay, Doss can think of multiple scenarios hackers will try, if they haven't already. One attack would involve malware that would "skim" the biometric data when Touch ID is activated. Another attack vector could focus on that minuscule amount of time before Touch ID encrypts data, if such a moment exists.
"The moment you touch your phone with your fingerprint, what if they are stealing the information before it is ever encrypted?" Doss said. "What if they were stealing information just as it is being entered into the phone before it hits the encrypted chip [embedded in the phone]?"
Doss compared such an attack to the security weakness exposed in Square Inc.'s dongle-based card reader. "[The data] wasn't encrypted going through the audio jack," he said. Square subsequently fixed the problem. "The way they solved the problem was to encrypt at the magnetic head before it ever went through the audio jack," Doss noted, and added an eyebrow-raising caveat: "You can't encrypt at the head when you're doing a Touch ID [transaction]."
Doss said 5th Dimension will offer Apple Pay functionality. However, he will not personally conduct mobile, contactless, in-store transactions using Apple Pay because he realizes his biometric data would be irretrievable if it were ever stolen. "I use Touch ID on my phone to access my phone," he said. "But going into the NFC payment world with it is not something I want to do."