The Green Sheet Online Edition
April 25, 2011 • Issue 11:04:02
Circumvent cyber theft through education
As the payments industry strives to ensure the safety of consumer payment information and negate the potential for fraud, criminals are hard at work devising new and more powerful exploits aimed at gathering that valuable cardholder data. The new breed of fraudsters, armed with an impressive array of web-based tools, is cause for alarm.
While the Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application (PA) DSS have helped make data more secure, these methodologies, policies and procedures alone will not be able to help in all possible and emerging scenarios. As technology improves data security, fraudsters will adapt to the advances and inevitably introduce new attack vectors that will create new vulnerabilities in security systems.
So the question is, what can be done to counter future threats and keep data safe? Well, it seems the answer is both the oldest known and least technological defense: education.
The public's need to know
The year is 2011, and the evolving payments landscape demands technologies such as Bluetooth 802.15, which is used in mobile payment hardware; radio frequency identification (RFID), used in credit and debit cards; wireless 802.11, used in mobile ATMs; and embedded operating systems, also used in ATMs.
The same landscape demands that those wishing to gain access to sensitive data use equal or superior technology, including high-speed field-programmable gate array (FPGA) chips, which are used to crack encryption algorithms; flash storage devices, used to reprogram ATMs; RFID sniffers, used to lift account information off of cards; and even decoy installations, which include fake ATMs, fake readers and their ilk.
While it is astounding to realize how many ways to both steal and protect sensitive data exist, it is even more astonishing to know how little is being done in the way of public education to help avoid problems in the first place.
Examples of common vulnerabilities that could be negated by more effective consumer, and even merchant, education include:
- RFID-enabled credit cards should not be carried in conventional wallets and purses without special blocking sleeves, as unshielded cards are easily read by sniffing devices from short distances.
- Bluetooth-enabled devices should not be left in the typical default mode (available for public discovery) once confidential information is loaded to them.
Both of these common security failures offer attack vectors that are popular with criminals. This is a direct result of users not being sufficiently educated on exactly how to properly protect themselves when using those technologies.
To further understand this, consider the following: bankcard fraud will cost more than $1.5 billion again in 2011, and it will be up to issuers and cardholders to foot the bill. Most of the information used to generate that prodigious dollar figure will be obtained secretly - and without detection - on unsecured networks.
Equally detrimental to security is that the general population doesn't even understand why it is a bad idea to drop a credit card purchase receipt into the nearest waste bin without ripping it to shreds first. Again, education can help here.
Education as countermeasure
Now, let's take a look at the potential industry effects, as well as simple solutions, to these types of emerging threats using the concept of education as a countermeasure.
It is well known that public perception can be shaped and largely controlled through marketing. It is also a fact that using marketing as a perception control mechanism has its limitations. Public perception can be shifted by anyone with enough knowledge to exploit the Internet or other forms of mass communication.
Currently, the payments industry enjoys a public perception similar to that of the public utility industry, which is seen as an integrated part of the overall infrastructure that enables us to live modern lives. Everyone knows that you need public utilities and that they come with some associated cost.
However, when an entity described as a "public utility" is found or perceived to be disadvantageous to the public, it may have to deal with the resulting adjustments to the general public perception.
There has recently been a shift in the public perception of several "public utilities," such as financial institutions, as a result of the global financial crisis and the discoveries that have come to light following investigations into its root causes. The public has made adjustments to its perception and has changed (at least for now) its behavior related to the affected industries.
A good example of this is how many people have decided to let their adjustable mortgages lapse, walk away from the associated properties and not worry about the resulting lowered credit scores. On top of that, many young people no longer trust the lending industry.
The vulnerability of payments
It is obvious that if people do not trust an industry to keep them safe (even from themselves), they may choose alternate lifestyles that do not involve that industry.
While that may sound like something that could not affect the payments industry, understand that just such a shift in perception could stifle our business from every angle. A shift in public opinion can spread like wildfire because of global connectivity and social networking.
As you read this, the following thought should have crossed your mind: the PCI Security Standards Council has done a fantastic job with the PCI DSS, PA DSS and PIN Transaction Security DSS and everything else to help us operate as securely as possible, but it is usually the end user that is the root of security problems.
If you had that thought, you were right. But now think about this: End users will not blame themselves if the RFID card they have in their pocket gets skimmed. They will blame the issuer, then the technology and then, if things have gone really badly, the industry.
The payments industry's collective reputation can't be put into the hands of hackers who operate from the corners of coffeehouses, shopping malls, schools and even sporting events. We need to make it very hard for that type of crook to operate, and the way to do this is to educate potential victims.
The effectiveness of simple solutions
A mandated minimum level of data security education for every card-carrying patron could include provisions for short, recorded security tips to play when a user calls an interactive voice response system to activate a card. The messages would not need to be exhaustive, just informative.
This type of simple solution could save time and money in the long run, as well as help to boost and strengthen consumer confidence without the industry having to resort to expensive media barrages to force-feed information.
After all, reaching people at the precise right time with pertinent information is always more effective than bombardment. An example of this would be "Close cover before striking," which appears on most matchbooks. It is a helpful reminder at just the right time.
By training customers properly, you are performing high-level customer service, and you will directly benefit over time. The payments industry, as a whole, stands to reap great benefits from taking on this mission and arming its consumers with the ultimate countermeasure: education.
Tony Griffith is an Integration Specialist with a leading integrated payments company and has over 20 years of experience in technology, management, customer service and training. He can be reached via email at firstname.lastname@example.org.