The Green Sheet Online Edition
June 13, 2011 • Issue 11:06:01
Wising up about smart phone security
It seems inevitable that mobile smart phone payments will become commonplace. On the one hand, the ubiquity and popularity of the devices make them an obvious payment application for consumers. On the other hand, smart phones offer small, mobile merchants an inexpensive way to leap into bankcard acceptance at the POS.
But smart phones come with inherent security vulnerabilities since they are not specifically designed to make or accept payments. Mark Rasch, Director of Cybersecurity and Privacy Consulting for Computer Sciences Corp.'s North American Public Sector business unit, addressed smart phone security in "Mobile: The New Weak Link," a blog post published on retail technology and e-commerce news site StorefrontBacktalk.
"As retailers of all sizes migrate to mobile-type payments and leverage existing mobile technologies ... the problems of PCI DSS compliance and protection of credit card information increase," Rasch wrote. "That is because these mobile platforms are inherently insecure, making the payment systems that reside on them insecure, too."
Playland for hackers
According to Cisco Systems Inc.'s 2010 Annual Security Report, the consequence of PC vendors building more secure and fraud-proof computer systems is that cyber criminals have shifted their focus to the "ever-expanding legion of mobile users."
That legion employs smart phones for myriad purposes beyond old school voice-to-voice communication; the phone is now an entertainment console, a shopping companion, a mailbox and a personal assistant all in one. But the devices lack what Rasch termed rudimentary security protocols, such as firewalls, authentication devices, password protection schemes, monitoring software, antivirus or anti-malware programs, and access controls.
From a consumer standpoint, fraudsters can take advantage of mobile phone security weaknesses in a number of ways, including the most obvious. "Somebody could just pick up my phone, use it to make a payment or make a transfer, put the phone back, and I wouldn't know that anything had happened," Rasch wrote.
But it goes far beyond the obvious. An article in the January-February 2011 issue of the AARP Bulletin entitled "The Spyware in Your Hand" pointed out that inexpensive spyware purchased online gives hackers a way to "hijack" cell phones. "This allows them to hear your calls; see your text messages, emails, photographs, and files; and track your location through constant GPS updates," the article stated.
But for merchants, the challenge may be even greater. "Smart phones were never designed to accept payment data from consumers," said Paul Rasori, Senior Vice President of Marketing for VeriFone Inc. and Chairman of the Secure POS Vendor Alliance. "Given the fact that they are open systems, it's easy to get your hands on developer tools, easy to write applications. There's just a high possibility and a low barrier of entry for a criminal who wishes to take advantage of that open environment."
According to Rasori, the way to secure the smart phone payment ecosystem is through end-to-end (E2E) encryption. In the abstract, E2E refers to how data is encrypted at the moment a card is swiped at the POS and all the way through the "life" of the transaction.
But Rasori is specific in how E2E applies to smart phone payment security. "Really the only surefire way to secure data that's going to travel through a mobile phone is to encrypt it before it ever actually enters the phone," he said. That objective is accomplished by external hardware that plugs into, or slips onto, smart phones and performs the data encryption function before data reaches the phones.
The VeriFone solution is a card encryption sleeve called PAYware Mobile that slips over Apple iPhones. "As you're swiping the card, [data] is immediately encrypted before it enters the phone," Rasori said. "But once it is inside the phone, a valid application is able to just handle that card data in its encrypted format and send it off to the network where it gets decrypted."
Rasori pointed out the ways VeriFone's sleeve defeats hackers. Not only does encryption render the data useless to criminals, but the device itself is secure. If a fraudster steals the sleeve, it can't be used as a card skimmer because there is no way to turn off the sleeve's encryption action so that the fraudster can access unencrypted card data, Rasori said.
Additionally, the device meets tamper-resistant security module specifications that make it "difficult, if not practically impossible" to pry open the device to get to data, Rasori noted.
And even if a fraudster were to find a way in, they would discover precious little to steal. When a card is swiped, the device encrypts data "right on the fly inside of the actual mag stripe head itself," Rasori said. "So it never even leaves the physical magnetic stripe reader head assembly without being encrypted. It's pretty secure."
Merchant Warehouse Inc., an ISO and hardware vendor, offers a similar product called MerchantWARE Mobile, an application that is downloaded to smart phones and works with an encryption-based sleeve from MagTek Inc. called the iDynamo, which attaches to several different types of smart phones.
Markiyan Malko, PCI Program Manager for Merchant Warehouse, said the solution encrypts data at the read head, and since the mobile application doesn't have a way to decrypt it, the whole process is out of the scope of the Payment Card Industry (PCI) Data Security Standard (DSS).
"So it passes encrypted data to our gateway, which is where we decrypt it and process it," Malko said. "And then we respond back with an approve or decline, but no credit card numbers, so that way it stays out of scope."
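The architecture described by Rasori and Malko, as an added simulation that is not VeriFone's, MagTek's or Merchant Warehouse's code: the read head encrypts under a key the phone never holds, the phone application only forwards an opaque blob, and the gateway decrypts and answers approve or decline with no card number. The cipher is a stand-in (HMAC-SHA256 keystream plus HMAC tag, since the standard library has no AES), and the track data, key and authorisation rule are constructed for the demo.

```python
import hashlib
import hmac
import json
import os

# Constructed demo key, standing in for the key injected into the reader at the factory.
# The phone application never holds it; that is what keeps the app out of PCI DSS scope.
READER_KEY = hashlib.sha256(b"constructed demo key injected into reader").digest()
SAMPLE_TRACK2 = b";4111111111111111=25121010000000000000?"  # constructed test track


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF; real readers use AES or 3DES (DUKPT)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_swipe(track_data: bytes, key: bytes = READER_KEY) -> dict:
    """Simulates the encrypting read head: plaintext exists only inside this function."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track_data, _keystream(key, nonce, len(track_data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def phone_app_forward(blob: dict) -> bytes:
    """The mobile app only serialises the opaque blob for the gateway; it cannot decrypt it."""
    return json.dumps(blob).encode()


def gateway_process(wire: bytes, key: bytes = READER_KEY) -> dict:
    """Gateway side: verify, decrypt, decide, and reply without echoing the PAN."""
    blob = json.loads(wire)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return {"result": "decline"}  # tampered or forged blob never reaches decryption
    track = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    pan = track.split(b"=")[0].lstrip(b";")
    # Constructed stand-in for the issuer's decision; the response carries no card number.
    return {"result": "approve" if pan.isdigit() and 13 <= len(pan) <= 19 else "decline"}


def pan_visible(wire: bytes, pan: bytes) -> bool:
    """What the phone, or malware on it, could see: does the PAN appear in the forwarded bytes?"""
    return pan in wire or pan.hex().encode() in wire
```

Flipping a single hex digit of the tag on the phone makes the gateway decline, which is the property that lets a stolen sleeve not double as a skimmer.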
Rasori said the way not to secure payment card data on smart phones is exemplified by Square, the brainchild of Twitter co-founder Jack Dorsey. The Square device is a card-accepting dongle that plugs into the audio jack of the iPhone. The problem with Square is that it has "absolutely no encryption whatsoever," Rasori said.
In March 2011, VeriFone Chief Executive Officer Douglas Bergeron published an open letter that asserted Square Inc. overlooked a "serious security flaw" in its device that puts consumer data at risk.
"In less than an hour, any reasonably skilled programmer can write an application that will 'skim' - or steal - a consumer's financial and personal information right off the card utilizing an easily obtained Square card reader," Bergeron wrote. "How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this."
In a reply posted on Square's website, Dorsey countered, "Our partner bank, JPMorgan Chase, continually reviews, verifies and stands behind every aspect of our service, including our Square card reader. And we are constantly improving the payment experience to enhance security." Dorsey also pointed out that federal law guarantees cardholders are protected against fraudulent charges made using stolen card data.
Gary Glover, Director of Security Assessment for SecurityMetrics Inc., sides with VeriFone on the issue. "If Square had decided to put a little encryption chip inside their device, instead of it just having it be a straight, clear-text read of the data off the card, then the data leaving the card swipe hardware would be encrypted with a strong, two-part public key," he said.
Without encryption, the device is subject to exploitation by criminals, according to Rasori. The unencrypted data can be easily intercepted by malware on the front end, he said. Additionally, a fraudster can "write an application and just run around skimming people's cards," he said. "It could be selling t-shirts. Swipe your card and say, 'Oh, my Square's not working, can you pay me cash.' And they just captured your card."
Despite the controversy, the Square device is gaining popularity. Dorsey revealed in late May 2011 that 500,000 Square readers were in circulation, with Square processing $3 million in mobile payments daily.
Rasori lamented Square's "reckless" practice of shipping the devices free to anyone who wants one, with minimal, if any, background checks performed. "We're at a critical juncture with consumers trusting this whole process," he said. "For the last 25 years consumers have had their cards swiped through a purpose-built device, which is by and large trusted by anyone out there. ... But what does Square do? They come along and, in their desire to be innovative, they're creating a situation where people maybe will not trust this."
Pinning it down
Apparently, the media reports about mobile platform security haven't fallen on deaf ears, especially among consumers who are tech-savvy. In an Accenture survey of "early adopters" in 11 countries, 73 percent of respondents indicated that making payments using mobile phones raises privacy concerns while 70 percent believe mobile phone payments increase the risk of identity theft and fraud.
Even the PCI Security Standards Council (PCI SSC) has taken a step back and given itself more time to sort out the issues related to mobile payment security. In 2010, the council placed a moratorium on certifying mobile payment applications until it could formulate a new set of guidelines specific to the platform.
"The PCI Council is working hard to develop security guidelines and requirements for this type of environment, which wasn't really designed for this," Glover said. "It's going to take some time to figure out the things that should be done to secure this area."
The PCI SSC administers three sets of guidelines: the overarching PCI DSS and its two complementary standards, the PIN Transaction Security DSS and the Payment Application (PA) DSS. Mobile payments present a particularly challenging technology to pin down because of the number of its moving - and to some degree undefined - parts.
"The question is, which is which on the phone?" Rasch stated in his blog. "The phone is the network, the phone is an operating system and there is a downloadable application - is that PCI DSS or PA DSS? Do I have to comply with PCI DSS for my iPhone, my Android device? And how do I do it? How do I lock it down? How do I secure the network it's on when I have no control over the network?"
According to Glover, it's going to take the PCI SSC time to fully address smart phone security issues, with guidance from and collaboration with a variety of stakeholders. "It takes a while to get these things developed and vetted through industry experts and then get them all written down, so all the card brands can agree on it," he said.
Shoring it up
In the absence of mobile-specific PCI standards, Glover suggested that using the current PCI DSS and its related standards as a basic reference guide could be a good course of action.
"There are a lot of things that are pretty generic across any kind of application development," Glover said. "You've got to have strong encryption, access control - and you should be logging. ... So render the data unusable is probably my best advice. Encrypt it at swipe, then wait for the council to come up with further data on how to write the requirements."
Bob Russo, General Manager of the PCI SSC, expects the council to deliver guidance about mobile payment security by the end of 2011. But perhaps the industry is feeling a need to accelerate the dialogue. Visa Inc. issued a best practices paper on the subject in late April 2011, a little over a month after VeriFone's March campaign against Square. Rasori believes Visa's release date was not coincidental.