Comments: Attack on Brit retail payments -- some takeways

recent post on this subject with some additional references
http://www.garlic.com/~lynn/2008e.html#34

as i've mentioned before, we were called in to consult with small client/server startup that wanted to do payment transactions on their server (also had invented this stuff called SSL)
http://www.garlic.com/~lynn/subnetwork.html#gateway

which is frequently now called electronic commerce.

we then also got involved with the x9a10 financial standards working group that had been give the requirement to preserve the integrity of the financial infrastructure for all retail payments. part of this included doing detailed end-to-end vulnerability and threat analysis.

various vulnerabilities/threats ... some of which were decades old

compromised card acceptor devices (both magstripe and chip)
skimming attacks
evesdropping attacks
security and data breaches
replay attacks because of associated static data paradigm

some of this has been previously discussed in the threads related to naked transactions ... misc. posts here
http://www.garlic.com/~lynn/subintegrity.html#yescard

the x9a10 financial standard working group produced the x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959

part of the standard was making x9.59 immune from evesdropping, security & data breaches, various skimming attacks and some of the card acceptor device compromises.
x9.59 didn't do anything to hide the transaction information ... but it made it useless to the crooks for purposes of doing fraudulent transactions.

we've claimed that the major use of SSL in the world is its use in electronic commerce ... which we had previously done ... for hiding financial transactions. however, x9.59 standard turns out to eliminate needing SSL to hide electronic transactions as a fraudulent financial transacton countermeasure.

The remaining cases of compromised card acceptor devices, we had claimed would require personal transaction devices ... possibly built off of cellphone or PDA platforms using wireless interfaces (since x9.59 had already eliminated evesdropping on the internet as a vulnerability ... it would also eliminate wireless evesdropping between POS
interface and a personal transaction device, as a vulnerability).

some of this can be seen in discussions involving the EU FINREAD standard from the 90s. FINREAD would be a personal card acceptor device that met some integrity evaluation criteria. However, in the FINREAD standard ... there was no provision to provide assurance to a financial institution that a FINREAD device was actually being used.
http://www.garlic.com/~lynn/subintegrity.html#finread

X9.59 provided provisions for things like dual-signatures ... one to authenticate the entity generating the transaction and a second to authenticate the environment integrity where the transaction originated. This is something we referred to as parameterized risk management ... being able to provide the approving financial institution additional assurance about the environment and possibly location where the transaction was performed.

Posted by Lynn Wheeler at February 27, 2008 07:43 AM

This was covered fairly extensively on the evening news in the UK the night before last.

It headlined on newsnight, and Paxman interviewed an industry spokewoman who came off with very little credibility.

Take a look at www.bbc.co.uk/iplayer and search for newsnight any time in the next four days and you can watch the episode (26/2/08).

The other thing that is notable was the a few days earlier there was another of those scandals where a large proportion of a community had their card and pin details stolen by a compromised machine in a petrol station, followed by a bunch of foreign withdrawls. The governments reaction seems to be to have issued a directive that credit card fraud should be reported directly to the banks, and not to the police. And banks have started to become more inclined to accuse card holders of not protecting their own pin and refusing to cover losses unless there is evidence (such is in these mass frauds) that it wasn't due to individual user carelessness.

Posted by Digbyt at February 28, 2008 05:21 PM

originally suppose to go down ... but went up by better than 1/3rd instead:

Card fraud GLB150m worse than expected
http://www.thisismoney.co.uk/news/article.html?in_article_id=431514


APACS Reports Card Fraud Statistics for 2007
http://www.paymentsnews.com/2008/03/apacs-reports-c.html
Increases in card fraud
http://www.loans4.co.uk/loan_news/news.php?item=281-Increases_in_card_fraud-281
New figures show rise in card fraud
http://www.computeractive.co.uk/computeractive/news/2211865/apacs-figures-show-rise-card
Card fraud abroad up claims APACS
http://www.itpro.co.uk/security/news/177357/card-fraud-abroad-up-claims-apacs.html
Credit card fraud hits record levels
http://financialadvice.co.uk/news/2/creditcards/6464/Credit-card-fraud-hits-record-levels.html
Overseas card fraud rises by 25%
http://www.bankingtimes.co.uk/12032008-overseas-card-fraud-rises-by-25/
Credit card fraud reaches record levels
http://ftadviser.com/FTAdviser/Insurance/News/article/20080312/39fdaf52-f02a-11dc-bfbb-0015171400aa/Credit-card-fraud-reaches-record-levels.jsp
Card fraud soars to record high despite chip and pin
http://news.scotsman.com/uk/Card-fraud-soars-to-record.3868258.jp
Criminal gangs fuel a record 25 per cent rise in card fraud
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=531068&in_page_id=1770
Credit card fraud soars despite 'chip and pin'
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2008/03/12/nfraud112.xml
Plastic card fraud goes back up
http://news.bbc.co.uk/1/hi/business/7289856.stm

Posted by Lynn Wheeler at March 12, 2008 04:19 PM
Post a comment









Remember personal info?






Hit Preview to see your comment. 
MT::App::Comments=HASH(0x55f183d446c8) Subroutine MT::Blog::SUPER::site_url redefined at /home/iang/www/fc/cgi-bin/mt/lib/MT/Object.pm line 125.