Security breaches aimed at lifting sensitive data have become a depressing part of the new normal for payments and commerce players specifically - and much of the digital ecosystem in general. There are dozens and possibly hundreds of security solutions, and billions spent on them by companies of all shapes and sizes. Yet, it seems, every entity, from the largest company in the world to the White House, is trying to figure out how to keep the ever-proliferating number of cybercriminals from running off with our data.
It's a problem security blogger Brian Krebs compared to playing an unwinnable game of “whac-a-mole.”
Luckily for banks and payments players, security protocols evolve along with the folks who try to bypass them - and into some fairly out-of-the-box territory.
Territory like that stalked by security firm Cryptosense - which takes the unusual step of hacking their clients to prevent them from, well, getting hacked.
“The idea of our software at a very high level is to simulate a very powerful sophisticated attacker. We are going to attach ourselves to a critical back office part of your payment system and our software is going to do its best to break in,” Cryptosense CEO Graham Steel explained to MPD CEO Karen Webster in a recent podcast interview.
The Cryptosense software focuses on the cryptographic - or encrypted - features of backend systems like PINs, security keys and other forms of encoded information that hackers go after to unlock sensitive systems.
“[Cryptographic systems] are the way that you make authentication codes across EMV transactions, or the way you manage your keys for encrypting PINs - there is a lot of crypto here and there in payments systems,” Steel explained.
Before founding Cryptosense, Steel was a cryptographic researcher. He said it was only after being approached in London at a conference by a bank about his research that he really saw the size and scope of the need - and what he could do to fill it with a different approach to cybersecurity solutions.
“What we usually find are just little mistakes, little configuration errors or small things that are being done wrong,” Steel told Webster. “The things we find wrong are often easy and simple, but they are hidden among all the other functions that are found in a payments back-office application. They are shallow, but they are hard to find because of all the other layers.”
And this is an endemic issue in banking and payments - Webster pointed out - because of the vast reliance on legacy systems that offer a virtual buffet of complicated, intertwined and therefore exploitable targets for the active hacker.
“That’s definitely part of it,” Steel concurred with Webster. “Another thing we find often is that people want to maintain compatibility with different schemes, or backward compatibility with what they were using before two operators, like banks, merged. They then have to mash up two different systems. Our typical customer will be putting in a new scheme and we will work with them to run our software to find any problems.”
Apart from a one-time stress test, Steel noted that Cryptosense also leaves “a little bit of its software behind” to continue monitoring the systems - especially with legacy systems that are less than state of the art.
“Payments operators are often required to use cryptographic schemes that are not 100 percent secure – and we know that they have certain weaknesses - and will always have those weaknesses,” Steel said. “They require a lot of access for an attacker to actually exploit, so the point of our monitoring is to sit there and make sure that this type of access is not going on.”
And keeping access away is an increasingly difficult task since criminals are getting smarter and more professional.
“The life of a Chief Security Officer at banks or payments [companies] at the moment is an extraordinarily difficult one – they have to prioritize between 7 or 8 things,” Steel told Webster. “We do see a really high level of sophistication, attacks that are carried out in the U.S. when the attacker never leaves a country in Eastern Europe. People now recruit hackers to carry out different parts of their attack. We also notice that people who are criminals are much faster to weaponize attacks that are published in the academic literature than they used to be. Even very sophisticated crypto attacks.”
Facing an increasingly specialized and smart field, Cryptosense is itself very specialized. When asked about the “spear-phishing” attacks that have been popular this year - where attackers gain access to a network by slowly crawling it through human beings opening the wrong infected email - Steel noted that such attacks are also, in part, his firm’s purview.
“We don’t try to go after the social engineering attacks,” Steel remarked. “The thing we can do is intervene when that breach goes from being a guy who got access to your network to a guy who's trying to cash out with an attack on the cash machine network.”
And, apart from being specialized, his firm’s security software is also evolving - with a model checker that is consciously looking to think of security breaches before cybercriminals get a chance to test drive them in a real attack. This, says Steel, means a system that is more adaptable, and it also removes the need to keep a comprehensive database of every attack of every type to cross-reference against.
“The really interesting part of the software is the model checker that takes all the possible commands that software might call and it looks for all the combinations you wouldn’t think of,” Steel told Webster. “We don’t have to keep up to date with every way that an attacker has come up with in the past because our engines will come up with new ones.”
This doesn’t mean that the firm can afford not to do its research. Quite the contrary, Steel says it frees up the intellectual capital of the firm to “understand where the attacks are evolving from and what new mathematical treatments of crypto are,” so that this information can be fed into the model checker.
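The passage above describes the core idea in the abstract: enumerate the commands a back-office crypto API exposes and search every combination for one that hands a protected key to the caller. The following is an added example, not Cryptosense’s software and not code from this article; it is a toy symbolic model checker over a constructed key-management API with two key handles (`kek`, `pin_key`), whose attribute names and the `WEAK`/`HARDENED` configurations are all assumptions made here for illustration. It searches breadth-first over command sequences and reports the shortest one that exposes a sensitive key, which is exactly the kind of "little configuration error" Steel describes: one key allowed to both wrap other keys and decrypt ordinary data.

```python
"""Toy symbolic model checker for a constructed key-management API (added example)."""
from collections import deque
from dataclasses import dataclass
from typing import Iterator, Optional

@dataclass(frozen=True)
class KeyAttrs:
    sensitive: bool    # clear value must never leave the device
    extractable: bool  # may leave the device wrapped under another key
    wrap: bool         # may be used to wrap (export) other keys
    decrypt: bool      # may be used for ordinary data decryption
    encrypt: bool      # may be used for ordinary data encryption

# Symbolic terms: ("key", handle) is a key's clear value,
# ("enc", handle, term) is `term` encrypted under that key's value.
Term = tuple

def fmt(t: Term) -> str:
    """Readable rendering of a symbolic term."""
    if t[0] == "key":
        return f"key({t[1]})"
    return f"enc({t[1]}, {fmt(t[2])})"

def successors(device: dict, known: frozenset) -> Iterator[tuple]:
    """Every API call the caller can issue given what it already knows,
    paired with the new term each call returns (a Dolev-Yao style abstraction:
    decryption only succeeds with the matching key, never by guessing)."""
    for h, a in device.items():
        for h2, a2 in device.items():
            if a.wrap and a2.extractable:
                yield f"Wrap({h}, {h2})", ("enc", h, ("key", h2))
        for t in known:
            if a.decrypt and t[0] == "enc" and t[1] == h:
                yield f"Decrypt({h}, {fmt(t)})", t[2]
            if a.encrypt:
                yield f"Encrypt({h}, {fmt(t)})", ("enc", h, t)

def find_leak(device: dict, max_depth: int = 4) -> Optional[list]:
    """Breadth-first search over command sequences. Returns the shortest
    sequence that puts a sensitive key's clear value in the caller's hands,
    or None if no sequence of at most max_depth calls does."""
    def leaked(known: frozenset) -> bool:
        return any(a.sensitive and ("key", h) in known for h, a in device.items())
    start = frozenset()
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        known, path = queue.popleft()
        if leaked(known):
            return path
        if len(path) >= max_depth:
            continue
        for label, term in successors(device, known):
            nxt = known | {term}
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [label]))
    return None

# Constructed configurations (assumptions for this example, not a real product's policy).
# Weak: the key-encrypting key may both wrap keys and decrypt data, so a wrapped key is
# just "data" that the same device will happily decrypt.
WEAK = {
    "kek":     KeyAttrs(sensitive=True, extractable=False, wrap=True,  decrypt=True,  encrypt=True),
    "pin_key": KeyAttrs(sensitive=True, extractable=True,  wrap=False, decrypt=False, encrypt=False),
}
# Hardened: one role per key; the KEK wraps but is never usable for data decryption.
HARDENED = {
    "kek":     KeyAttrs(sensitive=True, extractable=False, wrap=True,  decrypt=False, encrypt=False),
    "pin_key": KeyAttrs(sensitive=True, extractable=True,  wrap=False, decrypt=False, encrypt=False),
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", find_leak(cfg) or "no leak within bound")
```

Run as a pre-deployment check, the weak policy is rejected with a two-call witness (`Wrap` then `Decrypt` under the same handle), while the hardened policy explores every reachable combination within the bound and finds none. Real tools work over far richer models and unbounded depth, but the defender’s takeaway is the same: the individual calls are all legitimate, and only their combination is the bug.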
As for what’s next? Steel told Webster that thus far Cryptosense has been narrowly focused on payments and banking - but that in the next year they hope to branch out.
“We’re really quite specialized around these payments systems and banking,” he said. “What we are looking to do is broaden out our technology into other enterprises.”
Given their specialization in cryptography, Steel says they would look at cryptography-dependent applications like VPNs and email systems.