Breach Defenses At Work, But For How Long?

By Jeffrey Green (@epaymentsguy)

It’s often been said that for whatever data breach defenses the payments industry introduces, hackers develop ways to get around them. We may be in one of those phases where defense has the advantage, but, as we all well know, the offense almost always gets the ball back.

This week we learned that Distributed Denial of Service (DDoS) attacks frequently have been used by self-proclaimed hacker activists to disrupt mobile servers or networks. The group Anonymous, in its operation against WikiLeaks’ opponents, reportedly used such attacks.

“This method is surprisingly effective, and companies are finding out that groups of Internet users working together can flood the pipes of even the largest networks,” says Business 2 Community.

P2PE Milestone

Efforts from industry vendors to combat fraud this week also hit a milestone as secure payment-technology provider Bluefin became the first company in the U.S. to receive PCI validation for a point-to-point encryption (P2PE) solution.

The PCI Security Standards Council provided the validation.

“It’s not just go in and buy a device off of the shelf that encrypts the data,” Ruston Miles, chief of product innovation, told Market Platform Dynamics CEO Karen Webster in an exclusive podcast interview. “It has to do with an entire solution being audited and validated. Every piece – the injection facility, the front-end devices, the back-end decryption, the applications that go on the device.”

Hackers hacked

Hackers themselves also are feeling the pinch, as unknown culprits on Monday shut down websites known to host credit card data stolen in the December breach at Target. It remained unknown who was responsible for the public service.

Biometrics concerns

States are starting to pay close attention to biometrics use to ward off potential intrusions to individuals’ privacy. Lawmakers in Wisconsin this week reportedly will take up a bill approved in committee that would prevent school district officials from collecting biological information including fingerprints and retinal images from students.

“There are a lot of people who are concerned about biometric data,” said State Rep. Mandy Wright following an earlier 7-3 committee vote along party lines. “It does sound scary, but the fact is we are doing little to none of it right now.”

Consumer breach reaction

How consumers react to breaches was brought out in the results of a Feedzai survey, which found that 60 percent of respondents who knew about the breaches at such notable retailers as Target and Neiman Marcus put the merchant responsible for preventing future breaches. Comparatively, 13 percent believed responsibility fell on banks, while 5 percent said it fell on consumers (though the percentage rose to 10 percent of males ages 18 to 34).

LoopPay and HCE

We also learned this week how innovation in protecting payments doesn’t need to reinvent the wheel. LoopPay, for example, provides a secure mobile wallet solution that works with most existing retail point-of-sale terminals. In a podcast interview with MPD CEO Karen Webster, LoopPay Chief Technologist George Wallner explained why he believes Loop is not only a technology breakthrough, but a superior technology solution that can be implemented right now.

Loop’s MST (magnetic secure transmission) technology formats card data into simulated magnetic stripe tracks and transmits them via a pulsed magnetic field, which can be read by any POS terminal that accepts a mag stripe today. Loop takes this process one step future by doing something Wallner calls “Mobile Tokenization,” which uses Host Card Emulation (HCE) to tokenize and distribute cardholder data that is presented to a retailer’s existing mag stripe terminal via Loop’s MST technology. Tokens are issued by a secure, central location.

In March 20, the NFC Forum issued a statement on HCE, noting service providers need to evaluate and determine the best place to store credentials for their solutions, keeping in mind the trade-off between security risks and convenience.

Each model has its merits depending on the use case, Paula Hunter
NFC Forum executive director, noted in the statement. For instance, use cases that rely today on bar codes could immediately benefit from HCE without raising new security concerns, she said.

“However, transactions currently relying upon tamper-resistant secure storage of assets would need more thorough consideration,” Hunter said. “We’re encouraged by the steps being taken by providers of HCE-based solutions to ensure that their offerings meet consumer and business demands for latency and security.”