Sunday, May 19, 2013

Are you still sure you are secure?

Fairy tales may have their place but not when it comes to IT and to supporting payment processing – a daring fraudulent raid on the world’s ATMs raised many questions. How secure do you really feel?

The fable of the wolf and the three pigs taught us all about the value that comes with bricks and mortar. Patching something together out of straw or sticks just doesn’t cut it if you want to keep the wolf at bay. However, as I recall, while it didn’t end well for the wolf, he did work out that he could enter the premises through the unguarded chimney. The story could simply end with this but one of the messages within the tale that I particularly like is to not take the easy route; it could cost you!

For the NonStop community nothing rattles cages more than stories of hacking and the prospect that one day the NonStop systems will be hacked. Much of what’s discussed in groups and on forums covers the merits of an integrated stack, the various levels of security already offered (and complemented by offerings from the NonStop vendor community), and the lack of awareness about the NonStop “principle of operations”. And yet, feed a perfectly good application misinformation and it may crack wide open the fortress that is NonStop.

Chimneys or modern networks, when it comes to today’s IT infrastructure, there’s definitely no excuse for not taking every step possible to prevent incursions by unwelcome guests. This has definitely been highlighted by the events of the past few weeks – if you missed it, there was a global raid on ATMs with criminal gangs fraudulently pilfering $45 million in two separate attacks; the first on December 21st, 2012, that netted $5 million, with the second on February 14, 2013, that netted an additional $40 million.

According to Reuters, “MasterCard, the network under which the cards used in the heist were issued, has said its security was not compromised”. The two banks involved were in the Middle East – Bank of Muscat, Oman and the other RAKBANK, Dubai. The payment processors involved were both in India – enStage of Cupertino, California, but operating out of Bangalore, and the other, our good friends at ElectraCard Systems operating out of Pune. The culprit – “open-loop” prepaid gift cards capable of being reloaded at any time.

In a story carried by the Malaysian newspaper, New Straits Times, “Prepaid cards have fewer controls on them than on regular credit and debit cards issued by banks. Each prepaid card issued is like a blank slate: anonymous, new, and lacking any credit history or individual behavior pattern against which bankers and payment processors can measure activity to look for red flags.”

Furthermore, when the story first broke, it was USA Today that reported how in the second attack, “After penetrating the processor's computer network, the hackers fraudulently manipulated the balances and withdrawal limits on Rakbank prepaid debit card accounts. Then, teams of so-called cashers allegedly launched carefully timed attacks that caused more than $5 million in criminal losses from more than 4,500 ATMs in about 20 countries. In approximately 10 hours, casher cells in 24 countries conducted approximately 36,000 ATM transactions worldwide, withdrawing an estimated $40 million.”

However, here’s the rub. It wasn’t the processors who were hacked but the two banks themselves. Furthermore, it was the underlying “open loop” refillable debit card too that contributed. According to the Wall Street Journal, “The hackers increased the available balance and withdrawal limits on prepaid MasterCard debit cards … They then distributed counterfeit debit cards to ‘cashers’ around the world, enabling them to siphon millions of dollars from ATMs in a matter of hours.”

“These hackers manipulated balances directly in the payment applications, which is not easy to do,” said comForte CTO, Thomas Burg. “Many hackers go for easier options such as unprotected log files containing ‘virtual gold’ such as credit card numbers together with expiration dates”. But as the New York Times observed, difficult as it may have been, “by using prepaid cards, the thieves were able to take money without draining the bank accounts of individuals, which might have set off alarms more quickly.”

Furthermore, said Burg, “The main driver behind the work we have undertaken in support of tokenization, for instance, is PCI 3.4 and the need to protect PAN (primary account numbers) data but there are other use cases like PII (personal identifiable information), e.g. mobile phone numbers, national security numbers, patient record numbers - all should be protected properly in order to prevent misuse of such information. It probably could be seen as a general data protection requirement and best practice to tokenize sensitive data. And PCI 3.4 is accomplished today, as far as payments platforms such as BASE24 are concerned, using compensating controls only.”


“comForte SecurData is a framework of solutions which helps you to make sensitive data unreadable and to log access to such sensitive data. As a tokenization solution it simply replaces sensitive data with tokens for use within the payment systems and related applications,” Burg then added. “And in so doing, makes any inroads hackers may make (by whatever means) into a system less tempting, raising the bar for any unwanted intruder much, much, higher.” Yes, the wolf should have abandoned his plan to enter via the chimney once he saw the smoke.
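
The two ideas in Burg's description, replacing sensitive data with tokens and logging access to the original values, sketched here as an added Python example; it is not comForte SecurData code and not part of the original post. The TokenVault class, the token format and the sample log lines are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timezone

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # candidate card-number runs

def luhn_ok(number: str) -> bool:
    # Luhn checksum: separates real PANs from other long digit strings.
    digits = [int(d) for d in reversed(number)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in for a hardened token vault (hypothetical)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # in production: kept in an HSM/KMS
        self._by_token = {}
        self.access_log = []                 # who asked for which real value

    def tokenize(self, pan: str) -> str:
        # Keyed, deterministic token: the same PAN always maps to the same
        # token, so applications can still correlate records without the PAN.
        mac = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        token = f"tok_{mac[:16]}_{pan[-4:]}"  # last four kept for support staff
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str, who: str) -> str:
        # Every read of the real value leaves an audit record first.
        self.access_log.append((datetime.now(timezone.utc).isoformat(), who, token))
        return self._by_token[token]

def scrub_line(line: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid PAN in a log line with its token."""
    def repl(match):
        pan = match.group(0)
        return vault.tokenize(pan) if luhn_ok(pan) else pan
    return PAN_RE.sub(repl, line)

# Constructed sample log lines; 4111111111111111 is a standard test PAN.
SAMPLE_LOG = [
    "2013-02-14 10:02:11 AUTH pan=4111111111111111 exp=1215 amt=500.00",
    "2013-02-14 10:02:12 TRACE ref=1234567890123456 status=OK",
]

if __name__ == "__main__":
    vault = TokenVault()
    for line in SAMPLE_LOG:
        print(scrub_line(line, vault))
```

The second sample line passes through unchanged because its 16-digit reference fails the Luhn check, which keeps the scrubber from mangling identifiers that merely look like card numbers.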

Within the NonStop community, particularly that part of the community associated with payment processors, security will always be a concern and even with comfort in the knowledge of never having been hacked, there’s always room for improvements. Products do exist just as best practices can be followed. Doing nothing at all, however, is not an option, and one of these Middle Eastern banks just targeted must be regretting it. Perhaps it is time to go check the doors and windows, pull down the hatches and set the alarms - a $45 million loss is going to prove very difficult to recoup, I am more than sure!
