The old approach of handling card fraud under the radar will no longer work for banks
As the news trickling out of Target about the security breach gets worse and worse, it is the details about the nature of the attacks that I find interesting. I have been reading a lot about the methods employed in the Target breach, and one that immediately caught my eye was the RAM scraper. Today re/code picked up on that too.
Encryption is a word that is thrown around loosely, as if it were binary: either on or off. Consider the RAM scraper.
So what the heck is a RAM scraper and how does it work? First, remember that payment systems — the cash registers and credit card terminals you see in stores and restaurants every day — have a lot of strong requirements for encrypting data, pretty much end-to-end during the transaction process, as well as any records that are stored afterward.
But there’s one particular moment when that data is vulnerable, and it occurs during the milliseconds that it is stored in the system memory — a.k.a. random access memory, or RAM — of the back-end server that processes the transaction. Think of it as a package being delivered to you with a lock on it. Even though you have the key, you still have to open it to see what’s inside. The same thing happens when your credit card number gets decrypted.
That article does a decent job of not being too geeky while still making the point that modern payment technology requires a series of steps, in fact a large number of steps, between inserting a payment card and a successful payment. Each participant in the payment process has multiple such steps of its own, and each step is a potential weak link in the chain.
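To make the exposure window that quote describes concrete, here is an added example (not code from the re/code piece or from this post): a constructed Python simulation in which a card number arrives encrypted, is decrypted into a scratch buffer only long enough to validate it, and is wiped afterwards, alongside the Luhn-based scan that a PAN-discovery audit runs over a memory image to find cleartext card data. The XOR "decryption", the test PAN 4111111111111111 and the snapshot hook are assumptions made for the demonstration.

```python
import re

def luhn_ok(digits) -> bool:
    """Luhn check over a bytes-like run of ASCII digits (no copies made)."""
    total = 0
    for i, b in enumerate(reversed(digits)):
        d = b - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def find_pans(image: bytes) -> list:
    """Audit a memory image for Luhn-valid card-number-shaped digit runs;
    a hit means cleartext card data was resident when the image was taken."""
    return [m.group().decode() for m in PAN_RE.finditer(image) if luhn_ok(m.group())]

def process_transaction(encrypted_pan: bytes, key: int, scratch: bytearray, snapshot=None) -> bool:
    """Simulated back-end step. XOR with `key` stands in for the real
    transport decryption (assumption). The PAN is decrypted into `scratch`,
    validated, then wiped; `snapshot` is a hook that receives a copy of
    `scratch` while the cleartext is resident, i.e. the instant at which a
    memory dump would still contain it."""
    n = len(encrypted_pan)
    for i, b in enumerate(encrypted_pan):
        scratch[i] = b ^ key                 # cleartext lands in RAM here
    view = memoryview(scratch)[:n]           # validate without another copy
    ok = luhn_ok(view)
    view.release()
    if snapshot is not None:
        snapshot(bytes(scratch))             # what a dump taken now contains
    scratch[:n] = bytes(n)                   # wipe: end of the exposure window
    return ok

def demo() -> tuple:
    """Returns (PANs found in the mid-transaction snapshot, PANs found afterwards)."""
    key = 0x5A
    encrypted = bytes(b ^ key for b in b"4111111111111111")  # constructed test PAN
    scratch, dumps = bytearray(32), []
    process_transaction(encrypted, key, scratch, snapshot=dumps.append)
    return find_pans(dumps[0]), find_pans(bytes(scratch))
```

Python cannot guarantee that no other copy of the cleartext lingers elsewhere on the heap, so a real processing host does this in a language with explicit control over memory; the before/after contrast, not the language, is the point.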
Relevance to Bankwatch:
The only participants in this chain of electrons that have a real stake in each payment are the banks. Yet they are quiet. The TJ MAXX fiasco, and now the Target breakdown involving 70 million cards (twice the entire population of Canada, or 20% of America), show that fraud break-ins now involve enormous numbers of households.
The dirty secret of credit cards is that they have been managed as a portfolio with revenue and costs. Fraud is treated as an acceptable risk, simply one more cost in the portfolio. This approach has held up as long as frauds were restricted to the group of cards used at a specific ATM that organized crime had hacked. Those hacks were big for the customers involved but small for the bank.
Now the fraud has shifted, not to localised ATMs or individual store POS terminals, but to entire store networks. And the big box stores are large!
The old approach of handling card fraud under the radar will no longer work for banks. I would submit this requires a shift in approach, including amongst other things:
- a liability shift to merchants based on merchants' failure to meet standards
- a new merchant liability standard, defined on the basis of the new normal including RAM scrapers, that places accountability on merchants specific to the types of potential breaches that exist in the chain discussed above
- exclusion of merchants that will not comply with what may seem to be reactionary measures, but that's where we are
- EMV V2.0: time for banks to get together and redesign EMV, which is currently based on 2007 standards, and deal with the first two points. This covers the use of the mag stripe and the entire EMV sequence from card insertion through to successful payment. The design flow must consider that a customer sticks his card in the terminal and must be confident when he pulls it out that the transaction was secure.
EDIT Jan 14, 2014
It just gets worse: 110 million now, and confirmation of the depth of the malware infiltration that could lead to the RAM scraper exploit:
Target’s massive data breach, which occurred in mid-December of last year, has affected millions of customers, but the company has remained quiet about how personal and financial information was leaked. But CEO Gregg Steinhafel’s interview with CNBC yesterday finally shed some light on the attack, and it’s not pretty: the information was lifted via malware distributed directly through Target’s point-of-sale systems, and the company waited four days before disclosing the attack. That’s probably not very reassuring to the 110 million customers potentially affected by the attack.