<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:pingback="http://madskills.com/public/xml/rss/module/pingback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>The Logic Group Blog - Fraud</title>
    <link>http://www.the-logic-group.com/blog/</link>
    <description />
    <language>en-us</language>
    <copyright>The Logic Group Holdings Ltd. Registered in England. Registered No 02283418</copyright>
    <lastBuildDate>Fri, 16 Nov 2012 10:46:20 GMT</lastBuildDate>
    <generator>newtelligence dasBlog 2.3.12105.0</generator>
    <managingEditor>info@the-logic-group.com</managingEditor>
    <webMaster>info@the-logic-group.com</webMaster>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=cd608a62-84d0-4d0f-9464-58607eda8273</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,cd608a62-84d0-4d0f-9464-58607eda8273.aspx</pingback:target>
      <dc:creator>Mark Prior-Egerton</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,cd608a62-84d0-4d0f-9464-58607eda8273.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=cd608a62-84d0-4d0f-9464-58607eda8273</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">On Monday (12th November) I was alerted
by a colleague to a YouTube video going viral; if you haven’t seen it already, it’s
titled ‘<a href="http://youtube.googleapis.com/v/lLAFhTjsQHw%26sns=emhttp://" target="_blank">The
Risk inside your credit card</a>’. It suggests that fraudsters can electronically
pickpocket your contactless cards, so it’s not surprising it’s had over 5.5 million
hits!<br /><br />
The video claims that, armed with a contactless card reader, fraudsters can gather
sufficient card information to clone the card and use it at retailers to make purchases
- which isn’t that compelling until the video shows it being done.
<br /><br />
My initial reaction was a bit of a 'so what' moment. Unlike the US, which still operates
magnetic-stripe cards, all our debit and credit cards use EMV (Europay, MasterCard
and Visa) smart chip technology. This means a fraudster could not simply clone
and use the card; they would still need the cardholder's PIN, which is not transmitted
or held on the RFID (Radio-frequency identification) chip.<br /><br />
The above does however highlight the potential for a far bigger threat if fraudsters
could harvest UK card data with contactless card readers and send these on to crime
syndicates in countries such as the USA, parts of Africa, and Mongolia, who have not
chosen to move to the EMV standard.<br /><br />
Fortunately, our EMV cards cover this eventuality too: although the card number
and expiry date are transmitted by the contactless (RFID) chip, Dynamic Data Authentication
(DDA) and the chip's own Card Verification Value (iCVV) let issuers identify fraudulent
use of chip data in magnetic-stripe transaction processing and decline the
card at the point of sale.
<br /><br />
For card-not-present transactions (typically made over the phone or for
online shopping), the CVV2 (card verification value) mandate is in place; this requires
the cardholder to provide the rightmost three digits printed on the signature strip
on the reverse of their Visa or MasterCard to complete the purchase.<br /><br />
So in summary, if you hold a smart card built to the EMV standard you
needn’t have many concerns about your card details being used fraudulently at home
or abroad.<br /><p></p><img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=cd608a62-84d0-4d0f-9464-58607eda8273" /></body>
      <title>What’s all the RFIDing fuss about?</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,cd608a62-84d0-4d0f-9464-58607eda8273.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2012/11/16/WhatsAllTheRFIDingFussAbout.aspx</link>
      <pubDate>Fri, 16 Nov 2012 10:46:20 GMT</pubDate>
<description>On Monday (12th November) I was alerted by a colleague to a YouTube video going viral; if you haven’t seen it already, it’s titled ‘&lt;a href="http://youtube.googleapis.com/v/lLAFhTjsQHw%26sns=emhttp://" target="_blank"&gt;The
Risk inside your credit card&lt;/a&gt;’. It suggests that fraudsters can electronically
pickpocket your contactless cards, so it’s not surprising it’s had over 5.5 million
hits!&lt;br&gt;
&lt;br&gt;
The video claims that, armed with a contactless card reader, fraudsters can gather
sufficient card information to clone the card and use it at retailers to make purchases
- which isn’t that compelling until the video shows it being done.
&lt;br&gt;
&lt;br&gt;
My initial reaction was a bit of a 'so what' moment. Unlike the US, which still operates
magnetic-stripe cards, all our debit and credit cards use EMV (Europay, MasterCard
and Visa) smart chip technology. This means a fraudster could not simply clone
and use the card; they would still need the cardholder's PIN, which is not transmitted
or held on the RFID (Radio-frequency identification) chip.&lt;br&gt;
&lt;br&gt;
The above does however highlight the potential for a far bigger threat if fraudsters
could harvest UK card data with contactless card readers and send these on to crime
syndicates in countries such as the USA, parts of Africa, and Mongolia, who have not
chosen to move to the EMV standard.&lt;br&gt;
&lt;br&gt;
Fortunately, our EMV cards cover this eventuality too: although the card number
and expiry date are transmitted by the contactless (RFID) chip, Dynamic Data Authentication
(DDA) and the chip's own Card Verification Value (iCVV) let issuers identify fraudulent
use of chip data in magnetic-stripe transaction processing and decline the
card at the point of sale.
&lt;br&gt;
&lt;br&gt;
For card-not-present transactions (typically made over the phone or for
online shopping), the CVV2 (card verification value) mandate is in place; this requires
the cardholder to provide the rightmost three digits printed on the signature strip
on the reverse of their Visa or MasterCard to complete the purchase.&lt;br&gt;
&lt;br&gt;
So in summary, if you hold a smart card built to the EMV standard you
needn’t have many concerns about your card details being used fraudulently at home
or abroad.&lt;br&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=cd608a62-84d0-4d0f-9464-58607eda8273" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,cd608a62-84d0-4d0f-9464-58607eda8273.aspx</comments>
      <category>Contactless</category>
      <category>Fraud</category>
      <category>Mobile</category>
      <category>Payments</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=ea965321-a41c-42c8-89bc-c0cccad3895b</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,ea965321-a41c-42c8-89bc-c0cccad3895b.aspx</pingback:target>
      <dc:creator>Robin Adams</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,ea965321-a41c-42c8-89bc-c0cccad3895b.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=ea965321-a41c-42c8-89bc-c0cccad3895b</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
The new <a href="http://www.homeoffice.gov.uk/publications/agencies-public-bodies/nfa/annual-fraud-indicator/" target="_blank">Annual
Fraud Indicator</a> from the National Fraud Authority (NFA) was published this morning
and makes some interesting reading.
</p>
        <p>
 
</p>
        <p>
The headline figure which everyone will pick up on is that the loss to the UK economy
from fraud each year is estimated to be £73Bn. Considering the previous estimate in
2011 was £38Bn, has fraud really increased twofold? The answer, unsurprisingly, is
that it hasn’t; what has changed is the inclusion of new areas of the economy not
previously considered in scope and a step change in the methodology used.
</p>
        <p>
 
</p>
        <p>
So what are the interesting facts in the report?
</p>
        <p>
 
</p>
        <p>
Estimated fraud perpetrated against the private sector came to £45Bn, with an estimated
1.4% of turnover being attributed to this fraud. This is in line with what we tend
to see when we talk to merchants about their own fraud estimates. Within this section
was the commentary that many retailers identified fraud from their growing online
and multichannel operations as the most significant emerging issue they faced. Again
this ties in with our own experience here at The Logic Group, where we see retailers
trying to address this issue with a multitude of tools. There has been a large growth
in the use of 3D Secure (Verified by Visa, SecureCode, SafeKey) and other real-time
fraud identification tools to try to identify this fraud as it is attempted. For
many retailers the issue they face is to identify fraudulent transactions while
still permitting valid customers’ transactions to flow seamlessly through the system.
Rejecting valid transactions is also a real cost to a retailer and is one of the
invisible costs of fraud which will not be identified within this report. Tuning a
fraud tool correctly can have a major impact on turnover and fraud levels. Fraudsters
are constantly improving their techniques to counteract these tools, so it remains
an ongoing battle. For example, recently there has been a move towards targeting call centres
as the channel of payment, since these are unable to use 3D Secure in their validation
efforts.
</p>
        <p>
 
</p>
        <p>
Identity-related fraud (aka identity theft) was set at an estimate of £1.2Bn, although
the report states this is likely to be an underestimate. We are already aware of more
attempts to steal individuals' personal data, as this can then be used within more sophisticated
attempts to commit fraud. Why steal well-protected card data if you can steal the
identity of the card owner and obtain a card in his name anyway? Working in the area
of the Payment Card Industry Data Security Standard (PCI DSS) at The Logic Group,
we see cardholder data being well protected while, alongside it and outside the
protected Cardholder Data Environment (CDE), customer and loyalty data belonging to
the merchant remains vulnerable to attack.
</p>
        <p>
 
</p>
        <p>
As expected, fraud committed against individuals was up, with an estimate of £6Bn. Perhaps
the most jaw-dropping of the wealth of statistics presented in this area
is the fact that 1 million people responded to unsolicited communications by sending
money and, unsurprisingly, just under 500,000 of these people found it was fraudulent.
I remember a couple of years ago a member of a specialist police team telling me they
thought there was, on average, at least one meeting a day in a London hotel room where
a fraudster would be meeting a victim of this type of fraud for the handover of large
amounts of cash.
</p>
        <p>
 
</p>
        <p>
So the next time you receive that email from your “friend” who has £30M available
in a bank account, due to the death of his cousin the general, or the one who rings
you to tell you about your foreign lottery win, or the one who has scanned your machine
on the network and found a virus they want to fix, don’t send that administration
fee. Instead remember that statistic!
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=ea965321-a41c-42c8-89bc-c0cccad3895b" />
      </body>
      <title>Don’t be one in a Million!</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,ea965321-a41c-42c8-89bc-c0cccad3895b.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2012/03/29/DontBeOneInAMillion.aspx</link>
      <pubDate>Thu, 29 Mar 2012 14:53:41 GMT</pubDate>
      <description>&lt;p&gt;
The new &lt;a href="http://www.homeoffice.gov.uk/publications/agencies-public-bodies/nfa/annual-fraud-indicator/" target="_blank"&gt;Annual
Fraud Indicator&lt;/a&gt; from the National Fraud Authority (NFA) was published this morning
and makes some interesting reading.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
The headline figure which everyone will pick up on is that the loss to the UK economy
from fraud each year is estimated to be £73Bn. Considering the previous estimate in
2011 was £38Bn, has fraud really increased twofold? The answer, unsurprisingly, is
that it hasn’t; what has changed is the inclusion of new areas of the economy not
previously considered in scope and a step change in the methodology used.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
So what are the interesting facts in the report?
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Estimated fraud perpetrated against the private sector came to £45Bn, with an estimated
1.4% of turnover being attributed to this fraud. This is in line with what we tend
to see when we talk to merchants about their own fraud estimates. Within this section
was the commentary that many retailers identified fraud from their growing online
and multichannel operations as the most significant emerging issue they faced. Again
this ties in with our own experience here at The Logic Group, where we see retailers
trying to address this issue with a multitude of tools. There has been a large growth
in the use of 3D Secure (Verified by Visa, SecureCode, SafeKey) and other real-time
fraud identification tools to try to identify this fraud as it is attempted. For
many retailers the issue they face is to identify fraudulent transactions while
still permitting valid customers’ transactions to flow seamlessly through the system.
Rejecting valid transactions is also a real cost to a retailer and is one of the
invisible costs of fraud which will not be identified within this report. Tuning a
fraud tool correctly can have a major impact on turnover and fraud levels. Fraudsters
are constantly improving their techniques to counteract these tools, so it remains
an ongoing battle. For example, recently there has been a move towards targeting call centres
as the channel of payment, since these are unable to use 3D Secure in their validation
efforts.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Identity-related fraud (aka identity theft) was set at an estimate of £1.2Bn, although
the report states this is likely to be an underestimate. We are already aware of more
attempts to steal individuals' personal data, as this can then be used within more sophisticated
attempts to commit fraud. Why steal well-protected card data if you can steal the
identity of the card owner and obtain a card in his name anyway? Working in the area
of the Payment Card Industry Data Security Standard (PCI DSS) at The Logic Group,
we see cardholder data being well protected while, alongside it and outside the
protected Cardholder Data Environment (CDE), customer and loyalty data belonging to
the merchant remains vulnerable to attack.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
As expected, fraud committed against individuals was up, with an estimate of £6Bn. Perhaps
the most jaw-dropping of the wealth of statistics presented in this area
is the fact that 1 million people responded to unsolicited communications by sending
money and, unsurprisingly, just under 500,000 of these people found it was fraudulent.
I remember a couple of years ago a member of a specialist police team telling me they
thought there was, on average, at least one meeting a day in a London hotel room where
a fraudster would be meeting a victim of this type of fraud for the handover of large
amounts of cash.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
So the next time you receive that email from your “friend” who has £30M available
in a bank account, due to the death of his cousin the general, or the one who rings
you to tell you about your foreign lottery win, or the one who has scanned your machine
on the network and found a virus they want to fix, don’t send that administration
fee. Instead remember that statistic!
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=ea965321-a41c-42c8-89bc-c0cccad3895b" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,ea965321-a41c-42c8-89bc-c0cccad3895b.aspx</comments>
      <category>Fraud</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=dc98f685-fd50-4e23-bd3b-2e2388e9fa81</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,dc98f685-fd50-4e23-bd3b-2e2388e9fa81.aspx</pingback:target>
      <dc:creator>Mark Kusionowicz</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,dc98f685-fd50-4e23-bd3b-2e2388e9fa81.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=dc98f685-fd50-4e23-bd3b-2e2388e9fa81</wfw:commentRss>
      <title>So is Fraud going up or down?</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,dc98f685-fd50-4e23-bd3b-2e2388e9fa81.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2012/03/14/SoIsFraudGoingUpOrDown.aspx</link>
      <pubDate>Wed, 14 Mar 2012 11:47:21 GMT</pubDate>
      <description>&lt;p&gt;
The devil is in the details - an old adage I know, but just the other day I was struck
by how accurate that phrase can be. In an online daily news service for payments professionals
there were two very different headlines on consecutive days. On day 1 the headline read
“UK: Fraud reaches record levels in 2011”, followed the next day by “UK: Fraud losses
on debit and credit cards reach the lowest level in 10 years”.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
How should a retailer or other merchant respond to headlines like that? Should they
increase investment in anti-fraud measures or re-allocate some of that spend to driving
new marketing programmes as the risk of fraud is reduced? A more detailed investigation
is required – I took a close look at each report, rather than relying on the headlines.&lt;br /&gt;
My first observation is that the reports were from two different sources and were
talking about different sets of statistics. The “fraud is getting worse” one was from &lt;a href="https://www.cifas.org.uk/secure/contentPORT/uploads/documents/reports/Confidential-%20Fraudscape%202011.pdf" target="_blank"&gt;CIFAS,
the UK’s Fraud Prevention Service&lt;/a&gt;, covering all fraud reported to the National
Fraud Database, and the “fraud is reducing” one was from &lt;a href="http://www.theukcardsassociation.org.uk/wm_functions/fnc_get_document.asp?DocumentID=177&amp;Filename=end of year fraud figures 2011.pdf" target="_blank"&gt;The
UK Cards Association&lt;/a&gt; covering debit and credit card fraud only. So is that the
reason? Well, no it isn’t. The CIFAS report states that plastic card fraud has increased
by 6.3% from 2010 to 2011 whereas the UK Cards Association says the overall rate has
decreased by 7%.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
My second observation is that the measures used were different – the CIFAS report
uses the number of frauds reported whereas the UK Cards Association report uses the value
of frauds. So the volume of frauds could have increased, but with a lower value. Even
if that is true, to characterise the trend as either ‘up’ or ‘down’ without considering
both measures at the same time is somewhat misleading.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
My third observation is that going to the next level of detail demonstrates an even
greater discrepancy between the two reports – a real devil in the details! The UK
Cards Association Report shows that “Card ID Theft” decreased by a massive 41%. This
is defined as a combination of “Account Takeover Fraud” and “Application Fraud”, but
the CIFAS report states that Account Takeover Fraud increased by 18.4% and Application
Fraud increased by 14.3%.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Where does this leave us? Apart from repeating the saying that has been attributed
to various 19th Century speakers of “lies, damned lies and statistics”, I think we
should all accept that, whether there has been an increase in volume of frauds or
a decrease in value, fraud is still a major risk that merchants need to address.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
We intuitively know that fraudsters do not ‘melt away’; they just find another way
to ply their trade, so we should not fixate on just using measures against, for example,
Card Not Present fraud but look more widely at all potential sources. Certainly the
wider CIFAS statistics show that nearly 60% of frauds reported are accounted for by
Identity Fraud and Facility Takeover Fraud. One type of potential source of identification
data that fraudsters have started to attack is membership schemes, such as in the
Sony PlayStation Network compromise last year. Merchants need to be on the alert that
the risk of fraud is not only from debit and credit cards but also, for example, from
loyalty programmes, where there has not been as much focused attention on data security
as there has been for payments processes.
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=dc98f685-fd50-4e23-bd3b-2e2388e9fa81" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,dc98f685-fd50-4e23-bd3b-2e2388e9fa81.aspx</comments>
      <category>Fraud</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=eb0ac7be-01bd-4d48-a164-a9b5c570a52c</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,eb0ac7be-01bd-4d48-a164-a9b5c570a52c.aspx</pingback:target>
      <dc:creator>Luben Solev</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,eb0ac7be-01bd-4d48-a164-a9b5c570a52c.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=eb0ac7be-01bd-4d48-a164-a9b5c570a52c</wfw:commentRss>
      <slash:comments>2</slash:comments>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
I was recently sent a <a href="http://www.youtube.com/watch?v=aXV-yaFmQNk">viral video
of a baby</a> who's used an iPad to such an extent that she tried to use the same
tablet UI gestures (swiping, clicking and pinch-zooming) when given a real (i.e. dead
tree) magazine.
</p>
        <p>
 
</p>
        <p>
What struck me was how the video appeared to polarize opinion between the people who
chastised the parents for 'ruining their child's future' and those who hailed this
as a watershed moment in human evolution.
</p>
        <p>
 
</p>
        <p>
As with many things in life, I try to take the middle ground.
</p>
        <p>
 
</p>
        <p>
Yes, tablets and modern phone devices with their large capacitive screens are indeed
enabling content consumption on a scale not seen before. And <a href="http://en.wikipedia.org/wiki/Electronic_paper">electronic
paper</a> eBook readers are enabling people to hold rooms full of dead tree-style
books in something that would fit in one's back pocket. Both of these points have
to be worth something! Plus I don't remember reading about anyone <a href="http://www.theregister.co.uk/2011/06/02/ipad_kidney/">selling
their kidney</a> for a desktop PC to browse the internet on.
</p>
        <p>
 
</p>
        <p>
But with schools and libraries still very much reliant on traditional printed matter,
this baby (and her children and grandchildren no doubt) will grow up knowing how
to read and use physical books just fine.
</p>
        <p>
 
</p>
        <p>
On the other hand, I can see that with the further development of these technologies,
one day books will indeed be relegated to niche areas. Remember records, tapes and
CDs anybody?
</p>
        <p>
 
</p>
        <p>
And before some of you start protesting violently or getting melancholy over the demise
of paper as a form of an information transmission medium, just remember that it wasn't
the first (see <a href="http://en.wikipedia.org/wiki/Cave_painting">cavemen</a> or
for the believers amongst you <a href="http://en.wikipedia.org/wiki/Tablets_of_Stone">Moses</a>)
nor were tablets the first to challenge the written paper's dominance. Do you recall
the time when <a href="http://www.telegraph.co.uk/culture/books/booknews/7970391/Oxford-English-Dictionary-will-not-be-printed-again.html">dictionaries
were printed</a> and we used to send letters to each other? The internet and email
took care of both.
</p>
        <p>
 
</p>
        <p>
          <strong>Just another step-change</strong>
          <br />
And this is precisely why I have to disagree with the iPad evangelists hailing its
“<a href="http://www.google.co.uk/#sclient=psy-ab&amp;hl=en&amp;safe=off&amp;source=hp&amp;q='magical+and+revolutionary'&amp;pbx=1&amp;oq='magical+and+revolutionary'&amp;aq=f&amp;aqi=g1g-v3&amp;aql=1&amp;gs_sm=e&amp;gs_upl=5496l6487l4l6825l2l2l0l0l0l1l1189l1316l0.1.7-1l2l0&amp;pws=0&amp;bav=on.2,or.r_gc.r_pw.,cf.osb&amp;fp=fe3ddd13887eb71a&amp;biw=1600&amp;bih=1075">magical
and revolutionary</a>” properties. We have to look at this as just another step change
in the way we consume information and interact with technology around us. The bottom
line is - consumers expect things to be easy. And following the ethos of taking complexity
out of technology/online shopping, Apple this year briefly captured the title of <a href="http://www.guardian.co.uk/business/2011/aug/09/apple-pips-exxon-as-worlds-biggest-company">world's
biggest company based on market valuation</a> (before falling back to a still respectable
second place) and Amazon has become <a href="http://en.wikipedia.org/wiki/Amazon.com">arguably
the biggest e-tailer in the world</a>.
</p>
        <p>
 
</p>
        <p>
          <strong>The power of 3</strong>
          <br />
So what does this mean for all of us in the Loyalty, Fraud and Payment fields? Well,
some could be confused into thinking that the answer is apps or cool chrome buttons,
but for me the key to the success of modern smartphones and tablets lies as much in
under-the-skin integration as in the resulting ease of use.
</p>
        <p>
 
</p>
        <p>
Combining payment, loyalty and fraud functions together into a single customer interaction
management solution can make things easy for customers too in a number of interesting
ways.
</p>
        <p>
 
</p>
        <p>
For example, combining Payment and Fraud data will help <a href="http://www.bbc.co.uk/news/business-15172469">drive
down card fraud</a> even further than with the current methods of doing fraud checks
with each payment over a certain value, which will lead to extra revenue for banks
and retailers and lower banking costs for consumers.
</p>
        <p>
 
</p>
        <p>
Combining Loyalty and Fraud can improve loyalty scheme ROI by reducing losses due
to <a href="http://en.wikipedia.org/wiki/Sweethearting">sweethearting</a> and allow
retailers to pass greater rewards to their customers.
</p>
        <p>
 
</p>
        <p>
Combining Payment and Loyalty can mean the end of carrying numerous loyalty cards/key
fobs as well as tedious sign up processes. It can even give retailers the ability
to start offering all their repeat customers tailored offers at the point of purchase
before they have even actively opted in to a scheme.
</p>
        <p>
 
</p>
        <p>
The combination of all three services will contain all of the above benefits together
with the advantages of storing the information in a single database. And together
with other technologies such as <a href="http://www.the-logic-group.com/Product/Solve%20DataShield">tokenisation</a>,
this triad will allow retailers to offer their customers a fast, intuitive, safe and
rewarding shopping experience whether in-store, online or on their phones.
</p>
        <p>
 
</p>
        <p>
And once that's all in place, we'll have plenty of time to spend fretting over what
gradient to use in the latest iteration of our website's 'BUY' button.
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=eb0ac7be-01bd-4d48-a164-a9b5c570a52c" />
      </body>
      <title>What can our industries learn from the success of smartphones and tablets</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,eb0ac7be-01bd-4d48-a164-a9b5c570a52c.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/10/20/WhatCanOurIndustriesLearnFromTheSuccessOfSmartphonesAndTablets.aspx</link>
      <pubDate>Thu, 20 Oct 2011 11:56:51 GMT</pubDate>
      <description>&lt;p&gt;
I was recently sent a &lt;a href="http://www.youtube.com/watch?v=aXV-yaFmQNk"&gt;viral video
of a baby&lt;/a&gt; who's used an iPad to such an extent that she tried to use the same
tablet UI gestures (swiping, clicking and pinch-zooming) when given a real (i.e. dead
tree) magazine.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
What struck me was how the video appeared to polarize opinion between the people who
chastised the parents for 'ruining their child's future' and those who hailed this
as a watershed moment in human evolution.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
As with many things in life, I try to take the middle ground.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Yes, tablets and modern phone devices with their large capacitive screens are indeed
enabling content consumption on a scale not seen before. And &lt;a href="http://en.wikipedia.org/wiki/Electronic_paper"&gt;electronic
paper&lt;/a&gt; eBook readers are enabling people to hold rooms full of dead tree-style
books in something that would fit in one's back pocket. Both of these points have
to be worth something! Plus I don't remember reading about anyone &lt;a href="http://www.theregister.co.uk/2011/06/02/ipad_kidney/"&gt;selling
their kidney&lt;/a&gt; for a desktop PC to browse the internet on.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
But with schools and libraries still very much reliant on traditional printed matter,
this baby (and her children and grandchildren no doubt) will grow up knowing how
to read and use physical books just fine.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
On the other hand, I can see that with the further development of these technologies,
one day books will indeed be relegated to niche areas. Remember records, tapes and
CDs anybody?
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
And before some of you start protesting violently or getting melancholy over the demise
of paper as a form of an information transmission medium, just remember that it wasn't
the first (see &lt;a href="http://en.wikipedia.org/wiki/Cave_painting"&gt;cavemen&lt;/a&gt; or
for the believers amongst you &lt;a href="http://en.wikipedia.org/wiki/Tablets_of_Stone"&gt;Moses&lt;/a&gt;)
nor were tablets the first to challenge the written paper's dominance. Do you recall
the time when &lt;a href="http://www.telegraph.co.uk/culture/books/booknews/7970391/Oxford-English-Dictionary-will-not-be-printed-again.html"&gt;dictionaries
were printed&lt;/a&gt; and we used to send letters to each other? The internet and email
took care of both.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
&lt;strong&gt;Just another step-change&lt;/strong&gt;
&lt;br /&gt;
And this is precisely why I have to disagree with the iPad evangelists hailing its
”&lt;a href="http://www.google.co.uk/#sclient=psy-ab&amp;amp;hl=en&amp;amp;safe=off&amp;amp;source=hp&amp;amp;q='magical+and+revolutionary'&amp;amp;pbx=1&amp;amp;oq='magical+and+revolutionary'&amp;amp;aq=f&amp;amp;aqi=g1g-v3&amp;amp;aql=1&amp;amp;gs_sm=e&amp;amp;gs_upl=5496l6487l4l6825l2l2l0l0l0l1l1189l1316l0.1.7-1l2l0&amp;amp;pws=0&amp;amp;bav=on.2,or.r_gc.r_pw.,cf.osb&amp;amp;fp=fe3ddd13887eb71a&amp;amp;biw=1600&amp;amp;bih=1075"&gt;magical
and revolutionary&lt;/a&gt;” properties. We have to look at this as just another step change
in the way we consume information and interact with technology around us. The bottom
line is - consumers expect things to be easy. And following the ethos of taking complexity
out of technology/online shopping Apple this year briefly captured the title of &lt;a href="http://www.guardian.co.uk/business/2011/aug/09/apple-pips-exxon-as-worlds-biggest-company"&gt;world's
biggest company based on market valuation&lt;/a&gt; (before falling back to a still respectable
second place) and Amazon has become &lt;a href="http://en.wikipedia.org/wiki/Amazon.com"&gt;arguably
the biggest etailer in the world&lt;/a&gt;.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
&lt;strong&gt;The power of 3&lt;/strong&gt;
&lt;br /&gt;
So what does this mean for all of us in the Loyalty, Fraud and Payment fields? Well,
some could be confused into thinking that the answer is apps or cool chrome buttons,
but for me the key to the success of modern smartphones and tablets lies as much in
the under-the-skin integration as in the resulting ease of use.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Combining payment, loyalty and fraud functions together into a single customer interaction
management solution can make things easy for customers too in a number of interesting
ways.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
For example, combining Payment and Fraud data will help &lt;a href="http://www.bbc.co.uk/news/business-15172469"&gt;drive
down card fraud&lt;/a&gt; even further than with the current methods of doing fraud checks
with each payment over a certain value, which will lead to extra revenue for banks
and retailers and lower banking costs for consumers.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Combining Loyalty and Fraud can improve loyalty scheme ROI by reducing losses due
to &lt;a href="http://en.wikipedia.org/wiki/Sweethearting"&gt;sweethearting&lt;/a&gt; and allow
retailers to pass greater rewards to their customers.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Combining Payment and Loyalty can mean the end of carrying numerous loyalty cards/key
fobs as well as tedious sign up processes. It can even give retailers the ability
to start offering all their repeat customers tailored offers at the point of purchase
before they have even actively opted-in to a scheme.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
The combination of all three services will contain all of the above benefits together
with the advantages of storing the information in a single database. And together
with other technologies such as &lt;a href="http://www.the-logic-group.com/Product/Solve%20DataShield"&gt;tokenisation&lt;/a&gt;,
this triad will allow retailers to offer their customers a fast, intuitive, safe and
rewarding shopping experience whether in-store, online or on their phones.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
And once that's all in place, we'll have plenty of time to spend fretting over what
gradient to use in the latest iteration of our website's 'BUY' button.
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=eb0ac7be-01bd-4d48-a164-a9b5c570a52c" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,eb0ac7be-01bd-4d48-a164-a9b5c570a52c.aspx</comments>
      <category>Customer Interaction </category>
      <category>Fraud</category>
      <category>Loyalty</category>
      <category>Mobile</category>
      <category>Payments</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=75efd82e-18f2-4ea5-8731-bab660ef544d</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,75efd82e-18f2-4ea5-8731-bab660ef544d.aspx</pingback:target>
      <dc:creator>Robin Adams</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,75efd82e-18f2-4ea5-8731-bab660ef544d.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=75efd82e-18f2-4ea5-8731-bab660ef544d</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
I returned from holiday to find another attack vector has raised its ugly head. Reading
the latest news, at least two hundred fraudulent SSL certificates (and possibly over
five hundred) have been issued from a trusted root certificate authority (CA). In
this case, it appears that Diginotar, the Dutch trusted third party has been breached
and spoof certificates for common domain names including google.com have been issued.
This follows on from a breach at Comodo earlier in the year.
</p>
        <p>
 
</p>
        <p>
What are the implications of this? Well the Diginotar root certificates are included
within the trusted root authority stores of all common browsers, meaning that the
fraudulent certificates would have been trusted when creating a SSL connection. These
can be used to create encrypted tunnels to <a href="http://en.wikipedia.org/wiki/Website_spoofing" target="_blank">spoof
sites</a> where sensitive information could be transmitted, or leading to potential <a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack" target="_blank">Man
in the Middle</a> attacks.
</p>
        <p>
 
</p>
        <p>
There has been a scramble among the leading providers to remove the Diginotar certificates
from trusted stores. <a href="http://www.microsoft.com/technet/security/advisory/2607712.mspx" target="_blank">Microsoft</a> and <a href="http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/" target="_blank">The
Mozilla Foundation</a> have reacted quickly publishing security updates, and Google
have also <a href="http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html" target="_blank">updated
Chrome</a>, by adding the issued certificates to a blacklist. No news yet on Safari.
</p>
        <p>
 
</p>
        <p>
What does this mean? Well it means the hackers are getting better and more sophisticated
as the counter measures themselves have improved.
</p>
        <p>
 
</p>
        <p>
The certificate model used for e-commerce has always been one area of concern. Once
a root certificate is added to the trusted root store, it is difficult to remove and
the model of certificate revocations, based on a <a href="http://en.wikipedia.org/wiki/Revocation_list" target="_blank">Certificate
Revocation List</a> (CRL) has always relied on end user intervention, even when it
is available; consequently it is rarely used. The better technology, <a href="http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol" target="_blank">Online
Certificate Status Protocol</a> (OCSP), which provides real-time validation of a certificate
is available now in browsers, but not all, and not always by default. However in either
case, if the breach wasn’t discovered, the certificates wouldn’t have been revoked,
so the response from the CA would have been positive.
</p>
        <p>
 
</p>
        <p>
So for end-users it adds another level of confusion. Now, even if they connect to
a site which apparently provides a trusted secure link, they must confirm that this
trust hasn’t been established through a Diginotar root Certificate Authority – either
by validating the certificate chain, ensuring that the relevant security updates have
been installed or OCSP validation is enabled.
</p>
        <p>
 
</p>
        <p>
Once again the hackers have found a weak link – and Diginotar have some hard questions
to answer. The initial report on the breach states that the hackers obtained full
domain administrator rights to the domain where the CAs were located. The password
for this account was described as “weak” and the compromise of this one password led
to full access to the CA estate.
</p>
        <p>
 
</p>
        <p>
Malicious software has been discovered on the servers, which could have been picked
up by Anti-Virus software – if only it had been installed. Not only that but the web
server software was stated to be outdated and not patched.
</p>
        <p>
 
</p>
        <p>
In addition there appears to be no central secure logging server, meaning that local
logs are likely to have been compromised. Although the Payment Card Industry Data
Security Standard (PCI DSS) does get bad press occasionally for being prescriptive
and dogmatic, if Diginotar had gone through a Level 1 Service Provider PCI DSS audit,
each of those weaknesses should have been identified and resolved. For example:
</p>
        <ul>
          <li>
PCI DSS 8.5 requires that strong passwords are in place</li>
          <li>
PCI DSS 6.1 requires a patching policy involving maintaining up to date software with
installation of security patches</li>
          <li>
PCI DSS 6.2 requires a process to identify new security vulnerabilities when they
are discovered</li>
          <li>
PCI DSS 5.1 requires anti-virus software on all systems commonly affected by malicious
software (including servers)</li>
          <li>
PCI DSS 10.5 requires secure audit trails held centrally</li>
        </ul>
        <p>
          <br />
I suspect I could go on finding controls which would have failed.
</p>
        <p>
 
</p>
        <p>
Looking at the current PCI DSS service provider lists there don’t appear to be any
SSL certificate authority providers on the Visa Europe Service Provider list, and
currently no requirement at this time. Since these SSL certificates are commonly used
for e-commerce, perhaps Visa Europe and Mastercard should consider asking these companies
to undergo such an audit to provide some level of confidence to the general user community.
</p>
        <p>
 
</p>
        <p>
Certainly all providers of root certificates which are added to trusted root stores
should have undergone some form of security audit. If I was a provider of a root certificate
I think I would be running a risk assessment and validating and increasing my security
to an appropriate level. Being centre stage to the hacker community is never a comfortable
place to be.
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=75efd82e-18f2-4ea5-8731-bab660ef544d" />
      </body>
      <title>Compromised certificates – The root of all Evil?</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,75efd82e-18f2-4ea5-8731-bab660ef544d.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/09/12/CompromisedCertificatesTheRootOfAllEvil.aspx</link>
      <pubDate>Mon, 12 Sep 2011 09:01:49 GMT</pubDate>
      <description>&lt;p&gt;
I returned from holiday to find another attack vector has raised its ugly head. Reading
the latest news, at least two hundred fraudulent SSL certificates (and possibly over
five hundred) have been issued from a trusted root certificate authority (CA). In
this case, it appears that Diginotar, the Dutch trusted third party has been breached
and spoof certificates for common domain names including google.com have been issued.
This follows on from a breach at Comodo earlier in the year.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
What are the implications of this? Well the Diginotar root certificates are included
within the trusted root authority stores of all common browsers, meaning that the
fraudulent certificates would have been trusted when creating a SSL connection. These
can be used to create encrypted tunnels to &lt;a href="http://en.wikipedia.org/wiki/Website_spoofing" target=_blank&gt;spoof
sites&lt;/a&gt; where sensitive information could be transmitted, or leading to potential &lt;a href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack" target=_blank&gt;Man
in the Middle&lt;/a&gt; attacks.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
There has been a scramble among the leading providers to remove the Diginotar certificates
from trusted stores. &lt;a href="http://www.microsoft.com/technet/security/advisory/2607712.mspx" target=_blank&gt;Microsoft&lt;/a&gt; and &lt;a href="http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/" target=_blank&gt;The
Mozilla Foundation&lt;/a&gt; have reacted quickly publishing security updates, and Google
have also &lt;a href="http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html" target=_blank&gt;updated
Chrome&lt;/a&gt;, by adding the issued certificates to a blacklist. No news yet on Safari.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
What does this mean? Well it means the hackers are getting better and more sophisticated
as the counter measures themselves have improved.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
The certificate model used for e-commerce has always been one area of concern. Once
a root certificate is added to the trusted root store, it is difficult to remove and
the model of certificate revocations, based on a &lt;a href="http://en.wikipedia.org/wiki/Revocation_list" target=_blank&gt;Certificate
Revocation List&lt;/a&gt; (CRL) has always relied on end user intervention, even when it
is available; consequently it is rarely used. The better technology, &lt;a href="http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol" target=_blank&gt;Online
Certificate Status Protocol&lt;/a&gt; (OCSP), which provides real-time validation of a certificate
is available now in browsers, but not all, and not always by default. However in either
case, if the breach wasn’t discovered, the certificates wouldn’t have been revoked,
so the response from the CA would have been positive.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
So for end-users it adds another level of confusion. Now, even if they connect to
a site which apparently provides a trusted secure link, they must confirm that this
trust hasn’t been established through a Diginotar root Certificate Authority – either
by validating the certificate chain, ensuring that the relevant security updates have
been installed or OCSP validation is enabled.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Once again the hackers have found a weak link – and Diginotar have some hard questions
to answer. The initial report on the breach states that the hackers obtained full
domain administrator rights to the domain where the CAs were located. The password
for this account was described as “weak” and the compromise of this one password led
to full access to the CA estate.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Malicious software has been discovered on the servers, which could have been picked
up by Anti-Virus software – if only it had been installed. Not only that but the web
server software was stated to be outdated and not patched.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
In addition there appears to be no central secure logging server, meaning that local
logs are likely to have been compromised. Although the Payment Card Industry Data
Security Standard (PCI DSS) does get bad press occasionally for being prescriptive
and dogmatic, if Diginotar had gone through a Level 1 Service Provider PCI DSS audit,
each of those weaknesses should have been identified and resolved. For example:
&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
PCI DSS 8.5 requires that strong passwords are in place&lt;/li&gt;
&lt;li&gt;
PCI DSS 6.1 requires a patching policy involving maintaining up to date software with
installation of security patches&lt;/li&gt;
&lt;li&gt;
PCI DSS 6.2 requires a process to identify new security vulnerabilities when they
are discovered&lt;/li&gt;
&lt;li&gt;
PCI DSS 5.1 requires anti-virus software on all systems commonly affected by malicious
software (including servers)&lt;/li&gt;
&lt;li&gt;
PCI DSS 10.5 requires secure audit trails held centrally&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
&lt;br&gt;
I suspect I could go on finding controls which would have failed.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Looking at the current PCI DSS service provider lists there don’t appear to be any
SSL certificate authority providers on the Visa Europe Service Provider list, and
currently no requirement at this time. Since these SSL certificates are commonly used
for e-commerce, perhaps Visa Europe and Mastercard should consider asking these companies
to undergo such an audit to provide some level of confidence to the general user community.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Certainly all providers of root certificates which are added to trusted root stores
should have undergone some form of security audit. If I was a provider of a root certificate
I think I would be running a risk assessment and validating and increasing my security
to an appropriate level. Being centre stage to the hacker community is never a comfortable
place to be.
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=75efd82e-18f2-4ea5-8731-bab660ef544d" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,75efd82e-18f2-4ea5-8731-bab660ef544d.aspx</comments>
      <category>Fraud</category>
      <category>PCI DSS</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=879d6632-a3cb-4cd9-bcc8-5cbcf16b4715</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,879d6632-a3cb-4cd9-bcc8-5cbcf16b4715.aspx</pingback:target>
      <dc:creator>Mark Carpenter</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,879d6632-a3cb-4cd9-bcc8-5cbcf16b4715.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=879d6632-a3cb-4cd9-bcc8-5cbcf16b4715</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Last week, Apple withdrew an application that asked for a 4-digit PIN on startup.
Unbeknown to the user, the application was storing the passcodes and transmitting
them back to the developer. Fortunately this time, it was not for malicious purposes,
but more out of curiosity! The developer was amazed how the same passcode
was used again and again, and that half of the codes would not have been difficult
to guess.
</p>
        <p>
 
</p>
        <p>
With so many requirements on a four digit PIN, there is a tendency to reuse the same
PIN across multiple cards and devices. It would not be a stretch of the imagination
to suggest that the passcode used for this application would have been the same as
the one to unlock the phone, which would likely be the same as the user's payment cards!
</p>
        <p>
 
</p>
        <p>
Over 47% of the results showed that either 1234 or 0000 was used as the code.
This might not be a fair reflection on card PIN numbers as apps are almost disposable,
and people would enter a PIN to have a play with the application, and then discard
it – in this case, I would not expect anything other than a simple passcode to be
used. Where the results are more interesting is in the use of patterns
including 2580 (a vertical line down), 0852 (a vertical line up) and 5683 (L O V E
on a keypad!) accounting for another 25% of passcodes.
</p>
        <p>
 
</p>
        <p>
Results also show a high proportion of numbers starting with 19 or 20 – suggesting
that a year (year of birth?) is being used for the code.
</p>
        <p>
 
</p>
        <p>
How many of us fall into the trap of reusing our card PIN in other applications?
More and more of us have Smartphones and other devices requiring a passcode.
This analysis has certainly made me think about ensuring that my secure details are
“secure!” As the phone becomes an integral part of our lives, now including
making payments from the phone, should we look to increase the security surrounding
our PINs and passwords?
</p>
        <p>
 
</p>
        <p>
How many of us will rush out to change our PINs after realizing how exposed we are
from using patterns or dates of birth? I for one will give a little more thought
to my next passcode – hoping to fall out of the 70% included in the top 5 most commonly
used codes!
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=879d6632-a3cb-4cd9-bcc8-5cbcf16b4715" />
      </body>
      <title>I 5683 PIN - Common PIN numbers revealed</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,879d6632-a3cb-4cd9-bcc8-5cbcf16b4715.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/07/04/I5683PINCommonPINNumbersRevealed.aspx</link>
      <pubDate>Mon, 04 Jul 2011 10:19:24 GMT</pubDate>
      <description>&lt;p&gt;
Last week, Apple withdrew an application that asked for a 4-digit PIN on startup.&amp;nbsp;
Unbeknown to the user, the application was storing the passcodes and transmitting
them back to the developer. Fortunately this time, it was not for malicious purposes,
but more out of curiosity!&amp;nbsp;&amp;nbsp; The developer was amazed how the same passcode
was used again and again, and that half of the codes would not have been difficult
to guess.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
With so many requirements on a four digit PIN, there is a tendency to reuse the same
PIN across multiple cards and devices. It would not be a stretch of the imagination
to suggest that the passcode used for this application would have been the same as
the one to unlock the phone, which would likely be the same as the user's payment cards!
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Over 47% of the results showed that either 1234 or 0000 was used as the code.&amp;nbsp;
This might not be a fair reflection on card PIN numbers as apps are almost disposable,
and people would enter a PIN to have a play with the application, and then discard
it – in this case, I would not expect anything other than a simple passcode to be
used.&amp;nbsp;&amp;nbsp; Where the results are more interesting is in the use of patterns
including 2580 (a vertical line down), 0852 (a vertical line up) and 5683 (L O V E
on a keypad!) accounting for another 25% of passcodes.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Results also show a high proportion of numbers starting with 19 or 20 – suggesting
that a year (year of birth?) is being used for the code.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
How many of us fall into the trap of reusing our card PIN in other applications?&amp;nbsp;
More and more of us have Smartphones and other devices requiring a passcode.&amp;nbsp;
This analysis has certainly made me think about ensuring that my secure details are
“secure!”&amp;nbsp; As the phone becomes an integral part of our lives, now including
making payments from the phone, should we look to increase the security surrounding
our PINs and passwords?
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
How many of us will rush out to change our PINs after realizing how exposed we are
from using patterns or dates of birth?&amp;nbsp; I for one will give a little more thought
to my next passcode – hoping to fall out of the 70% included in the top 5 most commonly
used codes!
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=879d6632-a3cb-4cd9-bcc8-5cbcf16b4715" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,879d6632-a3cb-4cd9-bcc8-5cbcf16b4715.aspx</comments>
      <category>Customer Interaction </category>
      <category>Fraud</category>
      <category>Mobile</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=69f3678a-3ec7-4764-ae18-18158afd84d4</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,69f3678a-3ec7-4764-ae18-18158afd84d4.aspx</pingback:target>
      <dc:creator>Robin Adams</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,69f3678a-3ec7-4764-ae18-18158afd84d4.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=69f3678a-3ec7-4764-ae18-18158afd84d4</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Well looking at the latest news, Sony Corp. still remains in the spotlight. A new
hacking group seem to have made Sony Corp. the focus of their current efforts. However
I believe the most interesting incident from a security perspective is the attempted
break in at Lockheed Martin and the recent announcement from RSA regarding the replacement
of SecurID tokens.
</p>
        <p>
 
</p>
        <p>
As many people are aware, RSA recently announced that they had suffered a breach and
the news filtering out from Lockheed Martin suggests that the information taken from
RSA had been used to form part of the attempt to breach Lockheed Martin. It is to
Lockheed Martin’s credit that they seem to have spotted the attempt early on and taken
steps to halt it.
</p>
        <p>
 
</p>
        <p>
I thought it would be interesting to speculate how this attempt had been put together.
</p>
        <p>
 
</p>
        <p>
As many people know, RSA provide the SecurID tokens which provide one-time token-codes
which, when combined with a password or PIN can help meet the two-factor authentication
requirements of standards such as the PCI DSS. For example, PCI DSS specifically requires
two-factor authentication for remote access, defined as network level access from
outside of the network, as part of Control 8.3.
</p>
        <p>
 
</p>
        <p>
So, if the token-code changes after every use, could data retained at RSA have been
used?
</p>
        <p>
 
</p>
        <p>
Well since RSA have stated that they will actively replace SecurID tokens for large
corporations, one must assume that some essential data was compromised.
</p>
        <p>
 
</p>
        <p>
Taking a step back, it is probably worth describing how the RSA token is believed
to work. The token code generation changed recently to support AES, so I will assume
this is what we are working with, as this will provide enough of an overview.
</p>
        <p>
 
</p>
        <p>
Each token will have a unique random value which is referred to as the seed. This
is a 128-bit value. On top of that there will be a 64 bit representation of time,
a 32 bit salt and a 32 bit padding value. The values are placed together and then
encrypted under the AES algorithm in ECB mode, which means that AES is used as a pseudo
hashing algorithm. This will, after some manipulation, be the code to be displayed
as a 6 to 8 digit value.
</p>
        <p>
 
</p>
        <p>
Since RSA are using a symmetric encryption algorithm, then the validation of this
code will require an authenticating server to make the same calculation with the same
information and come up with a match. This implies this server must know the seed
value and the salt. In fact I believe the salt value is actually the serial number
of the token.
</p>
        <p>
 
</p>
        <p>
Since these values are loaded into the token at build time, then obviously during
the fabrication process, RSA will have knowledge of these (in order to load them)
and then they must pass these values across to their merchant to load into their authentication
server. So we can presume there are three copies, RSA, the authentication server at
Lockheed Martin and then the actual token.
</p>
        <p>
 
</p>
        <p>
If this model is correct, then it would appear that the hackers of RSA went after
the token seeds and serial numbers and with these, they could then potentially generate
the token codes at any given time.
</p>
        <p>
 
</p>
        <p>
Of course this only provides one of the two factors of authentication in this model.
When a user logs in remotely they are asked for their username, and then they normally
enter the token code and then either a PIN or password. So the hacker will now have
had to try and access the username and PIN. Similarly they would need to know which
token belongs to which user. These extra steps may explain why the RSA hack was treated
in a relatively benign way to begin with.
</p>
        <p>
 
</p>
        <p>
If we move back to the details of the RSA hack, then we already know that this was
achieved with a zero-day attack using a vulnerability in Adobe Flash after spear phishing
a set of RSA employees. Once in, they were able to use a modified remote administration
tool to collect usernames and passwords. One assumes that if the same team is involved,
then they may well have attempted the same mechanism to exploit a set of Lockheed
Martin employees. If they achieved similar success then they would have gained both
factors of the two-factor. The combination of the two would then permit an illegal
entry.
</p>
        <p>
 
</p>
        <p>
This shows both the sophistication of the attack and the determination of the hacking
team. Lockheed Martin seem to have had a defence in depth approach to security so
even though their perimeter was breached, the behaviour or activity which was spotted
raised alerts which permitted this attack to be halted.
</p>
        <p>
 
</p>
        <p>
This defence in depth approach is built into standards such as PCI DSS. PCI DSS and
similar standards do put great emphasis on perimeter defence and strong authentication,
but PCI DSS also requires many further controls, such as the logging and monitoring of
all access to the environment, for exactly this reason: a breached perimeter still has
to be noticed. So perhaps the next time PCI DSS seems to be expecting too much, you may
reflect on this particular attack.
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=69f3678a-3ec7-4764-ae18-18158afd84d4" />
      </body>
      <title>Are the hackers moving up a gear?</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,69f3678a-3ec7-4764-ae18-18158afd84d4.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/06/24/AreTheHackersMovingUpAGear.aspx</link>
      <pubDate>Fri, 24 Jun 2011 08:36:01 GMT</pubDate>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,69f3678a-3ec7-4764-ae18-18158afd84d4.aspx</comments>
      <category>Fraud</category>
      <category>PCI DSS</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=8fe7201b-b4f7-4889-813a-4db7bc050fee</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,8fe7201b-b4f7-4889-813a-4db7bc050fee.aspx</pingback:target>
      <dc:creator>Robin Adams</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,8fe7201b-b4f7-4889-813a-4db7bc050fee.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=8fe7201b-b4f7-4889-813a-4db7bc050fee</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
I wonder what the Japanese is for “when you are in a hole it’s usually a good time
to stop digging”?
</p>
        <p>
        </p>
        <p>
I read the new Sony press release with some bemusement; the one with regard to the
loss of 25 million further customer details from Sony Online Entertainment. The release
had the <a href="http://www.soe.com/securityupdate/" target="_blank">following statement</a>:
</p>
        <p>
        </p>
        <p>
          <em>information from an outdated database from 2007 containing approximately 12,700
non-US customer credit or debit card numbers and expiration dates (but not credit
card security codes) and about 10,700 direct debit records listing bank account numbers
of certain customers in Germany, Austria, Netherlands and Spain may have also been
obtained.</em>
        </p>
        <p>
        </p>
        <p>
I wonder if Sony are aware of the Payment Card Industry Data Security Standard (PCI
DSS), since they are very effectively stating their non-compliance. PCI DSS requirement
3.1 states that cardholder data storage must be kept to a minimum and that a data retention
and disposal policy must be implemented, including a process for the secure deletion
of cardholder data when it is no longer required. I would suggest an outdated credit
card database from 2007 falls squarely into this category.
</p>
        <p>
        </p>
        <p>
Not only that, but the PCI DSS Prioritised Approach groups the 220+ controls into six
milestones (risk levels), and control 3.1 is one of only 8 controls considered severe
enough to be placed in milestone 1. In these litigious days one can only assume that the
Sony lawyers and Marcom staff who proofread this statement were missing during the
security awareness training (control 12.6, milestone 6 :-) )
</p>
        <p>
        </p>
        <p>
On another tack with regard to this breach, I have been reading that Sony have said
that in the original attack they couldn’t be sure whether the credit card database
(the large one) had been stolen, but that in any case the entire database was encrypted.
        <p>
        </p>
        <p>
This statement has been endlessly repeated – yet no-one that I can find has asked
Sony the obvious question: “Did they take the decryption keys as well?” Because let’s
face it, if they got the keys as well, then the encryption is as useful to Sony and
its customers as the proverbial chocolate teapot.
        <p>
        </p>
        <p>
Where were the decryption keys? Well this is a rhetorical question because I don’t
know – and let’s hope that neither did the hackers.
</p>
        <p>
        </p>
        <p>
However, if you are smart enough to grab millions of card details from a large organisation’s
database and then find it is encrypted, you might just be tempted to wander back in
to see if you can find a decryption key. Even worse, imagine if the key was stored
in the database itself, or put in clear text into a configuration file, or left under
the doormat (in a humorous virtual way) – surely no one would do that. It is exactly
why PCI DSS requirement 3.5 demands that keys are protected against disclosure and misuse
and stored in the fewest possible locations. But then again, surely no-one would leave
100 million personal details lying around, would they?
</p>
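        <p>
To make the "key under the doormat" point concrete, here is an added example (not code
from the original post or from Sony) that contrasts two ways of keeping the key for an
encrypted card database, seen from the position of a thief who has copied the whole
database server, configuration included. The stream cipher is a stand-in for AES built
from an HMAC-SHA256 keystream, because the Python standard library has no AES, and the
Kms class is an assumed stand-in for an HSM or key-management service that is not part
of the copied server. All keys, records and configuration values are constructed.
</p>

```python
import hashlib
import hmac
import os

# Added example, not code from the original post or from Sony. It contrasts two
# ways of keeping the key for an encrypted card database, from the point of
# view of a thief who has copied the whole database server: data files and
# configuration included. Assumptions: the stream cipher is a stand-in for AES
# built from an HMAC-SHA256 keystream (the standard library has no AES), and
# the Kms class stands in for an HSM or key-management service that is not on
# the copied server. Keys, records and configuration values are constructed.

NONCE_LEN = 12


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) != len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[len(out):len(out) + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
        counter += 1
    return bytes(out)


def encrypt_record(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt_record(key, blob):
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Kms:
    """Holds the key-encrypting key (KEK). Only it can unwrap the data key."""

    def __init__(self):
        self._kek = os.urandom(16)

    def wrap(self, data_key):
        return encrypt_record(self._kek, data_key)

    def unwrap(self, wrapped):
        return decrypt_record(self._kek, wrapped)


def build_server_image(records, key_in_config):
    """Encrypt the records and write the key material the way each design does.

    key_in_config=True:  the data key itself sits in clear text in the config
                         (the 'under the doormat' design).
    key_in_config=False: the config holds only the data key wrapped by the KMS."""
    data_key = os.urandom(16)
    kms = Kms()
    rows = [encrypt_record(data_key, record) for record in records]
    if key_in_config:
        config = {"db_key": data_key.hex()}
    else:
        config = {"wrapped_db_key": kms.wrap(data_key).hex()}
    return {"rows": rows, "config": config}, kms


def thief_decrypts(image):
    """What the thief recovers from the copied server alone."""
    config = image["config"]
    if "db_key" in config:
        key = bytes.fromhex(config["db_key"])
        return [decrypt_record(key, row) for row in image["rows"]]
    return []  # a wrapped key without the KEK is just more ciphertext


def application_decrypts(image, kms):
    """The legitimate path, which can ask the KMS to unwrap the data key."""
    config = image["config"]
    if "db_key" in config:
        key = bytes.fromhex(config["db_key"])
    else:
        key = kms.unwrap(bytes.fromhex(config["wrapped_db_key"]))
    return [decrypt_record(key, row) for row in image["rows"]]


# Constructed records using standard test card numbers, not real cardholder data.
CARDS = [b"4111111111111111|12/13", b"5500000000000004|06/14"]
```

        <p>
In the first design the thief who copies the server gets the cards in clear; in the second
the same copy yields only a wrapped key, and the attacker now has to compromise a second,
separately defended system before the ciphertext is worth anything. That separation, not
the cipher, is what makes "the database was encrypted" a meaningful statement.
</p>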
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=8fe7201b-b4f7-4889-813a-4db7bc050fee" />
      </body>
      <title>Have you looked under the virtual mat?</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,8fe7201b-b4f7-4889-813a-4db7bc050fee.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/05/05/HaveYouLookedUnderTheVirtualMat.aspx</link>
      <pubDate>Thu, 05 May 2011 07:47:41 GMT</pubDate>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,8fe7201b-b4f7-4889-813a-4db7bc050fee.aspx</comments>
      <category>Fraud</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=699d6943-7187-4fe5-a777-e91a8c7f1442</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,699d6943-7187-4fe5-a777-e91a8c7f1442.aspx</pingback:target>
      <dc:creator>Robin Adams</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,699d6943-7187-4fe5-a777-e91a8c7f1442.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=699d6943-7187-4fe5-a777-e91a8c7f1442</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Today we hear <a href="http://uk.playstation.com/psn/news/articles/detail/item369506/PSN-Qriocity-Service-Update/" target="_blank">confirmation
about a breach of the Sony PlayStation Network</a> with the loss of millions of account
names and personal details and potentially the loss of payment card details such as
the payment card number and expiry date, but excluding the security code.
</p>
        <p>
        </p>
        <p>
The type of data rumoured lost includes names, addresses, email addresses, account
names, account passwords, dates of birth and answers to security questions.
By security questions one presumes the questions would be of a similar type to: What
is the name of your pet?
</p>
        <p>
        </p>
        <p>
          <strong>So should we be concerned?</strong>
        </p>
        <p>
Well if I was one of the potential victims of this theft I would be. Why? Because
the amount of personal data which has been supposedly taken would allow a fraudster
to start to take over my identity. Much of the rumoured stolen data can be used to
authenticate and validate a user, particularly when that user claims to have forgotten
the usual authentication tokens such as passwords and passphrases.
</p>
        <p>
        </p>
        <p>
The problems arise because we humans are quite forgetful of our authentication details
such as passwords. This means we tend to use the same password for multiple systems,
or at the very least similar passwords for similar systems, and when we do use random
passwords we tend to forget them. The systems we interact with are aware of this and
see our forgetfulness as a real inhibitor to validating and interacting with us. They
are also aware that a failed authentication could mean the loss of a sale or of a service.
However, they know that we remember personal details much better, so questions about
addresses, dates and favourite or personal facts become the fallback authentication
process for the service provider. Unfortunately, this also means that the same personal
information becomes far more valuable to an attacker.
</p>
        <p>
        </p>
        <p>
Only recently I was with a family member who was paying for some items on an ecommerce
website. As often occurs these days, as part of the card authentication process she
was taken to a 3-D Secure card authentication screen where she suddenly found she couldn’t
remember her secure password.
</p>
        <p>
        </p>
        <p>
Helpfully the bank in question gave her the option to select “Forgotten password?”
and she was then validated by being asked for her date of birth. Once validated by
this information, the password was permitted to be reset.
</p>
        <p>
        </p>
        <p>
Similarly, most on-line applications provide a way to recover forgotten or lost passwords
by asking for personal information such as date of birth or address, or for the answers
to some well-known security questions, such as name of pet, birthplace etc. – which
just happens to sound familiar. The problem is that much of this data can’t be changed:
it’s easy to change a compromised password, but how do you change a compromised
date of birth?
</p>
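        <p>
The following added example (not code from the original post, from Sony or from any bank)
models the two "forgotten password" designs just described: a knowledge-based reset that
accepts a date of birth as proof of identity, and a reset that instead sends a random,
single-use, expiring token to the email address already on the account. It then replays
a leaked data set of the kind described above against both. The leaked records, the
account records, the mailbox that stands in for the delivery channel and the clock (integer
seconds passed in by the caller) are all constructed, and every class and function name
is this example's own.
</p>

```python
import hmac
import secrets

# Added example, not code from the original post, from Sony or from any bank.
# It models the two "forgotten password" designs discussed above: one that
# accepts a date of birth as proof of identity, and one that sends a random,
# single-use, expiring token to a channel the account holder already controls.
# The leaked data set, the account records, the mailbox and the clock (integer
# seconds passed in by the caller) are all constructed for the example.

# What an attacker holds after a PlayStation-style leak (constructed).
LEAKED = {
    "alice": {"email": "alice@example.com", "dob": "1979-04-27", "pet": "Tiddles"},
    "bob": {"email": "bob@example.com", "dob": "1985-11-02", "pet": "Rex"},
}

# The bank's own records for the same people (constructed). The date of birth
# matches the leak because a person only has one, and it cannot be changed.
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "dob": "1979-04-27", "password": "hunter2"},
    "bob": {"email": "bob@example.com", "dob": "1985-11-02", "password": "letmein"},
}


def fresh_accounts():
    """A private copy of ACCOUNTS so each scenario starts from the same state."""
    return {user: dict(record) for user, record in ACCOUNTS.items()}


def kba_reset(accounts, user, dob_claimed, new_password):
    """Knowledge-based reset: the 'secret' is an unchangeable fact that is now
    in the leaked data set, so it proves nothing about who is asking."""
    record = accounts.get(user)
    if record is None or not hmac.compare_digest(record["dob"], dob_claimed):
        return False
    record["password"] = new_password
    return True


class OutOfBandReset:
    """Reset via a random token delivered to the registered email address.
    Leaked personal facts do not help: the token is unguessable, it expires,
    and it can be used once."""

    TTL_SECONDS = 900

    def __init__(self, accounts, mailbox):
        self.accounts = accounts
        self.mailbox = mailbox  # email address to list of delivered tokens
        self.pending = {}  # user to (token, issued_at)

    def request(self, user, email, now):
        # Identical reply whether or not the account exists (no user enumeration).
        record = self.accounts.get(user)
        if record is not None and record["email"] == email:
            token = secrets.token_urlsafe(32)
            self.pending[user] = (token, now)
            self.mailbox.setdefault(email, []).append(token)
        return "If the account exists, a reset link has been sent."

    def complete(self, user, token, new_password, now):
        entry = self.pending.get(user)
        if entry is None:
            return False
        expected, issued_at = entry
        if now not in range(issued_at, issued_at + self.TTL_SECONDS):
            self.pending.pop(user)  # expired
            return False
        if not hmac.compare_digest(expected, token):
            self.pending.pop(user)  # a wrong token burns the request: no repeated guessing
            return False
        self.pending.pop(user)  # single use
        self.accounts[user]["password"] = new_password
        return True


def takeover_with_leak_kba(accounts, leaked):
    """Every leaked date of birth resets the matching account."""
    return [u for u, facts in leaked.items() if kba_reset(accounts, u, facts["dob"], "pwned")]


def takeover_with_leak_oob(reset, leaked, now):
    """The thief can trigger resets but never sees the delivered tokens, so the
    best available move is a random guess of the same shape."""
    taken = []
    for u, facts in leaked.items():
        reset.request(u, facts["email"], now)
        if reset.complete(u, secrets.token_urlsafe(32), "pwned", now):
            taken.append(u)
    return taken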
        <p>
        </p>
        <p>
So if I was one of the potentially compromised users in the Sony PlayStation network
I’d be working very hard today to change any account details which used the same or
similar account names and passwords, thinking about changing my email address and
I’d either kill the cat, or at least rename her!
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=699d6943-7187-4fe5-a777-e91a8c7f1442" />
      </body>
      <title>PlayStation User? Kill the cat!</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,699d6943-7187-4fe5-a777-e91a8c7f1442.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/04/27/PlayStationUserKillTheCat.aspx</link>
      <pubDate>Wed, 27 Apr 2011 15:21:47 GMT</pubDate>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,699d6943-7187-4fe5-a777-e91a8c7f1442.aspx</comments>
      <category>Fraud</category>
      <category>Payments</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=9cf802d5-2f1e-422b-83ef-815fc3a8f52c</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,9cf802d5-2f1e-422b-83ef-815fc3a8f52c.aspx</pingback:target>
      <dc:creator>Robin Adams</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,9cf802d5-2f1e-422b-83ef-815fc3a8f52c.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=9cf802d5-2f1e-422b-83ef-815fc3a8f52c</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Why is it that whenever there is a breach of a company’s security it is always attributed
to the work of sophisticated cyber criminals? Is this because it really does take
a sophisticated criminal to breach an environment these days, or do victims prefer
to characterise the cleverness of the criminal rather than the weakness of the security
environment?
</p>
        <p>
 
</p>
        <p>
The Verizon RISK team issue an <a href="http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf" target="_blank">annual
breach report</a> which summarises all of the breaches they and the US Secret Service
have investigated over the last year. According to their 2010 report, 96% of the breaches
they investigated could have been avoided by implementing simple or intermediate
controls, an increase of 9 percentage points over the preceding year. Not only that,
but the report authors judged 85% of the attacks as not being highly difficult
to carry out.
</p>
        <p>
 
</p>
        <p>
What do they mean by simple or intermediate controls? Elsewhere in the report they
state that 79% of breached organisations subject to the Payment Card Industry Data Security
Standard (PCI DSS) had not been assessed as compliant with it, which perhaps provides
a clue to at least some of the controls which fell under this description.
</p>
        <p>
 
</p>
        <p>
Even though PCI DSS compliance is targeted at merchants handling payment card details,
it can still be used to provide a framework of useful controls to consider when creating
a secure environment. Don’t forget, cyber thieves will take whatever data they believe
they can use; names and email addresses seem to be in vogue at the moment.
</p>
        <p>
 
</p>
        <p>
Checking the Open Web Application Security Project (OWASP) which maintains a <a href="https://www.owasp.org/index.php/Top_10_2010" target="_blank">list
of the top ten risks and vulnerabilities</a> a web environment can be exposed to,
one would expect this new wave of sophisticated attacks to show up on the new 2010
list. Surprisingly, the vulnerabilities here have been pretty static. In fact SQL
injection, a technique first documented more than a decade ago, still sits at the very
top of the 2010 list as part of the Injection category.
</p>
        <p>
 
</p>
        <p>
Irony of ironies, only this week a <a href="http://www.barracudalabs.com/wordpress/index.php/2011/04/11/learning-the-importance-of-waf-technology-the-hard-way/" target="_blank">leading
web application security company</a> announced a successful SQL injection attack against
its corporate web site, which just goes to show we all need to be vigilant and practise
what we preach.
</p>
        <p>
 
</p>
        <p>
Back to the Verizon report, where the authors report that only 21% of organisations who
were breached had developed and maintained secure systems and applications as required
by PCI DSS. This part of the standard (requirement 6) requires that payment solutions
and applications are securely developed and tested against a set of known vulnerabilities
such as the OWASP Top 10. So if organisations still aren’t protecting themselves from
well-known vulnerabilities, why would a cyber thief need to develop new sophisticated
tools?
</p>
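        <p>
Since SQL injection is the ten-year-old vulnerability the post keeps coming back to, here
is an added example (not code from the original post or from any company named in it)
showing it in its smallest realistic form: a login check and a customer search built by
pasting user input into SQL text, beside the parameterised versions that a secure
development process under PCI DSS requirement 6 expects. The tables, the accounts, the
card numbers (standard test PANs) and the attacker's inputs are constructed; the database
is an in-memory SQLite, so the whole thing runs offline.
</p>

```python
import sqlite3

# Added example, not code from the original post or from any of the companies
# named in it. It shows the SQL injection weakness the post refers to in the
# smallest realistic form, a login check and a search built by pasting user
# input into SQL text, beside the parameterised versions that a secure
# development process (PCI DSS requirement 6, OWASP Top 10 A1) expects.
# The tables, the accounts, the card numbers (standard test PANs) and the
# attacker's inputs are constructed; the database is an in-memory SQLite.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE cards (username TEXT, pan TEXT)")
    # Plaintext passwords only so the injection stays visible; real systems
    # store salted password hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    conn.executemany("INSERT INTO cards VALUES (?, ?)",
                     [("alice", "4111111111111111"), ("bob", "5500000000000004")])
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input becomes part of the SQL statement itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password):
    """Same check with bound parameters: the input can only ever be data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def search_vulnerable(conn, term):
    """A 'find customer' feature built the same careless way; this is the kind
    of query through which whole card tables leave the building."""
    sql = "SELECT username FROM cards WHERE username LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    sql = "SELECT username FROM cards WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Constructed attacker inputs.
BYPASS_PAYLOAD = "' OR '1'='1"                        # any password is accepted
DUMP_PAYLOAD = "x' UNION SELECT pan FROM cards --"    # returns the PANs instead
```

        <p>
Against the concatenated login the bypass payload turns the WHERE clause into a condition
that is always true, and against the concatenated search a UNION pulls the card numbers
out through a field meant to return usernames. The parameterised versions treat the same
strings as ordinary values and match nothing. Nothing about this requires a sophisticated
attacker, which is the post's point.
</p>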
        <p>
 
</p>
        <p>
So perhaps we really only do hear about the highly sophisticated attacks - there
certainly are some clever hackers out there; but before throwing up our hands in despair
we should also heed some of these other less well publicised statistics and prepare
our environments to defend against the less sophisticated attacker. Reducing our exposure
to only the top 4% of attackers seems like a good idea to me.
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=9cf802d5-2f1e-422b-83ef-815fc3a8f52c" />
      </body>
      <title>How sophisticated are the cyber thieves who breach security?</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,9cf802d5-2f1e-422b-83ef-815fc3a8f52c.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/04/13/HowSophisticatedAreTheCyberThievesWhoBreachSecurity.aspx</link>
      <pubDate>Wed, 13 Apr 2011 07:53:18 GMT</pubDate>
      <description>&lt;p&gt;
Why is it; whenever there is a breach of a company’s security it is always attributed
to the work of sophisticated cyber criminals? Is this because it really does take
a sophisticated criminal to breach an environment these days or do victims prefer
to characterise the cleverness of the criminal rather than the weakness of the security
environment?
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
The Verizon RISK team issue an &lt;a href="http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf" target="_blank"&gt;annual
breach report&lt;/a&gt; which summarises all of the breaches they and the US Secret Service
have investigated over the last year. According to their 2010 report 96% of the breaches
they investigated could have been avoided by the implementation of either simple or
intermediate controls - an increase of 9% over the preceding year. Not only that,
but the report authors considered 85% of the attacks as not being highly difficult
to implement.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
What do they mean by simple or intermediate controls? Elsewhere in the report they
state that 79% of breaches were at merchants who hadn’t been assessed as compliant
to the Payment Card Industries Data Security Standard (PCI DSS), which perhaps provides
a clue to at least some of controls which fell under this description.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Even though PCI DSS compliance is targeted at merchants handling payment card details,
it can still be used to provide a framework of useful controls to consider when creating
a secure environment. Don’t forget, cyber thieves will take whatever data they believe
they can use; names and email addresses seem to be in vogue at the moment.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Checking the Open Web Application Security Project (OWASP) which maintains a &lt;a href="https://www.owasp.org/index.php/Top_10_2010" target="_blank"&gt;list
of the top ten risks and vulnerabilities&lt;/a&gt; a web environment can be exposed to,
one would expect this new wave of sophisticated attacks to show up on the new 2010
list. Surprisingly, the vulnerabilities here have been pretty static. In fact SQL
Injection recently celebrated its status as a top 10 risk for the period of 10 years
on the list.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Ironies of ironies, only this week a &lt;a href="http://www.barracudalabs.com/wordpress/index.php/2011/04/11/learning-the-importance-of-waf-technology-the-hard-way/" target="_blank"&gt;leading
web application security company&lt;/a&gt; announced a successful SQL injection attack against
its corporate web site which just goes to show we all need to be vigilant and practice
what we preach.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Back to the Verizon report: the authors state that only 21% of organisations which
were breached had developed and maintained secure systems and applications as required
for PCI DSS compliance. This part of the standard requires that payment solutions and
applications have been securely developed and tested against a set of known vulnerabilities
such as the OWASP Top 10. So if organisations still aren’t protecting themselves from
well-known vulnerabilities, why would a cyber thief need to develop these new sophisticated
tools?
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
So perhaps we really do only hear about these highly sophisticated attacks - there
certainly are some clever hackers out there; but before throwing up our hands in despair
we should also heed some of these other, less well publicised statistics and prepare
our environments to defend against the less sophisticated attacker. Reducing our risk
to only the top 4% of attackers seems like a good idea to me.
&lt;/p&gt;
</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,9cf802d5-2f1e-422b-83ef-815fc3a8f52c.aspx</comments>
      <category>Fraud</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=d5deed6d-1921-4208-8395-c411dad93de8</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,d5deed6d-1921-4208-8395-c411dad93de8.aspx</pingback:target>
      <dc:creator>Luben Solev</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,d5deed6d-1921-4208-8395-c411dad93de8.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=d5deed6d-1921-4208-8395-c411dad93de8</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Every man and his dog has a smartphone these days. Whether an Android, Apple or
Blackberry device, today's mobiles are as powerful as desktop PCs were only a decade
or so ago. They can browse the internet and run a countless number of applications.
As such it is inevitable that more and more people are starting to use them as they
do their main PCs – keeping increasing amounts of sensitive personal information
on them and using them to make purchases and do personal banking. The problem is that,
unlike their PCs, most mobile phones are not currently adequately protected against
viruses. But how many smartphones are there, and do people actually use them in sufficient
numbers for this to be an issue?
</p>
        <p>
 
</p>
        <p>
          <strong>The potential scale of the issue</strong>
        </p>
        <p>
According to Gartner, in Q3 2010 <a href="http://www.gartner.com/it/page.jsp?id=1451742" target="_blank">88
million computers</a> (desktop/laptop/netbook) and <a href="http://www.gartner.com/it/page.jsp?id=1466313" target="_blank">80
million smartphones</a> were shipped globally. Half a year down the line, with
mobile manufacturers bringing out new models with ever-increasing frequency and the
proliferation of more and more tablet computers, the balance has probably tipped in
favour of smartphones. So we know for sure that there are a lot of devices out there.
But are they being used?
</p>
        <p>
 
</p>
        <p>
Well, usage figures from <a href="http://www.tecmark.co.uk/uk-mobile-internet-stats" target="_blank">Tecmark</a> show
that smartphone web traffic now accounts for over 8% of all web traffic in the UK
and is growing exponentially. <a href="http://www.businessinsider.com/mary-meekers-web-2010-11#-5" target="_blank">Business
Insider</a> tells us that the UK has the 5th biggest mobile market in the world after
the USA, Japan, Korea and Italy. <a href="http://consumers.ofcom.org.uk/2010/08/tv-phones-and-internet-take-up-almost-half-our-waking-hours/?lang=cy" target="_blank">Ofcom</a> calculates
that mobile internet usage rocketed by 240% between 2009 and 2010.
</p>
        <p>
 
</p>
        <p>
All of these stats point to the fact that the online market is already big and is
continuing to increase at a dramatic rate. So where does the problem lie?
</p>
        <p>
 
</p>
        <p>
          <strong>Consumer perceptions are at the heart of the issue</strong>
        </p>
        <p>
Over recent years intensive media coverage has first alerted and then educated the
wider public to the threat posed by email scams and viruses/trojans, as well as the
importance of having a firewall and an up-to-date virus scanner installed.
</p>
        <p>
 
</p>
        <p>
The problem is that consumers don’t think of their smartphones as just another PC,
even though modern smartphones can perform all the everyday tasks a PC can.<br />
Most consumers do not have virus scanning software installed on their smartphones,
and the key mobile operating systems (Android, iOS, Blackberry &amp; Windows Phone
7) don’t contain such software by default.
</p>
        <p>
 
</p>
        <p>
Furthermore, the proliferation of app stores and one-click installation has made it
easier for people to add new functionality to their phones. People add and remove
apps in a much more casual manner than they would on their home PC.
</p>
        <p>
 
</p>
        <p>
          <strong>Proliferation of viruses onto mobile platforms and their impact</strong>
        </p>
        <p>
Virus writers have been quick to take advantage of the three points above and have started
writing increasingly complex and capable viruses for these new platforms. A case in
point is a virus dubbed <a href="http://blog.mylookout.com/2010/12/geinimi_trojan/" target="_blank">Geinimi</a>.
Usually posing as a gaming app in unofficial Chinese Android app stores, once installed
on a device, Geinimi is able to:
</p>
        <ul>
          <li>
Send personal information to a remote server</li>
          <li>
Receive commands from remote servers enabling the infected mobile device to become
part of a <a href="http://en.wikipedia.org/wiki/Botnet" target="_blank">botnet</a></li>
          <li>
Send SMS messages to premium rate phone numbers</li>
        </ul>
        <p>
 
</p>
        <p>
All without the user’s knowledge. Whilst today such viruses are rare and their proliferation
rate is relatively slow, if unchecked they could become mainstream very quickly indeed.
</p>
        <p>
 
</p>
        <p>
          <strong>The importance of Android to this debate</strong>
        </p>
        <p>
You may have noticed that the Geinimi trojan (like most of the mobile viruses in the
wild today) is written for the Android platform. Helped by its pseudo open-source
status and the backing of the biggest internet company in the world (Google), Android
is now both the <a href="http://www.canalys.com/pr/2011/r2011013.html" target="_blank">largest
and the fastest growing smartphone platform in the world</a>. Due to this popularity
Android has naturally become the virus writer’s favourite OS (in a similar way to
how Windows became the favourite desktop OS for PC virus writers).
</p>
        <p>
 
</p>
        <p>
Another reason that virus writers focus on Android is its relative openness. Apple’s
walled garden approach may be restrictive (to the point of being viewed as anti-competitive
by some), but at least it allows for careful vetting of all applications sold through
its app store. Of course with Apple’s iOS, unless you <a href="http://en.wikipedia.org/wiki/IOS_jailbreaking" target="_blank">jailbreak</a> your
phone or tablet, you won’t be able to install applications from non-app store sources.
On Android you can install applications from non-official sources, which gives rise
to the possibility of rogue applications being installed.
</p>
        <p>
 
</p>
        <p>
          <strong>So what can be done?</strong>
        </p>
        <p>
The proliferation of mobile payment fraud can be averted through concerted actions
throughout the related industries. These actions will probably include:
</p>
        <p>
 
</p>
        <p>
          <strong>1) Media</strong>
          <br />
Education of the wider public in the importance of using mobile virus scanning software,
being careful to install applications only from official sources and generally
being aware of security advice issued by the mobile industry.
</p>
        <p>
 
</p>
        <p>
          <strong>2) Mobile OS developers</strong>
        </p>
        <p>
OS developers such as Google, Apple, Blackberry and Microsoft need to put a big focus
on making their platforms secure and supplying their end users with anti-virus software.
PC operating systems like Windows 7 already come with pre-installed virus scanning
software, and the same should happen in the mobile space.
</p>
        <p>
 
</p>
        <p>
The Mobile OS developers also need to improve app security screening before apps make
it onto official app stores and look at ways of minimising the possibility of apps
from unofficial app stores infecting people’s smartphones (obviously without in the
process limiting end-user choice).
</p>
        <p>
 
</p>
        <p>
          <strong>3) Network Operators</strong>
        </p>
        <p>
Network operators need to ensure that the phones they issue are kept updated with
the latest security patches. Automating this process will ensure that no phone is
left on an older version of software which is vulnerable to infection. Network operators
also need to look at the possibility of providing virus detection software, either
free of charge or as an added extra, until mobile OS developers introduce such features
into their OSs by default.
</p>
        <p>
 
</p>
        <p>
          <strong>4) Retailers and Financial Institutions</strong>
        </p>
        <p>
Retailers who want to sell through the mobile channel, or banks who want to enable
mobile banking services, need to ensure that all development (whether through platform-specific
apps or platform-agnostic mobile websites) is entirely PCI DSS compliant.
On top of that they need to include extra security features to ensure that even if
the security of the mobile device has been compromised, the account security cannot
be breached.
</p>
        <p>
 
</p>
        <p>
Banks are already leading the way in this, with the likes of <a href="http://www1.firstdirect.com/1/2/help-support/online-security/how-we-protect-you;jsessionid=0000Jj3YbMGaC5w01Fh_Hz_ab7L:11jkg7sus" target="_blank">First
Direct</a> making people enter three random characters from their password instead
of the whole thing, whilst Barclays use an external <a href="http://www.barclays.co.uk/Helpsupport/IntroducingPINsentryforOnlineBanking/P1242559314766" target="_blank">PINsentry</a> security
token which provides two-factor authentication. The aim of both of these approaches is to
minimise (if not annul) the possibility of account security being compromised by logging
in or initiating a transaction through an infected mobile device.
</p>
        <p>
 
</p>
        <p>
Retailers also need to look at similar ways of securing their points of interaction;
perhaps by making us enter a random subset of our full passwords and periodically
asking us for extra information such as security questions or details of our
transaction history.
</p>
        <p>
 
</p>
        <p>
          <strong>5) Individual Consumers</strong>
        </p>
        <p>
But at the end of the day no one is going to protect you the way you protect yourself,
and end users need to realise that “<a href="http://en.wikipedia.org/wiki/Uncle_Ben#.22With_great_power_comes_great_responsibility.22" target="_blank">with
great power comes great responsibility</a>”. Or, more accurately, that as phones become
more integral to our lives, they also become more dangerous if a malicious hacker
takes control of them. Thus we all need to be more careful about how we use these small
but increasingly powerful devices.
</p>
      </body>
      <title>Mobile viruses - A viable threat to mobile payments?</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,d5deed6d-1921-4208-8395-c411dad93de8.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/04/08/MobileVirusesAViableThreatToMobilePayments.aspx</link>
      <pubDate>Fri, 08 Apr 2011 12:05:27 GMT</pubDate>
      <description />
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,d5deed6d-1921-4208-8395-c411dad93de8.aspx</comments>
      <category>Customer Interaction </category>
      <category>Fraud</category>
      <category>Mobile</category>
      <category>Payments</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=2ea2ecb5-0350-4af6-b4ef-0eda4331abdd</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,2ea2ecb5-0350-4af6-b4ef-0eda4331abdd.aspx</pingback:target>
      <dc:creator>Paul Russell</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,2ea2ecb5-0350-4af6-b4ef-0eda4331abdd.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=2ea2ecb5-0350-4af6-b4ef-0eda4331abdd</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
It is estimated that <a href="http://www.callcentre.co.uk/c/document_library/get_file?uuid=480951b4-2029-4ee5-a287-a7e042777a1f&amp;groupId=10311" target="_blank">1
billion card transactions per year worth an estimated £40bn</a> are processed by the
UK’s 700,000 contact centre agents. Therefore it is not surprising that Card Not Present
(CNP) fraud (stolen details used over the phone, internet or mail order) accounts for 56% of
all UK card fraud. With the vast majority of CNP fraud coming from contact centres,
losses stem not only from fraudulent transactions, but also from card details that are leaked
to the criminal fraternity by coerced call centre employees.
</p>
        <p>
 
</p>
        <p>
What can businesses that run contact centres do to prevent or stem this leak? After
all, they need to take payments, they need to provide effective customer relations,
and therefore they need their people to be on the phone to the customer.
</p>
        <p>
 
</p>
        <p>
For PCI DSS compliance, any contact centre which transmits, processes or stores payment
card data is required to look after the customer’s card data. Customers need to know
they can trust businesses with their personal information. Betray that trust through
a data security breach and a business can wave goodbye to its customer base and
bank balance. On the upside, businesses that demonstrate that they take PCI DSS compliance
and security seriously can strengthen their customer relationships. Ensuring phone
payments are secured reduces the real fraud risk and reinforces the customer’s perception
of security at the same time.
</p>
        <p>
 
</p>
        <p>
The main issue addressed by PCI DSS compliance is data storage. Businesses can store
PANs (Primary Account Numbers), but post-authorisation these must be encrypted. Sensitive
Authentication Data (SAD), such as the security code found on the back of the card,
must not be stored post-authorisation even if encrypted. There are payment solutions
designed to help businesses protect their customers’ card data and reduce the scope
of PCI DSS compliance, for example by adopting hosted payment gateways whereby card
data is entered and stored within a third party service, where strong encryption and
tokenisation technologies are used. The additional challenge for the contact
centre, however, is that calls are recorded “for training and monitoring
purposes”. The challenge of not recording the payment details, or having the technology
to secure their recording, needs to be addressed so as not to allow those
leaks to occur.
</p>
        <p>
 
</p>
        <p>
Addressing the challenge of PCI DSS compliance within the contact centre environment
needs to be balanced with the operational need to record the conversation. PCI DSS
compliance should not just be treated as a formality, as there are cases of
fraud carried out on call recording solutions. With off-the-shelf analytics
software it is very easy to extract card data from digital call recordings.
</p>
        <p>
 
</p>
        <p>
So how do businesses stem the leak? There are now new technologies on the market that
complement the card processing. Once such a solution is implemented, card
details are never captured on call recordings nor heard by the agent in the first
place. Instead of reading out the card details to the agent, this new technology allows
the customer to type them using their phone keypad. The solution masks the payment
keypad (DTMF) tones from the agent, whilst ensuring that the rest of the conversation is recorded.
This is all done with the caller remaining in voice communication with the agent to
maintain the customer experience. Businesses can now not only make their call recording
solutions PCI DSS compliant but can also take their contact centres out of scope for
PCI DSS compliance.
</p>
        <p>
 
</p>
        <p>
If the agent hears no data and sees no data, then they can leak no data.
</p>
      </body>
      <title>Plugging the contact centre payments leak</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,2ea2ecb5-0350-4af6-b4ef-0eda4331abdd.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/03/24/PluggingTheContactCentrePaymentsLeak.aspx</link>
      <pubDate>Thu, 24 Mar 2011 15:23:55 GMT</pubDate>
      <description>&lt;p&gt;
It is estimated that &lt;a href="http://www.callcentre.co.uk/c/document_library/get_file?uuid=480951b4-2029-4ee5-a287-a7e042777a1f&amp;amp;groupId=10311" target="_blank"&gt;1
billion card transactions per year worth an estimated £40bn&lt;/a&gt; are processed by the
UK’s 700,000 contact centre agents. Therefore it is not surprising that Card not Present
fraud (stolen details over the phone, internet or mail order) accounts for 56% of
all UK card fraud. With the vast majority of CNP fraud coming from contact centres,
losses stem not only from fraudulent transactions, but also from cards that are leaked
to the criminal fraternity by coerced call centre employees.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
What can businesses that run contact centres do to prevent or stem this leak? After
all they need to take payments, they need to provide effective customer relations
and therefore they need their people to be on the phone to the customer.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
For PCI DSS compliance any contact centre which transmits, processes or stores payment
card data is required to look after the customer’s card data. Customers need to know
they can trust businesses with their personal information. Betray that trust through
a data security breach and a business can wave good bye to their customer base and
bank balance. On the upside, businesses that demonstrate that they take PCI DSS compliance
and security seriously can strengthen their customer relationships. By ensuring phone
payments are secured reduces the real fraud risk and reinforces the customer’s perception
of security at the same time.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
The main issue addressed by PCI DSS compliance is data storage. Businesses can store
PANs (Primary Account Number), but these post authorisation must be encrypted. Sensitive
Authentication Data (SAD), such as the security code, found on the back of the card
must not be stored post authorisation even if encrypted. There are payment solutions
designed to help businesses protect their customers card data and reduce the scope
of PCI DSS compliance, by for example adopting hosted payment gateways whereby card
data is entered and stored within a third party service, where strong encryption and
tokenisation technologies are used. The additional challenge however, for the contact
centre remains with the fact that calls are recorded “for training and monitoring
purposes”. The challenge of not recording, or having the technology to secure the
recording of the payment details needs to be addressed, so as to not allow for those
leaks to occur.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Addressing the challenge of PCI DSS compliance within the contact centre environment
needs to be balanced with the operational need to record the conversation. PCI DSS
compliance should not be treated as a box-ticking exercise, as there are known cases of
fraud carried out using call recording solutions. With off-the-shelf speech analytics
software it is very easy to extract card data from digital call recordings.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
So how do businesses stem the leak? There are now new technologies on the market that
complement the card processing flow. Once such a solution is implemented, card
details are never captured on call recordings nor heard by the agent in the first
place. Instead of reading out the card details to the agent, the customer types them
on their phone keypad. The solution masks the payment keypad tones (DTMF) from the agent
and from the recording, whilst ensuring that the rest of the conversation is recorded.
This is all done with the caller remaining in voice communication with the agent to
maintain the customer experience. Businesses can not only make their call recording
solutions PCI DSS compliant but can also take the agents and their desktops out of scope
for PCI DSS compliance (whichever system captures the keypad entry and forwards it to the
payment gateway still handles card data and remains in scope, whether it is run in-house
or by the service provider).
&lt;/p&gt;
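&lt;p&gt;
The masking step described above, as an added illustration that is not part of the original post or of any vendor’s product: a Goertzel detector finds the keypad (DTMF) tones frame by frame, zeroes those frames in the stream that goes to the agent and the recorder, and hands the digits to the payment side separately. The 8 kHz audio, the 25 ms frame size, the power threshold and the two-tone stand-in for speech are all constructed assumptions.
&lt;/p&gt;

```python
"""DTMF detection and masking over a constructed 8 kHz call, stand-alone.
The audio, frame size and thresholds are illustrative assumptions."""
import math

SAMPLE_RATE = 8000
FRAME = 200                      # 25 ms frames; the sample call is frame-aligned
LOW = (697, 770, 852, 941)       # DTMF row frequencies (Hz)
HIGH = (1209, 1336, 1477, 1633)  # DTMF column frequencies (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")
THRESHOLD = 0.04                 # normalised power (amplitude squared) per row/column


def tone(freqs, amp, n):
    """n samples of sinusoids at `freqs`, each with amplitude `amp`."""
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def dtmf(digit, n):
    """n samples of the row/column tone pair for one keypad digit."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    return tone((LOW[row], HIGH[col]), 0.5, n)


def build_call(digits):
    """Constructed call: stand-in 'speech' (300 Hz + 500 Hz), then each keyed
    digit as 200 ms of DTMF followed by 100 ms of silence, then more 'speech'."""
    speech = tone((300, 500), 0.3, 1600)
    samples = list(speech)
    for d in digits:
        samples += dtmf(d, 1600) + [0.0] * 800
    return samples + speech


def goertzel_power(frame, freq):
    """Normalised Goertzel power of `frame` at `freq` (about amp**2 for a pure tone)."""
    n = len(frame)
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n / 4)


def detect_digit(frame):
    """Keypad digit sounding in `frame`, or None when no row+column pair is strong."""
    lows = [goertzel_power(frame, f) for f in LOW]
    highs = [goertzel_power(frame, f) for f in HIGH]
    row, col = lows.index(max(lows)), highs.index(max(highs))
    if min(lows[row], highs[col]) > THRESHOLD:
        return KEYPAD[row][col]
    return None


def mask_dtmf(samples):
    """Split a call into (recording, keyed_digits). Frames carrying DTMF are
    zeroed in the recording the agent and the recorder receive; the digits
    they carried are collected separately for the payment gateway."""
    recording, digits, last = [], [], None
    for start in range(0, len(samples), FRAME):
        frame = samples[start:start + FRAME]
        digit = detect_digit(frame)
        if digit is None:
            recording.extend(frame)
        else:
            recording.extend([0.0] * len(frame))
            if digit != last:          # one key press spans several frames
                digits.append(digit)
        last = digit
    return recording, "".join(digits)
```

&lt;p&gt;
Production detectors also check the twist between the row and column tones, require a minimum key-press duration and mask a guard interval either side of each press; the point here is that the stream the agent hears and the recorder stores is produced after the digits have been stripped, so the card number never reaches either of them.
&lt;/p&gt;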
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
If the agent hears no data, and sees no data then they can leak no data.
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=2ea2ecb5-0350-4af6-b4ef-0eda4331abdd" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,2ea2ecb5-0350-4af6-b4ef-0eda4331abdd.aspx</comments>
      <category>Customer Interaction </category>
      <category>Fraud</category>
      <category>PCI DSS</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=3c8e715f-77f9-471a-bc34-13e4bf2eedf1</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,3c8e715f-77f9-471a-bc34-13e4bf2eedf1.aspx</pingback:target>
      <dc:creator>Luben Solev</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,3c8e715f-77f9-471a-bc34-13e4bf2eedf1.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=3c8e715f-77f9-471a-bc34-13e4bf2eedf1</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
You are a retail business. You have spent a small fortune in time and money to upgrade
your systems and have now achieved that holy grail – <strong>PCI DSS compliance.</strong> Do
you sit back and relax, safe in the knowledge that you have achieved security nirvana
and that fraud will never show its ugly face in your business again? Well not quite.
</p>
        <p>
        </p>
        <p>
          <strong>PCI DSS compliance has its limits</strong>
        </p>
        <p>
The issue is that PCI DSS compliance by its very nature can’t be all-encompassing.
It deals with payment card data (credit, debit, pre-pay etc.) and the flows
of this information through your business. Anything not directly related to credit
and debit card data is considered out of scope. After all, the PCI DSS standard was
created by the card brands (Visa, MasterCard, American Express, Discover and JCB), so naturally their
key priority is keeping payment data safe and secure.
</p>
        <p>
        </p>
        <p>
But recent technology developments demonstrate that fraud (like water) always seeks
the path of least resistance and does not differentiate between in-scope and out-of-scope
areas of a business. A <a href="http://www.mobilecommercedaily.com/2011/02/09/how-to-compromise-the-starbucks-rewards-card-app-in-90-seconds" target="_blank">recent
story</a> beautifully combines payment, loyalty and fraud with a dash of new technology
and a pinch of sub-standard implementation to show us the limits of achieving PCI
DSS compliance.
</p>
        <p>
        </p>
        <p>
          <strong>Starbucks Rewards</strong>
        </p>
        <p>
Starbucks have recently introduced <a href="http://www.starbucks.com/coffeehouse/mobile-apps" target="_blank">iPhone
and Blackberry Apps</a> for their <a href="http://www.starbucks.co.uk/en-GB/_Card/Starbucks+Card+Rewards.htm" target="_blank">Starbucks
Card Rewards</a> loyalty program. All you do is launch the App in your smartphone,
get the phone screen (showing a barcode) scanned by the Starbucks employee and enjoy
your tall skinny extrawhip half-caf double caramel macchiato. The App does the rest,
as it is matched to your account, which in turn is matched to your credit/debit card
details. Thus money is taken out and loyalty points are added in automatically. <a href="http://en.wikipedia.org/wiki/Aleksandr_Orlov_(advertising)" target="_blank">Simples</a>!!
</p>
        <p>
        </p>
        <p>
The issue arises from the fact that the barcode in question is not of the dynamically
generated variety, but is static and valid for the life of your Starbucks Card Rewards
loyalty membership. The barcode is therefore a bearer credential: anyone who can reproduce
the image can spend from your account, and there is nothing for the till to check beyond
the image itself. But how is this done?
</p>
        <p>
        </p>
        <p>
          <strong>The Scam</strong>
        </p>
        <p>
The scam is technically reasonably simple to pull off. All the miscreant needs is
access to an unsecured (i.e. not PIN or pattern protected) smartphone belonging to
a <a href="http://www.wordiq.com/definition/Mark_(victim)" target="_blank">mark</a> for
at least 90 seconds. All the fraudster then needs to do is:
</p>
        <ul>
          <li>
Launch the app</li>
          <li>
Hit the mobile equivalent of “print screen”</li>
          <li>
Send themselves the resulting screen grab via email or MMS</li>
          <li>
Delete the sent MMS or email from the sent folder to erase any trace of the subterfuge</li>
          <li>
Replace the handset to where it was found</li>
        </ul>
        <p>
From then on, all the criminal needs to do is load the image onto their phone and
get that image scanned at the till, so that they too get to enjoy watery coffee, cakes
and whatever else Starbucks sells on the bill of the unaware victim.
</p>
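        <p>
To make the difference between a static and a dynamically generated barcode concrete, the following is an added example, not code from the original post or from Starbucks: the payload behind a static barcode is just the account identifier, while a rotating payload ties the account to a time window with an HMAC, so a screenshot stops working once the window has passed and cannot be redeemed twice within it. The account ids, shared key, 60-second window and HMAC construction are assumptions for illustration.
</p>

```python
"""Static versus rotating barcode payloads, stand-alone. The account ids,
keys, window length and HMAC construction are illustrative assumptions."""
import hashlib
import hmac
import struct

WINDOW = 60   # seconds a rotating payload stays valid (assumed)
SKEW = 1      # neighbouring windows accepted for clock drift (assumed)


def static_payload(account_id):
    """What a static barcode encodes: the account identifier, valid forever."""
    return account_id


def rotating_payload(account_id, key, now):
    """Account id, time window and an HMAC over both. The app regenerates this
    every window, so a screenshot stops working once the window has passed."""
    counter = now // WINDOW
    msg = account_id.encode() + struct.pack(">Q", counter)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    return f"{account_id}:{counter}:{tag}"


class Till:
    """Point-of-sale verifier holding each account's key."""

    def __init__(self, keys):
        self.keys = keys          # account id -> key shared with the app
        self.seen = set()         # payloads already redeemed

    def accept_static(self, payload):
        # Nothing to verify beyond 'is this an account we know'.
        return payload in self.keys

    def accept_rotating(self, payload, now):
        try:
            account_id, counter_s, _tag = payload.split(":")
            counter = int(counter_s)
        except ValueError:
            return False
        key = self.keys.get(account_id)
        if key is None:
            return False
        if abs(now // WINDOW - counter) > SKEW:
            return False          # stale: the screenshot is from an old window
        expected = rotating_payload(account_id, key, counter * WINDOW)
        if not hmac.compare_digest(expected, payload):
            return False          # forged or altered
        if payload in self.seen:
            return False          # exact replay inside the window
        self.seen.add(payload)
        return True
```

        <p>
The static payload is accepted by the till for as long as the account exists, which is exactly what the screenshot in the story relies on; the rotating one forces the miscreant to have the live app, not a picture of it.
</p>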
        <p>
        </p>
        <p>
          <strong>Much ado about nothing</strong>
        </p>
        <p>
But wait, I hear you cry, there are a lot of caveats to pulling off this ruse. The
smartphone needs to be unprotected (e.g. no password), it needs to be left alone in
a public place for at least 90 seconds, the ne’er-do-well needs to have a phone with
an identical resolution screen... and all of this for some free coffee. Many of you
will correctly point out that most fraudsters probably won’t bother to go to all of
this effort for such a small reward.
</p>
        <p>
And you may well be right. Yes the scam does have severe limitations, but it does
demonstrate that companies do need to take care in introducing new technologies in
order to minimise the chances of fraud. After all, as the above app does not store
or disclose any payment information it does not contravene the PCI DSS compliance
status of the company. But that does not make it fraud-proof.
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=3c8e715f-77f9-471a-bc34-13e4bf2eedf1" />
      </body>
      <title>When PCI DSS compliance is not enough</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,3c8e715f-77f9-471a-bc34-13e4bf2eedf1.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/02/22/WhenPCIDSSComplianceIsNotEnough.aspx</link>
      <pubDate>Tue, 22 Feb 2011 09:12:00 GMT</pubDate>
      <description>&lt;p&gt;
You are a retail business. You have spent a small fortune in time and money to upgrade
your systems and have now achieved that holy grail – &lt;strong&gt;PCI DSS compliance.&lt;/strong&gt; Do
you sit back and relax, safe in the knowledge that you have achieved security nirvana
and that fraud will never show its ugly face in your business again? Well not quite.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;strong&gt;PCI DSS compliance has its limits&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
The issue is that PCI DSS compliance by its very nature can’t be all-encompassing.
It deals with payment card data (credit, debit, pre-pay etc.) and the flows
of this information through your business. Anything not directly related to credit
and debit card data is considered out of scope. After all, the PCI DSS standard was
created by the card brands (Visa, MasterCard, American Express, Discover and JCB), so naturally their
key priority is keeping payment data safe and secure.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
But recent technology developments demonstrate that fraud (like water) always seeks
the path of least resistance and does not differentiate between in-scope and out-of-scope
areas of a business. A &lt;a href="http://www.mobilecommercedaily.com/2011/02/09/how-to-compromise-the-starbucks-rewards-card-app-in-90-seconds" target="_blank"&gt;recent
story&lt;/a&gt; beautifully combines payment, loyalty and fraud with a dash of new technology
and a pinch of sub-standard implementation to show us the limits of achieving PCI
DSS compliance.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;strong&gt;Starbucks Rewards&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
Starbucks have recently introduced &lt;a href="http://www.starbucks.com/coffeehouse/mobile-apps" target="_blank"&gt;iPhone
and Blackberry Apps&lt;/a&gt; for their &lt;a href="http://www.starbucks.co.uk/en-GB/_Card/Starbucks+Card+Rewards.htm" target="_blank"&gt;Starbucks
Card Rewards&lt;/a&gt; loyalty program. All you do is launch the App in your smartphone,
get the phone screen (showing a barcode) scanned by the Starbucks employee and enjoy
your tall skinny extrawhip half-caf double caramel macchiato. The App does the rest,
as it is matched to your account, which in turn is matched to your credit/debit card
details. Thus money is taken out and loyalty points are added in automatically. &lt;a href="http://en.wikipedia.org/wiki/Aleksandr_Orlov_(advertising)" target="_blank"&gt;Simples&lt;/a&gt;!!
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
The issue arises from the fact that the barcode in question is not of the dynamically
generated variety, but is static and valid for the life of your Starbucks Card Rewards
loyalty membership. The barcode is therefore a bearer credential: anyone who can reproduce
the image can spend from your account, and there is nothing for the till to check beyond
the image itself. But how is this done?
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;strong&gt;The Scam&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
The scam is technically reasonably simple to pull off. All the miscreant needs is
access to an unsecured (i.e. not PIN or pattern protected) smartphone belonging to
a &lt;a href="http://www.wordiq.com/definition/Mark_(victim)" target="_blank"&gt;mark&lt;/a&gt; for
at least 90 seconds. All the fraudster then needs to do is:
&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
Launch the app&lt;/li&gt;
&lt;li&gt;
Hit the mobile equivalent of “print screen”&lt;/li&gt;
&lt;li&gt;
Send themselves the resulting screen grab via email or MMS&lt;/li&gt;
&lt;li&gt;
Delete the sent MMS or email from the sent folder to erase any trace of the subterfuge&lt;/li&gt;
&lt;li&gt;
Replace the handset to where it was found&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
From then on, all the criminal needs to do is load the image onto their phone and
get that image scanned at the till, so that they too get to enjoy watery coffee, cakes
and whatever else Starbucks sells on the bill of the unaware victim.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
&lt;strong&gt;Much ado about nothing&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
But wait, I hear you cry, there are a lot of caveats to pulling off this ruse. The
smartphone needs to be unprotected (e.g. no password), it needs to be left alone in
a public place for at least 90 seconds, the ne’er-do-well needs to have a phone with
an identical resolution screen... and all of this for some free coffee. Many of you
will correctly point out that most fraudsters probably won’t bother to go to all of
this effort for such a small reward.
&lt;/p&gt;
&lt;p&gt;
And you may well be right. Yes the scam does have severe limitations, but it does
demonstrate that companies do need to take care in introducing new technologies in
order to minimise the chances of fraud. After all, as the above app does not store
or disclose any payment information it does not contravene the PCI DSS compliance
status of the company. But that does not make it fraud-proof.
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=3c8e715f-77f9-471a-bc34-13e4bf2eedf1" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,3c8e715f-77f9-471a-bc34-13e4bf2eedf1.aspx</comments>
      <category>Customer Interaction </category>
      <category>Fraud</category>
      <category>Loyalty</category>
      <category>Mobile</category>
      <category>Payments</category>
      <category>PCI DSS</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=eb580d31-520a-45ff-b53d-d93d766082ee</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,eb580d31-520a-45ff-b53d-d93d766082ee.aspx</pingback:target>
      <dc:creator>Steve O'Donoghue</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,eb580d31-520a-45ff-b53d-d93d766082ee.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=eb580d31-520a-45ff-b53d-d93d766082ee</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
In keeping with things at this time of year I’ve been thinking about a few predictions
for 2011.
</p>
        <p>
 
</p>
        <p>
First off, I think we’ll see more coordinated fraud attacks. As the take-up of PCI
DSS compliance continues, fraudsters will be forced to focus more strongly on specific
targets. With PCI DSS compliant environments it is <a href="http://blog.itsecurityexpert.co.uk/2010/10/love-it-or-hate-it-pci-dss-helps-cut-uk.html" target="_blank">clearly
harder for would-be fraudsters to illicitly obtain card numbers and personal data</a>,
meaning they will have to take a more structured and planned approach
to their activities, as “scattergun” strategies begin to pay less of a dividend.
</p>
        <p>
 
</p>
        <p>
Point-to-point encryption will be used as a key strategy for merchants looking to
descope from PCI DSS requirements. With the well publicised <a href="http://www.gss.co.uk/news/article/7203/Average_annual_cost_of_PCI_compliance_audit%3F_$225k/" target="_blank">cost
implications of achieving PCI compliance</a>, encrypting card data at the point of capture
(so that the merchant’s own systems never see it in the clear) and therefore
removing those systems from the scope of PCI DSS is emerging as a more cost effective
strategy for businesses.
</p>
        <p>
 
</p>
        <p>
In the payments arena, I think it’s likely we’ll finally see the emergence of <a href="http://en.wikipedia.org/wiki/Contactless_payment" target="_blank">contactless
technology</a> among consumers too. Efforts to increase consumer understanding and
comfort levels will be key to this, and with <a href="http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/7030315/Contactless-bank-cards-to-flood-UK-says-Visa.html" target="_blank">cards
now prevalent throughout the UK</a> it’s really just a case of getting the messaging
right before we’ll see usage increase. From a security/fraud perspective I expect
the impact to be minimal. Contactless transactions are limited to low value transactions,
i.e. newsagent and coffee shop purchases. With this in mind, fraudsters are unlikely to
take the risk for such a small return.
</p>
        <p>
 
</p>
        <p>
Finally, I think <a href="http://gigaom.com/2010/02/10/identity-theft-on-the-rise-survey/" target="_blank">2011
will bring with it an increase in identity theft</a>. If PCI regulations have limited
the availability of card data then we’ll start to see fraudsters looking for other
ways to ply their trade. By making card data harder to obtain, I suspect
we’ll see fraudsters switching to gathering personal (cardholder) data as a possible
outlet and solution.
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=eb580d31-520a-45ff-b53d-d93d766082ee" />
      </body>
      <title>New Year Trends in Fraud</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,eb580d31-520a-45ff-b53d-d93d766082ee.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2011/02/09/NewYearTrendsInFraud.aspx</link>
      <pubDate>Wed, 09 Feb 2011 11:05:25 GMT</pubDate>
      <description>&lt;p&gt;
In keeping with things at this time of year I’ve been thinking about a few predictions
for 2011.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
First off, I think we’ll see more coordinated fraud attacks. As the take-up of PCI
DSS compliance continues, fraudsters will be forced to focus more strongly on specific
targets. With PCI DSS compliant environments it is &lt;a href="http://blog.itsecurityexpert.co.uk/2010/10/love-it-or-hate-it-pci-dss-helps-cut-uk.html" target="_blank"&gt;clearly
harder for would-be fraudsters to illicitly obtain card numbers and personal data&lt;/a&gt;,
meaning they will have to take a more structured and planned approach
to their activities, as “scattergun” strategies begin to pay less of a dividend.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Point-to-point encryption will be used as a key strategy for merchants looking to
descope from PCI DSS requirements. With the well publicised &lt;a href="http://www.gss.co.uk/news/article/7203/Average_annual_cost_of_PCI_compliance_audit%3F_$225k/" target="_blank"&gt;cost
implications of achieving PCI compliance&lt;/a&gt;, encrypting card data at the point of capture
(so that the merchant’s own systems never see it in the clear) and therefore
removing those systems from the scope of PCI DSS is emerging as a more cost effective
strategy for businesses.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
In the payments arena, I think it’s likely we’ll finally see the emergence of &lt;a href="http://en.wikipedia.org/wiki/Contactless_payment" target="_blank"&gt;contactless
technology&lt;/a&gt; among consumers too. Efforts to increase consumer understanding and
comfort levels will be key to this, and with &lt;a href="http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/7030315/Contactless-bank-cards-to-flood-UK-says-Visa.html" target="_blank"&gt;cards
now prevalent throughout the UK&lt;/a&gt; it’s really just a case of getting the messaging
right before we’ll see usage increase. From a security/fraud perspective I expect
the impact to be minimal. Contactless transactions are limited to low value transactions,
i.e. newsagent and coffee shop purchases. With this in mind, fraudsters are unlikely to
take the risk for such a small return.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Finally, I think &lt;a href="http://gigaom.com/2010/02/10/identity-theft-on-the-rise-survey/" target="_blank"&gt;2011
will bring with it an increase in identity theft&lt;/a&gt;. If PCI regulations have limited
the availability of card data then we’ll start to see fraudsters looking for other
ways to ply their trade. By making card data harder to obtain, I suspect
we’ll see fraudsters switching to gathering personal (cardholder) data as a possible
outlet and solution.
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=eb580d31-520a-45ff-b53d-d93d766082ee" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,eb580d31-520a-45ff-b53d-d93d766082ee.aspx</comments>
      <category>Contactless</category>
      <category>Fraud</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=8b6a8c1a-81da-468a-aad8-c9510f642b1a</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,8b6a8c1a-81da-468a-aad8-c9510f642b1a.aspx</pingback:target>
      <dc:creator>Mark Carpenter</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,8b6a8c1a-81da-468a-aad8-c9510f642b1a.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=8b6a8c1a-81da-468a-aad8-c9510f642b1a</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
          <strong>Sometimes “it will never happen to me” should not be the corporate line!</strong>
        </p>
        <p>
 
</p>
        <p>
 
</p>
        <p>
Last year I discovered that my credit card had been used for a number of rogue transactions.
My first thought was to blame the wife…but on second glance, they were clearly fraudulent.
My mood changed as I thought about all the phone calls and letters it would take to
clear up this mess.
</p>
        <p>
 
</p>
        <p>
 
</p>
        <p>
I knew instinctively that these transactions were through web channels: with the
introduction of Chip and PIN, card-present fraud is more challenging, yet the web was
still the easy target. A year on, the implementation of 3-D Secure in the form of MasterCard
SecureCode and Verified by Visa, although occasionally frustrating for consumers,
has helped reduce the potential for online fraud. It has been the first step in closing
down another route for criminals.
</p>
        <p>
 
</p>
        <p>
 
</p>
        <p>
Once I had managed to report the fraudulent transactions, it got me thinking about
how companies track the point of breach. The fraudster must have managed to get my
details from somewhere! Speaking to our fraud team, pinpointing the location of the
breach depends on how the stolen data is used, and the scale of the operation.
</p>
        <p>
 
</p>
        <p>
 
</p>
        <p>
It is simple maths. Once a number of cards have been reported as compromised, an issuer can
cross-reference their previous transactions to see if there is a common denominator.
If a large percentage of the compromised cards had previously been used at a particular
retailer, then there is the possibility that this is the source of the problem. With
access to the necessary data, patterns quickly emerge, and merchants are informed
about the suspicion of a breach.
</p>
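        <p>
The cross-referencing described above, as an added example that is neither an issuer’s production method nor code from the original post: each merchant is scored by the share of the reported cards that transacted there, compared against that merchant’s share of the whole card population, so a shop everyone uses is not flagged just because every compromised card has been there too. The transactions, card identifiers and thresholds are constructed sample data.
</p>

```python
"""Common point of purchase (CPP) analysis from the issuer's side, stand-alone.
The transactions and compromised-card list below are constructed sample data."""
from collections import defaultdict


def cpp_analysis(transactions, compromised):
    """transactions: (card, merchant) pairs from the look-back window.
    compromised: set of cards reported as having been used fraudulently.
    For each merchant returns the number of compromised cards seen there, the
    share of all compromised cards that is, and the lift of that share over
    the merchant's share of the whole card population."""
    cards_at = defaultdict(set)
    for card, merchant in transactions:
        cards_at[merchant].add(card)
    population = set(card for card, _ in transactions)
    rows = []
    for merchant, cards in cards_at.items():
        hits = len(cards.intersection(compromised))
        share = hits / len(compromised)
        baseline = len(cards) / len(population)
        rows.append({"merchant": merchant, "hits": hits,
                     "share": share, "lift": share / baseline})
    rows.sort(key=lambda r: (-r["share"], -r["lift"], r["merchant"]))
    return rows


def suspected_breach_points(transactions, compromised,
                            min_hits=5, min_share=0.5, min_lift=2.0):
    """Merchants worth a breach notification: enough compromised cards shopped
    there, they make up most of the compromised set, and that is well above what
    the merchant's overall footprint would explain (filters out ubiquitous merchants)."""
    return [r["merchant"] for r in cpp_analysis(transactions, compromised)
            if r["hits"] >= min_hits and r["share"] >= min_share
            and r["lift"] >= min_lift]


def sample_data():
    """Constructed: 200 cards all used at MegaMart, 40 of them also at PetrolCo,
    20 at CoffeeBar. 30 of the PetrolCo cards plus 5 unrelated cards were
    reported as compromised."""
    cards = [f"card{i:03d}" for i in range(200)]
    transactions = [(c, "MegaMart") for c in cards]
    transactions += [(c, "PetrolCo") for c in cards[:40]]
    transactions += [(c, "CoffeeBar") for c in cards[100:120]]
    compromised = set(cards[:30]).union(cards[150:155])
    return transactions, compromised
```

        <p>
On the sample data every compromised card has been to MegaMart, but so has every other card, so its lift is 1 and it is not flagged; PetrolCo holds 30 of the 35 compromised cards against a 20% footprint and is the suspected point of compromise.
</p>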
        <p>
 
</p>
        <p>
 
</p>
        <p>
For the retailer… it is time to call in the cavalry in the form of a Qualified Forensic
Investigator (QFI). These individuals can identify potential weaknesses in
systems, establish whether a breach has occurred, and possibly by whom, and present
information on how this can be addressed. This should be done
as soon as possible to increase the possibility of identifying the perpetrator before
the case goes cold.
</p>
        <p>
 
</p>
        <p>
 
</p>
        <p>
QFIs are able to react or to be proactive regarding security. Like a fire drill,
it is important that companies have a plan just in case of a breach, but far too many
believe that “this will never happen to me!” With the industry constantly trying to
keep up with the cyber criminals, it is always important to have a plan in place,
as well as keeping the phone number of a QFI in the company’s back pocket. You never
know when it might be needed.
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=8b6a8c1a-81da-468a-aad8-c9510f642b1a" />
      </body>
      <title>Which way to the Breach?</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,8b6a8c1a-81da-468a-aad8-c9510f642b1a.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2010/12/09/WhichWayToTheBreach.aspx</link>
      <pubDate>Thu, 09 Dec 2010 08:58:00 GMT</pubDate>
      <description>&lt;p&gt;
&lt;strong&gt;Sometimes “it will never happen to me” should not be the corporate line!&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Last year I discovered that my credit card had been used for a number of rogue transactions.
My first thought was to blame the wife…but on second glance, they were clearly fraudulent.
My mood changed as I thought about all the phone calls and letters it would take to
clear up this mess.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
I knew instinctively that these transactions were through web channels: with the
introduction of Chip and PIN, card-present fraud is more challenging, yet the web was
still the easy target. A year on, the implementation of 3-D Secure in the form of MasterCard
SecureCode and Verified by Visa, although occasionally frustrating for consumers,
has helped reduce the potential for online fraud. It has been the first step in closing
down another route for criminals.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Once I had managed to report the fraudulent transactions, it got me thinking about
how companies track the point of breach. The fraudster must have managed to get my
details from somewhere! Speaking to our fraud team, pinpointing the location of the
breach depends on how the stolen data is used, and the scale of the operation.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
It is simple maths. Once a number of cards have been reported as compromised, an issuer can
cross-reference their previous transactions to see if there is a common denominator.
If a large percentage of the compromised cards had previously been used at a particular
retailer, then there is the possibility that this is the source of the problem. With
access to the necessary data, patterns quickly emerge, and merchants are informed
about the suspicion of a breach.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
For the retailer… it is time to call in the cavalry in the form of a Qualified Forensic
Investigator (QFI). These individuals can identify potential weaknesses in
systems, establish whether a breach has occurred, and possibly by whom, and present
information on how this can be addressed. This should be done
as soon as possible to increase the possibility of identifying the perpetrator before
the case goes cold.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
QFIs are able to react or to be proactive regarding security. Like a fire drill,
it is important that companies have a plan just in case of a breach, but far too many
believe that “this will never happen to me!” With the industry constantly trying to
keep up with the cyber criminals, it is always important to have a plan in place,
as well as keeping the phone number of a QFI in the company’s back pocket. You never
know when it might be needed.
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=8b6a8c1a-81da-468a-aad8-c9510f642b1a" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,8b6a8c1a-81da-468a-aad8-c9510f642b1a.aspx</comments>
      <category>Fraud</category>
      <category>Payments</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=cd1b8ceb-90b8-409c-8e69-a167a7786a8a</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,cd1b8ceb-90b8-409c-8e69-a167a7786a8a.aspx</pingback:target>
      <dc:creator>Robin Adams</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,cd1b8ceb-90b8-409c-8e69-a167a7786a8a.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=cd1b8ceb-90b8-409c-8e69-a167a7786a8a</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Following recent news that more than two-thirds of companies have been hit by data
breaches over the past year, the report featured in <a href="http://www.computerweekly.com/Articles/2010/11/19/244013/More-than-two-thirds-of-UK-companies-hit-by-data-breaches-in-past.htm" target="_blank">Computer
Weekly</a> is an interesting, if alarming, confirmation that fraud is on the rise.
Although card-present payments have improved security measures due to developments
in global security standards like PCI DSS, cyber attacks continue to be an area
of vulnerability for businesses across the UK.
</p>
        <p>
        </p>
        <p>
Current laws in the UK don’t make it necessary for details of data breaches to be
publicised, so the report provides an interesting insight into the number of businesses
which are being affected by constant security threats. In the US the approach is completely
different: the <a href="http://www.ncsl.org/default.aspx?tabid=13489" target="_blank">State
Security Breach Notification Laws</a> require breaches to be disclosed, so there is more understanding
and knowledge of how an attack has occurred, dulling down the sensationalism surrounding
a data breach.
</p>
        <p>
        </p>
        <p>
In my experience, businesses and consumers are still falling victim to techniques
which are relatively old news; take for example SQL injection – a code injection technique
which exploits weaknesses in the checking of input data and which is very well known.
People just don’t want to envisage that this kind of attack may happen on their own
doorstep. Security professionals need to raise awareness of the constant and evolving
threat which cyber attacks pose to businesses and, most importantly, of how they can apply
best practice techniques to deal with them.
</p>
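        <p>
The SQL injection technique mentioned above, shown as an added example that is not part of the original post: the first lookup splices user input into the query text, so a quote in the input rewrites the WHERE clause and returns every customer; the second binds the input as a parameter and returns nothing for the same input. The table, the column names and the sample rows are assumptions for illustration.
</p>

```python
"""SQL injection, vulnerable beside hardened, against an in-memory SQLite
table of constructed sample rows. Table and column names are assumptions."""
import sqlite3


def build_db():
    """Constructed customer table holding only the last four digits of the PAN."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pan_last4 TEXT)")
    db.executemany("INSERT INTO customers (email, pan_last4) VALUES (?, ?)",
                   [("alice@example.com", "1111"), ("bob@example.com", "2222")])
    return db


def lookup_vulnerable(db, email):
    """Builds the WHERE clause by string concatenation: the input becomes part
    of the SQL, so a quote in it changes the query's logic."""
    sql = "SELECT email, pan_last4 FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, email):
    """Parameterised query: the input is bound as a value and can never be
    interpreted as SQL, whatever characters it contains."""
    sql = "SELECT email, pan_last4 FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


# Classic tautology: closes the string literal and appends an always-true clause.
PAYLOAD = "nobody@example.com' OR '1'='1"
```

        <p>
The parameterised form is the fix; input filtering on its own is not, because the database driver, not the application, is the only component that knows exactly how the value must be quoted.
</p>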
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=cd1b8ceb-90b8-409c-8e69-a167a7786a8a" />
      </body>
      <title>UK Businesses are falling victim to the same old scams</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,cd1b8ceb-90b8-409c-8e69-a167a7786a8a.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2010/11/26/UKBusinessesAreFallingVictimToTheSameOldScams.aspx</link>
      <pubDate>Fri, 26 Nov 2010 14:46:10 GMT</pubDate>
      <description>&lt;p&gt;
Following recent news that more than two-thirds of companies have been hit by data
breaches over the past year, the report featured in &lt;a href="http://www.computerweekly.com/Articles/2010/11/19/244013/More-than-two-thirds-of-UK-companies-hit-by-data-breaches-in-past.htm" target="_blank"&gt;Computer
Weekly&lt;/a&gt; is an interesting, if alarming, confirmation that fraud is on the rise.
Although card-present payments have improved security measures due to developments
in global security standards like PCI DSS, cyber attacks continue to be an area
of vulnerability for businesses across the UK.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
Current laws in the UK don’t make it necessary for details of data breaches to be
publicised, so the report provides an interesting insight into the number of businesses
which are being affected by constant security threats. In the US there is a completely
different approach and the &lt;a href="http://www.ncsl.org/default.aspx?tabid=13489" target="_blank"&gt;State
Security Breach Notification Laws&lt;/a&gt; publicise data breaches, so there is more understanding
and knowledge of how an attack occurred, which dulls the sensationalism surrounding
a data breach.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
In my experience, businesses and consumers are still falling victim to techniques
which are relatively old news; take for example SQL injection – a code injection technique
which exploits weaknesses in the checking of input data and which is very well known.
People just don’t want to envisage that this kind of attack may happen on their own
doorstep. Security professionals need to raise awareness to the constant and evolving
threat which cyber attacks pose to businesses and most importantly how they can apply
best practice techniques to deal with them.
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=cd1b8ceb-90b8-409c-8e69-a167a7786a8a" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,cd1b8ceb-90b8-409c-8e69-a167a7786a8a.aspx</comments>
      <category>Fraud</category>
      <category>PCI DSS</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=90eb3ed5-dd3a-4595-8bc2-70a54521b6f4</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,90eb3ed5-dd3a-4595-8bc2-70a54521b6f4.aspx</pingback:target>
      <dc:creator>Robin Adams</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,90eb3ed5-dd3a-4595-8bc2-70a54521b6f4.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=90eb3ed5-dd3a-4595-8bc2-70a54521b6f4</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
According to the January 2010 report from the National Fraud Authority, fraud now
costs the UK an eye watering £30 billion a year. 58% of fraud is committed in the
private sector with tax fraud hitting £15.2 billion, and, in the private sector, financial
services companies and organisations are said to suffer yearly losses of £3.8 billion
through crimes including mortgage and insurance fraud, online banking, cheque and
card fraud.
</p>
        <p>
 
</p>
        <p>
According to CIFAS, the UK’s Fraud Prevention Service, nearly 60,000 proven frauds
were identified in the first three months of 2010 alone. Identity theft, where fraudsters
use the names and details of innocent victims to generate cash-flow, has also increased
by almost 20% in the first quarter of 2010 compared to the same period in 2009.
</p>
        <p>
 
</p>
        <p>
In order to combat fraud and security breaches effectively, merchants across all sectors
need a better understanding of their overall fraud and security threat landscape and
exposure. Many merchants make the mistake of putting all their effort into preventing
ecommerce fraud. This however is short-sighted as there are no boundaries to fraudulent
activity. All channels are vulnerable.
</p>
        <p>
 
</p>
        <p>
Fraudsters can be first party, third party, ‘friendly’, opportunistic or part of an
organised group of criminals - anything from an underage person trying to buy alcohol
with a parental credit card to an organised gang of criminals performing a complex
Denial of Service (DoS) attack designed to make a computer resource unavailable to
its intended users. Fraud can also occur anywhere within a business – from externally
generated activity to internal threats from one’s own staff.
</p>
        <p>
 
</p>
        <p>
Multichannel approach for a multichannel problem
</p>
        <p>
The problem is vast, constant and evolving - as fast as merchants can detect fraudulent
activity and shut it down, fraudsters remain one step ahead with new techniques for
merchants and the payments industry to fight against across multichannel environments.
</p>
        <p>
 
</p>
        <p>
And, no matter how much an organisation works to protect or prevent security breaches,
you can bet the persistent fraudster will be working diligently to find another channel
to exploit. If they have been prevented from defrauding a merchant in a shop where
the cardholder has to be present to make a purchase by Chip and Pin, they may then
try to find gaps within a merchant’s ecommerce environment.
</p>
        <p>
 
</p>
        <p>
If that merchant has 3D Secure in place to limit ecommerce fraud, fraudsters may then
see if they can exploit that merchant’s call centre channel. And, when a fraudster
or gang of criminals succeeds in committing fraud in one particular channel, they
will often extend their activity to other channels because it is easy for them to
do so.
</p>
        <p>
 
</p>
        <p>
Certain sectors are also subject to particular types of targeted fraud and merchants
should be aware of the types of fraud prevalent in their market.
</p>
        <p>
 
</p>
        <p>
In the Financial Services sector, for example, No Intention to Pay (NITP) fraud is
on the increase. Here fraudsters may sign up for car insurance (usually using a compromised
credit card) for the first payment of the policy and then set up a direct debit to
pay for the remaining 11 instalments. As soon as the insurance certificate is received
the fraudster will cancel the direct debit facility. The insurance company generally
writes this off as it’s deemed too expensive to follow through. Meanwhile the fraudster
has the certificate if stopped by the police or needs to prove the vehicle is insured.
</p>
        <p>
 
</p>
        <p>
Charities are also well known for being used as test sites for fraudsters. As many
of these charities take low value transactions, fraudsters use these sites to see
if compromised cards can get through authorisation before going to other sites selling
higher value goods.
</p>
        <p>
 
</p>
        <p>
Merchants that sell goods and services with an age restriction (e.g. alcohol, knives,
games or betting services) are also regularly targeted by fraudsters. Underage children
may try to make themselves appear older by changing their date of birth, or use a parent’s
credit card to buy restricted goods. Or someone may try to open up an account to access
pornography using a nearest and dearest’s personal details. Without proper identity
checks to catch them out, fraudsters can easily get around such restrictions.
</p>
        <p>
 
</p>
        <p>
How should merchants tackle fraud and security breaches?
</p>
        <p>
The truth is that there is no silver bullet to combat fraud. A merchant can’t simply
adopt 3D Secure and presume they are safeguarded – fraudsters will find another way.
There is also no ‘one size fits all’ solution, as every merchant is different with
different fraud levels and exposure. One prevention technique will work for one and
not the other.
</p>
        <p>
 
</p>
        <p>
Merchants need to look at their payment and loyalty environments as a whole, not just
looking at fraud prevention in isolation.
</p>
        <p>
 
</p>
        <p>
Prevent
</p>
        <p>
The first step is to take measures to prevent fraud and detect areas of vulnerability
before fraudsters can attack. This can be done by implementing correct procedures
(and ensuring that the business is following those procedures), training staff to
recognise fraudulent activity, adhering to industry initiatives such as PCI DSS, 3D
Secure and CV2, and making use of expert fraud screening and prevention suppliers.
</p>
        <p>
 
</p>
        <p>
Protect
</p>
        <p>
Merchants need to make sure their infrastructure is protected against security breaches.
If infrastructure and networks are not protected, hackers will penetrate systems and
steal consumer and business data. By complying with best-practice guidelines such
as PCI DSS, organisations can protect their infrastructure, customer confidence, loyalty
and ultimately retention.
</p>
        <p>
 
</p>
        <p>
Pursue
</p>
        <p>
However, even if a merchant follows best practice guidelines and is PCI DSS compliant,
it may still be the victim of a breach. At this stage it is important to have procedures
in place to pursue. This allows merchants to rapidly respond to any external or internal
breach and understand why it happened, who caused it, where and when it took place
so the breach does not occur again. This can include calling in a Qualified Forensic
Investigator (QFI) that uses ethical hackers and a dedicated forensics lab to identify
and pursue attacks including website hacking, unauthorised access to critical systems,
theft of financial or critical data, and unauthorised use of computer equipment.
</p>
        <p>
 
</p>
        <p>
While fraudsters are ever more resourceful and have been more active than ever during
the peak of the recession, there is a continued effort on behalf of the industry to
stay ahead of the fraud curve. As there is no one solution or approach to combat fraud,
retailers, banks and security specialists must increasingly work together and pool
expertise to help organisations to actively prevent fraud before it happens, protect
against breaches that are likely to happen or are happening, and aggressively pursue
fraudsters once a breach has taken place. In order to enhance customer confidence
and interaction and reduce business risk, organisations too must step up and put processes
in place to ensure they are managing their information and transactions
securely. Point solutions are available, but at the end of the day, it will be combined
fraud and risk management expertise with an overall integrated approach that will
keep fraudsters at bay.
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=90eb3ed5-dd3a-4595-8bc2-70a54521b6f4" />
      </body>
      <title>Combating Fraud - One Size Doesn’t Fit All</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,90eb3ed5-dd3a-4595-8bc2-70a54521b6f4.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2010/11/10/CombatingFraudOneSizeDoesntFitAll.aspx</link>
      <pubDate>Wed, 10 Nov 2010 16:44:31 GMT</pubDate>
      <description>&lt;p&gt;
According to the January 2010 report from the National Fraud Authority, fraud now
costs the UK an eye watering £30 billion a year. 58% of fraud is committed in the
private sector with tax fraud hitting £15.2 billion, and, in the private sector, financial
services companies and organisations are said to suffer yearly losses of £3.8 billion
through crimes including mortgage and insurance fraud, online banking, cheque and
card fraud.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
According to CIFAS, the UK’s Fraud Prevention Service, nearly 60,000 proven frauds
were identified in the first three months of 2010 alone. Identity theft, where fraudsters
use the names and details of innocent victims to generate cash-flow, has also increased
by almost 20% in the first quarter of 2010 compared to the same period in 2009.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
In order to combat fraud and security breaches effectively, merchants across all sectors
need a better understanding of their overall fraud and security threat landscape and
exposure. Many merchants make the mistake of putting all their effort into preventing
ecommerce fraud. This however is short-sighted as there are no boundaries to fraudulent
activity. All channels are vulnerable.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Fraudsters can be first party, third party, ‘friendly’, opportunistic or part of an
organised group of criminals - anything from an underage person trying to buy alcohol
with a parental credit card to an organised gang of criminals performing a complex
Denial of Service (DoS) attack designed to make a computer resource unavailable to
its intended users. Fraud can also occur anywhere within a business – from externally
generated activity to internal threats from one’s own staff.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Multichannel approach for a multichannel problem
&lt;/p&gt;
&lt;p&gt;
The problem is vast, constant and evolving - as fast as merchants can detect fraudulent
activity and shut it down, fraudsters remain one step ahead with new techniques for
merchants and the payments industry to fight against across multichannel environments.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
And, no matter how much an organisation works to protect or prevent security breaches,
you can bet the persistent fraudster will be working diligently to find another channel
to exploit. If they have been prevented from defrauding a merchant in a shop where
the cardholder has to be present to make a purchase by Chip and Pin, they may then
try to find gaps within a merchant’s ecommerce environment.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
If that merchant has 3D Secure in place to limit ecommerce fraud, fraudsters may then
see if they can exploit that merchant’s call centre channel. And, when a fraudster
or gang of criminals succeeds in committing fraud in one particular channel, they
will often extend their activity to other channels because it is easy for them to
do so.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Certain sectors are also subject to particular types of targeted fraud and merchants
should be aware of the types of fraud prevalent in their market.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
In the Financial Services sector, for example, No Intention to Pay (NITP) fraud is
on the increase. Here fraudsters may sign up for car insurance (usually using a compromised
credit card) for the first payment of the policy and then set up a direct debit to
pay for the remaining 11 instalments. As soon as the insurance certificate is received
the fraudster will cancel the direct debit facility. The insurance company generally
writes this off as it’s deemed too expensive to follow through. Meanwhile the fraudster
has the certificate if stopped by the police or needs to prove the vehicle is insured.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Charities are also well known for being used as test sites for fraudsters. As many
of these charities take low value transactions, fraudsters use these sites to see
if compromised cards can get through authorisation before going to other sites selling
higher value goods.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Merchants that sell goods and services with an age restriction (e.g. alcohol, knives,
games or betting services) are also regularly targeted by fraudsters. Underage children
may try to make themselves appear older by changing their date of birth, or use a parent’s
credit card to buy restricted goods. Or someone may try to open up an account to access
pornography using a nearest and dearest’s personal details. Without proper identity
checks to catch them out, fraudsters can easily get around such restrictions.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
How should merchants tackle fraud and security breaches?
&lt;/p&gt;
&lt;p&gt;
The truth is that there is no silver bullet to combat fraud. A merchant can’t simply
adopt 3D Secure and presume they are safeguarded – fraudsters will find another way.
There is also no ‘one size fits all’ solution, as every merchant is different with
different fraud levels and exposure. One prevention technique will work for one and
not the other.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Merchants need to look at their payment and loyalty environments as a whole, not just
looking at fraud prevention in isolation.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Prevent
&lt;/p&gt;
&lt;p&gt;
The first step is to take measures to prevent fraud and detect areas of vulnerability
before fraudsters can attack. This can be done by implementing correct procedures
(and ensuring that the business is following those procedures), training staff to
recognise fraudulent activity, adhering to industry initiatives such as PCI DSS, 3D
Secure and CV2, and making use of expert fraud screening and prevention suppliers.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Protect
&lt;/p&gt;
&lt;p&gt;
Merchants need to make sure their infrastructure is protected against security breaches.
If infrastructure and networks are not protected, hackers will penetrate systems and
steal consumer and business data. By complying with best-practice guidelines such
as PCI DSS, organisations can protect their infrastructure, customer confidence, loyalty
and ultimately retention.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
Pursue
&lt;/p&gt;
&lt;p&gt;
However, even if a merchant follows best practice guidelines and is PCI DSS compliant,
it may still be the victim of a breach. At this stage it is important to have procedures
in place to pursue. This allows merchants to rapidly respond to any external or internal
breach and understand why it happened, who caused it, where and when it took place
so the breach does not occur again. This can include calling in a Qualified Forensic
Investigator (QFI) that uses ethical hackers and a dedicated forensics lab to identify
and pursue attacks including website hacking, unauthorised access to critical systems,
theft of financial or critical data, and unauthorised use of computer equipment.
&lt;/p&gt;
&lt;p&gt;
&amp;nbsp;
&lt;/p&gt;
&lt;p&gt;
While fraudsters are ever more resourceful and have been more active than ever during
the peak of the recession, there is a continued effort on behalf of the industry to
stay ahead of the fraud curve. As there is no one solution or approach to combat fraud,
retailers, banks and security specialists must increasingly work together and pool
expertise to help organisations to actively prevent fraud before it happens, protect
against breaches that are likely to happen or are happening, and aggressively pursue
fraudsters once a breach has taken place. In order to enhance customer confidence
and interaction and reduce business risk, organisations too must step up and put processes
in place to ensure they are managing their information and transactions
securely. Point solutions are available, but at the end of the day, it will be combined
fraud and risk management expertise with an overall integrated approach that will
keep fraudsters at bay.
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=90eb3ed5-dd3a-4595-8bc2-70a54521b6f4" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,90eb3ed5-dd3a-4595-8bc2-70a54521b6f4.aspx</comments>
      <category>Fraud</category>
      <category>Payments</category>
      <category>PCI DSS</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=0b580e81-a5b0-4399-812e-c9a5730cc637</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,0b580e81-a5b0-4399-812e-c9a5730cc637.aspx</pingback:target>
      <dc:creator>Neil ONeil</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,0b580e81-a5b0-4399-812e-c9a5730cc637.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=0b580e81-a5b0-4399-812e-c9a5730cc637</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
100% security doesn’t exist.
</p>
        <p>
        </p>
        <p>
The frustrating truth is that almost every organisation will suffer a security breach
at some point. Whether it is the defacing of a website, loss of data through a Trojan
horse or the corruption of a system by a virus or worm, most companies will experience
some form of data breach. This includes merchants who have diligently put measures
in place to prevent fraud by implementing the correct security processes and procedures,
enlisted specialist third-party anti-fraud services, adhered to appropriate industry
initiatives such as 3D Secure and CV2, and complied with PCI DSS to protect their
infrastructure against attack.
</p>
        <p>
        </p>
        <p>
While all of these measures form part of a comprehensive security plan - and PCI DSS
is a good basis on which to build resilience to a breach - there simply is no foolproof
solution. The level of fraud is staggering and always changing in scope. In 2008 for
example, 19% of organisations who were subject to a security breach were, in fact,
PCI compliant. Many organisations never even realise they are hacked. In 2008, 69%
of credit card breaches reported were by third parties rather than the breached organisation.
</p>
        <p>
        </p>
        <p>
Hackers use freely available company data to target and ‘footprint’ an organisation
in preparation for an attack. They are creative, innovative and above all persistent;
intent on stealing data from whatever channel they can, be it customer data, credit
card numbers or corporate documents. No matter how much an organisation tries to prevent
and protect against a breach, the persistent hacker may find a hole that a systems
administrator hasn’t plugged. Merchants should therefore be ready for the eventuality
of a security breach with procedures in place to pursue and rapidly respond should
an external or internal breach occur.
</p>
        <p>
        </p>
        <p>
Prepared for action
</p>
        <p>
Once a breach becomes apparent, merchants must immediately contain and limit the exposure
of the breach to minimise data loss. If the merchant is PCI DSS compliant they will
have an incident response process in place which should be followed. If a merchant
does not have an incident response process in place or is not PCI DSS compliant,
they should engage the services of a forensic specialist to investigate the breach
to determine the root cause and to pursue the perpetrators.
</p>
        <p>
        </p>
        <p>
Merchants also need to notify their acquiring bank as soon as possible; the bank may also
request that they assign a Qualified Forensics Investigator (QFI), from a reputable
fraud and payment security specialist like The Logic Group, to investigate the breach.
The merchant can choose their own QFI from a list provided by VISA and/or MasterCard.
Prompt action is critical when a breach occurs; if a merchant doesn’t already have
relationships in place with a QFI valuable time can be lost. In some instances it
can take as long as three to four weeks to get the legal agreements in place (such
as NDAs, a contract for forensic services, a pricing schedule, etc.). It therefore makes
sense to already have a QFI assigned to the company. If the relationship already exists
the QFI can be integrated into a merchant’s incident response plan so reaction to
a breach would be immediate.
</p>
        <p>
        </p>
        <p>
Pre-arranged service contracts with QFIs are available, providing a 24 x 7 call-out
service to deal with any security incident. Such contracts are similar to a gas boiler
maintenance contract with an on-call emergency service and an annual inspection to
assess risks and exposure from external and internal threats.
</p>
        <p>
        </p>
        <p>
Within three days the merchant must also provide a Compromised Entity Details report
to the card scheme(s).
</p>
        <p>
        </p>
        <p>
Investigating a breach
</p>
        <p>
A forensic investigator will follow a structured forensic methodology using different
tools to analyse the compromised environment. An investigator will first work to isolate
the area of compromise to limit further compromise and also to maintain the integrity
of the environment. This will allow them then to conduct forensic tests to identify
the method of compromise and, where possible, identify evidence to support finding
the identity of the perpetrator. Most importantly, the investigator will know how
to preserve, extract and analyse evidence in a manner that can stand up in a court
of law and that complies with the requirements of the card schemes.
</p>
        <p>
        </p>
        <p>
Many security breaches are via SQL injection. Typically this is where an e-commerce
website has not been securely coded or hasn’t had the appropriate security penetration
testing performed. This weakness allows a hacker to steal data directly from the customer
database anonymously over the Internet. Many main high street brand names have a significant
online presence in, for example, the estate agent, holiday travel, car insurance,
electrical gadgets, auction and book selling market sectors. In these markets insecure
websites can potentially leak customer and financial data.
</p>
        <p>
        </p>
        <p>
In the majority of cases the method, area of breach and data at risk can be identified.
In cases where the compromised card numbers are known, they can be searched for using
e-discovery tools.
</p>
        <p>
        </p>
        <p>
QFIs can also use a Certified Ethical Hacker (CEH) to identify risks. Using the same
tools as an unethical hacker, a CEH will have permission to hack a live system with
the full cooperation of the client in order to identify where there are weaknesses
in the environment. The CEH will then write a report on the weaknesses found and provide
recommendations for remediation.
</p>
        <p>
        </p>
        <p>
The evidence captured during an investigation will be analysed, logged and securely
stored in a forensics lab which employs specialist tools to ensure all data is protected
during the investigation so that evidence cannot be tampered with.
</p>
        <p>
Knowing what
to do and taking quick action in the event of a breach is critical. Using the service
of a QFI and establishing the relationship early on will help to ensure that a breach
will be identified and contained quickly. The resulting forensic analysis will also
provide the best possible chance of pursuing the breach and shoring up an organisation’s
defences to ensure a similar attack doesn’t happen again.
</p>
        <p>
        </p>
        <p>
Security is not a quick fix. Organisations must evaluate and assess all parts of their
business to identify the risks and potential of exposure. Comprehensive processes
and procedures must be put in place to prevent breaches from happening in the first
place, best-practice guidelines should be followed to protect an infrastructure from
attack including compliance to PCI DSS, and organisations should be ready to pursue
a breach should it occur by rapidly responding in the event of a compromise. While
fraudulent activity can never be avoided completely, this is an organisation’s best
defence.
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=0b580e81-a5b0-4399-812e-c9a5730cc637" />
      </body>
      <title>Be Ready to Pursue - Before an Attack Occurs</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,0b580e81-a5b0-4399-812e-c9a5730cc637.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2010/11/10/BeReadyToPursueBeforeAnAttackOccurs.aspx</link>
      <pubDate>Wed, 10 Nov 2010 16:30:12 GMT</pubDate>
      <description>&lt;p&gt;
100% security doesn’t exist.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
The frustrating truth is that almost every organisation will suffer a security breach
at some point. Whether it is the defacing of a website, loss of data through a Trojan
horse or the corruption of a system by a virus or worm, most companies will experience
some form of data breach. This includes merchants who have diligently put measures
in place to prevent fraud by implementing the correct security processes and procedures,
enlisted specialist third-party anti-fraud services, adhered to appropriate industry
initiatives such as 3D Secure and CV2, and complied with PCI DSS to protect their
infrastructure against attack.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
While all of these measures form part of a comprehensive security plan - and PCI DSS
is a good basis on which to build resilience to a breach - there simply is no foolproof
solution. The level of fraud is staggering and always changing in scope. In 2008 for
example, 19% of organisations who were subject to a security breach were, in fact,
PCI compliant. Many organisations never even realise they are hacked. In 2008, 69%
of credit card breaches reported were by third parties rather than the breached organisation.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
Hackers use freely available company data to target and ‘footprint’ an organisation
in preparation for an attack. They are creative, innovative and above all persistent;
intent on stealing data from whatever channel they can, be it customer data, credit
card numbers or corporate documents. No matter how much an organisation tries to prevent
and protect against a breach, the persistent hacker may find a hole that a systems
administrator hasn’t plugged. Merchants should therefore be ready for the eventuality
of a security breach with procedures in place to pursue and rapidly respond should
an external or internal breach occur.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
Prepared for action
&lt;/p&gt;
&lt;p&gt;
Once a breach becomes apparent, merchants must immediately contain and limit the exposure
of the breach to minimise data loss. If the merchant is PCI DSS compliant they will
have an incident response process in place which should be followed. If a merchant
does not have an incident response process in place or is not PCI DSS compliant,
they should engage the services of a forensic specialist to investigate the breach
to determine the root cause and to pursue the perpetrators.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
Merchants also need to notify their acquiring bank as soon as possible; the bank may also
request that they assign a Qualified Forensics Investigator (QFI), from a reputable
fraud and payment security specialist like The Logic Group, to investigate the breach.
The merchant can choose their own QFI from a list provided by VISA and/or MasterCard.
Prompt action is critical when a breach occurs; if a merchant doesn’t already have
relationships in place with a QFI valuable time can be lost. In some instances it
can take as long as three to four weeks to get the legal agreements in place (such
as NDAs, a contract for forensic services, a pricing schedule, etc.). It therefore makes
sense to already have a QFI assigned to the company. If the relationship already exists
the QFI can be integrated into a merchant’s incident response plan so reaction to
a breach would be immediate.
&lt;/p&gt;
&lt;p&gt;
&lt;/p&gt;
&lt;p&gt;
Pre-arranged service contracts with QFIs are available, providing a 24 x 7 call-out
service to deal with any security incident. Such contracts are similar to a gas boiler
maintenance contract, with an on-call emergency service and an annual inspection to
assess risks and exposure from external and internal threats.
&lt;/p&gt;
&lt;p&gt;
Within three days the merchant must also provide a Compromised Entity Details report
to the card scheme(s).
&lt;/p&gt;
&lt;p&gt;
Investigating a breach
&lt;/p&gt;
&lt;p&gt;
A forensic investigator will follow a structured forensic methodology, using different
tools to analyse the compromised environment. An investigator will first work to isolate
the area of compromise, both to limit further compromise and to maintain the integrity
of the environment. This then allows them to conduct forensic tests to identify
the method of compromise and, where possible, to gather evidence that supports establishing
the identity of the perpetrator. Most importantly, the investigator will know how
to preserve, extract and analyse evidence in a manner that can stand up in a court
of law and that complies with the requirements of the card schemes.
&lt;/p&gt;
&lt;p&gt;
Many security breaches occur via SQL injection. Typically this is where an e-commerce
website has not been coded securely or hasn’t had appropriate security penetration
testing performed. This weakness allows a hacker to steal data directly from the customer
database anonymously over the Internet. Many major high street brands have a significant
online presence in, for example, the estate agency, holiday travel, car insurance,
electrical gadget, auction and book selling market sectors. In these markets insecure
websites can potentially leak customer and financial data.
&lt;/p&gt;
&lt;p&gt;
In the majority of cases the method, area of breach and data at risk can be identified.
In cases where the compromised card numbers are known, they can be searched for using
e-discovery tools.
&lt;/p&gt;
&lt;p&gt;
QFIs can also use a Certified Ethical Hacker (CEH) to identify risks. Using the same
tools as an unethical hacker, a CEH has permission to hack a live system, with
the full cooperation of the client, in order to identify where there are weaknesses
in the environment. The CEH will then write a report on the weaknesses found and provide
recommendations for remediation.
&lt;/p&gt;
&lt;p&gt;
The evidence captured during an investigation will be analysed, logged and securely
stored in a forensics lab which employs specialist tools to ensure all data is protected
during the investigation, so that evidence cannot be tampered with.
&lt;/p&gt;
&lt;p&gt;
Knowing what to do and taking quick action in the event of a breach is critical. Using
the services of a QFI and establishing the relationship early on will help to ensure
that a breach is identified and contained quickly. The resulting forensic analysis will
also give the best possible chance of pursuing the breach and shoring up an organisation’s
defences to ensure a similar attack doesn’t happen again.
&lt;/p&gt;
&lt;p&gt;
Security is not a quick fix. Organisations must evaluate and assess all parts of their
business to identify the risks and potential for exposure. Comprehensive processes
and procedures must be put in place to prevent breaches from happening in the first
place; best-practice guidelines, including compliance with PCI DSS, should be followed
to protect an infrastructure from attack; and organisations should be ready to pursue
a breach should it occur by responding rapidly in the event of a compromise. While
fraudulent activity can never be avoided completely, this is an organisation’s best
defence.
&lt;/p&gt;
</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,0b580e81-a5b0-4399-812e-c9a5730cc637.aspx</comments>
      <category>Fraud</category>
      <category>Payments</category>
      <category>PCI DSS</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=42e60a05-bf5f-4d0b-b766-0287cc790e09</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,42e60a05-bf5f-4d0b-b766-0287cc790e09.aspx</pingback:target>
      <dc:creator>Robin Adams</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,42e60a05-bf5f-4d0b-b766-0287cc790e09.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=42e60a05-bf5f-4d0b-b766-0287cc790e09</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
In the past decade there has been a sharp increase in focus on the security of cardholder
data held by third parties. High profile data breaches and the associated losses resulting
from the fraudulent use of compromised cardholder data have made global headlines
and have struck fear into consumers and merchants alike.<br /><br />
Well publicised breaches include Heartland Payment Systems Inc in 2008 and TJX
Companies Inc in 2007. In both cases it was reported that well over 40 million card
details were compromised. Although breaches tend not to be as well publicised in Europe
(as the duty of disclosure is not mandated), in the UK fraud is known to have accounted
for £610M of transactions in 2008, which was 0.12% of the total card turnover.<br /><br />
However, fraud can and does hit every corner of a business. According to a survey
published in April 2010 by PwC, 92% of large British businesses have experienced some
kind of security breach in the past year – including attacks by cybercriminals and
accidental leaks of confidential data. According to the report, large companies are
dealing with an average of 45 incidents a year – up from 15 only two years ago – and
the cost incurred to deal with these incidents is soaring, with the worst cases cited
as costing as much as £690,000 to fix.<br /><br />
In addition to putting measures in place to prevent fraud at the point of purchase,
merchants must also protect their infrastructures from security breaches and attacks.
If network infrastructures are not protected from hackers intent on obtaining sensitive
information such as cardholder data, hackers will penetrate systems and steal consumer
and business information, which will be used for fraudulent activity.<br /><br />
All businesses, regardless of size or industry, need to fully understand the scope
of their fraud and security landscape and put measures in place to prevent fraudulent
activity from occurring. This includes reviewing exposure to card data fraud, identity
fraud, internal fraud and sector specific fraud. Implementing the correct procedures
(and ensuring that the people in the business are aware of and following those procedures),
incorporating appropriate anti-fraud systems, adhering to industry initiatives such
as 3D Secure and CV2, and training staff to recognise fraudulent activity should all
be part of an overall anti-fraud strategy.<br /><br /><strong>A multifaceted approach</strong><br />
The most comprehensive way for a merchant to protect their infrastructure is by complying
with the Payment Card Industry Data Security Standard (PCI DSS), which was introduced
to address the increasing threat of the loss of cardholder data and protect infrastructures
from attack. Merchants, acquirers, payment service providers and issuers are now
mandated to become compliant with this standard to protect cardholder data both in
transmission and at rest throughout the payment network infrastructure.<br /><br />
PCI DSS is multifaceted and includes requirements for security management, policies
and procedures, network architecture, software design and other critical protective
measures. This includes building and maintaining a secure network, protecting cardholder
data through encryption technology, developing and maintaining secure systems and
applications, implementing access control measures, regular testing of security systems
and processes, and maintaining a policy that addresses information security.<br /><br />
Though PCI DSS may initially be daunting, merchants should view compliance not just
as a mandate, but as a critical component of their overall security and anti-fraud
strategy. Opportunistic fraudsters continue to strike across different channels and
securing infrastructure against a breach is a necessary element of any security strategy.<br /><br /><strong>The cost of non-compliance</strong><br />
While there is a significant threat of fines for non-compliance with the standard, merchants
should also consider that a data breach resulting from non-compliance will inevitably
result in significant damage to brand reputation. A report by Ipsos MORI found that
merchants could expect to see customers abandoning firms that suffer security breaches
(53% of respondents), opting to cancel their credit cards (48% of the respondents)
and lastly reporting them to the police (20% of the respondents) or national consumer
bodies (17% of the respondents).<br /><br />
The Logic Group recently carried out its fifth annual survey of PCI DSS compliance
and awareness which encouragingly revealed that there is a growing trend toward adoption
of the standard by card security professionals and that the standard is achieving
its objectives. According to the study, 83% of businesses believe that their organisation
is more or significantly more secure due to PCI DSS which is good news for all.<br /><br />
The survey also discovered that organisations, although more attuned to the benefits
of PCI DSS than ever before, are almost unanimous (98%) in their belief that greater
focus should be placed upon improving security not just achieving compliance for the
sake of it. Perceived wisdom is that if organisations focus on comprehensive security
across their business channels, then compliance will follow.<br /><br />
There are many specialists who can help organisations implement and comply with PCI
DSS; however, there are only around 40 organisations with Qualified Security Assessors
(QSAs) in the UK which are authorised to conduct on-site audits validating a merchant’s
adherence to the requirements of the PCI DSS. To become a QSA, an organisation’s suitability
has to be reviewed as part of a rigorous application process before it can receive
approval from the Security Standards Council to put forward a number of individuals
to take the QSA training course and exam.<br /><br />
When implemented correctly, the requirements of the PCI DSS successfully protect
merchants from data exposure and compromise. As a result, on-site PCI DSS audits performed
by QSAs have become vital in today’s environment. How successfully an assessment is
conducted can have a significant impact on the implementation of PCI measures and
controls, which can be a costly and quite painful process for merchants, so it is
a qualification that comes with significant responsibilities.<br /><br />
Although increasing numbers are embracing the broader benefits of PCI DSS, many
are still underestimating the amount of time it will take to achieve compliance. At
the beginning of 2008, 71% of respondents said they were either already compliant or
expected to be compliant within 12 months. One year on, though, the figure to have successfully
achieved full compliance still stands at only 25%.<br /><br /><strong>Constant evolution</strong><br />
Technology and business processes linked to fighting card fraud and sustaining compliance
are rapidly evolving and keeping up can be a challenge. Attacks and techniques are
increasingly innovative and fraudsters are ever persistent. In addition to putting
measures in place to prevent fraudulent activity, organisations need to protect their
infrastructure against security breaches and for this PCI DSS compliance is a must.<br /><br />
End-to-end encryption (E2EE) is a system which requires that card data is encrypted
(or, more simply, scrambled) at the point of payment using a secure device.
The data is only decrypted, or reformed, within a secure data centre which has been
certified as a PCI DSS compliant environment. This practice ensures that card data
is not exposed to the threat of fraud whilst it is being transferred to the point
of storage.<br /><br />
Putting preventative and protective measures in place, however, isn’t foolproof; unfortunately
100% security doesn’t exist. The reality is that even if an organisation is PCI DSS
compliant, it may still be the victim of a breach. Merchants should therefore also
have procedures in place to prepare themselves for the eventuality of a compromise,
so they are ready to pursue and rapidly respond to any external or internal breach
should it occur.
</p>
      </body>
      <title>Comprehensive Protection Against Fraud</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,42e60a05-bf5f-4d0b-b766-0287cc790e09.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2010/10/14/ComprehensiveProtectionAgainstFraud.aspx</link>
      <pubDate>Thu, 14 Oct 2010 09:04:44 GMT</pubDate>
      <description>&lt;p&gt;
In the past decade there has been a sharp increase in focus on the security of cardholder
data held by third parties. High profile data breaches and the associated losses resulting
from the fraudulent use of compromised cardholder data have made global headlines
and have struck fear into consumers and merchants alike.&lt;br&gt;
&lt;br&gt;
Well publicised breaches include Heartland Payment Systems Inc in 2008 and TJX
Companies Inc in 2007. In both cases it was reported that well over 40 million card
details were compromised. Although breaches tend not to be as well publicised in Europe
(as the duty of disclosure is not mandated), in the UK fraud is known to have accounted
for £610M of transactions in 2008, which was 0.12% of the total card turnover.&lt;br&gt;
&lt;br&gt;
However, fraud can and does hit every corner of a business. According to a survey
published in April 2010 by PwC, 92% of large British businesses have experienced some
kind of security breach in the past year – including attacks by cybercriminals and
accidental leaks of confidential data. According to the report, large companies are
dealing with an average of 45 incidents a year – up from 15 only two years ago – and
the cost incurred to deal with these incidents is soaring, with the worst cases cited
as costing as much as £690,000 to fix.&lt;br&gt;
&lt;br&gt;
In addition to putting measures in place to prevent fraud at the point of purchase,
merchants must also protect their infrastructures from security breaches and attacks.
If network infrastructures are not protected from hackers intent on obtaining sensitive
information such as cardholder data, hackers will penetrate systems and steal consumer
and business information, which will be used for fraudulent activity.&lt;br&gt;
&lt;br&gt;
All businesses, regardless of size or industry, need to fully understand the scope
of their fraud and security landscape and put measures in place to prevent fraudulent
activity from occurring. This includes reviewing exposure to card data fraud, identity
fraud, internal fraud and sector specific fraud. Implementing the correct procedures
(and ensuring that the people in the business are aware of and following those procedures),
incorporating appropriate anti-fraud systems, adhering to industry initiatives such
as 3D Secure and CV2, and training staff to recognise fraudulent activity should all
be part of an overall anti-fraud strategy.&lt;br&gt;
&lt;br&gt;
&lt;strong&gt;A multifaceted approach&lt;/strong&gt;
&lt;br&gt;
The most comprehensive way for a merchant to protect their infrastructure is by complying
with the Payment Card Industry Data Security Standard (PCI DSS), which was introduced
to address the increasing threat of the loss of cardholder data and protect infrastructures
from attack. Merchants, acquirers, payment service providers and issuers are now
mandated to become compliant with this standard to protect cardholder data both in
transmission and at rest throughout the payment network infrastructure.&lt;br&gt;
&lt;br&gt;
PCI DSS is multifaceted and includes requirements for security management, policies
and procedures, network architecture, software design and other critical protective
measures. This includes building and maintaining a secure network, protecting cardholder
data through encryption technology, developing and maintaining secure systems and
applications, implementing access control measures, regular testing of security systems
and processes, and maintaining a policy that addresses information security.&lt;br&gt;
&lt;br&gt;
Though PCI DSS may initially be daunting, merchants should view compliance not just
as a mandate, but as a critical component of their overall security and anti-fraud
strategy. Opportunistic fraudsters continue to strike across different channels and
securing infrastructure against a breach is a necessary element of any security strategy.&lt;br&gt;
&lt;br&gt;
&lt;strong&gt;The cost of non-compliance&lt;/strong&gt;
&lt;br&gt;
While there is a significant threat of fines for non-compliance with the standard, merchants
should also consider that a data breach resulting from non-compliance will inevitably
result in significant damage to brand reputation. A report by Ipsos MORI found that
merchants could expect to see customers abandoning firms that suffer security breaches
(53% of respondents), opting to cancel their credit cards (48% of the respondents)
and lastly reporting them to the police (20% of the respondents) or national consumer
bodies (17% of the respondents).&lt;br&gt;
&lt;br&gt;
The Logic Group recently carried out its fifth annual survey of PCI DSS compliance
and awareness which encouragingly revealed that there is a growing trend toward adoption
of the standard by card security professionals and that the standard is achieving
its objectives. According to the study, 83% of businesses believe that their organisation
is more or significantly more secure due to PCI DSS which is good news for all.&lt;br&gt;
&lt;br&gt;
The survey also discovered that organisations, although more attuned to the benefits
of PCI DSS than ever before, are almost unanimous (98%) in their belief that greater
focus should be placed upon improving security not just achieving compliance for the
sake of it. Perceived wisdom is that if organisations focus on comprehensive security
across their business channels, then compliance will follow.&lt;br&gt;
&lt;br&gt;
There are many specialists who can help organisations implement and comply with PCI
DSS; however, there are only around 40 organisations with Qualified Security Assessors
(QSAs) in the UK which are authorised to conduct on-site audits validating a merchant’s
adherence to the requirements of the PCI DSS. To become a QSA, an organisation’s suitability
has to be reviewed as part of a rigorous application process before it can receive
approval from the Security Standards Council to put forward a number of individuals
to take the QSA training course and exam.&lt;br&gt;
&lt;br&gt;
When implemented correctly, the requirements of the PCI DSS successfully protect
merchants from data exposure and compromise. As a result, on-site PCI DSS audits performed
by QSAs have become vital in today’s environment. How successfully an assessment is
conducted can have a significant impact on the implementation of PCI measures and
controls, which can be a costly and quite painful process for merchants, so it is
a qualification that comes with significant responsibilities.&lt;br&gt;
&lt;br&gt;
Although increasing numbers are embracing the broader benefits of PCI DSS, many
are still underestimating the amount of time it will take to achieve compliance. At
the beginning of 2008, 71% of respondents said they were either already compliant or
expected to be compliant within 12 months. One year on, though, the figure to have successfully
achieved full compliance still stands at only 25%.&lt;br&gt;
&lt;br&gt;
&lt;strong&gt;Constant evolution&lt;/strong&gt;
&lt;br&gt;
Technology and business processes linked to fighting card fraud and sustaining compliance
are rapidly evolving and keeping up can be a challenge. Attacks and techniques are
increasingly innovative and fraudsters are ever persistent. In addition to putting
measures in place to prevent fraudulent activity, organisations need to protect their
infrastructure against security breaches and for this PCI DSS compliance is a must.&lt;br&gt;
&lt;br&gt;
End-to-end encryption (E2EE) is a system which requires that card data is encrypted
(or, more simply, scrambled) at the point of payment using a secure device.
The data is only decrypted, or reformed, within a secure data centre which has been
certified as a PCI DSS compliant environment. This practice ensures that card data
is not exposed to the threat of fraud whilst it is being transferred to the point
of storage.&lt;br&gt;
&lt;br&gt;
Putting preventative and protective measures in place, however, isn’t foolproof; unfortunately
100% security doesn’t exist. The reality is that even if an organisation is PCI DSS
compliant, it may still be the victim of a breach. Merchants should therefore also
have procedures in place to prepare themselves for the eventuality of a compromise,
so they are ready to pursue and rapidly respond to any external or internal breach
should it occur.
&lt;/p&gt;
</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,42e60a05-bf5f-4d0b-b766-0287cc790e09.aspx</comments>
      <category>Fraud</category>
      <category>PCI DSS</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=446de7e4-a12f-402b-b139-07a74f4f914f</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,446de7e4-a12f-402b-b139-07a74f4f914f.aspx</pingback:target>
      <dc:creator>Mark Carpenter</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,446de7e4-a12f-402b-b139-07a74f4f914f.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=446de7e4-a12f-402b-b139-07a74f4f914f</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
Contactless payment technology continues to develop; it is a hot topic of discussion
as Barclaycard rolls out an update to its TV advert demonstrating the ease of contactless
technology – but will its implementation become a rollercoaster ride for retailers
and will hard currency become harder to find in the future?
</p>
        <br />
        <p>
Cash will always be necessary; it is something that we all carry in our pockets for
quick and easy small-scale purchases and a whole industry exists purely to handle
and transport it. Indeed, many supermarkets and retail chains offer their customers
the opportunity to get ‘cash back’ as they buy produce via a debit card. Consumers
view it as a convenience yet the reality is that it saves the retailer a considerable
amount of ‘cash’ in money management fees.
</p>
        <br />
        <p>
Card fraud always makes the headlines, yet cash is equally, if not more, vulnerable
to theft and fraud. Consider just how many fake notes there are in circulation and
the amount of money which is lost through theft or damage – the European Central Bank,
which is responsible for identifying fake notes, reported that over 860,000 faked
Euro notes were withdrawn from circulation in 2009, and the number of faked Euro notes
has been on the rise since 2004. When you compare this with the volume of transactions
that huge retail chains process electronically, the occurrence of card fraud
is relatively low, aided by the enforcement of security schemes such as the Payment
Card Industry Data Security Standard (PCI DSS), which is a set of comprehensive, mandated
requirements designed to enhance the security of account data on a global basis.
</p>
        <br />
        <p>
The overriding incentive for retailers to embrace electronic payment methods is the
low cost of processing card transactions. Consumers require a payment method which
they are comfortable and familiar with using. Contactless technology is speed and
convenience driven; if it is widely adopted, could we see an end to fumbling for change
in your pocket?
</p>
        <br />
        <p>
A contactless payment system allows consumers to use their card or payment device
up to four or five times before they are prompted to input their PIN.
A transaction limit will be set, for example £15; the consumer could then purchase
items up to this value without needing to input their PIN, until the set number of transactions
has been reached. If a consumer were to lose their card, the bank could only
lose a maximum of £75 working with this limit. However, this does suggest that paying
for high value items using contactless technology may not come to fruition, as should
the card be lost or stolen the bank would stand to lose more money. Trials have
shown that consumers tend to use a blend of transaction types, which means that
cardholders will rarely have to input their PIN for contactless transactions,
as their identity will be verified by regular Chip and PIN transactions.
</p>
        <br />
        <p>
Barclaycard reports that there are now 25,000 terminals, the majority based
in the capital, which are able to accept contactless payments. Back in September 2007
it signed up more than 1,000 London outlets to accept its touch and pay credit card,
which was inspired by the technology used in the Oyster card. Three years on, the take-up
of the technology has been relatively slow; however, this is more likely to be a result
of the tough economic climate during that period than of consumer resistance to
the technology.
</p>
        <br />
        <p>
If the technology is to be widely adopted then many more businesses will need to invest
in the system. As the country rises out of the recession, the business case for
investment in the technology is strong, and with the potential to reduce transaction
times and increase the average spend of more customers, we could see the technology
being widely used in around 18 months, although the necessary infrastructure will
take time and investment to set up. The Logic Group handles transactions across more
than 250,000 points of sale and clients are already discussing the benefits of adopting
the system now.
</p>
        <p>
However, a surprising number of people still do not have access to credit or debit
cards. The latest figures from the Financial Services Authority report that six out
of 17 basic bank accounts – about a third – do not offer a debit card; in contrast,
it is estimated that over five billion people across the world have access to a mobile
phone. Contactless technology could therefore be incorporated into a mobile phone
cover or attached to the phone itself, allowing people that do not have a high credit
rating to access the technology without having to use a bank card.
</p>
        <br />
        <p>
Many different ideas are being discussed regarding the most effective way of making
contactless a mainstream technology. Barclaycard, the ostensible pioneer in this area,
has made use of a system that people are familiar with: piggybacking on the success
of the Oyster card, it launched its contactless system in London, where there is less
resistance to adopting technology that people are already comfortable using.
</p>
        <br />
        <p>
Although society will probably never be entirely cashless, by the time the next Olympics
is underway people in the UK may well be actively making contactless payments and
will certainly be using much less hard cash overall on a daily basis. Barclaycard
is planting the seeds in consumers’ minds and by pioneering the technology it will
inspire other companies to innovate ideas. The infrastructure to allow contactless
payment to become widely adopted will be eventually put in place, but this will take
considerable time and investment. So although cash is still king, for now at least,
it may not be too long before we see contactless cashing in.
</p>
      </body>
      <title>Contactless technology waves goodbye to cash</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,446de7e4-a12f-402b-b139-07a74f4f914f.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2010/10/07/ContactlessTechnologyWavesGoodbyeToCash.aspx</link>
      <pubDate>Thu, 07 Oct 2010 08:07:07 GMT</pubDate>
      <description>&lt;p&gt;
Contactless payment technology continues to develop; it is a hot topic of discussion
as Barclaycard rolls out an update to its TV advert demonstrating the ease of contactless
technology – but will its implementation become a rollercoaster ride for retailers
and will hard currency become harder to find in the future?
&lt;/p&gt;
&lt;br /&gt;
&lt;p&gt;
Cash will always be necessary; it is something that we all carry in our pockets for
quick and easy small-scale purchases and a whole industry exists purely to handle
and transport it. Indeed, many supermarkets and retail chains offer their customers
the opportunity to get ‘cash back’ as they buy produce via a debit card. Consumers
view it as a convenience yet the reality is that it saves the retailer a considerable
amount of ‘cash’ in money management fees.
&lt;/p&gt;
&lt;br /&gt;
&lt;p&gt;
Card fraud always makes the headlines, yet cash is equally, if not more, vulnerable
to theft and fraud. Consider just how many fake notes there are in circulation and
the amount of money which is lost through theft or damage – the European Central Bank,
which is responsible for identifying fake notes, reported that over 860,000 faked
Euro notes were withdrawn from circulation in 2009, and the number of faked Euro notes
has been on the rise since 2004. When you compare this with the volume of transactions
that huge retail chains process electronically, the occurrence of card fraud
is relatively low, aided by the enforcement of security schemes such as the Payment
Card Industry Data Security Standard (PCI DSS), which is a set of comprehensive, mandated
requirements designed to enhance the security of account data on a global basis.
&lt;/p&gt;
&lt;br /&gt;
&lt;p&gt;
The overriding incentive for retailers to embrace electronic payment methods is the
low cost of processing card transactions. Consumers require a payment method which
they are comfortable and familiar with using. Contactless technology is speed and
convenience driven; if it is widely adopted, could we see an end to fumbling for change
in your pocket?
&lt;/p&gt;
&lt;br /&gt;
&lt;p&gt;
A contactless payment system allows consumers to use their card or payment device
up to four or five times before they are prompted to enter their PIN.
A per-transaction limit is set, for example £15, and the consumer can purchase
items up to this value without entering a PIN until the set number of transactions
has been reached. If a consumer were to lose their card, the bank's exposure with this
limit and a five-transaction counter would be capped at £75. This does suggest, however,
that paying for high value items using contactless technology may not come to fruition,
as should the card be lost or stolen the bank would stand to lose more money. Trials have
shown that consumers tend to use a blend of transaction types, which means that
cardholders will rarely have to enter their PIN for contactless transactions
as their identity will be verified by regular Chip and PIN transactions.
&lt;/p&gt;
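&lt;p&gt;
The policy described above, as an added example that is not code from the original post, from The Logic Group or from any card scheme: a small model of the per-tap limit and the consecutive no-PIN counter, used to show where the £75 bound comes from and how a Chip and PIN transaction resets the allowance. The £15 limit and the five-tap counter are the post's own figures (it says "four or five"; five is the value that gives £75). Treating any PIN-verified transaction as resetting the counter is an assumption drawn from the post's remark about blended transaction types. The class, its method names and the two transaction sequences are hypothetical and constructed for the example; real EMV cards use issuer-set counters and cumulative limits that differ between schemes.
&lt;/p&gt;

```python
# Added example: a model of the contactless cardholder-verification policy
# described in the post. Not code from The Logic Group or any card scheme.
# Assumptions: a £15 per-tap limit and a five-tap counter (the post's figures),
# and that a PIN-verified transaction resets the counter (inferred from the post).
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Tuple


@dataclass
class ContactlessPolicy:
    """Issuer-side state for one card: taps since the holder last proved identity."""
    tap_limit: Decimal = Decimal("15.00")  # maximum value of a single no-PIN tap
    max_taps: int = 5                      # consecutive no-PIN taps before a PIN is demanded
    taps_since_pin: int = 0
    no_pin_spend: Decimal = Decimal("0")   # value approved without a PIN since the last PIN

    def max_exposure(self) -> Decimal:
        """Worst case if the card is lost now: every remaining tap spent at the full limit."""
        return self.tap_limit * (self.max_taps - self.taps_since_pin)

    def authorise(self, amount: Decimal, pin_entered: bool = False) -> str:
        """Decide one transaction, update the counter and return an outcome code."""
        if pin_entered:
            # Chip and PIN (or a contactless tap completed with a PIN) verifies the
            # cardholder, so the no-PIN allowance starts again. (Assumption, see above.)
            self.taps_since_pin = 0
            self.no_pin_spend = Decimal("0")
            return "approved_with_pin"
        if amount > self.tap_limit:
            return "pin_required_amount"     # over the per-tap limit: fall back to Chip and PIN
        if self.taps_since_pin >= self.max_taps:
            return "pin_required_counter"    # allowance used up: fall back to Chip and PIN
        self.taps_since_pin += 1
        self.no_pin_spend += amount
        return "approved_no_pin"


def run_sequence(policy: ContactlessPolicy,
                 txns: List[Tuple[str, bool]]) -> List[str]:
    """Feed a list of (amount, pin_entered) pairs through the policy in order."""
    return [policy.authorise(Decimal(amount), pin) for amount, pin in txns]


def thief_spend(policy: ContactlessPolicy, tap: str = "15.00", attempts: int = 10) -> Decimal:
    """How much someone who never learns the PIN can extract by tapping repeatedly."""
    run_sequence(policy, [(tap, False)] * attempts)
    return policy.no_pin_spend


if __name__ == "__main__":
    # Constructed scenario 1: card lost with a fresh counter; a thief taps £15 ten times.
    lost = ContactlessPolicy()
    print("max exposure on a fresh card:", lost.max_exposure())   # 75.00
    print("thief actually extracts:", thief_spend(lost))           # 75.00, then declined

    # Constructed scenario 2: a week of mixed use. The £120 Chip and PIN purchase
    # resets the counter, so the holder is never prompted on a tap; the £20 tap
    # is refused only because it is over the per-tap limit.
    mixed = ContactlessPolicy()
    week = [("4.20", False), ("9.99", False), ("120.00", True),
            ("12.50", False), ("20.00", False)]
    print(run_sequence(mixed, week))
    print("exposure after that week:", mixed.max_exposure())       # 60.00
```

&lt;p&gt;
The bound is simply the product of the two parameters the issuer controls, so raising either the per-tap limit or the counter raises it in proportion, and a card lost part-way through its allowance exposes correspondingly less. The model also makes the trade-off in the paragraph above concrete: the only way to permit high value contactless purchases without a PIN is to raise the per-tap limit, which raises the exposure by the same factor for every tap of the allowance.
&lt;/p&gt;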
&lt;br /&gt;
&lt;p&gt;
Barclaycard reports that there are now 25,000 terminals able to accept contactless
payments, the majority of them in the capital. Back in September 2007
it signed up more than 1,000 London outlets to accept its touch and pay credit card,
which was inspired by the technology used in the Oyster card. Three years on, take-up
of the technology has been relatively slow; however, this is more likely to be a result
of the tough economic climate during that period than of consumer resistance to
the technology.
&lt;/p&gt;
&lt;br /&gt;
&lt;p&gt;
If the technology is to be widely adopted then many more businesses will need to invest
in the system. As the country rises out of the recession the business case for
investment in the technology is strong: with the potential to reduce transaction
times and increase the average spend of more customers, we could see the technology
being widely used in around 18 months, although the necessary infrastructure will
take time and investment to set up. The Logic Group handles transactions across more
than 250,000 points of sale, and clients are already discussing the benefits of adopting
the system now.
&lt;/p&gt;
&lt;p&gt;
However, a surprising number of people still do not have access to credit or debit
cards. The latest figures from the Financial Services Authority report that six out
of 17 basic bank accounts – about a third – do not offer a debit card, in contrast
it is estimated that over five billion people across the world have access to a mobile
phone. Contactless technology therefore could be incorporated into a mobile phone
cover or attached to the phone itself; allowing people that do not have a high credit
rating to access the technology without having to use a bank card.
&lt;/p&gt;
&lt;br /&gt;
&lt;p&gt;
Many different ideas are being discussed regarding the most effective way of making
contactless a mainstream technology. Barclaycard, the ostensible pioneer in this area,
has made use of a system that people are familiar with. Piggybacking on the success
of the Oyster card, it launched its contactless system in London, where there is less
resistance to adopting technology that people are already comfortable using.
&lt;/p&gt;
&lt;br /&gt;
&lt;p&gt;
Although society will probably never be entirely cashless, by the time the next Olympics
is underway people in the UK may well be actively making contactless payments and
will certainly be using much less hard cash overall on a daily basis. Barclaycard
is planting the seeds in consumers’ minds and by pioneering the technology it will
inspire other companies to innovate ideas. The infrastructure to allow contactless
payment to become widely adopted will be eventually put in place, but this will take
considerable time and investment. So although cash is still king, for now at least,
it may not be too long before we see contactless cashing in. 
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=446de7e4-a12f-402b-b139-07a74f4f914f" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,446de7e4-a12f-402b-b139-07a74f4f914f.aspx</comments>
      <category>Contactless</category>
      <category>Fraud</category>
      <category>Payments</category>
      <category>PCI DSS</category>
    </item>
    <item>
      <trackback:ping>http://www.the-logic-group.com/blog/Trackback.aspx?guid=038bb09b-f758-41c0-bc1c-a0caa344a41f</trackback:ping>
      <pingback:server>http://www.the-logic-group.com/blog/pingback.aspx</pingback:server>
      <pingback:target>http://www.the-logic-group.com/blog/PermaLink,guid,038bb09b-f758-41c0-bc1c-a0caa344a41f.aspx</pingback:target>
      <dc:creator>Neil ONeil</dc:creator>
      <wfw:comment>http://www.the-logic-group.com/blog/CommentView,guid,038bb09b-f758-41c0-bc1c-a0caa344a41f.aspx</wfw:comment>
      <wfw:commentRss>http://www.the-logic-group.com/blog/SyndicationService.asmx/GetEntryCommentsRss?guid=038bb09b-f758-41c0-bc1c-a0caa344a41f</wfw:commentRss>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>
What is casual fraud? It can be anything from fraud conducted on online shopping and
auction websites – with products purchased but never received – and internal fraud
by employees and employers, to online dating scams and the so-called ‘Sweetheart Fraud’
– a deception that refers to collusion between an employee and a customer.<br /><br />
And that’s not all. Last year a survey commissioned by The Logic Group suggested that
83% of businesses believed that their organisation is more or significantly more secure
due to PCI DSS, the comprehensive standard intended to help organisations proactively
protect customer account data, but will budget and staff cuts lead to businesses cutting
corners and leaving themselves exposed to fraudulent activity, and ultimately, the
fines levied for non-compliance?<br /><br /><strong>Darwinian hackers</strong><br />
The whole profile of the hacker has now changed. The stereotypical hackers were ‘geeky’
youths with no social skills whose only ally was a computer. Traditionally,
hackers generally came from two areas of society, either from a university or from
middle class white collar families; this was all linked to having access to unlimited
hours on a computer. Now the hackers have grown up and evolved to become professionals
– games programmers, security consultants or business proprietors. The hacking world,
like punk rock music, has matured, and out of the random chaos there is now order,
organisation and significant investment.<br /><br />
Whilst the rest of the economy reduces spending and investment, the hacking world
is gathering force, investing more and more into its infrastructure and capabilities.
Organised crime has now moved to organised hacking, where risks are lower, the chance
of detection slim, the rewards higher and cross-border legal prosecution is complicated.
A Transmission Control Protocol (TCP) packet – TCP being one of the core protocols on which
most internet communication relies – can be hijacked, manipulated or injected by fraudsters;
their malicious software has no moral, political, geographical or economic bias; it also
does not grow old, or go off the rails and become prone to drug abuse. It is the perfect
criminal agent.<br /><br />
This new dawn of hacking has reached maturity through a single killer app, the botnet.
This one tool has streamlined hacking to improve the breadth, speed and resilience of
the delivery of hacking payloads. There are many types of malicious code and online scam,
be it a Trojan, worm, virus, scareware, ransomware, phishing, spam, spyware, keystroke loggers,
prankware or adware, with more evolving on a monthly basis.<br /><br /><strong>Constant evolution</strong><br />
Whatever the impact of malicious code, and it is getting more inventive every year,
the botnet provides the ideal delivery mechanism. Botnets are very similar to a corporate
WAN – a computing and communications environment that provides users with hardware
and software services behind the corporate firewall – in that they take time to develop, set up,
configure, manage, maintain, test and deploy. They follow the same System Development
Life Cycle as major IT projects, with project managers, coders, testing teams etc.
Some even have quality control teams. After all, botnets have to be efficient and secure
to create a viable revenue stream for the organised crime teams so that, just like any
other corporation, their ROI satisfies their shareholders.<br /><br /><strong>Hacking for the masses</strong><br />
Now that computers are cheap enough for anyone to afford them, new hackers are developing
around the world in economically challenged countries and the developing world. These
are the new and cheaper employees of the botnet enterprises that efficiently deliver
malicious code to order.<br /><br />
Twenty years ago there were many types of network delivery mechanism, for example XNS,
NetWare, IPX, NetBIOS, SPX, X.25 etc. This has been homogenised and in reality the
only network is IP and realistically it’s the Internet. So if I was asked to think
of the top five hacking scams, the answer would be that it has all been homogenised
and is delivered through a single framework: the botnet. The actual malicious code
or scam then becomes irrelevant. Like the common cold, if you get a sniffle does it
matter if it is a rhinovirus, coronavirus or adenovirus? As far as you are
concerned it’s a cold and you caught it through breathing, something you’re not likely
to stop by choice. So if you receive a Trojan or some ransomware, does it matter?
You caught it from a network, probably a botnet, and a network is not something
you are likely to stop using by choice.<br /><br /><strong>Learn to fasten your seatbelt</strong><br />
The major current hacking threat is the Zeus Trojan, but if you are reading this article
in the doctor’s surgery waiting to find out what particular strain of flu virus you
have, this magazine could be more than 6 months old and the Zeus Trojan will have
been nullified and today it could be the Scudera Trojan, which hasn’t even been developed
yet.<br /><br />
Hacking scams are now a way of life and are here to stay. The car has been around
for well over a century and has killed millions of people. We are not going to stop driving
cars (by choice anyway), but we now all wear seatbelts. Today a computer without anti-virus
or malware detection software is like driving a car without a seatbelt. That said,
a network without a hacking scam would see forensics investigators joining the bread
line!
</p>
        <img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=038bb09b-f758-41c0-bc1c-a0caa344a41f" />
      </body>
      <title>A new dawn in the age of the hacker</title>
      <guid isPermaLink="false">http://www.the-logic-group.com/blog/PermaLink,guid,038bb09b-f758-41c0-bc1c-a0caa344a41f.aspx</guid>
      <link>http://www.the-logic-group.com/blog/2010/09/23/ANewDawnInTheAgeOfTheHacker.aspx</link>
      <pubDate>Thu, 23 Sep 2010 11:37:00 GMT</pubDate>
      <description>&lt;p&gt;
What is casual fraud? It can be anything from fraud conducted on online shopping and
auction websites – with products purchased but never received – and internal fraud
by employees and employers, to online dating scams and the so-called ‘Sweetheart Fraud’
– a deception that refers to collusion between an employee and a customer.&lt;br /&gt;
&lt;br /&gt;
And that’s not all. Last year a survey commissioned by The Logic Group suggested that
83% of businesses believed that their organisation is more or significantly more secure
due to PCI DSS, the comprehensive standard intended to help organisations proactively
protect customer account data, but will budget and staff cuts lead to businesses cutting
corners and leaving themselves exposed to fraudulent activity, and ultimately, the
fines levied for non-compliance?&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Darwinian hackers&lt;/strong&gt;
&lt;br /&gt;
The whole profile of the hacker has now changed. The stereotypical hackers were ‘geeky’
youths with no social skills whose only ally was a computer. Traditionally,
hackers generally came from two areas of society, either from a university or from
middle class white collar families; this was all linked to having access to unlimited
hours on a computer. Now the hackers have grown up and evolved to become professionals
– games programmers, security consultants or business proprietors. The hacking world,
like punk rock music, has matured, and out of the random chaos there is now order,
organisation and significant investment.&lt;br /&gt;
&lt;br /&gt;
Whilst the rest of the economy reduces spending and investment, the hacking world
is gathering force, investing more and more into its infrastructure and capabilities.
Organised crime has now moved to organised hacking, where risks are lower, the chance
of detection slim, the rewards higher and cross-border legal prosecution is complicated.
A Transmission Control Protocol (TCP) packet – TCP being one of the core protocols on which
most internet communication relies – can be hijacked, manipulated or injected by fraudsters;
their malicious software has no moral, political, geographical or economic bias; it also
does not grow old, or go off the rails and become prone to drug abuse. It is the perfect
criminal agent.&lt;br /&gt;
&lt;br /&gt;
This new dawn of hacking has reached maturity through a single killer app, the botnet.
This one tool has streamlined hacking to improve the breadth, speed and resilience of
the delivery of hacking payloads. There are many types of malicious code and online scam,
be it a Trojan, worm, virus, scareware, ransomware, phishing, spam, spyware, keystroke loggers,
prankware or adware, with more evolving on a monthly basis.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Constant evolution&lt;/strong&gt;
&lt;br /&gt;
Whatever the impact of malicious code, and it is getting more inventive every year,
the botnet provides the ideal delivery mechanism. Botnets are very similar to a corporate
WAN – a computing and communications environment that provides users with hardware
and software services behind the corporate firewall – in that they take time to develop, set up,
configure, manage, maintain, test and deploy. They follow the same System Development
Life Cycle as major IT projects, with project managers, coders, testing teams etc.
Some even have quality control teams. After all, botnets have to be efficient and secure
to create a viable revenue stream for the organised crime teams so that, just like any
other corporation, their ROI satisfies their shareholders.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Hacking for the masses&lt;/strong&gt;
&lt;br /&gt;
Now that computers are cheap enough for anyone to afford them, new hackers are developing
around the world in economically challenged countries and the developing world. These
are the new and cheaper employees of the botnet enterprises that efficiently deliver
malicious code to order.&lt;br /&gt;
&lt;br /&gt;
Twenty years ago there were many types of network delivery mechanism, for example XNS,
NetWare, IPX, NetBIOS, SPX, X.25 etc. This has been homogenised and in reality the
only network is IP and realistically it’s the Internet. So if I was asked to think
of the top five hacking scams, the answer would be that it has all been homogenised
and is delivered through a single framework: the botnet. The actual malicious code
or scam then becomes irrelevant. Like the common cold, if you get a sniffle does it
matter if it is a rhinovirus, coronavirus or adenovirus? As far as you are
concerned it’s a cold and you caught it through breathing, something you’re not likely
to stop by choice. So if you receive a Trojan or some ransomware, does it matter?
You caught it from a network, probably a botnet, and a network is not something
you are likely to stop using by choice.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Learn to fasten your seatbelt&lt;/strong&gt;
&lt;br /&gt;
The major current hacking threat is the Zeus Trojan, but if you are reading this article
in the doctor’s surgery waiting to find out what particular strain of flu virus you
have, this magazine could be more than 6 months old and the Zeus Trojan will have
been nullified and today it could be the Scudera Trojan, which hasn’t even been developed
yet.&lt;br /&gt;
&lt;br /&gt;
Hacking scams are now a way of life and are here to stay. The car has been around
for well over a century and has killed millions of people. We are not going to stop driving
cars (by choice anyway), but we now all wear seatbelts. Today a computer without anti-virus
or malware detection software is like driving a car without a seatbelt. That said,
a network without a hacking scam would see forensics investigators joining the bread
line!
&lt;/p&gt;
&lt;img width="0" height="0" src="http://www.the-logic-group.com/blog/aggbug.ashx?id=038bb09b-f758-41c0-bc1c-a0caa344a41f" /&gt;</description>
      <comments>http://www.the-logic-group.com/blog/CommentView,guid,038bb09b-f758-41c0-bc1c-a0caa344a41f.aspx</comments>
      <category>Fraud</category>
      <category>PCI DSS</category>
    </item>
  </channel>
</rss>