
Card Security: What Works and What Doesn't

By Richard H. Gamble


Strategies for plugging two key holes

This is bonus content from “EMV Security” in the September 2014 issue of Credit Union Management magazine.

If credit unions, banks and merchants had just plugged two data security holes, they could have eliminated 95 percent of the data security breaches that have occurred in the past five years, insists George Waller, executive vice president of StrikeForce Technologies, Edison, N.J., a software security developer. But those holes remain unplugged—with the blessing of regulators.

One effective plug is two-factor, out-of-band authentication (through which two forms of authentication flow over distinct channels), but financial institutions are using bad plugs with two-factor, in-band authentication (still two forms of authentication, but they move on the same pathway), he charges.

“The FFIEC (Federal Financial Institutions Examination Council) made a major blunder by approving two-factor authentication without insisting that part of it be out of band.

“Two factors are good, but if you tie them together and send them over the same channel, fraud will occur. It’s been proven over and over that man-in-the-middle intrusions will beat in-band, two-factor authentication. FFIEC is prescribing something that has already failed many times. It’s common knowledge that many CUs will adopt the least expensive solution that their regulator will accept, even if it’s ineffective.”

Ideally, a member should perform an out-of-band authentication when he logs into his CU’s website. In such a case, the member’s phone would ring and provide the member a secret PIN code to use for enabling the transaction, Waller explains. This will also assure the CU that the login and transaction process are being done by the member.

In this out-of-band process, one piece of information travels over the Internet channel (the user name), and the other piece of information (the secret PIN code) travels over the mobile channel. “They never travel together, which makes it extremely difficult for the system to be compromised,” he says.
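The two-channel flow Waller describes can be sketched as server-side logic. The code below is an added illustration, not StrikeForce's product or any code from the article: the member's user name and the transaction arrive over the web channel, the server generates a one-time code and hands it to a separate phone channel (here a callable standing in for a telephony service), and the member types the code back over the web. The assumptions are mine: a six-digit code, a two-minute lifetime, three guesses per challenge, and that the code is bound to the exact transaction read out on the phone, so a code the member approved for one transfer cannot be replayed or reused for a different one.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_TTL_SECONDS = 120   # assumption: a code is valid for two minutes
MAX_ATTEMPTS = 3        # assumption: three wrong guesses burn the challenge


@dataclass
class Challenge:
    username: str
    transaction: str      # what the member is approving, read out to them on the phone
    pin: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OutOfBandAuthenticator:
    """Server side of the flow: identity over the web channel, code over the phone channel."""

    def __init__(self, phone_channel, clock=time.time):
        self._phone_channel = phone_channel  # callable(phone_number, message): the second channel
        self._clock = clock
        self._phone_book = {}                # username -> registered phone number
        self._challenges = {}                # challenge_id -> Challenge

    def register_phone(self, username, phone_number):
        self._phone_book[username] = phone_number

    def start(self, username, transaction):
        """Web channel: member states who they are and what they want to do.
        The code itself never goes back over the web; only an opaque challenge id does."""
        pin = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(username, transaction, pin, self._clock())
        # Phone channel: the member hears the code together with the transaction it approves
        self._phone_channel(self._phone_book[username], f"Code {pin} approves: {transaction}")
        return challenge_id

    def verify(self, challenge_id, username, transaction, submitted_pin):
        """Web channel: member types the code heard on the phone. Succeeds at most once per challenge."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.used:
            return False
        if self._clock() - ch.issued_at > PIN_TTL_SECONDS:
            del self._challenges[challenge_id]
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._challenges[challenge_id]
            return False
        # Bind the code to the user and the transaction the member actually heard; compare in constant time
        ok = (ch.username == username
              and ch.transaction == transaction
              and hmac.compare_digest(ch.pin, submitted_pin))
        if ok:
            ch.used = True
        return ok


class FakeClock:
    """Controllable clock so the expiry path can be exercised offline."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    """Constructed walk-through with a fake phone channel that records what was 'spoken'."""
    spoken = []
    clock = FakeClock()
    auth = OutOfBandAuthenticator(lambda phone, msg: spoken.append(msg), clock)
    auth.register_phone("alice", "+1-555-0100")   # constructed sample member and number
    txn = "transfer 250.00 to account 1234"
    results = {}

    cid = auth.start("alice", txn)
    pin = spoken[-1].split()[1]                   # member reads the code off the call
    results["legit"] = auth.verify(cid, "alice", txn, pin)
    results["replay"] = auth.verify(cid, "alice", txn, pin)      # same code again: rejected

    cid = auth.start("alice", txn)
    pin = spoken[-1].split()[1]
    # A web-channel intermediary that alters the transaction cannot reuse the member's code
    results["tampered"] = auth.verify(cid, "alice", "transfer 9000.00 to account 6666", pin)

    cid = auth.start("alice", txn)
    pin = spoken[-1].split()[1]
    clock.now += PIN_TTL_SECONDS + 1
    results["expired"] = auth.verify(cid, "alice", txn, pin)     # stale code: rejected
    return results
```

The detail that does the work is that the phone message carries the transaction the code approves and the server checks the submitted transaction against the one it stored, so the two pieces of information are only ever joined on the server, never on the same channel.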

The other security threat is key logger malware that is surreptitiously inserted in an unsuspecting user’s computer to record and report his or her keystrokes and gain account numbers, passwords and PINs. “You can’t stop the insertion of key-loggers, but you can render them ineffective with keystroke encryption,” Waller says. Both plugs are products that StrikeForce sells.

In areas where EMV prevails, on-premises, card-present fraud has virtually disappeared, notes Rama Iyer, CEO of DirectRM, a security software company based in Alisa Viejo, Calif. You would have to gain possession of the EMV card and the cardholder’s permanent PIN to perpetrate fraud, he says.

And that has shifted fraud to the United States with its less-secure mag-stripe cards and point-of-sale swipe readers and its rampant use of card-not-present commerce, he observes.

Iyer describes another nuance of two-factor authentication that could obviate the need for out-of-band communication: at least one password has to change from transaction to transaction, he says. DirectRM has a product for that—Direct Authenticator, which is a card with two microprocessor chips—an EMV chip and an OATH chip—as well as the persistent mag stripe. (OATH, short for the Initiative for Open Authentication, is an industry standard.)

The OATH chip on the card generates a one-time password that changes every few seconds and is nearly impossible to duplicate. This allows the card to be used, virtually fraud-free, in both card-present and card-not-present situations, he says. DirectRM is talking to three CUs in California and one in Tennessee and their processors about issuing the dual-chip card.

EMV will help, but it shouldn’t be the top fraud prevention priority for CUs, says consultant John Best, founder of Best Innovation Group, Hudson, Fla., and a speaker at CEO/Executive Team Network Nov. 2-5 in Amelia Island, Fla.

“People are talking about the front end, but it’s the back end I’d worry about—the layers of integration with third-party providers needed to keep the right information flowing through the right channels,” like members reviewing credit card transactions through their mobile banking channel, he observes. Serious hackers don’t want to skim a few hundred credit card numbers; they want the big gulp, like they got with Target. If they can crack a data transfer point between systems at a CU and get into the big database, and especially if they can then swim upstream to the servicer’s database, that’s what should keep CU security pros awake at night, he suggests.

Richard H. Gamble is a freelance writer based in Colorado.

Photo credit: dollarphotoclub.com/torsakarin
