Will EMV Cards and Apple Pay’s Tokenization Have Hackers Shifting Their Focus and Resources from Retailers Like Target to Banks?
As a group, hackers are like rivers. No we don’t mean they’re all wet. If we were looking for a negative descriptor, it would be a darn sight stronger than “all wet.” In any case, what we mean is that like rivers, they often follow the course of least resistance.
With the changeover from stripe cards to EMV chip-and-PIN and the introduction of new technology such as Apple Pay’s tokenization, which cuts down on the amount of consumer data stored by merchants, retailers have become tougher targets with less reward, i.e., data for the cybercriminal’s efforts.
In her article on americanbanker.com, Penny Crosman interviews bankers and tech and security experts to provide an in-depth report on how hackers will adjust to the introduction of EMV, Apple Pay, etc. by shifting their attacks from retailers to banks and other online e-commerce. The following has been excerpted from her piece and edited to fit our format. You may find the complete article by clicking on this link.
Banks take into account new attacks
“How is that [hacking activity] going to stop now that we’ve got Apple Pay and EMV coming along? It’s not going to stop, it’s just going to move to the next likely target,” said James Gordon, chief technology officer at Needham Bank in Needham, Mass.
“Who has the numbers the hackers want? The banks,” Gordon said. “Before, it was the banks and the retailers, retailers just happened to be an easier target. Bankers need to be especially aware that this is just a shift in focus [on the hackers’ part] to banks, front and center.”
Being a target is nothing new
According to the Identity Theft Resource Center, 42 data breaches were carried out against banks in 2014. But other than the massive JPMorgan Chase breach, most of these have been smaller-scale breaches that have fallen under the general public’s radar.
Preparing for more attacks
At the $1.6 billion-asset Needham Bank, Gordon is preparing for EMV in two ways. One is by trying to limit the bank’s exposure to hackers.
“This is easier said than done, but if there are things that can get shut off that aren’t critical to the operation, shut them off,” he said. “If you have less exposed, you have less to watch.” For instance, he’s double-checking firewall rules to make sure nothing’s slipping through the cracks.
More security training
He’s also stepping up security training and education. “We need to stop telling people what’s going on and start showing them examples of [phishing] emails that look spot on, show people how easy it is to put an ATM skimmer on a device, show them videos, don’t just tell them it’s a ‘grave’ threat. We should stop using adjectives and start showing.”
Increase in hacking online transactions and CNP fraud
Neither EMV nor Apple Pay appears to protect online purchases where the consumer must enter [his/her] credit card information, pointed out Philip Smith, director of information technology at the $221 million-asset Harvard State Bank in Harvard, Ill.
“Since online transactions and card-not-present transactions cannot take advantage of the chip or tokenization, we will most likely see an increase in hacking and fraud in these transactions,” he said. “Hackers will continue to attack online merchants and online credit card wallets.”
Apple Pay rival under attack
[Hackers] have already attacked CurrentC, a merchant-backed rival to Apple Pay, stealing the email addresses of early participants. [Smith pointed out that,] “These email addresses [could] then be utilized for directed phishing attacks against those users in attempts to gain their confidential information.”
Threats to new account opening and account takeover
Al Pascual, director of fraud and security at Javelin Strategy & Research, also sees online and e-commerce fraud becoming a bigger risk with EMV adoption.
But the threat he envisions is more around new account opening and account takeover fraud.
“If you can’t steal card data at the point-of-sale, then the next best option is to go out and get the cards directly from the bank,” he said. “You either take over an existing account, and get cards mailed to you from that account, or you steal an identity and apply for an account.”
U.K. EMV adoption resulted in sharp rise in fraud and account takeovers
There was a dramatic rise in fraudulent new accounts and account takeovers in the U.K. when it adopted the EMV standard, Pascual said. “Certainly banks are going to want to be concerned about that, and improving their customer identity programs for new accounts.” They should also be taking advantage of advanced authentication technology.
“If I was a banker, I would really focus on existing account holders, because we’ve already seen this huge increase in account takeovers in the past few years,” he said.
Account takeover isn’t that different from what fraudsters are doing now, he said. “It’s more work and a slightly different MO but it doesn’t require any new tactics or a change in skill sets.”
Banks better prepared for hackers than retailers were
If hackers retrain their focus on banks, most would agree that financial institutions are better braced for attack than retailers have been.
“I’d say based on regulations and our fiduciary responsibility, banks are more secure,” Gordon said. He noted that in informationisbeautiful.net’s visualization of the world’s biggest data breaches, only one bank is associated with a major breach – JPMorgan Chase.
“The track record speaks for itself,” he said.
ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.
ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes over 850 million monthly transactions and protects more than 210 million active user accounts across 3,000 customers and 15,000 websites.
The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.
For more information, visit www.threatmetrix.com or call 1-408-200-5755.
Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.