ESET’s Miguel Ángel Mendoza looks at why combining technology with standards could combat fraud.
Fraud continues to grow as criminals adopt new technologies, causing losses to both users and companies. In response, new controls and security technologies are being developed, along with new ways of thinking about how today's cybercrime is organized.
One of the most interesting is the combination of EMV chip card technology with the PCI DSS standard, which defines the minimum data security requirements for any organization that transmits, processes or stores payment card data. In other words, it involves complying with a standard while adopting a technology.
When combating fraud related to new technologies, the starting point is to understand that the purpose of today's cybercrime is financial gain, which is the main reason it keeps growing. Cybercriminals now operate as organized, specialized groups and even run them like companies, with business models and plans of their own.
Different sectors are affected, but the financial sector has without doubt proven the most profitable for attackers. When the targets are the assets of organizations and users, fraud is a frequently used method, especially fraud involving the banking system's credit and debit cards.
Bank card fraud – a highly profitable business for cybercriminals
Card fraud involves unauthorized activity using the three main types of card: debit, credit and prepaid. Unfortunately, attackers have a range of threats and methods at their disposal: security weaknesses in organizations, theft or loss of cards, skimming, social engineering, phishing attacks, and the development and spread of malware, for example malware targeting point-of-sale (PoS) systems.
With this range of options, obtaining users' financial data in order to defraud them has become the main goal. A recently published study illustrated the scale of the problem, with over two thousand confirmed data breaches during 2015 and around four billion stolen data records recorded since 2013. The conclusion is that the credentials and card data of users around the world have been compromised.
In parallel, the black market in consumer data has matured to the point where it is difficult to distinguish it from a legitimate economy. As a result, recent years have seen more and more initiatives to raise protection levels within organizations that handle financial data, from standards that define good practice to migration to new, securely designed technologies, together with the security practices that users themselves apply to mitigate fraud.
In this context, security plays a very important role in mitigating current threats, because exposing users’ data puts them at risk, while organizations can suffer damage to their image and reputation.
Now let’s see why combining technology with standards could combat fraud.
PCI+EMV: Protection based on authentication and data control
So, how does combining a standard with a technology combat fraud?
Bank card transactions are used all over the world and, although new payment methods are starting to appear, it will be some years before alternatives such as mobile wallets and cryptocurrencies can be used at large scale. So it is essential to apply security technology to bank cards themselves.
In this respect, there are two elements that, combined, help increase card data security and, as a result, reduce fraud. The first is the security built into EMV (Europay, MasterCard, Visa) chip technology: the chip holds a secret cryptographic key that never leaves it and uses that key to produce a cryptogram specific to each transaction, which makes it difficult to clone cards and carry out fraudulent operations at points of sale.
This is a form of authentication between the card and the point-of-sale terminal that works when the card is physically present. Because the data and the key reside on the chip rather than only on the magnetic stripe, the issuer can verify that the card is genuine and not a clone. The caveat is that EMV protects card-present transactions only: it does nothing for card-not-present fraud (online or telephone orders), and a terminal that falls back to reading the magnetic stripe loses the protection.
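To make that authentication concrete, here is an added example (not code from the article or from any card scheme) that models the EMV cryptogram exchange in simplified form: the chip holds a key it never reveals, computes a MAC over the transaction counter, the amount and a terminal nonce, and the issuer checks it with its own copy of the key. The key derivation, the MAC algorithm (HMAC-SHA256 standing in for EMV's 3DES/AES CBC-MAC with session keys), the field layout and the test PAN are all assumptions made for the example.

```python
"""Simplified model of EMV card authentication (Application Cryptogram).

Added example, not code from the article or from any card scheme.
Real EMV derives a card-unique key from an issuer master key, derives a
session key from the Application Transaction Counter (ATC) and computes a
3DES or AES CBC-MAC over the transaction data. This model keeps that
structure (card-held secret, monotonic counter, terminal nonce, issuer
verification) but uses HMAC-SHA256 from the standard library.
"""
import hashlib
import hmac
import secrets


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Issuer derives a per-card key from its master key at personalisation time."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def compute_cryptogram(card_key: bytes, atc: int, amount: int, un: bytes) -> bytes:
    """MAC over the transaction data: counter, amount and terminal nonce (8-byte tag)."""
    data = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + un
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """Genuine card: the key lives only inside the chip and is never exported."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_ac(self, amount: int, un: bytes):
        self.atc += 1  # the ATC increments on every transaction
        return self.atc, compute_cryptogram(self._key, self.atc, amount, un)


class ClonedCard:
    """Attacker's clone built from skimmed data: PAN plus one captured exchange, no key."""

    def __init__(self, pan: str, captured_atc: int, captured_ac: bytes):
        self.pan = pan
        self._captured = (captured_atc, captured_ac)

    def generate_ac(self, amount: int, un: bytes):
        return self._captured  # without the key it can only replay what it saw


class Issuer:
    """Issuer host: recomputes the cryptogram and rejects reused counters."""

    def __init__(self, master_key: bytes):
        self._mk = master_key
        self._last_atc = {}

    def authorise(self, pan: str, atc: int, amount: int, un: bytes, ac: bytes) -> bool:
        if atc <= self._last_atc.get(pan, 0):
            return False  # replayed or stale counter
        expected = compute_cryptogram(derive_card_key(self._mk, pan), atc, amount, un)
        if not hmac.compare_digest(expected, ac):
            return False  # wrong key (clone) or altered transaction data
        self._last_atc[pan] = atc
        return True


def terminal_transaction(card, issuer: Issuer, amount: int, rng=secrets.token_bytes) -> bool:
    """Card-present purchase: terminal nonce -> card cryptogram -> issuer decision."""
    un = rng(4)  # EMV calls this the unpredictable number
    atc, ac = card.generate_ac(amount, un)
    return issuer.authorise(card.pan, atc, amount, un, ac)


def demo() -> dict:
    master = bytes(16)             # constructed test master key
    pan = "4111111111111111"       # constructed test PAN
    issuer = Issuer(master)
    genuine = ChipCard(pan, derive_card_key(master, pan))

    first = terminal_transaction(genuine, issuer, 2500)
    # A skimmer captures the wire data of one real transaction...
    un = b"\x01\x02\x03\x04"
    atc, ac = genuine.generate_ac(1999, un)
    issuer.authorise(pan, atc, 1999, un, ac)
    clone = ClonedCard(pan, atc, ac)
    # ...but replaying it fails: the counter is stale and the nonce differs.
    cloned = terminal_transaction(clone, issuer, 1999)
    second = terminal_transaction(genuine, issuer, 500)
    return {"genuine_first": first, "clone_replay": cloned, "genuine_after": second}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the genuine card approved before and after the attack while the clone, which holds only skimmed data, is rejected: the replayed cryptogram fails on the stale counter, and a forged one with a fresh counter fails the MAC check because the clone has no key. A magnetic stripe carries no secret, so a stripe copy can be replayed freely; the chip's key is what closes that gap.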
Secondly, security standards such as PCI DSS give companies a set of adequate security controls so that customers' card data is protected throughout the transaction process. The standard was designed with the possibility in mind that, once the card is inserted into the merchant's system, the cardholder's confidential data might be transmitted or stored on the merchant's network without any protection, leaving it vulnerable.
This is where the PCI DSS requirements define protection measures for the point-of-sale device and additional security controls, such as system updates and security patches, intrusion detection, access management, secure software development, and education and awareness training for employees, among other measures.
So the combination of security tools, good user practice, security education and a protection strategy enables us to use the technology more securely and, in this specific case, to reduce the probability of fraud.
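As an added example of the data-control side (not code from the article or from the PCI Security Standards Council), the following Python sketches what a merchant system should keep after authorization: it parses track 2 data, validates the PAN with the Luhn check, drops the sensitive authentication data (track data, CVV, PIN block) that PCI DSS forbids storing after authorization, masks the PAN to its first six and last four digits, and replaces it with a keyed token for lookups. The record layout, field names and token key are constructed for the example.

```python
"""Keeping cardholder data off the merchant's systems after authorization.

Added example, not code from the article or from the PCI SSC. The POS may
see the full PAN, track data and CVV while authorizing, but what it logs
or stores afterwards must drop sensitive authentication data entirely and
reduce the PAN to a masked form plus a keyed token. Record format, field
names and the token key are constructed for the example.
"""
import hashlib
import hmac
import re

# Sensitive authentication data: never to be stored after authorization.
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvv", "pin_block")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: quick filter for 'is this really a card number'."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track2: str) -> dict:
    """Track 2 layout: ;PAN=YYMM SSS discretionary? (sentinels optional here)."""
    m = re.fullmatch(r";?(\d{12,19})=(\d{4})(\d{3})(\d*)\??", track2)
    if not m:
        raise ValueError("malformed track 2 data")
    return {"pan": m.group(1), "expiry": m.group(2), "service_code": m.group(3)}


def mask_pan(pan: str) -> str:
    """First six and last four digits may be displayed; the rest is masked."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("PAN must be 12-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, token_key: bytes) -> str:
    """Keyed hash: a leaked token table cannot be brute-forced over the PAN space."""
    return hmac.new(token_key, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record: dict, token_key: bytes) -> dict:
    """Return the subset of a POS transaction record that may be persisted."""
    rec = dict(record)
    pan = rec.get("pan")
    if pan is None and "track2" in rec:
        pan = parse_track2(rec["track2"])["pan"]
    if pan is None or not luhn_valid(pan):
        raise ValueError("no valid PAN in record")
    for field in SENSITIVE_AUTH_FIELDS:
        rec.pop(field, None)
    rec.pop("pan", None)
    rec["pan_masked"] = mask_pan(pan)
    rec["pan_token"] = tokenize_pan(pan, token_key)
    return rec


def contains_pan(text: str) -> bool:
    """Log scrubber check: flag any 12-19 digit run that passes the Luhn test."""
    return any(luhn_valid(m) for m in re.findall(r"\d{12,19}", text))


if __name__ == "__main__":
    # Constructed POS record: test PAN on track 2, plus CVV and amount.
    sample = {
        "track2": ";4111111111111111=2512101123456789?",
        "cvv": "123",
        "amount": 2500,
        "merchant": "shop-01",
    }
    print(sanitize_for_storage(sample, b"constructed-token-key"))
```

The contains_pan() helper is the kind of check worth running over application logs and crash dumps, which is where full PANs most often end up unintentionally; finding one there means the data was stored without protection, which is precisely the exposure the standard exists to prevent.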