Cyber security: Safeguarding Online Sales

Transcription

1 COMMERCIAL BANKING Cyber security: Safeguarding Online Sales Helping business navigate the changing payments landscape

2 INTRODUCTION SETTING THE SCENE We are in the midst of a digital revolution. From the way we buy and sell products to the way we store data, everything is changing. These changes also bring challenges and, as card payments have overtaken cash, e-commerce fraud has risen to its highest level ever. This White Paper will guide you through the increasingly critical issue of cyber security. Growth in Cyber Crime: The Bank of England says cyber attacks have overtaken the eurozone crisis as their chief concern Cyber crime is estimated to cost the UK economy 27 billion a year Over 90% of large businesses say they ve suffered an information security breach E-commerce fraud rose 14% in % More than 90% of large businesses say they've suffered a breach. It s easy to assume cyber attacks only affect small businesses that lack the resources of larger operators to implement strong security measures. But a number of large US retailers have recently had customer credit card data stolen by cyber criminals. Multinationals are at risk too. Longer supply chains around the global economy create more and more points of weakness for attackers to target. Current Trends Attackers can be split into four types: Script-kiddies typically young, socially isolated, intelligent and motivated by fun or the challenge Hacktivists individuals or groups typically motivated by politics or ethics Organised criminals increasingly capable networks with purely financial motives Nation States/Spies well-funded teams with highly advanced methods and geopolitical motives The most common types of threat that people need to be aware of are: Online banking fraud fraudsters are increasingly attempting to trick people into giving their account details through and telephone scams E-commerce fraud fraudulent sales through bogus websites that offer either goods or services that are not provided or counterfeit products The point of sale (POS) may also be targeted

3 Case Study Target in several ways. Cash register terminals can be infected with malware in the factory or organised criminals can sell fake devices. Hackers can also access individual networks using WiFi hotspots, with the ultimate goal of hacking into servers and gaining access to a retailer s POS system. They usually do this through what is known as social engineering, where a target receives an encouraging him or her to click a link or open a file. This will contain malware that exploits software vulnerabilities and allows the attacker to download tools called Trojans so they can remotely control the compromised system. The way we pay for things is changing all the time. Unfortunately, new forms of payment such as contactless and mobile also lead to new dangers. Companies are implementing a range of different actions to combat the threat of cyber crime around new payment methods. For example, Apple Pay uses Visa s Token Service system. This replaces cardholder information, such as account numbers and expiration dates, with a unique series of numbers to validate the customer s identity. Visa says it will expand this device to manufacturers other than Apple. Combatting Cyber Attacks Few, if any, organisations could confidently rule out a cyber attack, so it pays to be prepared. Companies should take steps to remain aware of the latest risks, reduce the likely net impact and time required to recover from any attack and to ensure they can respond quickly and effectively. Some of the key questions businesses should ask themselves are: What information would be most valuable to cyber criminals? Do you have a clear procedure to follow in the event of an attack? Who monitors your security and do they give you threat information? Have your staff received sufficient training about cyber crime? Tackling the threat of cyber security should also include a culture of cyber risk governance at board level. Fostering staff awareness throughout the business and designing security architecture and programmes are essential. Simulated attacks and incident response exercises are another vital part of testing your company s readiness. Identity and access management technology could also prove crucial, along with good cyber threat intelligence to warn about emerging risks and suspicious events. In an ever-evolving world, no one has all the cyber security solutions at any given point in time. But collaboration is key to tackling the threat of cyber attack and minimising the potential costs.

4 QUESTIONS AND ANSWERS QUESTIONS AND ANSWERS WITH PHIL THOMAS Phil Thomas Head of Product Lloyds Bank Cardnet Phil Thomas, Head of Product for Lloyds Bank Cardnet, provided expert answers to questions sent in by merchants who listened in to our Cyber Security Webinar. Here, we list some of the best questions and summarise Phil s allimportant responses: Q: What are the consequences of failing Payment Card Industry (PCI) compliance? secure, whether it s a fingerprint, a voiceprint or a heartbeat scan. PT: I think the most important thing to note is that by not adhering to these industry and global standards, a business leaves itself far more open to the type of breach we ve spoken about on the webinar. The standards [are] to ensure the security of how data is stored and transmitted, so not adhering can leave quite a big gap for a breach to occur. There are also instances of fines arising from the global card schemes that could emerge as a result of not being compliant. We understand that the PCI standards can seem quite onerous at times and we, at Cardnet, are here to help our customers get to those standards and work with the card schemes to ensure we make things as smooth as possible. Q: How safe are biometric authentication methods? PT: This is a real area of interest and focus now. They are coming out of military grade technology that s been around for a number of years. It s a lot easier, frankly, to hack someone s password or a PIN [number] than it is to steal a voiceprint or a fingerprint. There s no way of saying it s absolutely foolproof because as the technology evolves so, no doubt, will the cyber criminals. But the general opinion of the industry, wherever biometrics are being used, is that they re extremely Q: Let s talk about contactless payments and Apple Pay, which has been launched today PT: Apple Pay runs on the same infrastructure rails as contactless payments. When contactless was first launched back in 2007, there was a lot of talk and scare stories [such as] you could walk within 10 metres of a contactless terminal and your card would be debited because the terminal would somehow recognise and charge the card. What has proven to be the case is that contactless is a very secure method in terms of the ability to hack into the point of sale. There have been certain issues with double charging of certain transactions that need to be addressed but that isn t a cyber security issue. Fundamentally, when we talk about Apple Pay, it s as secure as any other contactless transaction the card itself and the device (whether a phone or a watch) have gone through extensive testing. There is no additional fraud implication from accepting a contactless payment now than there was at the time of launch. Q: Hacking is in the news and there was the story about keyless cars. How would you apply that theory to what we re doing here? PT: It s the same kind of principle we ve spoken about where a cyber criminal could gain access

5 QUESTIONS AND ANSWERS to a network and [then] be able to take control of the end device in question. There s a story that has come out that Land Rover are looking to recall a number of models because of the security of the keyless entry system. It s the same principle. Q: We use a 3D Secure system for our internet sales portal. Can you recommend a way for us to implement a 3D Secure system for telephone sales, as this is the cause of our chargebacks? PT: 3D Secure has been designed for purely e-commerce transactions, so there s no 3D Secure for phone payments. There are other methods of securing phone payments; there are existing standards, such as the address verification system that we currently offer. As we move into the realm of biometrics, we will see things like voiceprints become more the norm as a way of securing those types of transactions. Q: Would it be safer for our business to accept fewer kinds of payments? PT: Not a week passes without talk of a new payment method, be it via mobile, tablet or other devices. But I think the simple answer is no. It s not as simple as saying fewer payment types equals fewer aspects of fraud. We talked earlier about the VISA token service and that s been designed for all types of new payment methods, be it a mobile contactless transaction, an e-wallet or scanning a QR code at point of sale. The nature of tokenization is to cover all those different methods and provide a single standard that can be used across those examples to secure payments. Q: How rapidly is technology likely to change with updates and do I need to worry about my tech becoming obsolete shortly after I ve bought it? PT: We would very much hope not. Technology in terms of payments has been evolving at a huge pace in the last decade. What we would say, working with the range of vendors that we do, is that they re all very mindful of keeping up with that pace of change. Points of sale are now based on fairly lightweight APIs that [make it] very straightforward to integrate new payment methods. It s a concern we hear quite a lot of if I m going to invest in this or that point of sale method, will I have to change it in 12 to 18 months? All the indications we re getting from our suppliers are no - that it will be adaptable and flexible to meet the needs of customers as the market develops. Q: How likely are cyber criminals to be caught and prosecuted? PT: It s a question, to an extent, of how long is a piece of string because a lot of these attacks are rumoured to be cross-border, not within a specific market. There are a huge number of instances of individuals being prosecuted and quite often it s relative youngsters with the kit they ve got in their bedroom. There s no way, realistically, that every single attack is going to result in a successful prosecution. [But] it s something both government and businesses are now taking much more seriously. Police now have dedicated cyber crime units to tackle these kinds of issues. Q: If most problems are caused by human error, how do we solve this? PT: The best thing we can do is around processes - making sure they are in place and ensuring there is sufficient oversight within businesses and ensuring you are prepared for these kinds of attacks and able to rehearse different scenarios. Human error is never going to go away and nor should it because we want people at the centre of our processes. But through preparation and rehearsal, there s a way of mitigating partially against that. Y2K obviously had huge amounts of attention and caught the public imagination. It was almost an Apocalypse Now scenario and obviously it didn t amount to much. We would say that we don t want it to turn into the boy who cried wolf just because that didn t result in the cataclysmic scenario some were predicting, it doesn t mean we can be complacent as an industry or in our relations with customers. Q: Do you think customers and businesses are wary or afraid of [biometric] technology and if so what can Lloyds Bank Cardnet do to combat those fears? PT: When we talk about biometrics, there s always the perception that it s a little bit sci-fi, the common response is to say we saw things like that in Minority Report and Mission Impossible. When people start using those

6 QUESTIONS AND ANSWERS types of technology they ll realise it marries up convenience with security. It s something that will take time to bed in and there will probably always be that concern around privacy that may prevent it from becoming ubiquitous. When we talk around Apple Pay and new payment technology, the same applies. As people become more used to it, the likelihood is that there will be increased advocacy of these types of method. I think Cardnet will increasingly focus on topics like this through these webinars and other things we re doing within thought leadership. [We want] to keep our customers, and in turn hopefully their customers, up to speed with what s going on and why it isn t something to be feared but something that will make their lives as they transaction shop on a daily basis easier. Q: Are there other types of common cyber attack that retailers need to be aware of? PT: The two we ve spoken about today, around phishing and getting into a network through things like rogue s and malware, are the most common. The other type of card-not-present fraud, used particularly in a call-centre environment, is keystroke login - being able to read what is entered into a keyboard through an infection in a PC. It can be done by attacking the hardware directly or through electromagnetic or acoustic analysis and wouldn t show up in the way a standard malware would. It can be picked up through some of the scanning of rogue bots on the device itself, so it s important that businesses keep up to speed with anti-virus software. Q: Is there anything consumers can do to protect themselves against fraud as when we are asked to constantly store our card details on numerous devises it makes us vulnerable to attacks? PT: It s a case of being vigilant in relation to where you store card details. On mobile devices, it s critical to set strong passwords and install appropriate security software in the same way you would on a laptop. Where there is the option to set a biometric ID on your mobile (such as with Apple s Touch ID), it s a good idea to do so. It s also worth noting that when shopping at an online store, you should always check the website has a padlock in the browser bar and begins with https: as both of these denote the security of the website. More general advice would be to check search engines for reviews of stores you haven t purchased from previously to monitor for concerns from other customers. Q: These webinars are really useful for staying up-to-date but how else can I ensure I know the absolute latest? PT: We, as Cardnet, are seeing that we need to share information more readily with customers around these kinds of topics. We will keep our own website updated and we ll ensure our relationship managers, who many of our listeners will be very familiar with, have the latest information. We d also ask for it to be two-way. We re focusing on a number of topics that we think are of most interest to customers. But where there are follow-ups or specific niches that customers want more information on, please get in touch via your Cardnet Relationship Manager and we will certainly make sure we share the latest information in as practical a way as we can. Important Note: The information shared during our Changing Payments Regulation webinar was accurate at the time of recording but many of the regulations we discussed are subject to change. Lloyds Bank Cardnet encourages clients to remain up-to-date on regulations and we will continue to use a range of communications platforms to help you navigate the changing payments landscape.