As Consult Hyperion and many other analysts predicted, Covid-19 has driven the adoption and use of contact-free technology at the point of service. A recent survey funded by the National Retail Foundation found that no-touch payments have increased for 69 percent of US retailers surveyed since January 2020. In May, Mastercard reported that 78% of all their transactions across Europe were contactless.
Fraudsters are always looking for ways to take advantage of potential weaknesses, or even inexperience, in new payment devices. A recent news story described a man-in-the-middle attack in which two phones are used to relay and manipulate the transaction messages between a stolen contactless card and the point of sale terminal.
As many of you know, my colleagues at Consult Hyperion have unrivalled and detailed knowledge of the EMVCo and Payment Scheme specifications that underpin face to face and remote card payments. As an aside, one of my memories of driving along Route 66 prior to lockdown was that my colleagues with me in the car spent the time debugging a faulty card personalization profile which was delaying the launch of a new payment card service by a major player in Silicon Valley.
Our internal discussions about such news stories identify the attack as not particularly scalable BUT one that should not be ignored. EMVCo and Payment Scheme specifications usually include cost-effective countermeasures against such frauds; however, on closer inspection many of these countermeasures are not being correctly implemented. Issuers are:
- Using older cards whose designs are close to being sunsetted because, for example, they use static rather than dynamic authentication.
- Not updating their card personalization profiles to take advantage of new countermeasures included in the latest version of the specifications.
- Leaving sensitive data elements from the cards vulnerable to manipulation by excluding them from the data signed by the card.
- Not sufficiently validating the chip card data received by their authorization systems to catch those messages that have been manipulated by the fraudster.
For instance, in the man-in-the-middle attack, data from a contactless card is altered between the card and the terminal. Instead of indicating that a PIN should be entered at the POS, it indicates that the cardholder has already been authenticated by the card, e.g. using an on-card fingerprint reader. This allows a fraudster with a stolen card to transact without a PIN even though the card attempted to indicate to the terminal that a PIN is required.
As the cards in question did not support on-card cardholder authentication, the issuer's systems should have been able to determine that this was likely to be a fraud attempt, decline the transaction and escalate it for additional analysis by the fraud team.
Recently Consult Hyperion has seen a rise in demand from the bigger Issuers for "negative" testing of their authorization platforms. This validates that they correctly handle transaction messages which have been manipulated by fraudsters to fall through the cracks between rules that have only been tested against correctly formed messages.
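The three issuer-side points above (data elements left outside the card's signed data, authorization hosts that do not cross-check chip data against what the card was personalised with, and "negative" testing with manipulated messages) can be shown together in one small model. The following is an added example written for this post, not Consult Hyperion's tooling and not an EMV implementation: the message layout, the two card records and the symbolic CVM names are constructed, and an HMAC-SHA256 over selected fields stands in for the card's application cryptogram so the code runs offline. The `relay_manipulation` function is a negative test in the sense used above: it feeds the host a message rewritten to claim an on-device CVM the card never supported, with the card's original cryptogram forwarded unchanged.

```python
"""Issuer-side validation of a simplified EMV-style authorization request.

Added example (not Consult Hyperion's code). The message layout, the card
records and the cryptogram construction are constructed stand-ins: an
HMAC-SHA256 over selected fields replaces the EMV application cryptogram,
and the CVM names are symbolic rather than real EMV CVM codes.
"""
import hashlib
import hmac

# Hypothetical issuer personalization records: which cardholder verification
# methods each card was actually personalised to support, and which message
# fields its cryptogram covers. Neither card has an on-card biometric/device CVM.
CARD_PROFILES = {
    "card-A": {  # older profile: the CVM indication is NOT covered by the cryptogram
        "supported_cvm": {"ONLINE_PIN", "SIGNATURE", "NO_CVM"},
        "mac_covered": ("amount", "currency", "atc", "unpredictable_number"),
        "key": b"card-A-key-placeholder",
    },
    "card-B": {  # updated profile: the CVM indication IS covered by the cryptogram
        "supported_cvm": {"ONLINE_PIN", "SIGNATURE", "NO_CVM"},
        "mac_covered": ("amount", "currency", "atc", "unpredictable_number", "cvm"),
        "key": b"card-B-key-placeholder",
    },
}


def cryptogram(profile, msg):
    """Stand-in for the card's application cryptogram: a MAC over the covered fields only."""
    data = "|".join(f"{field}={msg[field]}" for field in profile["mac_covered"]).encode()
    return hmac.new(profile["key"], data, hashlib.sha256).hexdigest()


def card_transaction(card_id, amount, currency, atc, unpredictable_number, cvm):
    """What a genuine card hands to the terminal: transaction data plus its cryptogram."""
    msg = {
        "card_id": card_id, "amount": amount, "currency": currency, "atc": atc,
        "unpredictable_number": unpredictable_number, "cvm": cvm,
    }
    msg["cryptogram"] = cryptogram(CARD_PROFILES[card_id], msg)
    return msg


def authorize(msg):
    """Issuer host checks. Returns (decision, reasons).

    1. Recompute the cryptogram: any alteration of a covered field is caught here.
    2. Compare the CVM the message claims against what the card was personalised
       to support: a claim the card cannot make is a likely manipulation, even
       when the cryptogram still verifies because that field was not covered.
    """
    profile = CARD_PROFILES[msg["card_id"]]
    reasons = []
    if not hmac.compare_digest(cryptogram(profile, msg), msg["cryptogram"]):
        reasons.append("cryptogram mismatch: a covered data element was altered")
    if msg["cvm"] not in profile["supported_cvm"]:
        reasons.append(f"CVM '{msg['cvm']}' claimed but card is not personalised for it")
    return ("DECLINE_AND_ESCALATE" if reasons else "APPROVE"), reasons


def relay_manipulation(card_id):
    """Negative test: the card asked for online PIN; the message between card and
    terminal is rewritten to claim an on-device CVM. The cryptogram cannot be
    recomputed without the card's key, so the original one is forwarded unchanged."""
    genuine = card_transaction(card_id, "125.00", "826", 42, "9A3F01C7", "ONLINE_PIN")
    tampered = dict(genuine, cvm="ON_DEVICE_CVM")
    return authorize(tampered)


if __name__ == "__main__":
    print(authorize(card_transaction("card-A", "9.99", "826", 41, "00112233", "NO_CVM")))
    print(relay_manipulation("card-A"))  # caught by the capability check only
    print(relay_manipulation("card-B"))  # caught by both checks
```

The two card records make the point of the list above concrete: with the older profile (`card-A`) the cryptogram verifies on the manipulated message, because the CVM indication was never part of the signed data, and only the host's cross-check against the personalization record catches it; with the updated profile (`card-B`) the cryptogram check fails as well. An authorization platform that only tests well-formed messages exercises neither path.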
So why are we seeing more of these errors?
Whilst EMV technology is ubiquitous and implemented worldwide, the specifications that underpin it are complex with some differentiation between the various Payment Schemes. For instance, hundreds of data elements are configured when the payment card is personalized, which determine how the card manages risk, how the transaction data passed to the Point of Sale (POS) is secured and how the card performs at a POS or ATM.
In the past, banks assembled small teams of technical EMV experts with the knowledge required to ensure that their services were compliant and error free. In recent times, these in-house teams have diminished with no real succession plan, as the banks assume that EMV is 'business as usual' and have chosen to sub-contract such expertise to their suppliers. In our experience those suppliers are focused on the factors that affect the successful operation of their own service, and assume that someone else is checking the end-to-end operation of the card and its associated systems.
Security needs a holistic view. The data exchange between the card and terminal should be secure, and the issuer system should check that the authorisation data is fully legitimate. Without expert teams looking after end-to-end security, weaknesses and vulnerabilities creep into the system over time, which in turn could be exploited by nefarious parties. Whether the damage done is financial or reputational, traditional Banks and Fintechs alike need to take steps to ensure they and their customers are protected by using the EMV technology correctly.
How can we help?
Over the last 20 years Consult Hyperion has helped some of the world’s largest banks, processors and Fintechs to use the EMVCo and Payment Scheme specifications to deliver market changing services, such as Transit Open Payment Ticketing, contactless and Mobile Payments. The security of our clients’ and their customers’ data at rest and in flight within the system is paramount in everything we design and deliver. Our consultants are experts in the implementation of all the countermeasures within the EMV and Payment Scheme specifications as well as other countermeasures commonly used across the global financial services market.
We recognize that we can use this unique experience and knowledge to provide new and existing card issuers with assurance that their payment cards:
- Will work first time in the current global card payment ecosystem.
- Support their short to medium term objectives for their business.
- Make use of all the cost-effective countermeasures required to protect their business and their customers' personal information.
Our consultants can add EMV knowledge and experience to your development teams to ensure the successful launch of your new financial card service. Working only when required by your internal teams, they can:
- Develop card personalization profiles that are robust, support your requirements and take advantage of all the latest countermeasures within the EMV and Payment Scheme specifications.
- Work with personalisation bureaus and review their design artefacts.
- Test sample cards and validate that settings are correct and that cryptographic functions are performing as required.
- Mitigate the risk of incorrectly functioning cards being issued, saving you time and money.
If you are considering launching a new payment card program, I strongly recommend that you talk to one of my colleagues.