Wednesday, October 30, 2019

Surviving Payments in a Hackable World

I was once the Security Architect for a well-known payment gateway provider that served a wide variety of retail and hospitality customers.  Here’s how I changed my behaviors after being exposed to the payments world.

My Credit Online / Offline ToDo Checklist

  • Expect that your Credit card will be eventually be compromised
    • It's not the end-of-the-world.
    • But ...
      • Have a couple of credit cards: one you use routinely; the other as a back-up. 
  • Use cash where you can. 
  • Don't use Debit cards. 
    • Seriously, put your checking account Debit card away. 
    • Only use your checking account Debit card in emergency situations. 
  • Use Credit cards in place of Debit cards 
    • This will require some discipline, but not much more than avoiding that over-draft fee for using a Debit card too much. 
  • Don't count on EMV to protect you. 
    • EMV (chip-n-dip) provides Authentication, not Encryption. 
    • The rise in on-line CC theft is due to EMV. The hackers simply shifted to a different vector (e.g., workstations, servers), using existing attack vectors to skim CC data. 
  • Inspect card-insertion devices before you make use of them. 
    • Hackers can compromise the Point of Interaction (POI) device with skimmers, or attach in-line devices and get your account information 
  • Try to use merchants who have implemented P2PE
    • This is difficult for the average person to ascertain, but ask your vendor.
      • Encourage them to use only P2PE validated solutions.
    • Believe it or not, not every POI device encrypts CC account data.
    • Point-2-Point-Encryption is a PCI-SSC standard wherein the account information is encrypted by the POI device (magstripe/dip/NFC reader).
    • P2PE equipment is not small, so small-ish ear-phone-like devices generally are not P2PE enabled
    • Encryption performed by a Workstation or a Mobile device is NOT P2PE encryption.
    • P2PE encryption is ALWAYS performed by the Card Reader (magstripe, dip, or NFC).
  • Do not use "public" ATM machines. 
    • Use only the ATM machines attached to your bank, with your bank's logo, at your bank's branch. 
    • Old or cheap ATM means old tech, which means no magstripe reader encryption 
    • Even newer ATM machines may not perform card account information encryption at the reader. 
  • Be wary of gas pumps and very old technology at your favorite, In-Real-Life, places. 
    • Never use a Debit Card at a gas pump unless absolutely necessary. 
    • Gas pumps are expensive to build and replace. They have old tech: usually no encryption at the card reader. 
      • Mag-stripe readers that don't do encryption are cheap. 
      • They can be connected to windows & Linux machines that can do encryption, or not: perhaps they just use HTTPS to transfer your account information. 
      • Connect the dots here. 
  • Think twice about buying that item cheap, at that little known, online store. 
  • Avoid storing your CC account information online.
    • Use auto-pay services provided by your BANK, not the Retailer, Utility, or Service Provider. 
    • Avoid storing your CC account information at Utility Companies, local/regional Service providers, and other Retail companies.
  • Consider using a LOCAL (not cloud) password safe to keep your account information ready for that I-gotta-have-it-thinga-ma-jig-I-just-succumbed-to-buying. 
    • Absent that, consider putting your private account details in an encrypted ZIP file, on an encrypted USB stick that is not connected to your computer until you're ready to use it.
    • This is defense in depth 
      • The USB is not always attached 
      • The USB is encrypted 
      • The ZIP file is encrypted (never use original/default PK-Zip encryption!)
      • Use AES encryption in ZIP files 
      • Don't forget to back up your files. 

Here's what I do

  • Day-to-day
    • I have one, shared CC account that I and my Wife use. 
    • I never use my debit card. 
  • Sharing & Encryption 
    • We securely share and store our account information using 1Password and cloud filesystem services. 
  • Online Activities 
    • I allow a few companies I trust to keep my CC information online. 
    • I use ApplePay whenever I can.
    • When looking for online payment providers, look for wording like this:
      • Your card number and identity aren’t shared with the merchant, and your actual card numbers aren’t stored on your device or on our servers.
  • My Expectations
    • Through normal use (e.g., gas pump, dining, shopping), I expect my CC to be compromised. I don't care. 
    • It won't be my fault and either the Merchant or the CC company will bear the cost. 
    • I'll use my backup CC in the event my card stolen, overcharged, or is canceled due to fraud. 
    • It will be a minor inconvenience.
  • How I manage the CC 
    • I pay off the usage every couple of weeks. 
    • I receive an email from my CC provider every time a charge is made. 
    • When I don't recognize a charge, I call the CC company and report fraud. 
      • This occurred recently. An online, international charge was made using my Wife's (shared) CC. 
      • She got a new CC in a few days, the charge was removed from the account. 

There are probably other things that can be done.  Leave your best practices in the comment section.

No comments:

Post a Comment