Have you ever been asked by a waiter at a restaurant for your card’s PIN and watched him write it down on a piece of paper? Ever noticed a CCTV camera watching you enter the PIN at a shop? Maybe you’ve used an app to buy something, and got redirected to your bank’s web page to enter your PIN. You’ve probably also given permission to an app to read all your SMS messages, some of which may contain payment OTPs.
By now, you should have guessed that your PIN and OTPs are easily compromised.
The many technological advances since card-based payment systems were introduced have left those systems exposed. Fundamentally, card-based systems require every machine and every intermediary involved in a transaction to be secure. There are far too many such machines and intermediaries across the world to establish how secure each one is. Many of the people who operate them, merchants for example, have little idea of their role in securing the system as a whole. A breach at any single machine can cause unrecoverable damage to many users, because card details, once captured, can be reused for many further transactions.
To overcome some of the limitations of payment cards, a PIN is mandated for every transaction. A 4-digit PIN offers protection against many trivial threats, but given the reusable nature of the PIN and the poor PIN choices users make, it is not a strong enough defense.
With personal devices such as phones, users have far better visibility into and control over tampering. However, most of these devices, and the software running on them, are also vulnerable to a range of threats. Android users can easily observe that many programs can read the SMS messages on their phone, and such programs can export the OTPs in those messages to a fraudster's machine without the user's knowledge. Likewise, almost all mobile apps that accept card and netbanking payments are in a position to read and store the passwords, OTPs and PINs the user enters. It may appear to the user that she is entering the PIN on the bank's payment page, yet it is nearly impossible for her to know whether the app has captured and stored her password or PIN.
To overcome vulnerabilities in operating systems, applications and hardware components, and to defend against powerful machines and programs that can exploit the smallest of those vulnerabilities, security must be a foundational aspect of the system. Payment system providers should be relentless about it.
Secure Foundation for a Modern Payment System
Payment systems need to be built on strong foundations of security. Strong foundations need ground rules:
- Third-party devices: The system should not rely on any non-personal device of the user for transaction security. Card readers, POS machines, ATMs and any other machines that do not belong to the transacting user must be assumed to be vulnerable.
- User-provided data: Users tend to use easily retrievable personal data for passwords, PINs and other key material. The system should not rely solely on such information to secure transactions.
- Data persistence and transmission: Every transaction must require information that is never persisted on any device involved in the transaction. Information transmitted for one transaction should not be reusable for any other transaction.
- Visible information: If information is visible to the user, we assume it can be shared or stolen through techniques such as social engineering. No data the user may be able to share, during a transaction or otherwise, should be sufficient to perform a new transaction.
- Data location: Data from a single location (data center) alone should not be sufficient to complete a transaction.
- Hardware Security Modules (HSMs): Always use HSMs. They are physical computing devices that provide a strong basis for the authentication process.
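The following is an added illustration of how the persistence, visibility and data-location rules above can be realised in a transaction-authorization flow; it is example code written for this page, not Zeta's own design, and the key-splitting scheme (XOR shares), the nonce-bound HMAC and every key and value in it are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
# Constructed illustration of the ground rules above; all keys/values are made up.
# Device key K lives only on the user's own device and is never transmitted.

def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Rule 'Data location': XOR-split so one data center's share alone is useless."""
    share_a = os.urandom(len(key))
    return share_a, bytes(x ^ y for x, y in zip(key, share_a))

def join_key(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(share_a, share_b))

def auth_code(key: bytes, nonce: bytes, amount: int, merchant: str) -> str:
    """Device side: the code is bound to a fresh nonce and the transaction details."""
    msg = nonce + amount.to_bytes(8, "big") + merchant.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Verifier:
    """Server side: issues one-time nonces and checks codes against them."""
    def __init__(self, share_a: bytes, share_b: bytes):
        self.shares = (share_a, share_b)
        self.pending: dict[bytes, tuple[int, str]] = {}  # nonce -> (amount, merchant)
        self.used: set[bytes] = set()

    def challenge(self, amount: int, merchant: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (amount, merchant)
        return nonce

    def verify(self, nonce: bytes, amount: int, merchant: str, code: str) -> bool:
        # Rule 'Data persistence and transmission': a nonce is consumed once, so a
        # captured code cannot authorise a replay or a different transaction.
        if nonce in self.used or self.pending.get(nonce) != (amount, merchant):
            return False
        expected = auth_code(join_key(*self.shares), nonce, amount, merchant)
        ok = hmac.compare_digest(expected, code)
        if ok:
            self.used.add(nonce)
            del self.pending[nonce]
        return ok
def demo() -> tuple[bool, bool, bool]:
    key = os.urandom(32)                        # provisioned on the device
    verifier = Verifier(*split_key(key))
    nonce = verifier.challenge(2500, "merchant-42")
    code = auth_code(key, nonce, 2500, "merchant-42")
    first = verifier.verify(nonce, 2500, "merchant-42", code)
    replay = verifier.verify(nonce, 2500, "merchant-42", code)        # reuse rejected
    other = verifier.challenge(9900, "merchant-42")
    diverted = verifier.verify(other, 9900, "merchant-42", code)      # wrong transaction
    return first, replay, diverted
```

A real deployment would keep the joined key inside an HSM rather than reconstructing it in application memory, and would bind the code to further transaction fields (currency, timestamp, device identity).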
Summing up the Card Payment Security
We must acknowledge that card-based payments can be made significantly more secure than they currently are. We must constantly strive to earn the confidence that our users place in us. In the payment industry, it is extremely hard to win back a user's trust once it is lost.
Authored by Ramki Gaddipati, CTO & Co-founder of Zeta