Sunday, March 8, 2015

Repairing the Apple Pay Vulnerability

The Apple Pay architecture works; financial institution (FI) validation of cardholders once again fails miserably. FIs must protect all of their customers better, and Apple Pay users far better. There is no excuse for a retail FI to keep living in the stone age, and no excuse for an FI not to evolve along with the continuously changing attacks on the accounts in its care. The FI attitude of "this vault worked for our founders and we will not change it now" is bankrupt. FIs need to review their security posture continuously and build architectures that evolve with the attacks, or everyone will pay higher fees to cover losses the FIs could have prevented.

The Apple Pay vulnerability lets a thief load stolen payment card data into the wallet and then spend with it. Before the card is activated, the FI receives a preliminary, non-financial request to validate that the person presenting the card data is its cardholder. FIs need to improve how they validate that request, and apply the improved techniques to all of their cardholders, regardless of how each one initiates payments.
At a minimum, when a customer plans to use a personal electronic device (PED) for payment, the FI should send a text message or an email to the contact details it already holds for that customer as soon as it receives a validation request. If the cardholder does not respond correctly within a reasonable time, the FI denies the request. Cardholders with more value at risk need stronger protection: the FI could store a picture taken while the customer is physically present at the FI and, during the initial validation of card data stored on a PED, compare it with the same picture stored on the customer's PED.

These techniques, in today's Wild West, require Apple and its competitors to create standards for validating cardholders and the PED applications. Once again greed prevents the development of standards that would protect the paying public, so FI fees rise to cover preventable losses. Government cannot legislate protection from FI incompetence without imposing significantly greater costs on FIs. Perhaps a patchwork of differing FI validation techniques will serve until the techniques become routine, therefore non-proprietary, and therefore ripe for a standard.

Regardless of how uniform the approach is, FIs and financial application developers need to consider their vulnerability posture before releasing payment solutions to the paying public. Whether the validation request comes from Samsung Pay, Apple Pay, or Google Pay, the FI needs to prove that the request comes from its customer and not an impostor. FIs know how to compare data in a transmission with data stored on their processing platform. They know how to send a response. They know how to set a timer that expires when a cardholder does not respond. That knowledge is worthless, however, if FIs continue to think that a physical vault protects their customers from attack.
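The validation flow the two paragraphs above describe (one-time message to the cardholder, a timer, deny on no answer), written out as an added example. This is not code from the original post, from Apple, Samsung, Google or any financial institution; the class name, the cardholder record layout, the 10-minute window, the three-attempt limit and the sample cardholder are assumptions made for illustration.

```python
"""Out-of-band cardholder confirmation for a wallet provisioning request.

Added example; not code from the original post, Apple, Samsung, Google or
any financial institution. The class name, the cardholder record layout,
the 10-minute window and the 3-attempt limit are assumptions. The pattern
is the one the post asks for: on a validation request, send a one-time
code to the contact the FI already has on file, hold the request as
PENDING, and DENY it if the code does not come back correctly in time.
"""
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"


@dataclass
class PendingRequest:
    pan_last4: str
    wallet: str
    code: str
    expires_at: float
    attempts_left: int


class ProvisioningGate:
    WINDOW_SECONDS = 600   # assumed: cardholder must answer within 10 minutes
    MAX_ATTEMPTS = 3       # assumed: after that the request is denied

    def __init__(self, cardholders, send_message, clock):
        # cardholders: {pan_last4: {"contact": str}} -- what the FI has on file
        # send_message(contact, text): the FI's SMS/email gateway (injected)
        # clock() -> seconds: injected so the timer can be driven in a test
        self.cardholders = cardholders
        self.send_message = send_message
        self.clock = clock
        self.pending = {}  # request_id -> PendingRequest

    def receive_request(self, pan_last4, wallet):
        """Step 1: a wallet asks to activate a card. Never approve on the spot."""
        record = self.cardholders.get(pan_last4)
        if record is None:
            return None, Decision.DENIED           # card not on file
        code = f"{secrets.randbelow(10**6):06d}"   # one-time code, not derivable from the request
        request_id = secrets.token_hex(8)
        self.pending[request_id] = PendingRequest(
            pan_last4, wallet, code, self.clock() + self.WINDOW_SECONDS, self.MAX_ATTEMPTS)
        # The challenge goes to the contact on file, never to an address or
        # number supplied in the provisioning request itself.
        self.send_message(
            record["contact"],
            f"Confirm adding your card ending {pan_last4} to {wallet}. Code: {code}")
        return request_id, Decision.PENDING

    def confirm(self, request_id, submitted_code):
        """Step 2: the cardholder answers. Timer first, then constant-time compare."""
        req = self.pending.get(request_id)
        if req is None:
            return Decision.DENIED                 # unknown, expired or already decided
        if self.clock() > req.expires_at:
            del self.pending[request_id]
            return Decision.DENIED                 # no timely answer: deny, never approve by default
        if not hmac.compare_digest(req.code.encode(), str(submitted_code).encode()):
            req.attempts_left -= 1
            if req.attempts_left <= 0:
                del self.pending[request_id]
                return Decision.DENIED             # guessing budget exhausted
            return Decision.PENDING                # wrong code; may retry within the window
        del self.pending[request_id]               # one-shot: a code cannot be replayed
        return Decision.APPROVED


if __name__ == "__main__":
    # Constructed sample: one cardholder on file, a list as the "gateway", a fake clock.
    now = [1_000.0]
    outbox = []
    gate = ProvisioningGate({"4242": {"contact": "+1-555-0100"}},
                            lambda to, text: outbox.append((to, text)),
                            lambda: now[0])
    rid, state = gate.receive_request("4242", "Apple Pay")
    print(state, outbox[-1])
    now[0] += 601                                  # cardholder never answers
    print(gate.confirm(rid, "123456"))             # Decision.DENIED
```

The two design points that matter are the ones the post keeps repeating: the message is addressed to the contact the FI already has, not to anything the wallet request carries, and silence within the window is a denial rather than an approval. The gateway and clock are injected so the timeout path can be exercised without waiting ten minutes.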

Next Blog: Removing the Security Standard Development Obstacles

Tuesday, March 3, 2015

Samsung Pay Changes Everything

The Samsung Pay application gives retailers the chance to control their own destiny in the payment space. However, big-box retailers' predilection for restricting consumer choice rather than expanding it will likely let this great opportunity pass by unused. It is difficult to imagine the logic of angry retailer executives under siege by the payment services industry, but their actions show an infantile understanding of something typically right in their wheelhouse: pricing.

The Samsung Pay application lets consumers pay by emitting a magnetic field that the read head of a point of sale (POS) device picks up as if a card had been swiped. A well designed POS device can therefore process a wide range of transmissions, including letting consumers choose a method of payment other than a payment card. Simple code changes within the currently deployed base of POS devices could let consumers switch their method of payment to an e-check or, ultimately, a cryptocurrency, and let retailers charge their customers more for the more expensive payment choices.

The payment services industry will not sit idly by if retailer surcharges soak cardholders, but it does allow retailers to offer discounts for customers using cheaper methods of payment such as cash. If retailers adopt a convention such as track 2 data beginning with digits that no payment card uses (such as 000), followed by financial data such as a routing number and account number, then a POS device can originate a real-time authorization request followed by fast settlement, without swipe fees, chargebacks, or liability for the theft of a consumer account.
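What the POS code change above amounts to, as an added example that is not part of the original post or any POS vendor's firmware: a track 2 reader that recognises the proposed prefix, validates the record on each rail (Luhn check on a card PAN, ABA checksum on a routing number) and says where the authorization should go. The post only proposes a prefix that no payment card uses; the exact record layout used here ('000' plus a 9-digit routing number in the primary field, zero expiry and service code, account number in the discretionary field), the sample swipes and the fictitious routing number are assumptions for illustration.

```python
"""Track 2 reader that tells a payment-card swipe from the e-check
convention proposed above, and routes each to the right rail.

Added example; not code from the original post or from any POS vendor.
The post only proposes a prefix that no payment card uses; the record
layout here ('000' + 9-digit ABA routing number in the primary field,
'0000' expiry, '000' service code, account number in the discretionary
field) is an assumption for illustration. The track 2 layout itself
(';' start sentinel, primary account field of up to 19 digits, '='
separator, YYMM expiry, 3-digit service code, discretionary data, '?'
end sentinel) follows ISO/IEC 7813; a magnetic transmission from a
phone is read by the same head and parsed the same way as a swipe.
"""
import re
from dataclasses import dataclass
from typing import Optional

ECHECK_PREFIX = "000"  # assumed marker: a leading 0 is not issued to payment cards

TRACK2_RE = re.compile(
    r"^;(?P<primary>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")


@dataclass
class Track2:
    kind: str                      # "card" or "echeck"
    primary: str
    expiry: str
    service_code: str
    discretionary: str
    routing: Optional[str] = None  # e-check only
    account: Optional[str] = None  # e-check only

    @property
    def rail(self):
        """Where the POS sends the authorization: card acquirer or e-check."""
        return "acquirer" if self.kind == "card" else "echeck"


def luhn_ok(digits):
    """Luhn check-digit test, as applied to every payment-card PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def aba_routing_ok(routing):
    """ABA routing number checksum: weights 3, 7, 1; sum divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0


def parse_track2(raw):
    """Parse one track 2 record; raise ValueError on anything the POS should reject."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a track 2 record")
    primary = m["primary"]
    if primary.startswith(ECHECK_PREFIX):
        routing, account = primary[len(ECHECK_PREFIX):], m["disc"]
        if not aba_routing_ok(routing):
            raise ValueError("bad routing number")
        if not account:
            raise ValueError("missing account number")
        return Track2("echeck", primary, m["exp"], m["svc"], m["disc"], routing, account)
    if not luhn_ok(primary):
        raise ValueError("PAN fails Luhn check")
    return Track2("card", primary, m["exp"], m["svc"], m["disc"])


# Constructed sample swipes (not captured data). 4111111111111111 is the usual
# test PAN; 123456780 is a checksum-valid but fictitious routing number.
SAMPLE_CARD = ";4111111111111111=2512101123456789?"
SAMPLE_ECHECK = ";" + ECHECK_PREFIX + "123456780" + "=" + "0000" + "000" + "987654321" + "?"

if __name__ == "__main__":
    for raw in (SAMPLE_CARD, SAMPLE_ECHECK):
        rec = parse_track2(raw)
        print(rec.kind, rec.rail, rec.routing or rec.primary)
```

The prefix decision happens in the POS before the record ever reaches the card acquirer, which is what keeps the e-check transaction off the card network. The account number lives in the discretionary field because the primary field is capped at 19 digits and the prefix plus routing number already consume 12 of them. The record is still static data read from a magnetic head, so it can be skimmed and replayed exactly like a stripe; the post's own caveat about the least secure point of transmission applies to it unchanged.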

The best retailers will present a POS device that lets consumers enter data establishing proof of identity, a form of protection that separates a retailer from its competitors. Consumers, though, will ultimately react to lower prices for cheaper payment methods. If there is no percentage-plus-fixed-fee attached to the price of a purchase (such as a donut dipped in chocolate and peanuts, accompanied by Hawaiian coffee with real sugar and cream), then everyone except the payment services industry (hospitals specializing in cardiac services included) will rejoice and pay lower prices by using non-proprietary methods of payment.

Of course Samsung Pay presents the same risks of attack as Apple Pay, and there is no antidote for electronic theft at the least secure point of a transmission; however, the price of admission for electronic theft continues to increase, and the Samsung payment application raises the bar higher. Fraud will decrease because of the ubiquity of magnetic stripe readers, not because of the EMV boondoggle.

Will retailers use the capabilities of magnetic transmission to their advantage? Perhaps retailers will use pricing to combat the torment of the payment services industry. Perhaps financial institutions will offer portals for e-check approvals without acquirers. Perhaps pigs will fly.

Next Blog: POS architecture for Magnetic transmission