By Thorsten Held, co-founder and managing director, whiteCryption
In the past, hackers have most often gone after specific merchants when seeking cardholder information. Recent attacks on point-of-sale (POS) vendors, however, may signal a drastic shift in how these cybercriminals operate, and certainly signal a need for application security for mobile payments.
More than 10 POS vendors, including MICROS, have been compromised within the last few weeks. Some of these attacks may be linked to two specific forms of malware: Carbanak and MalumPOS. However, no definitive link between the hackers behind these programs and the recent attacks is certain.
The damage that these attacks can cause is best exemplified by the story of the HEI Hotels & Resorts company. It recently reported a POS-related security breach at 20 of the properties it manages (which include major hotel chains such as Marriott and Sheraton). Card numbers, cardholder names, expiration dates, and verification codes used between March 2015 and June 2016 may all have been exposed.
A shift in security attention
As these breaches indicate, past cyberattacks have mostly been directed at merchants. Mobile devices, however, have now advanced to the point where paying with a phone at the POS is increasingly common. Mobile payments are simply one more avenue through which hackers seek to gain control of sensitive data. Hackers are not merely switching to new targets; they are attacking multiple points of vulnerability at once – including mobile payments. Protecting merchants alone is no longer enough: security must now be applied to the entire infrastructure supporting merchants, POS systems and mobile devices.
Increasing security measures to withstand mobile-payment attacks
NFC technology has been gaining traction as many device manufacturers introduce their own payment solutions. Traditional NFC-based applications store credentials in a secure element (SE) on the mobile device, whereas Host Card Emulation (HCE) is an easy-to-deploy alternative that does not require a physical secure element. HCE lets NFC devices perform the same transactions while storing credentials somewhere other than the SE, such as in the cloud. With all the benefits that HCE provides come associated security risks such as identity theft, fraud and loss of privacy. If these risks aren't addressed, cybercriminals can reverse engineer the sensitive code that transmits or processes encryption keys on the mobile device.
Merchants need to take security for HCE to the next level by providing application hardening to protect apps and devices with:
In addition, white-box cryptography solutions secure data within mobile applications and ensure the keys are always encrypted. This protects static keys, dynamic keys and sensitive user data. Beyond securing mobile payments, it's always good to brush up on protecting the other parts of the overall POS infrastructure.
Here are some basic tips:
The shifting of cyberattacks from merchants to POS vendors and the infrastructure supporting them is exposing vulnerabilities in those systems, including mobile payment applications. However, companies are quickly learning ways to prevent these and other recent attacks from happening again.
About the author
Thorsten Held is a co-founder of whiteCryption and its managing director. In this role, Held is responsible for driving the growth of the company and ensuring high satisfaction among whiteCryption customers who need enterprise-grade security solutions. He is an experienced business development executive with over 20 years of experience in the software and information technology industry and holds a Diploma in Electrical Engineering from the University of Applied Science in Hamburg, Germany.