There is no denying that the safeguarding of banks' processing and payments' ecosystem is of fundamental importance to ensure the smooth running of daily commercial transactions and the overall health of a region's economy and investor environment. Zoya Malik investigates the weaknesses, threats and opportunities for the region's players to consolidate on security protocols
The supply chain for card processing and payments is a complex one involving numerous players: customer, cardholder, merchant, payment gateway, front end and back end network, acquiring bank, association and issuer, each in the link reliant on servicing and protecting its processes where collection, storage and transfer of customer information for authorising payment permissions and approvals is of paramount importance.
This month, institutions in the supply chain are understandably fraught with concern in the wake of the recent cyber attacks that have thrown the operational profile of two Middle East banks into sharp relief, causing the industry's banking and payments sector to shudder at the thought of the losses that may, potentially, be incurred at the hands of cyber criminals. The recent spate of illicit withdrawals totalling $45 million via Bank of Muscat and RAK Bank ATMs, using stolen pre-paid card data, has served to highlight the immediate disruption of day-to-day operations, the ensuing scandal that can cripple a brand's image, and the loss of shareholder and customer confidence.
A number of theories on the modus operandi of the criminals have emerged based on the reporting in the wider media. All of this speculation merits the industry looking inward to assess, debate and develop responses that can uncover the weaknesses across the network and promote a cooperative effort to combat them and fortify the system. Particular to the two Middle East bank cases is the use of pre-paid cards, which requires some elaboration. Emmanuel Payraud, Vice President Banking & Retail for Middle East & Turkey at Gemalto, is of the opinion that, "Magnetic stripes on the (pre-paid) banking cards store the user's credentials and account information with practically no security layers protecting this data. Magnetic stripe banking cards can easily be skimmed and the stolen data can be used to make fraudulent charges either online or with a counterfeit credit card. Skimming and cloning, however, are specific to magnetic stripe cards and various security measures are required across the entire payment operation, stringently certified by industry bodies."
The more secure alternative has been the migration to EMV technology, which incorporates chip and PIN. Payraud mentions, "Banks are continuously protecting themselves better with stronger and more comprehensive security measures across the entire payment chain. This encompasses protecting sensitive databases, securing issuance of payment cards, protecting cardholders with better technology like EMV and ensuring transaction validation at the point of sale."
In defence of pre-paid cards backed with EMV technology, Peter Majgaard, Business Director, Middle East, at Oberthur Technologies, which produces and personalises payment cards for financial institutions, governments, transport operators, corporates and conditional access system providers, declares, "First of all, the prepaid debit card is a great and very popular product. It is easier to obtain than a conventional credit card, as you do not need a credit score. It can be used in teaching kids about money and curtailing over-spend. It can help prevent data from being stolen because it typically is not linked to any further personal data. It is safe when travelling. It can be used on the internet for payments without leaving more valuable credit card data." Majgaard reiterates, "It is not easy to commit fraud using pre-paid debit cards - it takes a combination of tools, skills and a criminal determination. For the typical customer it is safer than cash and could, for example, be blocked by the issuer, should your card disappear. With a prepaid debit card you can also only lose what is loaded on the card as it is not tied up with an account, limiting a potential loss. EMV cards are safer because the cards use algorithms and in most cases a personal identification number [PIN] to authenticate a transaction between the point of sale terminal and the issuer's payment processing system. This makes card theft techniques such as skimming significantly more difficult. In simple terms, the data on the card is thoroughly scrambled. The technology is somewhat more expensive due to the chip and is optimal for multi-use cards, which are intended for longer term use than most prepaid cards."
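The contrast Payraud and Majgaard draw is that a magnetic stripe carries static data, so a skimmed copy is indistinguishable from the original, whereas a chip computes a fresh cryptogram per transaction. The simplified model below is an added illustration, not Gemalto's or Oberthur's code; it uses HMAC-SHA256 in place of the real EMV 3DES/AES key derivation, and the issuer key and PAN are constructed values.

```python
import hmac
import hashlib
import secrets

# Constructed issuer master key (hypothetical). Real issuers derive per-card
# keys under 3DES/AES inside an HSM; HMAC-SHA256 stands in for that here.
ISSUER_MASTER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")


def card_key(pan: str) -> bytes:
    """Diversify a per-card key from the PAN; this copy lives inside the chip."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def cryptogram(key: bytes, amount: int, atc: int, unpredictable: bytes) -> bytes:
    """ARQC-like MAC bound to amount, card transaction counter and terminal nonce."""
    data = amount.to_bytes(6, "big") + atc.to_bytes(2, "big") + unpredictable
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer host: recomputes the cryptogram and enforces a rising ATC per card."""

    def __init__(self):
        self.last_atc = {}

    def authorise(self, pan, amount, atc, unpredictable, arqc) -> bool:
        expected = cryptogram(card_key(pan), amount, atc, unpredictable)
        if not hmac.compare_digest(expected, arqc):
            return False            # transaction data altered or key unknown
        if atc <= self.last_atc.get(pan, 0):
            return False            # counter reused: replay or duplicate card
        self.last_atc[pan] = atc
        return True


def demo():
    """Returns (genuine, replayed, reused_with_new_nonce) authorisation results."""
    pan = "5555000000001234"        # constructed PAN
    issuer = Issuer()
    nonce = secrets.token_bytes(4)  # terminal's unpredictable number
    arqc = cryptogram(card_key(pan), 1500, 1, nonce)
    genuine = issuer.authorise(pan, 1500, 1, nonce, arqc)
    # Same captured message presented again: ATC 1 has already been consumed.
    replayed = issuer.authorise(pan, 1500, 1, nonce, arqc)
    # Captured cryptogram presented against a fresh challenge: MAC no longer matches.
    reused = issuer.authorise(pan, 1500, 2, secrets.token_bytes(4), arqc)
    return genuine, replayed, reused
```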
Industry Compliance
Chief Marketing Officer Shahzad Shahid of TPS states that true compliance with PCI-DSS ensures very high levels of protection. It covers all aspects of protecting cardholder data, including security management, policies, procedures, network architecture and software design. Banks need to ensure regular information security audits are conducted and any vulnerability is immediately fixed on a real-time or near real-time basis. He states, "My advice to the industry is that the roles and responsibilities have to be well defined among all the stakeholders at each turn. And it should be ensured that these recommended measures are properly put in place."
Majgaard stresses the importance of strong compliance throughout the Oberthur Personalisation Bureau as a successful operational model. The network infrastructure of Oberthur, Dubai operates strictly according to the VISA/MC payment schemes' security guidelines. Yearly external network penetration tests and quarterly scans are conducted by an authorised vendor and the results are frequently reviewed by auditors from the different schemes as well as by customers. Oberthur's core systems are offline and can't be reached from the outside. Cards are manufactured and personalised in HSAs (High Security Areas), which have strong physical security systems.
Sami Lahoud, VP Communications, Middle East and Africa at MasterCard, emphasises that MasterCard is committed to making the future of payment transactions safer and more secure for everyone. From its unique vantage point within the payment card value chain, MasterCard is able to assess and balance the needs of the various stakeholders to determine how to reduce fraud without sacrificing acceptance or overburdening one specific stakeholder. "The contractual and legal frameworks are an ever-evolving landscape that require close collaboration across the value chain and with regulators, and this landscape is ever-changing with advancements in e-commerce, mobile payments, and other cutting-edge data technologies occurring at an unprecedented pace."
Visa International has been working closely with the industry over 2013, developing a suite of fraud detection tools and hosting industry debates. Visa's centralised network, VisaNet, processes about 71 billion transactions a year, in nearly 200 countries and more than 175 currencies. This network enables Visa to analyse, in real time, every transaction it processes and to provide accurate risk scores, helping banks to prevent fraud from occurring in the first place rather than reacting to it after the fact. Marcello Baricordi, General Manager UAE at Visa, explains, "When a breach does occur, regardless of the network on which it occurred, we work with the breached entity and other stakeholders to ensure steps are taken to investigate a potential data compromise, detect the root cause, and reduce the vulnerability going forward. We work with all of our clients to ensure their risk management assets are oriented to the new threats, and their systems geared to resist similar attacks." Visa also hosts regional risk executive council (REC) meetings across Asia Pacific, the Middle East and Central Europe twice a year to share the latest information and trends in payment system risks, fraud and security.
Monitoring and Testing
Network International maintains a "defence in depth" model with multiple layers of technical and management security controls. NI ensures that state-of-the-art fraud risk management systems are in place for all its products to protect customers' interests. For instance, NI practises 'ethical hacking', in which security experts take on the role of a hacker and try to break into Network International's security framework. Says Hisham Hammoud, Executive VP and COO at Network International, "This allows us to assess our security posture against the latest security threats and vulnerabilities and have our security framework regularly tested for any loopholes and possible weaknesses. In this way, we ensure that our security systems are in a constant state of preparedness against security attacks."
WatchGuard is a company that creates perimeter security appliances that provide many layers of network security (firewall, IPS, GAV, and much more) and can also encrypt data in motion. These appliances can protect the individual networks of banks, financial institutions, payment processors, or even end-points, like ATMs.
John Spoor, Regional Manager, WatchGuard, MEA and Philippe Ortodoro, Vice President, WatchGuard, EMEA observe that hackers look for a weak link in the supply chain cycle when trying to infiltrate a network, but in many cases the weakness is a combination of data, storage and transfer protocols. In the more recent regional case, the breach has been linked to hackers compromising two specific computers used for credit card processing. The information was shared with a large network of hackers, with malware that allowed a fast transfer of data. This access was used to change credit card limits and to obtain specific bank account details that were then used to produce counterfeit cards.
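The pattern Spoor and Ortodoro describe (limits altered on the processing side, then counterfeit cards cashing out at ATMs) leaves indicators in an issuer's authorisation stream. The script below is an added example, not WatchGuard's or any bank's tooling; it runs three checks over a constructed, hypothetical log of pre-paid card events and prepaid balances: withdrawals exceeding what was loaded, withdrawals from several countries inside one short window, and withdrawals beginning shortly after a limit change.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation log (not real data). Fields: last four PAN
# digits, ISO timestamp, event kind, ATM country code, amount in USD.
LOG = [
    ("1234", "2013-02-19T20:00:00", "LIMIT_RAISED", "", 0),
    ("1234", "2013-02-19T20:05:00", "WITHDRAW", "AE", 2000),
    ("1234", "2013-02-19T20:07:00", "WITHDRAW", "JP", 2000),
    ("1234", "2013-02-19T20:09:00", "WITHDRAW", "US", 2000),
    ("1234", "2013-02-19T20:11:00", "WITHDRAW", "GB", 2000),
    ("5678", "2013-02-19T12:00:00", "WITHDRAW", "AE", 200),
    ("5678", "2013-02-19T18:30:00", "WITHDRAW", "AE", 300),
]
# Constructed prepaid balances as loaded by the cardholders.
LOADED_BALANCE = {"1234": 500, "5678": 1000}


def cashout_alerts(log, balances, window=timedelta(minutes=30), min_countries=2):
    """Return {card: sorted reasons} for cards showing cash-out indicators."""
    ts = lambda row: datetime.fromisoformat(row[1])
    by_card = defaultdict(list)
    for row in sorted(log, key=lambda r: r[1]):
        by_card[row[0]].append(row)
    alerts = {}
    for card, rows in by_card.items():
        reasons = set()
        cash = [r for r in rows if r[2] == "WITHDRAW"]
        # 1. A prepaid card paying out more than was ever loaded onto it.
        if sum(r[4] for r in cash) > balances.get(card, 0):
            reasons.add("withdrawals exceed loaded balance")
        # 2. Withdrawals in several countries inside one short window.
        for i, first in enumerate(cash):
            burst = [r for r in cash[i:] if ts(r) - ts(first) <= window]
            if len({r[3] for r in burst}) >= min_countries:
                reasons.add("multi-country burst")
        # 3. Cash-out beginning soon after the card's limit was altered.
        limits = [ts(r) for r in rows if r[2] == "LIMIT_RAISED"]
        if any(timedelta(0) <= ts(c) - l <= window for l in limits for c in cash):
            reasons.add("withdrawals shortly after limit change")
        if reasons:
            alerts[card] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for card, reasons in cashout_alerts(LOG, LOADED_BALANCE).items():
        print(f"card ****{card}: {', '.join(reasons)}")
```

In a live deployment each check would be a separate rule with its own threshold; the window and country count here are illustrative defaults.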
Call to Action
The banking sector is heavily reliant on technology. Encrypting data when it is shared and when sensitive information is stored ensures that, if a network is breached, the hackers are not able to decode the data. While this covers the transfer of important information, general information shared via email should also be encrypted as a precaution. Regular logging allows software to alert users when a possible risk or threat is identified.
"Our advice," conclude Spoor and Ortodoro, "to the banking industry is to focus on data loss prevention and encryption of at-rest technology. Of any industry, the banking and financial industry needs the most rigorous defences, which means that you absolutely need to implement many layers of security controls (such as the UTM appliances provided by WatchGuard). Banks are fairly good at providing encryption in motion (since it's mandated by standards like PCI). Sensitive materials should always remain encrypted, even when they are sitting on some hard drive, just in case an attacker gets past the organisation's defences. Also, Data Loss Prevention (DLP) technology can help alert you to any breaches or accidental data leaks."
Legal Recourse
Industry operators concur that compensation for enterprises that have been cyber attacked can vary. In many cases, if it is found that there was not sufficient security in place to prevent the attacks, compensation will not be given. This can differ depending on the country and the relationships that the banks have. As many of the attacks cross national borders, it is often the offender's state that is responsible for legally managing the situation.
In most jurisdictions, the financial sector is already well regulated and has to conform to specific laws and rules in order to protect its customers. As long as banks are privately held and supported by other privately held companies, the interaction between the parties will be based on commercially sound agreements, which balance risk and reward. In order to limit cyber crime, it would make sense to increase the competencies on the policing side of the law, which have historically lagged behind the skills and creativity of the cyber criminals. Most countries have regulated the potential risks customers run by using the services their banks offer. Normally the customers will only be liable for minor losses arising from their own possibly unsafe behaviour.
The onus remains on the industry as a whole to block the myriad opportunities and weaknesses that criminals may wish to exploit. Although Bank of Muscat and RAK Bank have been reluctant, understandably so, to reveal much information about how the misdeeds against them were perpetrated, leading to much speculation and conjecture, the fact remains that these incidents have served to highlight the complex yet fragile nature of the industry's payment and processing ecosystem and the on-going need to remain vigilant whilst developing innovative systems and techniques to stay one step ahead of the criminals.
Case study
Arab Bank Revolutionises Security
Arab Bank (Switzerland) Ltd. is focused on delivering high-quality banking and financial services within the Swiss banking tradition, which prizes integrity, discretion and confidentiality. To ensure absolute security of customer data and financial accounts, Arab Bank (Switzerland) Ltd. adopted the SafeNet eToken, an advanced authentication solution that supports both certificate-based (PKI) and OTP technology on the same device.
The eToken proved ideal for Arab Bank's need to deploy a comprehensive security solution for both employees and strategic customers. For Arab Bank employees, eToken NG-OTP enables multi-factor certificate-based strong authentication for remote access via VPN, network access, digital signing, password management and physical access to the Arab Bank building - all on a single USB token. For Arab Bank strategic customers, who need to easily access their bank accounts from remote stations, eToken NG-OTP offers OTP two-factor authentication from any end-user computer.
The SafeNet eToken changed the whole concept of security when it comes to password management and access. Arab Bank implemented it for physical access control as well as digital data access. Without the eToken, employees can neither access the bank facilities nor log on to their workstations, and all data stored on the laptops is encrypted.
© Banker Middle East 2013