Recent POS malware attacks signal a need for app security for mobile payments

In the past, hackers have most often gone after specific merchants when seeking cardholder information. Recent attacks on point-of-sale (POS) vendors, however, may signal a drastic shift in how these cybercriminals operate, and certainly signal a need for application security for mobile payments.

More than 10 POS vendors, including MICROS, have been compromised within the last few weeks. Some of these attacks may be linked to two specific forms of malware: Carbanak and MalumPOS. However, no definitive link between the hackers behind these programs and the recent attacks is certain.

The damage that these attacks can cause is best exemplified by the story of the HEI Hotels & Resorts company. It recently reported a POS-related breach of security at 20 of the properties it manages (which include major hotel chains such as Marriott and Sheraton). Card numbers, cardholder names, expiration dates, and verification codes used between March 2015 and June 2016 may all have been exposed.

A shift in security attention

As these breaches indicate, past cyberattacks have mostly been directed at merchants. Mobile devices, however, have now advanced to the point where paying with your device at the POS is increasingly common, and mobile payments are just another way for hackers to gain control of sensitive data. Hackers are not simply switching to new targets; they're targeting multiple points of vulnerability at once, including mobile payments. It is not enough to focus on protecting merchants: security must now be applied to the entire infrastructure supporting merchants, POS systems and mobile devices.

Increasing security measures to withstand mobile-payment attacks

NFC technology has been gaining traction with many device manufacturers as they introduce their own payment solutions. NFC-based applications use a secure element (SE) on the mobile device to store credentials, whereas Host Card Emulation (HCE) is an easy-to-deploy alternative that does not require a physical secure element on the device. HCE enables NFC devices to perform the same transactions while storing credentials somewhere other than the SE, such as in the cloud. For all the benefits that HCE provides, there are associated security risks such as identity theft, fraud and loss of privacy. If these risks aren't addressed, cybercriminals can reverse engineer sensitive code that transmits or processes encryption keys within the mobile device.

Merchants need to take security for HCE to the next level by providing application hardening to protect apps and devices with:

Integrity protection
Code (application) obfuscation
White-box cryptography
Jailbreak detection
Anti-debug protection

White-box cryptography solutions, in particular, secure data within mobile applications and ensure the keys are always encrypted. This protects static keys, dynamic keys and sensitive user data. Beyond securing mobile payments, it's always good to brush up on protecting other parts of the overall POS infrastructure.

Here are some basic tips:
