Contactless payment: curse or blessing?

FEATURE nature of their simplicity. It becomes significantly easier for groups or individuals to deploy new servers or services, modify access to applications, alter how and where data resides.” He adds: “Thus, a second type of risk is introduced – that caused by well-intentioned groups that now have the capability to make rapid changes that may inadvertently undermine or bypass in-place security policies or safeguards.”

Conclusion Data migration does carry with it fraud and security issues. But addressing these need not be a drain on resources if the issue is approached as an opportunity to improve practice and revalue data – and the worth of those securing it. “Data migration can be an opportunity as it forces data owners to reassess the value of data and the effectiveness of IT security controls,”

says Peter Allwood, manager in Deloitte’s Enterprise Risk Services practice. While there are risks that need to be addressed, the risk remains relatively small. Databarracks’ Thomas points out: “Unless someone knows you are moving a specific set of data at a given time by a specific method to a specific site, it’s probably relatively small. The risk increases with the net worth of the data, the more profitable the data the higher the likelihood of an attempt to steal it. But really the biggest threat is not technology but the people involved.”

About the author Tracey Caldwell is a freelance business technology writer who writes regularly on security issues. She is editor of Biometric Technology Today, also published by Elsevier.

References 1. ‘Data on the Move’. Varonis, 2012. Accessed Nov 2012. www.varonis.

com/assets/reports/en/Data-on-theMove-Report-en.pdf. 2. Data Liberation home page. Accessed Nov 2012. www.dataliberation.org.

Resources UÊ iœÀ}ˆiÛ]ÊÆÊÞi˜}>À]Ê-ÆÊ>˜>]Ê-ÆÊ Anubhai, R; Boneh, D; Shmatikov, V. ‘Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software’. Accessed Nov 2012. www.cs.utexas. edu/~shmat/shmat_ccs12.pdf. UÊ iÀ˜>˜]Ê-ÆÊ>“LiÀÌ]Ê-ÆÊ"ÃÌÜ>`]Ê T; Shostack, A. ‘Uncover Security Design Flaws Using The STRIDE Approach’. Accessed Nov 2012. http://msdn.microsoft.com/en-us/ magazine/cc163519.aspx. UÊ ¼ ÊqÊ œÕ`Ê …>˜}i`Ê/Ê Forever and Will Now Do The Same for Businesses, says IDC’. 29 August 2012. Accessed Nov 2012. www.idc.com/getdoc. jsp?containerId=prAU23667012.

Contactless payment: curse or blessing? Calum Macleod

Calum MacLeod, Venafi When sensitive information is misused or compromised, organisations not only face monetary penalties but loss of customer trust and loyalty. As brand reputation is the retailers’ most valuable asset, it can be devastating – just ask TJ Maxx. But with the ways in which consumers pay continuously evolving, how do you keep up and remain secure? Retailers realise that customers have more shopping choices today in both online and physical storefronts and have adopted more integration in delivery of loyalty programmes, merchandising and marketing to attract and retain customers. Evolving payment technologies are the latest weapon that can be deployed in the battle for market share, giving retail merchants the freedom to craft the type 10

Computer Fraud & Security

of experience and relationship they want with their customers.

Easier ways to pay EMV smart cards, more commonly referred to as ‘chip and pin’, were introduced in the UK and Ireland in 2004 in an effort to tackle fraudulent transactions. While EMV technology

helped reduce crime at the tills, when it came to telephone, Internet and mail order purchases – known in the industry as Card Not Present (CNP) transactions – the fraud figures were still growing. In an effort to combat this trend, a three-digit number on the back of the card, below the magnetic stripe, was introduced. With many guises – the Card Security Code (CSC), Card Verification Data (CVD) or Card Verification Value (CVV or CVV2), to name just a few – is meant to afford the retailer and cardholder additional protection by ensuring December 2012

FEATURE that the person has the card in their possession. Then, in 2008, Radio Frequency Identification (RFID) meant that credit card transactions could go contactless. Instead of physically putting the card into a terminal and entering a PIN, users could simply wave the card near the reader and payment of £20 or less would be automatically taken. It’s fair to say that uptake of this option has been slow to date – both from consumers and merchants alike.

“By 2014, it is thought that half of all smartphones will have integrated NFC chips, and that £3bn of purchases will be made with mobile phones in the UK in 2016” However, today we’re on the cusp of a very different revolution. Near Field Communication (NFC) enables customers to use their smartphones to make purchases. A ‘secure element’ chip provides similar functionality to a mobile phone as the EMV chip does for credit cards. Some 30 million NFC handsets were sold in 2011 with projections to grow 87% annually to 300 million in 2016. The user simply touches the phone to an NFC Point of Sale (POS) terminal to complete the transaction. In addition, NFC mobile phone payments systems can also be used for online transactions. Because they are connected to the Internet, and are software based, they can generate single-use codes for online merchants. Launched in the UK in April 2012, the Barclaycard PayTag is a NFC credit card sticker that users can attach to their handsets, or any other item, to complete transactions. In August, Mastercard and Everything Everywhere revealed they had signed a five-year deal that included support for Orange’s Quick Tap service. Then, in September, Orange revealed it had joined forces with Barclaycard to allow Samsung

December 2012

Galaxy S3 owners to make contactless payments, also using the Quick Tap service. By 2014, it is thought that half of all smartphones will have integrated NFC chips, and that £3bn of purchases will be made with mobile phones in the UK in 2016. The advantages of going contactless speak for themselves – both for merchants and consumers. They include: UÊ -«ii`ˆiÀÊ ÃiÀۈViÊ >˜`Ê VœÃÌÊ Ã>ۈ˜}Ã\Ê convenience grocery retailer SPAR claims it costs around 40% less for contactless debit transactions than chip and PIN debit card transactions.1 UÊ œ˜Ì>V̏iÃÃÊ ÌÀ>˜Ã>V̈œ˜Ê V>«>LˆˆÌˆiÃÊ are growing fast: contactless payments at convenience food retailer EAT have grown at 75% year on year and currently account for 60,000 transactions a month, making up half of all card payments, with many benefits to consumers. Upgrading POS terminals is costly, but once upgraded it may be several years before it occurs again.

Remaining secure is a little more complex Underlying these advances is an IT infrastructure that manages extensive financial, customer and missioncritical business data. These systems must comply with industry mandated security requirements if retailers are to avoid high-profile breaches and the repercussions they bring. Payment Card Industry Data Security Standard (PCI DSS) compliance is an important component in protecting the security of customers’ transactions. Through incentives, PCI is encouraging merchants to employ encryption with their entire transaction processes. What are now incentives will soon be requirements. To ensure compliance with PCI DSS standards, the management of encryption keys and security

certificates is essential. With mobile devices and supporting infrastructure leveraging security certificates to ensure solid authentication and encryption, this is causing an exponential growth in the numbers of certificates needed in retail.

Encryption management PCI DSS compliance requirements apply specifically to the use and proper management of SSL certificates and the private keys they rely on to ensure protection of data in transit. Effective encryption management results in a reduction of downtime, improves security of sensitive and often regulated customer information and card data and enables timely response to problems, resulting in an increase in customer satisfaction. There are eight steps to effective Enterprise Key and Certificate Management (EKCM): UÊ ˆÃVœÛiÀÞÊqÊ>vÌiÀÊ>]ÊޜÕÊV>˜½Ìʓ>˜>}iÊ certificates if you don’t know about them. UÊ -ÕL“ˆÌÊ>Ê iÀ̈vˆV>ÌiÊ-ˆ}˜ˆ˜}Ê,iµÕiÃÌÊ (CSR) to either an external or internal Certificate Authority (CA). UÊ >ŽiÊ ÃÕÀiÊ ViÀ̈vˆV>ÌiÃÊ >ÀiÊ VœÀÀiV̏ÞÊ installed, configured and working properly. UÊ 1ÃiÊޜÕÀʈ˜Ûi˜ÌœÀÞÊÃÞÃÌi“Ê̜ʓœ˜ˆÌœÀÊ important events, such as impending expiration dates. UÊ œÌˆvÞÊ Ài뜘ÈLiÊ «>À̈iÃÊ ˆ˜Ê ̈“iÊ to replace soon-to-expire certificates, or certificates that have inadequate key lengths, weak algorithms or were issued by a compromised CA (a condition that requires immediate notification). UÊ 7…i˜Ê Ài뜘ÈLiÊ «>À̈iÃÊ ÀiViˆÛiÊ notifications, they must remedy the issues that engendered them. UÊ ,i«œÀ̈˜}]Ê̜Ê`i“œ˜ÃÌÀ>ÌiÊVœ“«ˆ>˜Vi° UÊ ,iۜŽiÊiÝ«ˆÀˆ˜}ÊViÀ̈vˆV>ÌiÃÊ̅>ÌÊޜսÀiÊ replacing, or that compromised CAs have signed, so they don’t become targets for hackers. Simple, yes? The problem is

Computer Fraud & Security

11

FEATURE that manual approaches to SSL certificate and encryption key lifecycle management are difficult due to the proliferation of certificates and keys throughout the enterprise. Automation of security management ensures more cost-effective compliance and deployment while reducing the risk of customer data exposure and subsequent loss of customer trust. The use of contactless payment is set to explode over the coming years as both retailers and customers embrace the ease and immediacy that NFC provides. It is up to retailers to put measures in place now that ensure data is kept under lock and key. In the hyper-competitive retail

environment, the question is not whether you should implement certificate and key lifecycle management and automation, but when. Do you want to be reactive after a major website or transaction server goes down, or a data breach impacts your customers and reputation?

About the author Calum MacLeod is EMEA director at Venafi (www.venafi.com). He has over 30 years of expertise in secure networking technologies, and is responsible for developing the company’s business across Europe as well as lecturing and writing on IT security. Before joining Venafi, he managed the channel market across

EMEA for Tufin and previously held similar positions at Cyber-Ark and Netilla Networks (now AEP). MacLeod has also served as an independent consultant to corporate and government clients on IT security strategy for various European market segments, including the European Commission.

References 1. ‘SPAR first to lead the way with integrated contactless payment’. Spar press release. Accessed Nov 2012. www.spar. co.uk/AboutUs/PressCentre/ SPARfirsttoleadthewaywithIntegratedContactlessPayment.aspx.

Routes to security compliance: be good or be shamed? Mark Harris, Integrated Information Technology, University of South Carolina, Columbia, South Carolina, US; Steven Furnell, Centre for Security, Communications and Network Research, University of Plymouth, UK It is widely recognised that security cannot succeed through technology alone and therefore won’t work unless people are on board. Many organisations consequently face the questions of how to get staff to understand their roles when it comes to security, and then to enact their security responsibilities. This, of course, presents them with a situation for which there are multiple right answers, as well as several techniques that are less likely to be successful in some contexts. As such, it is worth understanding the techniques that are likely to have value. In some cases, users can be encouraged to be security compliant by being given little more than the instruction to do so, while in others they might need some initial evidence to convince them, but will then make an effort to achieve the perceived benefits. For some, however, the main incentive to comply is the fear of possible sanctions or bad feeling if they fail to do so. For this group, then, security is not being pursued for its own sake, but rather because of the way it could affect them personally if they were not to do what’s asked or required of them. This would 12

Computer Fraud & Security

include how they feel about themselves, and how others will perceive them, if they are seen as having failed to uphold security or to have been responsible for a breach – both of which may prompt them to feel shamed by their actions. While not the most positive premise from which to mount a compliance strategy, it is nonetheless a route that organisations may be able to leverage in getting their staff to buy in. With this in mind, this article considers the potential of shaming as a means of encouraging security compliance. It begins by looking at

some related background, including the natural variations in security behaviour that an organisation may witness, followed by the theories that support shaming as a possible route for shaping it. The discussion then continues by examining the results of a user study that was conducted to assess the potential role of shaming from a staff perspective, including their perception of its likely effects and any actual effects from prior experience. From this, consideration is then given to the potential for success, set against a series of possible downsides and constraints that using such an approach to security compliance may introduce.

Security behaviour and awareness raising There is ample evidence to show that lack of security compliance causes December 2012