How Secure Are Our Online Shopping Transactions?

MasterCard is looking for technological solutions in Israel, and Ronald Green, MasterCard's Chief Information Security Officer (in charge of cyber and physical security) for the past two and a half years, has visited Israel recently. We managed to get him for a one-on-one chat at the Citibank Fintech Accelerator in Ramat HaChayil, Tel-Aviv, and spoke about cyber aspects in the world of credit.

Just to clarify, MasterCard is a technology company that provides a global infrastructure for credit transactions. Its business turnover is close to US$ 10 billion. It operates in 210 countries and supports 150 different currencies.

Do the EMV chips on the credit cards make payment safer?

One of the primary changes with regard to information security MasterCard has been leading over the last few years is the transition to cards with smart chips. The chip is, in fact, a miniature processor embedded in the credit card which solves one of the primary problems associated with credit cards – the attacker's ability to read the card number off the magnetic strip.

"Firstly, please bear in mind that payment by credit card, even without the chip, is safer compared to the use of cash," says Green. "Using the card, we can guarantee the payment between the supplier and the customer. The chip adds a new layer of security.

"A credit card works in such a way that the magnetic strip contains the card number and other identification data regarding the card. These data are kept in a non-secure format as clear text. As far back as the 1990s, all sorts of devices known as 'skimmers' were introduced, which allowed attackers to read the data off the magnetic strip. In the same way, hackers managed to read the card data from the Point of Sale (POS).

"The POS reads the data and saves the number of your card in its own database. Some points encrypt their databases, while others transfer the data up the chain of supply of the business. As far as information security is concerned, this is a problem, and attackers have exploited this infrastructure. In all of the hacks of the last few years, the attackers managed to access the databases where the card numbers are stored or access the POS itself and collect card numbers. Even if you encrypt the data from the POS onward, if the attacker sits at the POS he will have access to the card data available in clear text format.

"The EMV chip changes the process by sending an encrypted packet (cryptogram) from the credit card to the POS. The POS transfers the data to a computer that communicates directly with the servers of the MasterCard Company in encrypted format. Throughout this transaction, none of the links in the chain will expose the card data. In this kind of process, the POS serves as an antenna that receives and transmits encrypted data, namely – even if the attacker sits at the POS, he will receive encrypted data that are useless to him."

The Attackers Switch to Online Shopping

Green says that the introduction of the chips has not stopped the attempted attacks. According to him, attacks are being staged against the chip, but they do not amount to the same scope as the attacks of the past. "When you steal numbers off the magnetic strip, you can steal a lot," says Green. "In the attacks against the chip that we have experienced, the attackers attempted to sabotage the chip reader at the POS in order to force the POS to revert to the previous method of reading the magnetic strip (Fail Over). That way, they can collect the numbers of the cards. Once again, these are sporadic spot attacks – not on a large scale.

"We have realized that the more extensively we use cards with chips, the more the attackers will switch to on-line shopping, where the card itself is not required as it is in the physical payment stations. Crime simply goes to an environment where no physical cards are used."

Biometric Identification Gains Momentum

As crime migrates to on-line shopping, MasterCard are looking for new ways to improve security for shopping transactions in the digital medium. One of the methods is multidimensional biometric verification.

"In the on-line environment, we started using biometric identification in the form of a 'selfie' photograph," explains Green. "In fact, this is a verification service using facial identification that also includes an indication of the user blinking to establish that the user is actually a living person and not a fake. But this is just one method. In the future, we will be able to use fingerprints and other vectors. The world is heading toward multi-stage biometric identification. We also have a project involving a smart bracelet that identifies your pulse pattern and serves as an identification component that proves it is really you. Every person has an injective pulse pattern."

Green stresses the fact that MasterCard does not save the user's biometric data, but rely instead on the cellular telephone. Supporting phones feature a secure and encrypted environment that saves the user's biometric data as a mathematical equation.

"In the future, we may implement biometric identification technologies that are not based on the cellular telephone. In that case, we will only save a mathematical function of the biometric data (like HASH), but not the data proper," says Green. "This is an algorithm that helps us recognize something about you in a mathematical way. In this way, we will be able to identify you according to that function.

"Another method we are implementing is Tokenization, namely – we convert the credit card data into a token, and then that data may be used with such on-line payment services as Masterpass, Apple Pay, Google Wallet or others.

"The token is a new data entity we created that is attached to the user's cellular phone. This attachment enables us to determine two information elements regarding the user – the token and the cellular telephone. We know they always go together at the time of payment. We save this attachment as we were the ones that had issued the token."

The Name of the Game: Risk-Dependent Verification

In the new reality, in order to make a fake payment, the attacker will have to be familiar with the victim's cellular telephone (MAC + IMEI + other data), his token and over a certain transaction amount – with his biometric data and behavior pattern elements as well. Admittedly, this is not a magic solution, but it definitely increases the cost of the attack and reduces the potential space for an attack against the transaction.

"If you make a US$ 10.00 transaction, I will only require your biometric identification. If you purchase a flight ticket, however, you will have to add your mobile phone, behavioral identification parameters and other identification vectors," explains Green. "This is risk-dependent verification. That is the name of the game. A part of the behavioral identification is already available. We know what you normally buy. If you keep buying coffee and books all the time, and suddenly purchase a flight ticket, we will demand a more solid identification process as this purchase is a different behavior on your part."

How do you deal with the internal threat?

"We achieve a major advantage by combining physical security and cyber security under the same hat," says Green. "In the past, cyber specialists addressed whatever was important to them and physical security specialists addressed their own priorities. When we combined these two worlds, they all think together. This helps identify threats within the company. We already had some success stories in this context."

There have been some rumors lately about such cellular manufacturers as Apple, Google and others aspiring to compete with you and Visa in order to 'cut a coupon' on payments made through (mobile) phones. Do you regard that as a threat?

"The clearing infrastructure is based on trust, and we have built this trust over many years," says Green. "To understand this, you need to understand how the clearing infrastructure works worldwide. When you pay with a credit card, behind the scenes there is an infrastructure that is made up of at least two authorizing elements. One is your bank. The other is the bank of the business you are buying from. We as MasterCard need to ask both parties if they authorize the transaction. The authorization process includes such questions as 'Are you the owner of the card?', 'Do you have enough money to make the transaction?', etc. All of this takes place behind the scenes through a very fast process that takes nanoseconds to complete.

"If, in addition to the banks of the two parties there are companies that issue cards in that country, like the separation that exists in Israel, other elements will be involved in the process. The ability to authorize a transaction so fast is built, to a considerable extent, on acquired trust. Admittedly, this is a technological operation, but it 'sits' on the many years of our experience opposite the authorizing elements. It will not be easy for the telephone manufacturers to enter this world. The entrance threshold is high. So, even if initially there were such aspirations, at the present time we are cooperating with such major manufacturers as Google, Apple and others as well as with other major technology corporations such as Facebook."

Do you intend to assimilate the Blockchain technology?

"We are currently reviewing this technology. It will be introduced where it would add value," says Green. "Please bear in mind that for us, the speed of the transaction is a critical factor. We measure it by nanoseconds, otherwise the customer will not use the credit card. In comparison, an average Bitcoin transaction currently takes about 10 minutes."

How do you assimilate new technologies?

"We run strict trial environments. Introducing new technologies into the operational environment of the transactions is a complex event," explains Green. "When we find new technologies, they enter a testing process in a trial environment. After a certain period, when they are sufficiently mature, we attempt to introduce some of them into an almost-operational environment. After that, some of them will make it to the operational environment. Those that eventually make it to the operational environment will be assimilated in a way that would enable us to remove them if something fails to operate properly. Once again, the speed of the transactions is our topmost priority."

"I do not wish to make a specific commitment as to the time it takes us to introduce a new technology into the operational environment. I will say that generally, it takes about a year until we feel comfortable with the new technology. Remember that we test new technologies in our trial environment all the time, including technologies that do not make it to the operational environment eventually."

What technologies are you looking for?

We are constantly looking for new technologies," says Green. "Among other things, biometric identification, encryption, behavior analysis and ways to accelerate our transactions. Anything that would make us more efficient and our transactions safer."

What do you regard as the primary challenges in cyberspace?

"The primary challenge is the unknown threats in cyberspace. We are a target for hackers from around the world," says Green. "As we only deal with defense, the other side, the attacker, normally has the advantage. We, as defenders, do not determine the time and place where we will be attacked, so we defend everything, all the time. The attackers have to succeed only once.

"We examine ourselves constantly. We carry out penetration tests and have our own independent cyber intelligence department. Bear in mind, however, that these tests do not cover the entire range of threats. Even if we take the best white-hat hackers in the USA and repair every fault they find, if any, in our network, this will still fail to guarantee our immunity. Tomorrow some other hacker might attack us in a different way we had not thought about.

"Another important aspect of cyber security is sharing information with competitors in our field of activity. We share information and cooperate in this field more than people may think, the business competitiveness notwithstanding. Everyone in our line of business understands that if we are being attacked, tomorrow they might be attacked and vice versa. In reality, the attackers are organized and cooperate with one another. If we do not cooperate on the defensive side, we will not be able to defend ourselves against attacks on our infrastructures."