Today's Greatest Online Payment RiskInsights on Fixing Inadequate Authentication
The financial services industry is not collaborating effectively to address online payment risks, says Scott Dueweke of Booz Allen Hamilton.
"There's a huge opportunity for collaboration, but it hasn't even started," Dueweke, a payments processing expert, says in an interview with Information Security Media Group [transcript below].
Organized crime, on the other hand, has developed an incredible array of relationships and tools to steal information online, Dueweke says.
The financial services industry is far behind its adversaries, and that won't change until organizations begin collaborating and cooperating, he says.
"You can help share the information to shore up your defenses," Dueweke says. "I think that's key."
During this interview, Dueweke discusses:
- Why account takeover is a greater concern than distributed-denial-of-service attacks;
- How money laundering is an increasing concern in account takeover incidents; and
- Why emerging payments, such as mobile, are compounding payments risks.
Before joining Booz Allen, where he oversees the consultancy's payments trends division, Dueweke was appointed to the U.S. Agency for International Development at the U.S. Department of State, where he helped pioneer the field of e-commerce. Dueweke also led marketing for IBM's Internet Payments group, and went on to develop peer-to-peer and non-traditional payment systems at a dot-com startup.
TRACY KITTEN: What are some of the greatest security challenges facing online payments today?
SCOTT DUEWEKE: The answer is clearly identity, identity and identity. It's all about knowing your customers, partners, their customers, maybe even their customers' customers, and also about knowing your employees. Without a mastery of identity, losses because of fraud, attacks and resulting lack of confidence are going to constrain growth as companies move into this space.
KITTEN: Would you say that banks or e-commerce merchants are at greater risks?
DUEWEKE: Organized crime has developed an incredible array of relationships, tools and forums where they communicate, private marketplaces, where they go and sell what they have stolen, whether it's PII, credit card information or whatever; and these are enabling a global criminal enterprise. ...We've seen a lot of breaches, whether it's Global Payments, LexisNexis or Experian, who have been the target of these approaches. They immediately go and try to sell this information in these forums, and they're using alternative payment systems as the life-blood to fuel this economy. That's how they sell and receive value for their stolen information.
KITTEN: What would you say is the greatest worry for banking institutions as well as some of these e-commerce merchants?
DUEWEKE: At the end of the day, the account is the customer and the customer is the account. ... So, I've got to say the account takeover should be the greatest concern. You can counter DDoS attacks through technical means, prevention and awareness. Being able to prevent account takeover, however, requires better identity management, especially user verification. Too many companies today are relying on outdated and weak identity verification techniques such as CAPTCHA. ...
Knowledge-based authentication in an age of social media sharing is a joke as well. There's so much information out there that you're going to be able to guess or learn about a person well enough that you're going to be able to beat those knowledge-based authentication access controls. In fact, it's believed to have been what played a key role in the Global Payments fiasco, where they have hundreds of thousands of credit cards numbers stolen and sold in these underground marketplaces. Some point soon, multi-factor authentication and strong biometrics, probably facial recognition, will begin to close the advance that the criminals currently have, but we're behind the curve.
Payment Processor Concerns
KITTEN: What would you say about the security of payments processors?
DUEWEKE: ... Quite simply, they're ignoring the criminal use of the shadow Internet - this economy that has grown and has a ready marketplace to sell the information that they can steal from these reservoirs of PII and credit card information. They need to understand that they have to be more proactive, both in understanding their customers and their customers' customers. Increasingly, as they try to adapt in this new emerging payment marketplace, they're going to be making business relationships and building new supply chains and value chains with clients, customers and partners that they don't know who they are; they don't really understand their business models. They're going to be globally dispersed. Some of them are going to be quite shady and there's going to be immense pressure on these processors to connect with these companies in order to get access to the millions and millions and millions of new customers that are out there. They've got to be more proactive in understanding these environments, understanding the risks and figuring out how to adapt.
Defending Against the Unknown
KITTEN: The Financial Services Information Sharing and Analysis Center recently conducted a panel session about what a cyber-attack against an online payments processor might look like. Is not knowing how to identify a cyber-attack a concern for the industry?
DUEWEKE: Simply, you can't defend against that which you do not understand. ... I've personally spent, a lot of time in online forums [of] criminals and other users of these systems, whether they be the criminal forums or online payment systems, which are often very anonymous and fuel this underground economy. You can learn a lot about what the attack vectors are and where the threats are coming from much better than is currently being done. To understand this quickly changing world where the threat vectors are changing based on how effective the defenses are, you've got to be able to adapt. And understanding the motives and mechanisms that are being used lets you be more proactive. Right now, this industry is very reactive. That needs to change.
KITTEN: Would you say more regulation or oversight from regulators, as well as industry groups such as the FS-ISAC, is something that's needed?
DUEWEKE: Regulation can have a local effect. If it's an internally-facing regulation where you're saying, "You've got to do a better job of identifying your customers," certainly that can have a positive effect. There are limits to how positive an effect regulation and new structures can have in preventing these types of criminal enterprises from being successful in penetrating the organization and attacking your customers. Because these systems are global in nature, they don't need to reside in the country of the attack, obviously. Even the alternative, often anonymous, payment systems are spread around the world and create conduits for siphoning that information out for selling it and then for transferring that value beyond the reach of law enforcement. There are limits.
Certainly, the FinCEN guidance on treating digital currency exchangers in the United States like MSBs, the first regulatory attempt on this emerging payments space in the world, is having an effect, some positive and some negative. Some of the negative is coming from a lack of understanding of what this industry really is like and what needs to occur to put the proper limits in place. But at the same time, that will have a positive effect in putting the limits in place on especially consumer use, people that want to use these anonymous payment systems to buy dangerous items, whether illegal drugs, weapons or child pornography. It will make it more difficult, but it won't prevent it because people will be able to go outside the U.S. and use the digital currency exchangers that are the ingress and egress points into these systems without having to do it locally. It will have some effect, but you're not going to solve this through regulation.
Improving Attack Detection
KITTEN: What steps would you say banking institutions and others, such as payments processors, should be taking now where attack detection is concerned?
DUEWEKE: You've got to look at it from a different perspective, I think. There are a lot of ways to detect and determine if somebody is manipulating their identity coming in - if they are who they say they are. Some of those solutions have been employed; others haven't been. Some of the more effective biometric systems have not been employed because of concerns about people not using them or neglecting them because of privacy concerns.
However, this kind of leaning forward that I was talking about - using a predictive intelligence approach to start to understand and research your adversary so that you can understand what types of approaches they might be using on you before they use them - is something that isn't currently being done as far as I can tell, at least not on any type of large scale. [It's] being able to employ those same types of approaches and ... understanding the intelligence that's out there that you can gather about these groups and attack vectors as they're being prepared. That will help you be able to defend yourself in a much more effective way than you're currently doing by just being reactive and trying to put your finger in the dike as that hole develops. It would be nice if you could fortify the dike before it occurs so that they're not able to punch through it.
KITTEN: We've talked so much about information sharing in the industry, and it sounds like this is part of the area that would benefit here, as well as big data.
DUEWEKE: Yes and there's a lot of data out there that you can use to verify the identities of your customers and look for indicators that somebody is not who they say they are and that there might be information out there about people that are planning to do you harm. I think it's all part of this predictive intelligence approach where you collect the data that you can out there in the places that these people that are trying to do you harm are congregating and the places that they're using to sell what they've been able to gather or prepare for the next attack. Using the data that's out there - call it big data, call it open-source or a mixture of the two - there's a legitimate way that you can use these systems without impacting privacy or any other concerns like that. This is really about understanding your adversary and being able to not only respond but be proactive about it.
KITTEN: How are emerging payments instruments, such as mobile, complicating payment security as well as compounding the risk?
DUEWEKE: Mobile and Internet-based payment systems both give you the ability to have access to huge new numbers of the world's customers, a billion-plus un-banked and under-banked that are becoming part of an economy for the first time where they can use these payment instruments. It's a huge carrot and a lot of companies are responding quickly to this. There's competition. You've got the local providers that are probably in the better position. But as Thomas Friedman famously wrote, "The world is flat." The Internet has made cybercrime the great equalizer as well as being able to access these billions of new customers. This has grown from what may still seem to many to be the traditional payments world, and the dangers that they presented by a collection of lone hackers, into what really has become the threat presented by a global criminal enterprise.
You've got to understand how that global criminal enterprise - which is sophisticated, coordinated and efficient - can impact your market plans to move into these international markets to deal with the unbanked and to deal with remittance payments using mobile platforms and Internet-based platforms. Remember that these are now merging. Internet-based platforms and mobile-based platforms are becoming indistinguishable. They're really part of one spectrum, that global network of alternative, often anonymous, payments systems, such as the now defunct liberty reserve. But in its place we have perfect money, web money, Bitcoin and other related companies that have really become an enabler for this ecosystem that's global in reach.
Trends on Horizon
KITTEN: Do you see some of these alternative payment systems merging with existing point-of-sale systems at some point in the future?
DUEWEKE: Absolutely; it's already happening. Look at the market moves by PayPal and Google to get alternative payment systems accepted at the point-of-sale. I went to a Dollar General with my family recently and there they had it at the point-of-sale device. Right on the VeriFone device they had "PayPal accepted." You entered in your username, password and you can pay directly from your PayPal account. That merging of the alternative payment space, the Internet and mobile payment space, with the traditional point-of-sale marketplace is already happening and it's just going to accelerate.
Another example I'll give, I was recently at the Money2020 Conference with one of the guys that works for me, and he went off with a bunch from of his Libertarian Bitcoin crowd and they had a great time driving around Las Vegas in a stretch limo that they paid for through their mobile devices with Bitcoin. That's the future, and that's the way the young 20-somethings growing up today are expecting to be able to use their Internet-enabled phones to be able to do those types of very alternative payments in real-time, when they need to use them on a Saturday night when they want to go out partying. That's the future and it's now.
KITTEN: How would you say that the industry is collaborating to address some of these payment security risks from a global perspective?
DUEWEKE: Quite simply, they're not. There's a huge opportunity for that type of collaboration, but it hasn't even started. We're in the middle of a land rush where companies are predominately concerned with just getting to market, grabbing customers and grabbing as many of them as they can. They're going to worry about the security risks later.
The problem is, in doing so, you're enabling a period of time where the criminal enterprises of the world, who have incidentally been using these systems quite effectively for at least 10 years, are having an opportunity to further extend that infrastructure that they're using to rip off your customers, to penetrate your defenses, steal your information and sell it in this global marketplace.
We're far behind our adversaries on this, and I think it's going to have a negative effect on the growth of this industry if there isn't some kind of collaboration and cooperation to try to limit the threats that are posed by the use of these alternative, often anonymous, payment systems. How much effect that collaboration and additional regulation could have I'm a little dubious over just because of the predominant and pervasive anonymity that exists in this Internet space, this alternative anonymous payments world. But you can have some effect and you can help share the information to shore up your defenses. I think that's key.