Whether it's Target, Neiman Marcus, Michaels Stores or JCPenney, a whole host of big-name retailers have recently been the victims of data breaches. The aftermath affected the retailers and their customers, as well as the banks and credit unions that issued the affected customers' credit and debit cards.
Financial institutions have a vested interest in protecting customers' personal and financial information, and it should be clear now that that effort extends beyond protecting the data within the networks of the banks themselves. However, therein lies the challenge; it's not sufficient to merely ensure data housed within a financial institution's own networks is secure.
Consider how much personal and financial information about customers is housed on the Internet. Then consider just how many online retailers store their customers' payment card data. Now add in the overabundance of sharing of personal information online. Out-of-wallet questions -- such as, "What is the name of the grade school you attended?" -- aren't secret if they can easily be found on Facebook.
In many instances, financial institutions already apply what are called out-of-band security controls to protect credit card data. For example, when customers are required to activate new credit cards, it generally involves a phone call, during which the consumer is asked several "out-of-wallet" questions that require not only information printed on the card itself, but also knowledge known only to the legitimate cardholder.
However, many financial institutions today face challenges in protecting payment cards after the registration process and when the cards are being used at any number of online and brick-and-mortar retailers.
Below are six out-of-band security considerations that should be kept in mind when looking to extend data and credit card protection beyond the mandates of PCI DSS.
Points of vulnerability for online retailers
While industry standards such as PCI DSS were created to optimize the security of card transactions and protect cardholder data, financial institutions simply can't ensure the security of every online retailer that could potentially house the credit card data of its banking customers.
It is important to also bear in mind that an HVAC vendor was an entry point for the Target breach. Vulnerabilities extend far beyond the retailer's own network; risks are not just limited to the primary retailer where the actual point of sale occurred.
On April 16, 2014, at a presentation in Washington, U.S. Comptroller of the Currency Thomas Curry stressed the importance of ensuring due diligence and stated that ongoing risk assessment of all third parties must be a part of every banking institution's vendor management program.
Every organization should audit all the internal and external individuals and organizations that have access to payment data or systems that can be used to access payment data. Many will have a legitimate need for access, but some won't; don't hesitate to revoke or restrict access wherever possible. This includes overly broad or privileged access, which goes beyond what is actually required to meet legitimate business functionalities. Validate that strong, multifactor authentication is in place for all users and systems. Then, on an ongoing basis, ideally at least quarterly, continue to audit that access.
Single point of failure for protecting credit card data
Relying on a single band or control to help ensure data privacy and impede hackers, such as resetting a forgotten password online, leaves online retailers with a single point of failure when it comes to protecting information. It's akin to a company having its primary and backup data centers located in the same city; the risk being that a single event, such as a huge winter storm or an earthquake, could impact both locations.
Reducing the risk of single points of failure is critical. Part of the decision-making process in choosing a backup data center is its location. It's not uncommon for data centers to be in different states or even different parts of the country altogether. This makes a single event less likely to impact both facilities.
For instance, if you allow a customer to reset their password online, with no out-of-band confirmation, the single point of failure is your website. Sending a code or a confirmation to either a cell number or an email account provides that second level of security. The same goes for ATM cards; most ATMs require only the card and a four-digit numeric PIN to access a customer’s account, hence the single point of failure. Requiring an out-of-band approval for any unusual activity protects both the customer and the financial institution.
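The password-reset case above, as added Python that is not code from the article: the reset completes only when a code delivered to the previously registered contact is returned. The `send_out_of_band` gateway callable, the 10-minute lifetime and the five-guess limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed validity window
MAX_ATTEMPTS = 5         # assumed guess limit per reset request


class ResetConfirmation:
    """Holds pending password resets until confirmed over a second channel."""

    def __init__(self, send_out_of_band, clock=time.time):
        self._send = send_out_of_band   # hypothetical SMS/email gateway callable
        self._clock = clock
        self._pending = {}              # user -> [code_hash, expires_at, attempts_left]

    def request_reset(self, user, registered_contact):
        # The code goes only to the contact registered earlier, never back to
        # the web session that asked for the reset.
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user] = [digest, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send(registered_contact, code)

    def confirm(self, user, submitted_code):
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]     # expired or guessed out: start over
            return False
        entry[2] -= 1
        candidate = hashlib.sha256(submitted_code.encode()).hexdigest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[user]     # single use
            return True
        return False


if __name__ == "__main__":
    outbox = []                          # constructed stand-in for an SMS gateway
    rc = ResetConfirmation(lambda contact, code: outbox.append((contact, code)))
    rc.request_reset("alice", "+1-555-0100")
    print(rc.confirm("alice", outbox[-1][1]))
```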
Impact of social networking sites
Most online retailers, particularly those that collect and store credit and debit card data, have a certain level of security awareness. Compare that with social networking sites, whose main focus is not security.
Nonetheless, numerous online retailers let customers log into their sites and apps with Facebook, Twitter, Instagram and Gmail accounts. This means fraudsters don't have to hack accounts at the online retailers; they just have to get past the security of a social networking site.
In the case of access control, enterprises must be aware that accepting the credentials of any third party, including from a social media provider, means defaulting to that partner's security controls. A thorough understanding of, and trust in, any partner's security controls is therefore essential. Also, enterprises must encourage customers not to use the same username/password combination for online banking or making online purchases as they do for social networking sites.
If you’re an online retailer, rely on your own network access controls. If you allow customers to access your site using credentials from a third party, while you’re outsourcing security, you still own the liability. If your site is hacked, you’re the one dealing with the repercussions, and simply blaming the login credentials from a social networking site won’t protect you.
Secure the asset
Remember that it's not the security of each and every online retailer we're trying to protect, but the security of credit and debit card customers.
Consider, then, the security advantage of requiring an out-of-band approval to register a credit card with any online retailer. For example, when attempting to use a credit card on a site for the first time, an alert could be sent to the registered cardholder's email address or cell phone. With established online sites, attempting to have a product shipped to a new or not previously approved address could also trigger an out-of-band approval requirement.
Such controls would be tied to the card itself, independent of the online retailer being used. This would mimic the type of alerting used when a credit card purchase on the east coast is attempted by a customer who lives on the west coast.
Debit cards and ATMs
Out-of-band security is by no means limited to protecting credit or debit card account information online or at brick-and-mortar retailers. Most banking customers use a limited number of ATMs, generally near where they live or work. Customers also generally withdraw similar amounts of money each visit. Using the concept of "know your customer," if a withdrawal is attempted from an "out-of-network" ATM, or if an unusual amount is requested, or even if withdrawals come at an unusual frequency, an alert could be sent to a preregistered email account or cell phone number. The legitimate card holder would simply need to acknowledge that the transaction is appropriate.
Staying with the concept that nothing is totally hack-proof, this out-of-band security measure would force the fraudster to clear another hurdle.
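The card-tied triggers from the two sections above (first use at a merchant, an unapproved shipping address, an unfamiliar ATM, an unusual amount or frequency) can be written as one issuer-side check. The Python below is an added example, not code from the article; the profile fields, event keys and thresholds are assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

MAX_WITHDRAWALS_PER_DAY = 3   # assumed frequency threshold
AMOUNT_SIGMA = 3.0            # assumed "unusual amount" threshold


@dataclass
class CardProfile:
    """What the issuer already knows about one card (fields are assumptions)."""
    known_merchants: set = field(default_factory=set)
    approved_addresses: set = field(default_factory=set)
    usual_atms: set = field(default_factory=set)
    past_withdrawals: list = field(default_factory=list)   # amounts
    withdrawal_times: list = field(default_factory=list)   # epoch seconds


def step_up_reasons(profile, event):
    """Return why this event needs out-of-band approval (empty list = none)."""
    reasons = []
    if event["type"] == "online_purchase":
        if event["merchant"] not in profile.known_merchants:
            reasons.append("first use of card at this merchant")
        if event["ship_to"] not in profile.approved_addresses:
            reasons.append("shipping address not previously approved")
    elif event["type"] == "atm_withdrawal":
        if event["atm_id"] not in profile.usual_atms:
            reasons.append("ATM outside customer's usual set")
        history = profile.past_withdrawals
        if len(history) >= 5:   # too little history gives no baseline
            limit = mean(history) + AMOUNT_SIGMA * max(pstdev(history), 1.0)
            if event["amount"] > limit:
                reasons.append("unusual withdrawal amount")
        day_ago = event["time"] - 86400
        recent = [t for t in profile.withdrawal_times if t > day_ago]
        if len(recent) >= MAX_WITHDRAWALS_PER_DAY:
            reasons.append("unusual withdrawal frequency")
    return reasons


if __name__ == "__main__":
    # Constructed sample data for illustration only.
    now = 1_700_000_000
    card = CardProfile(usual_atms={"ATM-001"},
                       past_withdrawals=[60, 80, 100, 80, 60, 100],
                       withdrawal_times=[now - 3600, now - 7200, now - 10800])
    print(step_up_reasons(card, {"type": "atm_withdrawal", "atm_id": "ATM-999",
                                 "amount": 500, "time": now}))
```

Any non-empty result would hold the transaction until the cardholder acknowledges the alert on the preregistered phone or email.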
Effective use of out-of-band communication
Alerts to a cell phone number rather than to an email address are both more real-time and more secure. This is particularly true with free Internet email accounts. With a username and password, a hacker can access an online email account from anywhere in the world. It's more difficult to intercept messages sent to a cell phone worldwide.
As numerous data breaches have demonstrated, financial institutions can't ensure the security posture of every online retailer or brick-and-mortar store where customers may shop. Therefore, a security measure that can be tied to the asset can be effective no matter where it's used.
About the author:
Philip Alexander has over 25 years of IT security experience in both the private and public sectors. He has published three books on IT security and data privacy, and is an operational risk manager for a major U.S. financial institution.