Brian Pennington

A blog about Cyber Security & Compliance



Mobile Payments Data Breaches will Grow

An ISACA survey of more than 900 cybersecurity experts shows that

  • 87% expect to see an increase in mobile payment data breaches over the next 12 months
  • 42% of respondents have used this payment method in 2015

The 2015 Mobile Payment Security Study from global cybersecurity association ISACA suggests that people who use mobile payments are unlikely to be deterred by security concerns.

Other data from the survey show that cybersecurity professionals are willing to balance benefits with perceived security risks of mobile payments:

  • 23% believe that mobile payments are secure in keeping personal information safe.
  • 47% say mobile payments are not secure and 30% are unsure.
  • At 89%, cash was deemed the most secure payment method, but only 9% prefer to use it.

“Mobile payments represent the latest frontier for the ongoing choice we all make to balance security and privacy risk and convenience,” said John Pironti, CISA, CISM, CGEIT, CRISC, risk advisor with ISACA and president of IP Architects. “ISACA members, who are some of the most cyber-aware professionals in the world, are using mobile payments while simultaneously identifying and contemplating their potential security risks. This shows that fear of identity theft or a data breach is not slowing down adoption and it shouldn’t as long as risk is properly managed and effective and appropriate security features are in place.”

Reports say that contactless in-store payment will continue to grow. Overall, the global mobile payment transaction market, including solutions offered by Apple Pay, Google Wallet, PayPal and Venmo, will be worth an estimated US $2.8 trillion by 2020, according to Future Market Insights.

ISACA survey respondents ranked the major vulnerabilities associated with mobile payments:

  1. Use of public WiFi (26%)
  2. Lost or stolen devices (21%)
  3. Phishing/smishing (phishing attacks via text messages) (18%)
  4. Weak passwords (13%)
  5. User error (7%)
  6. There are no security vulnerabilities (0.3%)

What Consumers Need to Know

According to those surveyed, currently the most effective way to make mobile payments more secure is using two ways to authenticate their identity (66%), followed by requiring a short-term authentication code (18%). Far less popular was an option that puts the onus on the consumer to install phone-based security apps (9%).


“People using mobile payments need to educate themselves so they are making informed choices. You need to know your options, choose an acceptable level of risk, and put a value on your personal information,” said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, international president of ISACA and group director of information security for INTRALOT. “The best tactic is awareness. Embrace and educate about new services and technologies.”

Understand your level of risk: Ask yourself what level of personal information and financial loss is acceptable to balance the convenience of mobile payments.

Know your options: Understand the security options available to manage your risk to an acceptable level. Using a unique passcode should be mandatory, but also look into encryption, temporary codes that expire and using multiple ways to authenticate your identity.

Value your personal information: Be aware of what information you are sharing, e.g. name, birthday, national identification number, pet name, email, phone number. These pieces of information can be used by hackers to gain access to accounts. Only provide the least amount of information necessary for each transaction.

Security Governance for Retailers and Payment Providers

In the emerging mobile payment landscape, ISACA notes that there is no generally accepted understanding of which entity is responsible for keeping mobile payments secure—the consumer, the payment provider or the retailer. One approach is for businesses to use the COBIT governance framework to involve all key stakeholders in deciding on an acceptable balance of fraud rate vs. revenue. Based on that outcome, organizations should set policies and make sure that mobile payment systems adhere to them.

Members of the IT or information security group taking part in the discussion should also ensure they are keeping up to date with the latest cybersecurity developments and credentials. A joint 2015 ISACA/RSA study shows that nearly 70% of information security/information technology professionals require certification when looking for candidates to fill open security positions.

The full ISACA Press Release can be found here.

PCI Security Standards Council announces new board of advisors

The PCI Security Standards Council (PCI SSC) announced election results for the 2013-2015 PCI SSC Board of Advisors.

The Board will represent the PCI community by providing counsel to SSC leadership.

The Council’s more than 690 Participating Organizations selected individuals from the following organizations to represent their industry’s unique perspectives in the development of PCI Standards and other payment security initiatives:

  • Bank of America N.A.
  • Bankalararasi Kart Merkezi
  • Barclaycard
  • British Airways PLC
  • Carlson
  • Cartes Bancaires
  • Cielo S.A.
  • Cisco
  • Citigroup Inc.
  • European Payment Council AISBL
  • FedEx
  • First Bank of Nigeria
  • First Data Merchant Services
  • Global Payments Inc.
  • Ingenico
  • Micros
  • Middle East Payment Systems
  • PayPal Inc.
  • Retail Solutions Providers Association
  • RSA, The Security Division of EMC
  • Starbucks Coffee Company
  • VeriFone Inc.
  • Wal-Mart Stores, Inc.
  • Woolworths Limited

Board of Advisor members provide strategic and technical input to PCI SSC on specific areas of Council focus. Past board members have provided reach into key industry verticals and geographies to help raise awareness and adoption of PCI Standards; have shared their experience with implementing PCI Standards in presentations at the annual Community Meetings; and have contributed guidance on training product development and led Special Interest Groups (SIGs).

“Active involvement from our Participating Organization base is critical to ensuring the PCI Standards remain at the front line for protection against threats to payment card data. Once again I am impressed by the turn out in the election process. It’s particularly encouraging to see new markets looking towards open global standards like the PCI Standards to help secure payment card data worldwide,” said Bob Russo, general manager, PCI Security Standards Council.

“The Council and wider stakeholder community will benefit from the breadth of experiences and perspectives that this new board represents.” The board will support the Council’s mission to raise awareness and drive adoption of PCI Standards worldwide and will kick off its work in June with its first face-to-face meeting with Council management. “This year saw more European involvement than ever in the Board of Advisors election process. Although Europe contains mature EMV markets, this level of involvement in the PCI SSC confirms that the combination of PCI Standards and EMV chip is a powerful force for protecting payment card data,” said Jeremy King, European director, PCI Security Standards Council. “Our new board is a truly global group, and the Council will benefit greatly from its input as we continue to drive awareness and adoption of PCI Standards worldwide.”


RSA’s March Online Fraud Report 2013, with a focus on Email and Identity takeover

RSA’s March 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

Phishing attacks are notorious for their potential harm to online banking and credit card users who may fall prey to phishers looking to steal information from them. Compromised credentials are then typically sold in the underground or used for actual fraud attempts on that user’s bank/card account. Financial institutions have all too often been the most targeted vertical with phishers setting their sights on monetary gain, followed by online retailers and social networks.

Most understand the purpose of targeting financial institutions, but online retailers and social networking sites? Why would a fraudster target them? In most cases, they use an email address to authenticate their users’ identities, and they are not the only ones. Of course the user is made to choose a password when opening any new online account, but as research reveals, password reuse across multiple sites is a huge issue. A typical user reuses the same password an average of six times, or the same password to access six different accounts.

Phishing campaigns have been targeting webmail users for years, with lures purporting to come from Hotmail, Yahoo! and Gmail, and, for business users, a spear-phishing flavour built around OWA (Outlook Web Access).

Trojan operators followed suit and have not remained oblivious to the potential of gaining control over victims’ identities through their email accounts. In fact, almost all Trojan configuration files contain triggers for webmail providers as well as social networking sites, designed to capture access to those accounts, gather more information about potential victims, and ultimately take over their online identities.

Since email accounts are an integral part of user identities online, they have also become the pivotal access point for many types of accounts. When it comes to online retailers and merchants, the email address is most often the username in the provider’s systems or databases. When it comes to bank accounts, the customer’s email is where communications and alerts are sent, and sometimes even serve as part of transaction verification.

Beyond the fact that email is part of customer identification and point of communication, the compromise of that account by a cybercriminal can have more detrimental effects. Email takeover may mean that a hostile third party will attempt, and sometimes succeed, to reset the user’s account information and password for more than one web resource, eventually gaining access to enough personal information to enable complete impersonation of the victim.

Although some webmail providers use two-factor authentication for account password resets (such as Gmail’s Authenticator), most don’t, thereby inadvertently making it simpler for criminals to access and sometimes attempt to reset access to accounts.

Fraudsters will typically probe the account for more information and sometimes lock it (by changing the password) in order to prevent the genuine user from reading alerts after a fraudulent transaction was processed on one of their accounts.

Since email is a convenient way for service providers to communicate with untold numbers of customers, online merchants will, in the name of ease of use, reset account credentials via email. Hence, if a cybercriminal is in control of the email account, they will also gain control over the user’s account with that merchant.

From there, the road to e-commerce fraud shortens considerably: the fraudster can use that person’s stored financial information, or attach a compromised credit card to the account, without ever having to log into the victim’s bank account to reach their money. In that sense, email access equals money.
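The weakness described above, a mailbox that serves as the master key for every account that resets credentials by email, comes down to how the reset step itself is designed (the ISACA survey earlier on this page makes the same point from the consumer side: a second way to authenticate and short-lived codes were the controls respondents rated most effective). The following is an added example written for this post, not code from RSA or from this blog. It assumes a hypothetical ResetService whose second factor is a constructed one-time code standing in for a TOTP or SMS code, and it shows a reset token that is single-use, expires after 15 minutes, is stored server-side only as an HMAC, and is accepted only together with that second factor, after which every existing session is revoked.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Constructed example, not code from RSA or from this blog: a password-reset
// flow in which control of the mailbox alone is not enough to take over the
// account. ResetService and its methods are hypothetical names.

const resetTTL = 15 * time.Minute // emailed reset tokens die quickly

var (
	ErrNoPending       = errors.New("no pending reset for user")
	ErrExpired         = errors.New("reset token expired")
	ErrUsed            = errors.New("reset token already used")
	ErrBadToken        = errors.New("reset token does not match")
	ErrBadSecondFactor = errors.New("second factor rejected")
)

type resetRecord struct {
	mac     []byte    // HMAC-SHA256 of the emailed token; the raw token is never stored
	expires time.Time // absolute expiry
	used    bool      // single use: a replayed token is refused
}

type ResetService struct {
	key          []byte                  // server-side HMAC key, never sent to the user
	Now          func() time.Time        // injectable clock so expiry can be exercised
	pending      map[string]*resetRecord // user -> outstanding reset
	secondFactor map[string]string       // user -> expected one-time code (constructed stand-in for TOTP or SMS)
	sessions     map[string]int          // user -> number of live sessions
	passwords    map[string]string       // user -> password (plain only to keep the example short)
}

func NewResetService(key []byte) *ResetService {
	return &ResetService{key: key, Now: time.Now, pending: map[string]*resetRecord{},
		secondFactor: map[string]string{}, sessions: map[string]int{}, passwords: map[string]string{}}
}

// SetSecondFactor registers the code the user must present out of band;
// Login and ActiveSessions exist only to show that a reset revokes sessions.
func (s *ResetService) SetSecondFactor(user, code string) { s.secondFactor[user] = code }
func (s *ResetService) Login(user string)                 { s.sessions[user]++ }
func (s *ResetService) ActiveSessions(user string) int    { return s.sessions[user] }

func (s *ResetService) mac(token string) []byte {
	h := hmac.New(sha256.New, s.key)
	h.Write([]byte(token))
	return h.Sum(nil)
}

// Issue creates a single-use, short-lived token. The raw token goes out by
// email once; the server keeps only its HMAC, so a leaked table of pending
// resets does not hand out usable links.
func (s *ResetService) Issue(user string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.pending[user] = &resetRecord{mac: s.mac(token), expires: s.Now().Add(resetTTL)}
	return token, nil
}

// Complete accepts the emailed token only together with a second factor that
// did not travel through the mailbox, then revokes every live session so an
// intruder who is already logged in is thrown out as well.
func (s *ResetService) Complete(user, token, code, newPassword string) error {
	rec, ok := s.pending[user]
	switch {
	case !ok:
		return ErrNoPending
	case rec.used:
		return ErrUsed
	case s.Now().After(rec.expires):
		return ErrExpired
	case !hmac.Equal(rec.mac, s.mac(token)): // constant-time comparison
		return ErrBadToken
	}
	if want, known := s.secondFactor[user]; !known || !hmac.Equal([]byte(want), []byte(code)) {
		return ErrBadSecondFactor
	}
	rec.used = true
	s.passwords[user] = newPassword
	s.sessions[user] = 0
	return nil
}

func main() {
	s := NewResetService([]byte("constructed-demo-key"))
	s.SetSecondFactor("alice", "482913") // constructed sample code
	s.Login("alice")
	token, _ := s.Issue("alice")
	fmt.Println("mailbox only:", s.Complete("alice", token, "000000", "new-pw"))
	fmt.Println("with second factor:", s.Complete("alice", token, "482913", "new-pw"), "sessions:", s.ActiveSessions("alice"))
	fmt.Println("replay:", s.Complete("alice", token, "482913", "new-pw"))
}
```

The design choice worth noting is that the emailed token on its own never changes anything: a criminal reading the mailbox still needs the out-of-band code, and the token is refused after one use or fifteen minutes, which closes the window the report describes for resetting accounts across many web resources from a single compromised inbox.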

Another example is transportation companies, which are part of any online purchase and provide shipping services to businesses as well as government offices. They, too, use email addresses as their users’ login identifiers and will reset the account via email.

A takeover of a user’s email account in this scenario will also mean takeover of that person’s/business’ service account with the transport provider. For fraudsters, this type of access translates into purchasing labels for their reshipping mules, charging shipments to accounts that don’t belong to them, and providing an easier route to reship stolen goods and even reroute existing orders.

Email account takeover may appear benign at first sight, but in fact it is an insidious threat to online banking users. The first issue with email account takeover (due to credentials theft or a password reset), is that users re-use passwords. When fraudsters steal a set of credentials, they will likely be able to use it to access additional accounts, sometimes even an online banking account.

The second issue is that fraudsters will use victim email access for reconnaissance with that person’s choice of financial services providers, bank account types, card statements (paperless reports delivered via email), recent online purchases, alert types received from the bank, contact lists (often including work-related addresses), social networking profile and more.

How Risky Is Email Account Takeover?

Email account takeover can be a route to identity theft that only requires access to perhaps the least secure part of the online identity used by financial and other organizations, and it is perhaps one of the least evident elements that can become a facilitator of online fraud scenarios.

Email addresses can serve as a “glue” that binds many parts of a person’s online identity, connecting a number of different accounts that interlink. A typical online banking customer may use a Gmail address with their bank account, use that same address for a PayPal account, shop on eBay using that address, and receive their card statements at that address from their card issuer. All too often, that address is also their Facebook access email, where they have saved their phone number, stated where they work and for how long, and mentioned a few hobbies.

RSA’s Summary

Account hacks of this type happen all the time, and often make the headlines in the media. In some cases, there are a few hundred potential victims while in others, there are millions. The value of an email address to a cybercriminal should not be underestimated. This element of an online identity must be treated with added caution by all service providers that cater to consumers.

The line between ease of access and user experience always runs very close to security red lines, but sometimes very slight changes in the weight a customer’s email account carries in overall account access can turn a fraud attempt into a failed fraud attempt.

Phishing Attacks per Month

In February, RSA identified 27,463 phishing attacks launched worldwide, marking a 9% decrease from January. The overall trend in attack numbers when looking at it from an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In February, 257 brands were targeted in phishing attacks, marking a 12% decrease from January. Of the 257 targeted brands, 48% endured five attacks or less.

US Bank Types Attacked

U.S. nationwide bank brands were the prime target for phishing campaigns, with 69% of total phishing attacks, while regional banks saw an 8% increase in phishing attacks in February.

Top Countries by Attack Volume

The U.S. remained the country that suffered a majority of attack volume in February, absorbing 54% of the total phishing volume. The UK, Canada, India, and South Africa collectively absorbed about one-quarter of total phishing volume in February.

Top Countries by Attacked Brands

In February, U.S. brands were targeted by 30% of phishing volume, continuing to remain the top country by attacked brands. Brands in Brazil, Italy, India, Australia, China and Canada were each targeted by 4% of phishing volume.

Top Hosting Countries

In February, the U.S. hosted 44% of global phishing attacks (down 8%), while the UK and Germany each hosted 5% of attacks. Other top hosting countries in February included Canada, Russia, Brazil and Chile.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA February 2013 Online Fraud Report Summary here.
  • The RSA January 2013 Online Fraud Report Summary here.
  • The RSA December 2012 Online Fraud Report Summary here.

PayPal, Payments and PCI

The logo of Ingenico SA

Ingenico has announced a partnership with PayPal which will enable merchants with Ingenico POS devices to accept PayPal payment options; read the press release here.

Ingenico and PayPal have each made statements on the relationship:

“Today’s savvy shoppers want the option to choose how they pay for goods and are agile enough to easily switch between multi-shopping platforms. Our goal, as one of the key POS device and solutions providers, is to equip merchants with a versatile secure platform capable of accepting and handling diverse forms of payment,” said Thierry Denis, president of Ingenico North America. “By working with PayPal to bring their payment solutions to offline retail, we will naturally empower both the merchant, by providing a better way to connect with its shoppers to generate incremental sales, and the shoppers by adding speed and convenience at the checkout combined with expanded payment options. This relationship enables us to offer the most advanced solution for today’s practical shopper.”

“PayPal’s vision for the future of shopping includes people making purchases anytime, anywhere and over any device. Ingenico is helping PayPal realize this vision by putting PayPal in stores and at the point of sale,” said Don Kingsborough, vice president of retail and pre-paid products. “Millions of PayPal users will soon have several innovative ways to make purchases at many of their favorite retailers, including using Ingenico terminals to swipe their PayPal payment cards or to enter the mobile phone number and pin associated with their PayPal accounts.”

Walt Conway, a prominent QSA and manager at 403Labs, commented:

The first question is, if a PayPal card triggers a transaction on an underlying Visa or MasterCard, might that PayPal account be considered a “high-value token” and, therefore, be in scope for PCI? The follow-up question is, if the PayPal account is in scope, is it necessarily a big deal?

I read the piece about Home Depot letting shoppers pay in-store using PayPal:

“On the payment front, this is also a test of Home Depot accepting a rectangular magstripe card that doesn’t say MasterCard, Visa, American Express, Discover or Home Depot on it.”

Separately, I saw where Ingenico launched a new PayPal offering. It enables PayPal users to make retail purchases (using Ingenico terminals, of course) by swiping their PayPal payment cards or entering the mobile phone number and PayPal PIN. Because many (although not all) PayPal accounts are tied to an underlying payment card, which is in scope for PCI, and because using such a PayPal account ultimately triggers a payment-card transaction, would PayPal in this case fit the PCI Council’s definition of a high-value token?

A high-value token is a new concept the PCI Council introduced and defined in its PCI DSS Tokenization Guidelines. Specifically, the Council defines a high-value token as one that “could potentially be ‘monetized’ or used to generate fraudulent transactions.” The guidance goes on to say: “Additionally, tokens that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data.”

PayPal accounts were not designed to be tokens. However, because a stolen or compromised PayPal account could be used to generate fraudulent transactions, that PayPal account appears to act like not just any old token but a high-value token. The PCI Council states that high-value tokens may be in scope for PCI and, at the least, they require “additional controls in place to detect and prevent attempted fraudulent activities.”

Let’s move on to the second question. If a retailer (or its acquirer or QSA) considers PayPal accounts to be high-value tokens, does it matter? For many merchants, the PayPal transactions will use the same devices, networks and procedures that are already in scope for PCI.

Therefore, there might be no significant impact of PayPal acceptance for a retailer with a PCI-compliant POS system. Things might get complicated when the merchant stores the cardholder data, in which case the PayPal account information may expand the scope of data to be protected.

Thank you Walt for permission to use your excellent work.

Can Tokenization help to reduce the risk of fraud involving Credit Cards?

When it comes to protecting sensitive data, especially credit card data, an organisation needs protection in place because it faces a constant battle against a variety of attacks, with the two greatest foes being:

  • Social Engineering (e.g. preying on employees or customers)
  • Technology (hackers, viruses, etc.)

Social Engineering can be addressed by implementing regular training, professional management and monitoring, but Technology is a different story.

Technology is an on-going battle with thousands of new attacks being developed every week, e.g. viruses, Trojans, code breaches (e.g. SQL injections), etc.

New attack vectors require new defences, just like in fencing: as one fencer makes a move, the other needs to counter.

Security moves and counter moves cost time and money, especially when you consider that a potential weakness could be in any device on the network, e.g. phone systems, servers, BYOD, printers, etc. In a flat or non-segmented network one breached device could potentially lead to the breaching of all devices.

If multiple devices and applications require access to credit card data, e.g. CRM and Customer billing, the scope of risk is far greater which is why reducing the scope of the risk is so important.

Tokenization can dramatically reduce that scope by replacing credit card data, and other sensitive information, with a surrogate token that applications can still use but that contains no Personally Identifiable Information (PII) or credit card data. The original data is then stored in a “data vault” protected by strong encryption.

For some companies Tokenization has reduced the risk-points from several dozen to one, and if the vault is placed in the “cloud” it could place the organisation’s technology and infrastructure out of PCI DSS’s scope.
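To make the scope reduction concrete, here is an added example, written for this post and not the blog’s or any vendor’s code, of the vault pattern described above. It assumes a hypothetical Vault type with Tokenize and Detokenize methods, AES-GCM as the “strong encryption wrapped around” the stored card number, a constructed demo key, and the well-known test PAN 4111111111111111 as input. The token is random rather than derived from the card number, keeps the last four digits for display, and is regenerated if it happens to pass the Luhn check so that it can never be confused with, or used as, a real card number; only a caller the vault has authorised can recover the PAN, so every other system holds nothing worth stealing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed example, not code from this blog or any tokenization vendor.
// The Vault is the only component that ever holds a PAN; applications keep
// the token it returns. Vault, Tokenize and Detokenize are hypothetical names.

// luhnValid is the standard card-number checksum with a 13-19 digit shape check.
func luhnValid(s string) bool {
	if len(s) < 13 || len(s) > 19 { return false }
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' { return false }
		d := int(s[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

type Vault struct {
	aead       cipher.AEAD
	records    map[string][]byte // token -> nonce || AES-GCM ciphertext of the PAN
	authorised map[string]bool   // callers allowed to recover a PAN
}

// NewVault wraps stored card numbers in AES-GCM under a 16, 24 or 32-byte key.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Vault{aead: aead, records: map[string][]byte{}, authorised: map[string]bool{}}, nil
}

// Authorise names a caller (e.g. settlement) that may recover a PAN.
func (v *Vault) Authorise(caller string) { v.authorised[caller] = true }

// randomDigits draws n decimal digits from crypto/rand; the b%10 mapping is
// slightly biased, which is harmless because the token carries no secret.
func randomDigits(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil { return "", err }
	for i, b := range buf {
		buf[i] = '0' + b%10
	}
	return string(buf), nil
}

// Tokenize validates the PAN, encrypts it under a fresh nonce with the token
// bound as associated data, and returns a same-length surrogate that keeps the
// last four digits but deliberately fails Luhn, so it cannot pass as a card number.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !luhnValid(pan) { return "", errors.New("not a valid PAN") }
	for {
		head, err := randomDigits(len(pan) - 4)
		if err != nil { return "", err }
		token := head + pan[len(pan)-4:]
		if _, taken := v.records[token]; taken || luhnValid(token) {
			continue // already issued, or would look like a real card number
		}
		nonce := make([]byte, v.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil { return "", err }
		v.records[token] = append(nonce, v.aead.Seal(nil, nonce, []byte(pan), []byte(token))...)
		return token, nil
	}
}

// Detokenize is the only road back to the PAN and is gated by caller, so the
// rest of the estate never handles card data.
func (v *Vault) Detokenize(token, caller string) (string, error) {
	if !v.authorised[caller] { return "", errors.New("caller not permitted to detokenize") }
	rec, ok := v.records[token]
	if !ok { return "", errors.New("unknown token") }
	ns := v.aead.NonceSize()
	pan, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil { return "", err }
	return string(pan), nil
}

func main() {
	v, _ := NewVault([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte demo key
	token, _ := v.Tokenize("4111111111111111")                 // well-known test PAN
	fmt.Println("application stores:", token)
	_, err := v.Detokenize(token, "crm")
	fmt.Println("crm:", err) // not authorised: the CRM never sees a PAN
	v.Authorise("settlement")
	fmt.Println(v.Detokenize(token, "settlement"))
}
```

Binding the token into the ciphertext as associated data means a record cannot be quietly re-labelled with a different token, and because the token is not a hash or cipher of the PAN, a stolen table of tokens gives an attacker nothing to invert; that is what lets the CRM, billing and reporting systems drop out of scope while only the vault and its authorised settlement process remain.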

For details on reducing the scope of PCI DSS see my other post Eight Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder Data.

For a copy of the guide “Tokenization for Dummies” click here.


Cybersource’s 2012 UK Online Fraud Report

Cybersource have produced their eighth UK Online Fraud Report, for 2012; a summary of the report is below.

The respondents to this year’s report came from a balanced group of merchants, classified as:

  • Medium business (annual online revenue of £500,000-£5m)
  • Large business (£5m-£25m)
  • Very large business (more than £25m)
  • Small business respondents (less than £500,000) accounted for 23% of the survey base

Respondent base

  • 20% Travel (excludes airlines, which are covered by a separate global fraud report)
  • 28% Physical goods
  • 28% Services
  • 24% Digital goods

Looking forward to 2012, the largest proportion of merchants (42%) expects to see fraud rates unchanged. On average, 37% foresee higher rates though there is a noticeable difference between expectations of the digital goods market versus the other sectors covered by this report; a lower proportion of digital merchants (31%) expect rates to grow.

Cards Remain Prevalent with Small Merchants

Credit and debit cards remain the most popular form of payment acceptance by some margin (nearly double the next most prevalent payment method). Whilst PayPal is less popular amongst larger merchants it is accepted by 52% of the very smallest merchants; furthermore 65% of digital goods respondents stated that they offer this payment method. Bank transfers have also gained in popularity, now accepted by 61% of small merchants and particularly prevalent in the services sector (64%) where direct debit (42%) is also popular.

Cash on delivery or, more importantly, in-store payment/pick-up is now an option for 26% of merchants, and is more common amongst the middle tier than the very largest. The biggest merchants are more likely to offer gift cards and certificates, accepted by 43% versus 11% of the smallest businesses (larger organisations may have their own programmes or be part of wider industry initiatives).

Mobile operator billing now forms part of the income stream for 8% of merchants, and is focused on the top end (online revenues more than £25m) where 15% of companies now accept payments this way. Overall, 38% of companies have a mobile-optimised commerce site, with the travel sector leading the way (56%). 26% of respondents have their own mobile app, rising to 30% for the physical goods businesses. Given the potential development costs, it is the largest companies that are much more likely to have an app (43%) versus the smallest (7%).

Over a third of businesses expect their total losses from fraud to grow in 2012

Percentage of orders rejected on the fear of fraud

  • merchants are rejecting on average 4.3% of incoming orders due to suspicion of fraud
  • 31% of merchants report that they are rejecting more than one in 20 orders on suspicion of fraud

Martin Pearce Head of Loss Prevention at was quoted in the report saying:

“The role of fraud prevention is an ever changing one; as the fraudster adapts so there is a need for the merchant to change in line with that behaviour. Key to this is the ability to detect fraudulent behaviour as close to real time as possible and then adapt, making changes quickly to counteract the latest threat. I liken fraud prevention to a game of chess; taking skill and strategic planning to get it right, especially when you are potentially playing a few moves behind the fraudster. Customer needs are ever changing too, with merchants looking to ensure that order and delivery/collection mechanisms are as easy and convenient as possible. Mobile devices have been playing an increasingly important role in transaction growth over the last few years, with a wide, and evolving, array of devices now on the market, all with internet access. Apps are also evolving; shifting from information stores to become purchasing and fulfilment instruments.

My view is that fraud hasn’t changed, but fraudsters have. They are more organised and being given new platforms through which to conduct activity. Any new purchasing process or platform is of real interest to the fraud community and will receive a lot of attention. You should ensure that your business is prepared, and able to manage such transactions (good and bad). Any success on behalf of the fraudster is likely to lead to further abuse at some stage.

Finally, whilst much focus is placed on identifying fraudulent behaviour, it is just as important to recognise the behaviour of good customers. Fraud identification is similar to looking for needles in haystacks; if you are adept at identifying good behaviour then you can substantially reduce the size of haystack at the start of the process; cutting your manual review workload and making the needles (or fraudsters) easier to spot and handle. In my experience, utilising tenure thresholds and monitoring on-going transaction behaviour can certainly help to identify genuine buyers. Furthermore, encouraging customers to manage their online activity via a dedicated user account area on your website not only provides you with valuable marketing data; you also gain much deeper insight into who your trusted customers are and how they behave.”

Find the full report here.

See CyberSource’s 2011 report on UK Online Fraud, summary here.

Also, CyberSource Brings World’s Largest Fraud Detection Radar to Online Merchants, post here.


PCI Standards Council Announces New Board of Advisors

On the 20th May 2011, the PCI Council announced its new Board of Advisors. More than 600 Participating Organisations elected the Board of Advisors. Participating organisations include merchants, financial institutions and processors from around the world.

The 2011-2013 PCI Board of Advisors will provide strategic and technical guidance to the PCI Security Standards Council that reflects the varied and unique industry perspectives of those across the payment chain. In addition to advising on standards development, the Board of Advisors plays a critical role in soliciting feedback and ideas, leading Special Interest Groups (SIGs); and helping the Council fulfil its mission to raise awareness and the adoption of the PCI Standards.

More than 76 organisations from across the payment industry were nominated for their direct experience and leadership in the field. The 21 seats were distributed within the categories of:

  • Financial Institutions
  • Merchants
  • Processors
  • Vendors
  • Others (Industry Associations, etc.)

The new Board of Advisors is comprised of representatives from the following organisations:

  1. Barclaycard
  2. British Airways
  3. Cartes Bancaires
  4. Cielo
  5. Cisco
  6. Citi
  7. Disney
  8. European Payments Council
  9. First Data Corporation
  10. Heartland Payment Systems
  11. Ingenico
  12. International Air Transport Association (IATA)
  13. JPMorgan Chase & Co
  14. McDonald’s
  15. PayPal
  16. RSA
  17. Tesco Stores Limited
  18. TSYS
  19. VeriFone Systems
  20. Wal Mart Stores
  21. Woolworth’s

“Industry participation is crucial to our work here at the Council. I am ecstatic to see the record number of people who were involved in this year’s election process and the breadth of experiences and perspectives that this new Board represents,” said Bob Russo, general manager, PCI Security Standards Council.

“As we continue to strengthen the standards and their adoption globally, this group will play a leading role in the protection of cardholder data against security threats worldwide.”

“I am thrilled about the increase in European representation on the Board this term. It is a testimony to the excellent work and collaboration that is taking place in Europe to drive payment security forward,” said Jeremy King, European regional director, PCI Security Standards Council. “With their input, I’m confident that we can continue to make great strides in engaging European stakeholders in this important global initiative.”

For more information on PCI DSS visit the PCI Resources page here.


Lush Cosmetics is once again trading online

Lush the company that has suffered “security issues” over the last few months is up and running again.

The Lush website states “The Lush IT team have worked with our security advisers and bank providers

The site also states “Should you choose to make a purchase, you will see that our payment page now takes you away from the Lush website and directly to our card providers site, where your payment is safely in the hands of the big boys at the money institutions. You can shop with confidence knowing that your details will be safe.”

Hopefully, the lessons have been learnt and they will be trading as well as they did in the past.

Read about the original UK and Australia Hacks here

Lush confirm their Australian Website has been hacked

Image: Credit cards (via Wikipedia)

In a statement on the Lush Australia website Lush have confirmed that hackers have gained access to the site and that customer data “may” have been obtained (hacked). Lush advise customers to contact their bank about their credit cards.

They point out that the Australian website is not directly connected to their recently hacked UK site. The hacked UK site has a similar announcement to the Australian site.
