Mobile: The New Weak Link
Written by Mark RaschAttorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Cybersecurity Director for CSC in Virginia.
Want to destroy your network infrastructure, grab all your customer’s unencrypted credit card numbers and drive your business into bankruptcy? There’s an app for that. As retailers of all sizes migrate to mobile-type payment systems and leverage existing mobile technologies (e.g., Android, IOS platform devices), the problems of PCI-DSS compliance and protection of credit card information increase. That is because these mobile platforms are inherently insecure, making the payment systems that reside on them insecure, too.
Increasingly, retailers are looking at mobile payment systems that do not require their own dedicated infrastructure. Using ubiquitous handheld devices over regular Internet connections, these devices are cheap, easy to maintain and hold great promise for line-busting, inventory management, offsite purchases and a host of applications we haven’t even thought of.
An example of such a device is the Square payment system. This small cube-shaped device plugs into any iPhone’s audio plug and, with the downloadable software and a square processing account, allows anyone to process credit cards. The device contains a magnetic code reader, along with the ability for customers to use their fingers to “sign” their names on the iPhone itself.
(Related story: The CIOs of Pizza Hut and Ann Taylor—plus the SVP/IT at Home Depot—discuss the advantages and dangers of turning part of their revenue flow to mobile payments.)
The iPhone camera can act as both an authentication device and a barcode scanner to obtain product information and current pricing and inventory information. Pretty slick. The device itself is promoted as PCI-DSS Level 1 compliant, so it is secure, right? Not so fast.
The problem for mobile computing in general and mobile payment systems in particular is not that the application—or the POS devices attached to it—is not secure. The problem is the same as that with ordinary POS terminals, only multiplied exponentially. A regular POS terminal, out of the box from the vendor, may be advertised as “PCI-DSS compliant,” but in most cases, this just means that the device is capable of becoming DSS compliant.
Out of the box, the device contains the manufacturer’s default passwords and configurations (look ’em up on the Internet, and you are in) and, generally, must be connected to the retailer’s internal network and external Internet connections.
What is worse, the contracts with the POS vendors, payment processors and issuing and collecting banks generally impose both the responsibility for and the liability for security on the merchant. Thus, the merchant must take this insecure device, change the passwords, configure it securely, connect it securely to its network, ensure that its network is itself secure, ensure that only valid people can get on its network and essentially protect the credit card information. That’s a lot to expect of a company in the business of selling staple guns or T-bone steaks.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
