Académique Documents
Professionnel Documents
Culture Documents
Steve Manning
August 25, 2004
1
Overview
2
Fundamentals of Online Transactions
How it works: Set-up
Shopper Merchant
Customer
Credit Lines
Shopper Merchant
X
authentication/authorization event
No money actually moves over credit card
23
networks (only auth/auth requests)
X Auth/auth data returned to merchant for
sale decision
X All risk brokering is determined by
23 auth/auth event
Customer
Credit Lines
Acquiring Bank
Issuing Bank Visa & MasterCard Backbone
4
Directories Processors
Fundamentals of Online Transactions
How it works: Settlement of Funds
Shopper X Consumer does not pay until end of billing cycle Merchant
Customer
Credit Lines
Acquiring Bank
Issuing Bank Visa & MasterCard Backbone
5
Directories Processors
Fundamentals of Online Transactions
Authentication and the input problem
X Limited risk
X Authenticated credential (card)
“Swipe” X Authenticated individual (signature)
(POS Terminal)
X Merchant rarely burned <.1% fraud
rate
Shopper Merchant
10010100010
X High risk
X No credential
X No identity authentication
X Merchant frequently burned >1%
fraud rate
6
Trends in Online Fraud
Trend #1: Web crime growing faster than web commerce
Vulnerabilities ’95-’02
5,000 Snapshots From 2002
X 99% of intrusions result from known
4,000 vulnerabilities or configuration errors
X Microsoft released 72 patches in ‘02
3,000
X Redhat released 38 patches in ‘02
X New vulnerabilities discovered per
2,000
week: 5 in 1998 to 50 in ‘02
X Published vulnerabilities notify
1,000 hackers as well as businesses
0
1996 1998 2000 2002
9 Source: CERT
Trends in Online Fraud
Trend #3: Automation, collaboration, internationalization
X Automation
– Use of software tools to speed up hacking process
– Tools lower bar for technical sophistication of hackers
X Collaboration
– Information sharing drives rapid evolution of hacking techniques
– Specialists easily recruited to hacker teams
– Businesses do not collaborate as effectively as hackers
X Internationalization
– Over 50% of payments fraud originates from overseas (from a short list of
politically instable countries)
– Current hotspots: eastern europe, asia
– Internationalization complicates police jurisdiction and prosecution
10
Trends in Online Fraud
Technology has greatly automated criminal activity
X Government regulation
– U.S. Patriot Act
– California Anti-Hacker Legislation: SB1386
– Graham-Leach-Bliley Act
– FTC sues Guess.com for database compromise
13
How Fraud Happens
All payments fraud is based on stolen identities and
access to payment networks
14
How Fraud Happens
Broadly speaking, payments fraud falls into 3 categories of theft
Web
Web
Cardholder
Cardholder Merchant
Merchant Processor
Processor
Gateway
Gateway
Infrastructure Hack
X Customer Lists
Issuing
Issuing Acquiring
Acquiring
Bank
Bank Bank
Bank
16
Protection Against Fraud
Businesses face both strategic and tactical challenges in
effectively combating fraud
Understanding Fraud X Lack broad visibility into ecommerce X Lack access to specialized data
events sources that inform decisions
Trends
X Business focus on retail– not X Budget for fraud operations
supporting security analysts
Choosing & Deploying X Identifying right technologies for X Deploying and operating specialized
Technology specific fraud problems risk systems
X Gauging efficacy of anti-fraud X Updating systems
technologies prior to deployment
Evolving with Fraud X Identifying and blocking new X Testing new technologies for new
patterns before they strike attack patterns
X Lack resources to manage “positive
feedback” fraud operations
17
Protection Against Fraud
Effective fraud management requires protection from a broad
scope of threats
2
2: Other Business Security
1 X Have other business’s secured customer lists?
X Have other business’s provided data validation?
Asia East Europe
3: Infrastructure Security
X Compromised ISPs (email spoofs and fake site
scams)
X Home zombie computers (attack launch points)
X Freight forwarders
X Anonymizing services
South Am
4: International
X Organized crime rings (Eastern Europe)
X International card issuers
18
Protection Against Fraud
True protection requires security solutions at 3 levels
X Transaction Level
– Authenticate buyers when possible
– Screen order content for fraud patterns
– Manually review suspicious transactions
X Account Level
– Lock down administrative access
– Monitor account level activity for suspicious patterns
X Network Level
– Lock down network access
– Monitor network level activity for suspicious patterns
– Update all patches on servers and operating systems
19
Protection Against Fraud
There is no software silver bullet– payments security requires an
orchestration of technologies and processes…
20
Protection Against Fraud
Verified by Visa and MasterCard SecureCode protect card
information at checkout
X Technology Requirements
– MPI (merchant plug-in) to initiate authentication from checkout
– Visa/MasterCard 3DSecure directories to route communication to issuers
– ACS (access control server) for issuers to execute authentication
– Processors (online & offline) must pass new data fields (ECI, CAVV, XID)
21
Protection Against Fraud
How it works
1. Consumer fills out checkout page, submits payment information to merchant
2. Merchant MPI checks Visa & MC directories for enrolled cards
Shopper Merchant
MPI
22 Issuing Bank
Merchant Liability for Fraud
How it works
3a. For non-enrolled cards, transaction continues to processor as usual
3b. For enrolled cards, issuer prompted to authenticate user
4b. Consumer gives password, ACS validates password
Shopper Merchant
MPI
23 Issuing Bank
Merchant Liability for Fraud
How it works
5. Authentication results passed back to merchant, proceed to authorization
MPI
24 Issuing Bank
Cool Tech Club
?
Questions
25