Card skimming moves online | TECH(talk)


Host: That's what I was going to ask: if you've got these scripts that are sort of tucked away in code on pages, and companies may not know that they've been infected, how can a company guard against this? How can an e-commerce company fend this off? How would a company know that its checkout page has been infected and that financial information is being stolen? How does this come to light?

Lucien: Right, so there are a couple of things. First of all, you need to keep your software up to date. Keep your CMS up to date, because CMSes like Magento, which is a very popular e-commerce CMS, issue regular security updates; they discover vulnerabilities and they patch them, so obviously you need to keep those up to date. Then there are some web technologies. One of them is called Content Security Policy, and this allows you to define, or whitelist, the domains from which your website is allowed to load scripts. So in case an attacker gets access and tries to load a script from one of their custom domains, a domain they control, if that domain is not in the list of whitelisted websites, client browsers will just refuse to load it. That is Content Security Policy. Another such technology is called Subresource Integrity, or SRI, and this would protect against supply chain attacks, because it allows the website operator, when they put a script inside their code, to also provide the cryptographic hash of that script. So when the browser visits the website and gets that script, it verifies the cryptographic hash, and if the hash does not match, it means the script has been modified at its original location, which is the third-party provider. So if the attackers gain access to that and modify the script, that script will have a different cryptographic hash and browsers will refuse to load it. That's another way you can protect your customers. And of course, regular security audits: there are web scanners that detect obfuscated code and unusual code in your pages; there are web application firewalls that can detect infections or block known infections by using patterns. There are different technologies, but most importantly, have a clear security contact page, because there have been many cases where security researchers or security professionals have discovered these infections and tried to notify the affected parties, and they got no response, or it took weeks or longer to get a response, or they never got a response. Which is bad, because if your website is compromised, you risk suffering the reputational damage of a breach; you have to notify all your customers, and you want to do it as quickly as possible.

Host: That's an interesting point, that the companies that are hosting their own websites... it's interesting to think that there are security professionals that have found these flaws and tried to reach out, and it's been difficult. That's something I never... that was kind of scary to me, that you reach out and no one is there. That wouldn't even occur to me, so it's really interesting that that would be an issue. But go ahead.

Lucien: Okay. Now I wanted to mention some upcoming changes in the payments industry that might mitigate some of this fraud to some extent.

Host: Yeah, go ahead if you want.

Lucien: Okay, so there is a revised Payment Services Directive in Europe, and it has a strong customer authentication requirement, and this will go into effect in September this year. These requirements basically say that for every online card transaction over 30 euros (there are some acceptable limits, but for transactions over thirty euros) you need to have multi-factor authentication. So in addition to the card security code, you will get asked for a second code, either a code generated by a mobile app or biometrics like your fingerprint or Face ID. This will not stop these attacks, but it will make it harder for attackers to abuse those cards, especially in regions where this will be implemented. And even though this is a European regulation, it is expected, and my sources have told me that it is expected, that the US will adopt it as well by the force of the industry. Because if you are a merchant and you are selling goods to both US and European customers, you are going to implement this for your European customers, and if you are going to implement this, you are going to implement it for all your customers; you're going to have this capability. And if you use this capability and your bank, let's say your US bank, does not support it, then the US bank becomes liable for the fraud. So this will be a reason for US banks to adopt it as well. This is a security standard known as 3-D Secure, 3DS2, because the previous version of this hasn't seen much adoption; it created a lot of friction, and merchants didn't want to lose customers during the checkout process by having them perform additional steps. But this second version is something that banks will have to implement, so your bank will ask you to install an application on your phone and you'll be able to authenticate transactions through that. So it's not something that merchants have to force upon customers anymore; it's the bank that will force it upon customers, so that will make it more appealing for merchants to implement. And it is expected this will be implemented in the US. Compared to chip-and-PIN, which required investment in new point-of-sale systems, so hardware, and was a very complicated, very long process, all that's required for this is already there. This is software, this is an API, it should be easily implemented, and it won't take as long as it did for chip-and-PIN. So we should see it in one year, a couple of years, but probably less adopted by US banks and US merchants as well.

Host: You sort of touched on a solution, but I'm just curious: is there any sense, in terms of, say, Europe versus the US, whether one area is a little more proactive on the security side than the other? It seems to me, when you think about last year with GDPR, that Europe sort of leads the way, and the US and US-based companies, merchants, e-commerce sites, whatever, tend to fall in line because they have a global presence. Do you have any sense whether that's the way it's evolving, that it starts in Europe and kind of spreads to the US by default?

Lucien: Right now it is, yes. I mean, for the past ten years or so Europe has been kind of leading in privacy and security regulation, and US companies are forced to adopt some of them if they do business in Europe as well, so it drives adoption in the US as well. The regulations in the US are much more fragmented, because you have the state-level regulations and then you have the federal regulations, and the federal government tries to avoid over-regulating or enacting new federal regulations and leaves the states to enact their own regulations, which creates a bit of fragmentation. I know that California is ahead of most states when it comes to data protection and other types of security- and privacy-related regulations.

Host: Okay, that's interesting. And the difference, like you mentioned, of the EU pushing some of these security regulations and that reverberating a little bit in the United States, it also brings up to me the difference in risk tolerance in the EU and the US. I know in the US here, if I were the victim of a hacked transaction, I would probably get my money back, right? It's that whole thing in the US about making it as frictionless as possible.
Host: Exactly. People don't have to think about it as much in the US, and therefore they don't, whereas in Europe the possibility that they might actually lose a serious amount of money and not be able to get it back for weeks or months, or ever, makes you much more risk-averse than you might be if you're just shopping on Amazon or somewhere in the US.

Lucien: Yeah, absolutely, and that's true for a physical card in Europe, because you do have to file a police report and then go to the bank. This new directive, the revised Payment Services Directive, actually says that if strong identification has been used and there's fraud, the customer must get his or her money back as soon as possible, so it will speed up the process.

Host: That's good to hear. It's really interesting to think about; it's just something that I don't think about as much. I feel like it's been ingrained in my mind to be worried about physical ATMs, or if I'm buying gas, and it's happened to me: I've had my card info swiped from an ATM. But this is an interesting way of thinking about card skimmers that just didn't really occur to me before as a consumer. It's a reminder that even when you're shopping online and you've got your card and your CVV number and everything, and you input it manually each time, given these injectable ways of getting your information, even then you may not be safe.

Lucien: Yeah, it's really interesting. And I'd like to mention that some of these groups do not target only card information; they have evolved into targeting all types of sensitive information, personal information and other types of information, basically any personal details and data they can monetize and sell on the black market. It depends; they might even sell it based on how high-value the target is. If you are a rich individual, your data might be worth more, because if you become a victim or attackers use it, they might gain more money.

Host: So it seems like, in short, card skimming has really evolved rapidly. And briefly, Lucien, if you wouldn't mind letting us know, where do you foresee this evolving further?

Lucien: I don't see this attack stopping anytime soon. This will go on, because there are so many easy targets out there, and yes, there are ways to protect against it, but the reality is, just as with companies in general and security in general, it requires investment, it requires skilled employees to do these things, and a lot of companies do not prioritize security over other aspects of their business. And this will continue to go on.
There are thousands and thousands of websites compromised every single week, every single month, through known vulnerabilities that have been patched, just because they did not patch their own software. Case in point, the Equifax breach, the large Equifax breach, which was due to a vulnerability that had been known for months, and there had been reports out there, even before the site got compromised, of widespread attacks against websites through that vulnerability. So it wouldn't have taken a lot for Equifax, or Equifax's IT department, to know about it.

Host: Great, interesting. Well, thank you so much, Lucien, we really appreciate you being with us and calling in all the way from Romania. It was really interesting. Yeah, I just had to get in there that he's calling from Romania; it's so impressive, we're global for everything.

Host: Oh, absolutely. Thank you so much, Lucien.

Lucien: Thanks for having me. Thank you guys, it was good to talk to you.

Host: And thank you so much for watching this episode of TECH(talk). If you liked this video, be sure to give it a thumbs up and subscribe to our channel. We will link Lucien's story in the description; you can read a bit more about these types of card skimming attacks. It's pretty interesting, and it's interesting even just as a consumer to make sure that you're staying safe, or at least keep a healthy amount of worry, just be aware of it. Yeah, that's a lot to learn. Thanks so much for watching and we'll see you next time. Thanks.
