Data security provider Foregenix is in the thick of the endless war on cybercrime. And the payments industry's biggest weapons are no deterrent to fraudsters, says Andrew Henwood, CEO of U.K.-based Foregenix.
The Target breach may have shocked U.S. merchants into wanting to deploy EMV-chip cards, but it's an episode that has played out globally in a nearly identical manner, says Henwood, who was promoted to CEO on April 3.
Prior to his promotion, Henwood led the company's investigative teams in South Africa and Latin America. He previously worked as vice president of Trustwave's SpiderLabs forensics research in Europe, the Middle East and Asia.
Foregenix is a qualified security assessor for the Payment Card Industry Security Council.
Henwood shared his thoughts and fears with PaymentsSource about the ongoing fight to protect payment data. This interview has been edited for length.
PaymentsSource: Some in the payments industry were surprised to hear the Target breach occurred when criminals got access to third-party vendor credentials and pulled payment card data after access from an entirely different part of the retailer's network. Does this type of access guarantee that fraudsters can get out with something of value?
Henwood: We see a significant amount of custom-written malicious software for the environment these guys are gaining access to. Its sole purpose is to extract as much valuable card data as they can get their hands on and extract it in some sort of automated fashion.
PaymentsSource: The malware stays until someone detects it?
Henwood: The malware stays to obtain any extra card data that comes in. The hackers never have to access the environment again. I don't want to call it a risk-free crime, but it's darn near close to it.
PaymentsSource: Other than tighter security on the network and third-party access credentials in the first place, what does a merchant do once the malware is infecting a system?
Henwood: The card anti-virus vendors, generally, cannot detect this malware. The good guys will detect it when they get their hands on the code and actually reverse-analyze it and provide the samples to the vendors. Until that point, this malware is not detectable. It is good at hiding itself and masquerades as a legitimate payment processor. If you were an IT person scrutinizing a box infected by this parasitic malware, it's very hard to tell it was infected.
PaymentsSource: When a breach results in millions of card accounts being compromised, should every cardholder figure it is only a matter of time before they are fraud victims?
Henwood: Not really. We worked on a big case recently in South Africa, though not as many cards as the Target breach. But these guys are very selective. They get more card data than they can use and will focus on corporate, business, platinum and gold cards. Those are the cards with really high limits. It's a significant trend for them to be picking and sorting the types of cards they want to use for the greatest yield.
PaymentsSource: Just to be clear, we are talking mostly about cards still using magnetic-stripe technology?
Henwood: Yes, because mag-stripe is very valuable to a criminal looking to clone cards.
PaymentsSource: Since they were first introduced years ago in Europe, have any security problems unfolded with EMV chip cards?
Henwood: You have to remember that an EMV card still has a mag-stripe as backup. Generally, the EMV card data is protected, but the primary account number can still be compromised because it is not encrypted. The PAN is not as valuable to a hacker as the full track of data, but it is a misconception that the PAN is in the clear. EMV certainly mitigates risk, but the 16-digit number on the front of the card is still unencrypted.
PaymentsSource: If the PAN alone is not of tremendous value, are there any other gaps in EMV that you have noticed?
Henwood: Yes, merchant behavior needs to change. In many cases we have worked on, we discovered that merchants, either by habit or because the payment software was not operating properly, did what we call "double-swiping." They take the EMV transaction and also swipe the card. They are insisting on taking a mag-stripe swipe off the card, and that is not necessary in an EMV environment.
PaymentsSource: Can we just get rid of the mag-stripe once and for all?
Henwood: Even if we could wave a magic wand and say a vast portion of the world has gone to EMV, we would still have the requirement for back-up compatibility. If you go somewhere not accepting EMV, you would be frustrated in not being able to use your payment card. We are going to have mag-stripe for years to come.
PaymentsSource: It is general knowledge that EMV chases fraudsters away from the point of sale and into e-commerce. I am sure you have watched that trend closely.
Henwood: Now, 95% of our forensics work is in card-not-present cases. Fraud has moved to other channels that are vulnerable.
PaymentsSource: What lies ahead for the U.S.?
Henwood: Things will get a lot worse in the U.S. before they get better. The bad guys know there is a short window of opportunity because of the move to EMV. They are going to want to get card data while they can because there is so much mag-stripe still out there. The best answer is point-to-point encryption in tandem with EMV. That would be a fantastic achievement because that would come close to eliminating all types of fraud scenarios.