Are Connected Devices Threatening Payment Security?

Cybercriminals are looking at a new point of entry to cause major damage to both consumers and businesses — the Internet of Things. Michelle Tinsley, director of mobility and secure payments for Intel, joined Karen Webster to discuss why merchants shouldn’t underestimate the backdoor connected devices may leave open for hackers.

When one door closes, another (connected) one opens.

At least that may be the mindset for the cybercriminals reportedly flocking to connected devices as an entry point into the networks and systems of businesses.

From Wi-Fi hotspots to printers, unsecured routers to digital video recorders — connected devices can be vulnerable to hacks and, when compromised, are being used by hackers to launch significant distributed denial-of-service (DDoS) attacks.

While it’s not uncommon for these Internet of Things (IoT) devices to be accessed by attackers looking for a stealthy way in, it’s also not uncommon for merchants to overlook these as a point of security vulnerability.

Intel Director of Mobility and Secure Payments Michelle Tinsley noted that, oftentimes, businesses are so hyper-focused on safeguarding payment data and PCI compliance that they easily lose sight of the other places where consumer data is left unprotected.

“There’s no way the guest Wi-Fi at a retailer is going to let you into the point of sale; however, it would let you into the system, which then may be able to get to where the consumer data is,” Tinsley explained, “because they’ve thrown that consumer data on the other side of the firewall from the payment.”

With massive cyberattacks like the recent Yahoo data breach — which compromised the personal data of an estimated 500 million user accounts — it’s clear that payment data isn’t the only information that needs to be protected.

When hackers have access to emails, usernames and the answers to a person’s security questions, it presents the opportunity for them to not only perpetrate account takeovers but also create entirely new unauthorized accounts.

“I can’t tell my mom to go get a new maiden name,” Tinsley pointed out, emphasizing that, once that piece of authentication is compromised, there’s no going back.

Going Beyond PCI

During an upcoming panel at Money20/20 titled “Payments Security: Taking a More Holistic Approach,” Tinsley will discuss why the constantly changing payments security landscape is in need of a new approach to protecting the flow of data.

While POS solutions certainly have their place, Intel is encouraging a bigger dialogue around industry-wide standards that can do more than just check the box of PCI compliance to truly help protect consumers against identity theft and payments fraud.

One piece of this more holistic picture is consumer presence as a factor of authentication, using biometrics, such as fingerprint, eyeball scan, etc., to provide additional layers of security. Tinsley explained that, while there’s no bulletproof solution, the addition of multiple factors is necessary to expand beyond just safeguarding systems with passwords or network keys.

But the minute malware makes its way into a system, it’s already too late.

Intel’s data shows that roughly 80 percent of data center traffic takes place within a data center itself, providing the perfect environment for malicious attacks to spread like wildfire.

“Once you get in, it’s like putting a virus into a petri dish; it can just multiply, expand and set up shop, and it’s not going to get checked by the firewall anymore because it’s already inside,” she explained.

“At Intel, we have future technologies that are being built into the CPU on every server to start doing random sample checks of traffic and make sure that it’s copacetic.”

Intel’s Data Protection Technology (DPT) is aimed not just at delivering encryption but at presenting it as a standard industry approach to data protection.

“The approach we’ve taken is to try to not only increase security and protect the consumer data but, at the same time, create a flexible architecture for the retailer that will enable them to reduce complexity over time,” Tinsley said.

She explained that Intel is advocating for two levels of security — the software-driven security and the hardware root of trust. The idea is to not just verify the software but also make sure it is connected back to trusted hardware for authentication.
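The point of the two-level model is that checking the application image on its own says nothing about what loaded it. The following is an added illustration, not Intel’s DPT or any product code: it models a measured chain of trust in which a hardware-held register (assumed here to start from a fixed reset value, in the style of a TPM PCR) is extended with the hash of each stage before that stage runs, so the final value binds the whole stack back to the hardware. The stage “images” are constructed sample byte strings, and the function names are this example’s own.

```python
"""Measured chain of trust: each stage's hash is folded into a tamper-evident
register before the next stage executes, so the final register value binds
the entire software stack back to the hardware-held starting state."""
import hashlib
import hmac

# Constructed sample "images" standing in for firmware, bootloader and the
# POS application. Real measurements would be taken over the actual binaries.
GOOD_STAGES = [
    b"firmware v1.0 (constructed sample)",
    b"bootloader v2.3 (constructed sample)",
    b"pos-app v7.1 (constructed sample)",
]

# A hardware root of trust starts the register from a fixed value that only a
# reset can restore; software cannot write it directly (assumption of the model).
INITIAL_REGISTER = bytes(32)


def measure(image: bytes) -> bytes:
    """Measurement = SHA-256 of the image that is about to be executed."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: register <- H(register || measurement).
    One-way and order-dependent, so no stage can set the register to a chosen value."""
    return hashlib.sha256(register + measurement).digest()


def measure_chain(stages) -> bytes:
    """Replay the boot sequence: extend the register with every stage in order."""
    reg = INITIAL_REGISTER
    for image in stages:
        reg = extend(reg, measure(image))
    return reg


def hardware_anchored_check(stages, golden: bytes) -> bool:
    """Accept only if the full chain, from the hardware initial value up, matches
    the golden value recorded from a known-good build."""
    return hmac.compare_digest(measure_chain(stages), golden)


def software_only_check(stages, app_hash: bytes) -> bool:
    """Verifies the application image alone and ignores whatever loaded it."""
    return hmac.compare_digest(measure(stages[-1]), app_hash)


# Golden values from the known-good build. In practice these live with the
# verifier, not on the device being checked.
GOLDEN_CHAIN = measure_chain(GOOD_STAGES)
GOLDEN_APP = measure(GOOD_STAGES[-1])


def tampered_bootloader():
    """Same application image, but a modified bootloader underneath it."""
    return [GOOD_STAGES[0], b"bootloader v2.3 (modified, constructed)", GOOD_STAGES[2]]


if __name__ == "__main__":
    bad = tampered_bootloader()
    print("good stack, anchored check:      ", hardware_anchored_check(GOOD_STAGES, GOLDEN_CHAIN))
    print("bad bootloader, software-only:   ", software_only_check(bad, GOLDEN_APP))
    print("bad bootloader, anchored check:  ", hardware_anchored_check(bad, GOLDEN_CHAIN))
```

Run as a script, the software-only check passes for the tampered stack because the application image itself is unchanged, while the hardware-anchored check fails: the modified bootloader changed an earlier extend, and nothing later in the chain can undo it. That asymmetry is what “connected back to trusted hardware” buys over verifying the software in isolation.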

At the upcoming Money20/20 event, Intel will be demonstrating some of the security solutions it has at play — one of which launched just a few weeks ago in partnership with Lenovo, with the release of its new Yoga laptop in China, to give users secure shopping with UnionPay.

Tinsley explained that, right out of the box, users of the new laptop can enter their credentials and, from that point on, simply tap their fingerprint on the laptop’s biometric reader to use that personal and protected data for eCommerce transactions.

Covering All The (Data) Bases

Though it varies based on demographic, Tinsley said that most consumers want to be active in the protection of their credentials.

While data shows millennials tend to be somewhat loose with their data protection, the increasing number of identity thefts — an estimated 13 million Americans falling victim last year — is beginning to quickly change that perspective, she added.

Merchants are also starting to better understand the risk that is posed to the consumer data passing through their systems.

Though some IT departments are adamant about their end-to-end encryption protection, it can be easy for them to overlook the many places in their networks where personal data is going unprotected.

Tinsley noted that some retailers have customer registries that they don’t think to protect but that collect and store names, addresses, phone numbers, emails, etc.

Even the data a retailer’s scanner reads from a driver’s license barcode for age verification, to confirm a customer is 21 years old, can be compromised by malware scraping memory out of the POS, even though that data sits there for only a brief moment.

“There’s a lot more data out there that, when retailers start thinking about it, they probably realize that they are passing PCI audits year after year on security for payments but haven’t done any type of audit for data for privacy,” Tinsley said.