Chester Wisniewski of Sophos Talks About Secure Credit Card Transactions (Video)

Video no longer available.

Chester Wisniewski's nakedsecurity describes Wisniewski's specialty thus: "He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics." So he's obviously someone who might know a little about preventing future Target-style security debacles. We've also interviewed tech journalist Wayne Rash about this topic, and will probably interview another security expert or two. Many Slashdot users may find all this credit card security talk boring, but for those who handle security matters for a living, especially for retailers, it's vital information. So here's Tim Lord talking with Chet, who is a recognized security expert for Sophos, one of the big dogs in the IT security field, when Chet was in Texas for the latest iteration of Security B-Sides in Austin. (Alternate video link.)

Tim:So, Chet we are here at BSides in Austin talking. Right now I want to talk to you a little bit about credit cards chip-and-PIN, what is the security problem that we are suddenly facing even more this year than before?

Chet:Well, I’m not sure that we’re facing it more now than before, but certainly these high profile situations have drawn everybody’s attention to it, which is a pretty common thing for the media to glom on to something once finally something really large happens and we’ve been tracking criminal gangs that are stealing credit data like it happened at Target, Neiman Marcus, Michaels; all the stuff that’s been in the news in the last three or four months. And when we look at that stuff, we’re seeing maybe close to a hundred companies a quarter of some variety or another, small, medium, big size, getting hit with this type of stuff. So it’s not exactly new, although largely been a bigger problem in the last three or four years and I think it’s a public awareness thing that we just didn’t know about this stuff and I guess 40 million credit cards helped that along a little bit.

Tim:It’s a much bigger PR problem now than it was not too long ago?

Chet:Well it is and when you consider something like Target where so many Americans shop, you also have to realize that congressmen shop at Target, senators shop at Target and that also is drawing extra attention to this and hopefully that’s one of the things that can help reform the system to fix things in my opinion is, regulation is a very dirty word in the banking industry, I don’t like regulation and so the fact that a lot of very important people were impacted by such a large breach means this isn’t just about gamers and Sony and Anonymous like it was three years ago, now it’s about our groceries and so it’s a bigger focus for Americans in particular.

Tim:What are some examples of regulation that you think would actually be effective or what will be the most bang for the buck when it comes to regulation that would actually keep people’s online information, offline information in the form of cards. What would be the best kind?

Chet:Well, American has fallen behind the rest of the world in our credit card technology in that we’re still relying on the stripes on the back of these things, right, like we’ve got these cards on our wallet, which is this simple magnetic stripe, which is 1960s technology, that we are depending on for security of our transactions when we are purchasing our groceries and I think that’s probably one of the focus areas that may happen if regulators get interested, which is what is the minimum amount of diligence required of both the payment card industry, the merchants, all the people involved in a credit card transaction, to really safeguard that information, is that magnetic stripe enough, and I think clearly it’s not.

When we look at the western world, the United States is one of the only countries that still has not implemented cryptographic security measures in our card payment systems, and that’s coming, but the question is, do you want the government involved or do you do it voluntarily and I suspect that similar to the movie industry deciding it’s better that they decide what’s rated ‘R’ rather than the government that perhaps the payment card industry also would rather decide how to implement chip-and PIN technology rather than the government prescribing it.

Tim:Now one thing I have heard you talk about before is that there is a considerable difference between what is projected to be implemented in the U.S and what is already in place in some other countries, can you talk about that?

Chet:Sure, I’m American, but I’ve been living in Canada for more than 10 years and here’s an example of a credit card that is no longer valid, but you see the chip that’s located on the card and that chip does not necessarily – people associate that with this concept of chip-and PIN, meaning just like your debit card or your ATM card when you use that chip in a payment terminal, that you have to enter in a secret ID code in order to authorize a transaction.

It looks like the United States is actually working towards something called chip-and-signature where we still depend on this – I’m going to partially obscure the signature on the back here, it’s my wife’s signature, she would not be very happy with me if I show the entire thing on camera – but the signature on the back of our cards still being used but with the cryptographic chip and I personally have a problem with this, in that it seems a bit odd to me because as a merchant, as the local flower shop or the Pizza joint, I’ve got to buy a new terminal to read that chip, costs me some money or I have to do a lease with my company I do my payment transactions with. It’s going to be of somewhat a burden on me to accept credit cards.

If I’m the bank, I’m Bank of America, I’m Chase, I’m Wells Fargo, I’ve got a issue, everybody, brand new cards now, they have a chip and then that’s certainly more expensive than cards that don’t contain a chip. And yet, we’re only getting half the benefit if we are still relying on the checkout people say at our local supermarket to check our signatures and I know most of you have not seen that in a long time. I mean, here we’re at this conference, I actually have my ID checked for being allowed to drink a beer today, I’m a bit old for that, but strangely in America, right, we check ID to buy a beer in Texas, but yet, I made credit card transactions all over Austin in the last two days and no one asked for my ID to check my signature or even looked at the back of my card. So, relying on signature as a verification method seems to me to be a mistake, but moving towards chip does still help solve the problem, so anything that moves us forward from where we are at today with the stripes is a good thing.

Tim:One thing I’ve seen you demonstrate before is, how relatively simple it is to extract a lot of information that is actually in fairly plain text or on the back of cards, so what does it cost right now if you want to criminally extract some information, how easy is that process?

Chet:It’s incredibly easy. I mean, if we’re looking at – I have got all these cards here and if we are looking at the stripes on these cards and we’re just looking at reading those stripes, on eBay you can pick up a reader for about $15, it depends on which country you’re in, actually I think I paid about $12 for the one I use in the demonstration and my talk here at BSides.

Tim:Square will send you one for free?

Chet:Well, to a degree the Square readers do not output a plain text or unencrypted, well it’s not encrypted but it’s obscured and so it’s not exactly useful as a criminal compared to a pocket skimmer as what most criminals would use, say if you’re a waitress that’s not quite making enough making at – whatever the minimal wage for waitresses is now, $4 an hour or something, right.

Tim:I think that’s high actually

Chet:May be $3 something, I don’t remember. But you can have something in your pocket very easily, scan cards from people and pocket skimmers can be upwards of $40 or $50, the one like I used in my demonstration like $12 or $15, unfortunately because I’m in Canada and shipping is outrageous, it cost me like $25, big burden in order to steal credit cards. But, it’s cheap, right, this is trivial and unfortunately to a degree, the chips in our cards if we implement them, don’t necessarily solve that particular problem. But what they do is, they make it difficult to reproduce, so if you go to a merchant and you’re expected to insert your card with that cryptographic chip, it’s very difficult as a criminal to reproduce that chip and make one or stealing data off the chip, what good does it do you; if you can’t make a chip, you’ve just got the data, but they still can’t do a transaction.

Tim:Whereas for online transactions I don’t have a reader on my desktop or laptop?

Chet:Yeah, that’s still an unsolved problem, in Europe in particular some banks actually have introduced USB based little readers that you are supposed to insert your card with a chip into to do online transactions. It’s totally flopped, people don’t like the thing, it’s inconvenient, who carries that with their laptop, how do I buy it for my iPad, like there’s a million problems with it. So I don’t think it’s an unsolvable problem, but it is still an unsolved problem in that there’s not been a good method of doing that.

Now, the fraud we’re talking about in particular is what we call retail fraud and in countries like the United Kingdom that have had chip-and-PIN for some time, retail fraud was reduced 80% by the introduction of the chip instead of the stripe. So it’s addressing one problem, but it does a pretty good job of addressing that problem, and that’s the way we need to approach most problems in life, right, like we have to chip away, we never have an total solution to any given problem, how do we eliminate the password, right, I mean, nobody wants to have 50 million passwords for 50 million websites. And the way we deal with this is keep trying to find better and better ways to make it a little easier to do the right thing.

Tim:I’ve had my card in the chunk machine at least once in the last year where it’s actually physically just rolled over the carbon?

Chet:Really. Yeah, I mean that still happens. And the alternative to that are things like Square, and I don’t necessarily want to criticize any given brand or a company for – I don’t think Square does anything wrong, but it’s another one of those things. I get in a taxicab here in the U.S. and I’m always torn when it’s Square because I’m like that means it’s a small business guy who probably owns his own car, and I really want to respect that, that he is not part of yellow cab with a fancy $400 credit card machine built into his car. He’s just making a go of it with his iPhone and that’s pretty cool.

But on the other hand, I also know the protections and the ability to commit fraud that way seem in my opinion larger, right, because one of the problems in particular with stripes on cards like we have here in the U.S. is a replay attack. The ability that I can take that information that was used for a transaction and play it over-and-over again and repeat that transaction, because cryptographically there’s nothing to prevent that, and that’s another benefit of things like the chip where it’s using a digital signature which conceptually is of similar in mind to the way SSL works in your web browser, in that there is public and private keys and transactions are signed and replaying them does you kind of no good as a criminal.

I haven’t tried this, but I suspect Square is making an audio sound into the microphone in your iPhone, so what’s stopping me from swiping and recording that on the recorder sound app on my iPhone and replaying it when I want to make it to purchase again and then changing the amount or something else, because all the information coming in through that connection is simply what’s called the PAN or the 16 digits on the front of your card, and the expiration date and a little bit of other data. So it’s got nothing to do with what I’m buying, so it might have been a taxicab ride today, but later tonight it might be a $200 bottle of scotch and I don’t know anything about that. Trust me I know nothing about the scotch.

Tim:A few minutes ago we were also talking about the perception difference when it comes to a place like the giant Target breach. That seems like a company that really should, just for its sheer size and salaries they are paying, probably lot of people who are working hard, large security staff, you think that that wouldn’t be the place compared to your corner store. But that’s not necessarily how it actually is?

Chet:Yeah, unfortunately I mean it does play out across the board, I don’t want to give the wrong impression and say that the flower shop that’s owned by your sister’s cousin actually is safer than Target, because all of these organizations have been victimized and actually I didn’t point it out in my talk which I usually do when I talk about these things, which is kind of – how do you if you are a target, the way you know you are a target is that you accept a credit card, like that’s how you know you are a target, right. Criminals are indiscriminate. They don’t care. They don’t discriminate. Wherever they can steal money, they’re going to steal money. And this is for easy money for them.

But on the other hand, this perception also that you’re a Fortune 500 company and you have the security staff of 100, you obviously are more secure and safer than the local pizza shop. And that’s not necessarily true either, right, and in particular we actually advice if there’s people out there that accept payment cards are concerned about these problems, use a payment card terminal that directly communicates with your payment card processor, that does the encryption inside the payment card terminal, put a sticker on the seams to make sure nobody is modified it, or can modify it without your knowledge, and then this whole problem goes away.

You don’t have to worry about regulation, you don’t have to worry about compliance, let your payment card processor worry about it, and they truly are professionals at it, and a few of them have made mistakes in the past and then breached, and they’ve all learned a very expensive lesson from that problem and have really shaped up security, and clearly with Target in mind I’m sure there’s lots of changes of course at Target as well, but probably one of the safest places to shop moving forward considering what happened. But this idea that it’s a big brand, right.

Sony was breached by Anonymous. Who is Anonymous? I mean, a ragtag group of hackers, if you will, right. We don’t know who they are, but you could call them political activists. They weren’t necessarily even skilled hackers. The fact that a Sony can fall to this and a Target can fall to this means, that brand doesn’t have that much to do with it, and strangely I guess to a degree, I also kind of ignore it, which May seem like bad advice, but you got to get on with life. We can’t be obsessed with worrying about our credit card all the time. Fortunately we have great protection from the banks. They usually cover fraud when it happens, but you need to be vigilant, you got to watch that statement knowing that $200 bottle of scotch showed up that you did not buy, I did not buy that. And if you do know that, report it to your bank, they’ll generally cover you.

So you got to get on with life, but do watch for the suspicious. When you go to the ATM, my advice is, give it a wiggle, check the thing where you’re putting the card into the slot, make sure it doesn’t move because it could be a skimmer. If it moves, go find another one that’s probably only 10 yards over, just use a different one, right. And when I’m at a restaurant and the waitress wants to take the card in the back. No, sorry, you are not taking my card out of my sight, like if you need I can walk with you over to the terminal where you do this and just swipe the card, I’ll sign it and then I could be on when I’m ready and I’m finished with my drinks with my friends, whatever it is. Be smart, be vigilant, but don’t be paranoid. You are protected largely and these things are a little scary. I mean, 40 million people being impacted is a big deal. We’re all learning lessons from this, and we’re getting better at it.

Tim:Good words to end on.

Chet:Thank you.

Tim:Thanks a lot.