
How to secure your wireless network from the top 3 mobile payment threats
Mobile payments can reduce transaction costs for buyers and sellers, and reduce the costs of circulating a cash supply – hence the growing popularity. However, this new payment technology presents many security challenges that must be addressed by merchants to keep customer data safe.
It’s not just goodwill driving security initiatives for payment technology: compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandates that organizations protect consumers. PCI DSS applies to any organization that stores, processes, or transmits cardholder data, and consists of a minimum set of security requirements and testing procedures designed to encourage and enhance cardholder data security.
Merchants in violation of PCI DSS can face hefty fines from payment brands (e.g., American Express, MasterCard, and VISA) and even lose the ability to process payment cards for goods and services. Additionally, if a consumer does make a purchase via mobile payment and their information is compromised (i.e., cardholder data), the merchant may be liable (especially if they do not proactively comply with standards).
Further, if adequate safeguards are not followed to meet PCI standards, consumers may perceive that payment card information is at risk and choose not to use a merchant’s infrastructure. If people lose faith in the security of a payment system, they will stop using it and the system will eventually become useless. Merchants accepting payment cards need to comply with the PCI DSS to ensure they have implemented proper safeguards to protect cardholder data and secured their points-of-sale from attackers and intruders that put customer data at risk.
Today, there are three main types of threats that attackers use to capture and exploit mobile payment cardholder data. Fortunately, with a strong wireless intrusion prevention system (WIPS), merchants can detect and combat these threats and keep themselves and customers safe. Here are the top 3 most frequent and dangerous attacks and what merchants can do to protect their wireless LAN (WLAN) network:
1) DoS Attacks on WLANs
Denial of Service (DoS) attacks flood data networks with malicious data that can infect mobile devices with malware that may destroy, modify, or compromise cardholder data. DoS attacks are designed to disrupt wireless services by exploiting vulnerabilities in wireless connections at the physical and data-link layers. For example, RF jamming devices with powerful antennas can disrupt a mobile payment system from inside or outside the boundaries of a store.
Wi-Fi Point of Sale Terminals (POSTs), whether they are smartphones or vending machines, are susceptible to DoS attacks because the RF communication that sets up and maintains network and device connections can be spoofed – it has no encryption mechanism. Wireless attackers disrupt services to mobile devices by continually transmitting disassociation or de-authentication notices to phones that appear to be from legitimate access points. In effect, the phone will try to re-establish services, or re-authenticate, only to get immediately disconnected, over and over again.
Combatting WLAN DoS attacks: Organizations can deploy wireless intrusion protection systems that monitor and detect critical intrusions that may compromise cardholder data security or disrupt wireless payment operations. These systems detect attacks by continuously monitoring the Wi-Fi communication, tracking wireless connections and associations to store access points, and analyzing the RF environment for transmission sources that could disrupt communications or are from malicious devices. When attacks are identified, the WIPS will generate an alert so that IT security operations can immediately remediate the problem.
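The deauthentication/disassociation flood described above leaves a very recognizable footprint in the management frames a WIPS sensor captures: a burst of disruptive frames, all claiming to come from one store BSSID, far denser than the occasional deauth that normal roaming produces. The following is an added example of that detection logic, not code from the article or from any vendor's WIPS product. The frame records, the two-second window and the threshold of 20 frames are constructed assumptions; a real sensor would feed in its own capture and tune the threshold to the site.

```python
"""Sliding-window detector for 802.11 deauthentication/disassociation floods.

Added example, not code from the article or from any WIPS vendor. Input is a
constructed list of management-frame records as a sensor might log them:
(timestamp_seconds, frame_subtype, bssid, destination_mac).
"""
from collections import defaultdict, deque

# Assumed thresholds: a few deauths per minute is normal roaming; dozens per
# second attributed to one BSSID is a flood (tune per site in practice).
WINDOW_SECONDS = 2.0
THRESHOLD = 20

DISRUPTIVE_SUBTYPES = {"deauth", "disassoc"}


def detect_deauth_floods(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one (bssid, window_start_ts, count) alert per BSSID that is the
    claimed source of at least `threshold` disruptive frames within any
    `window`-second span. Frames may arrive in any order."""
    recent = defaultdict(deque)   # bssid -> timestamps of recent disruptive frames
    alerts = {}
    for ts, subtype, bssid, _dst in sorted(frames):
        if subtype not in DISRUPTIVE_SUBTYPES:
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:    # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = (bssid, q[0], len(q))
    return list(alerts.values())


def sample_frames():
    """Constructed capture: normal beacons and one roam-induced deauth on AP 01,
    then 40 spoofed broadcast deauths claiming to be AP 02 within one second."""
    frames = [(t, "beacon", "AA:AA:AA:AA:AA:01", "ff:ff:ff:ff:ff:ff")
              for t in range(0, 60, 5)]
    frames.append((12.0, "deauth", "AA:AA:AA:AA:AA:01", "11:22:33:44:55:66"))
    frames += [(30.0 + i * 0.025, "deauth", "AA:AA:AA:AA:AA:02", "ff:ff:ff:ff:ff:ff")
               for i in range(40)]
    return frames


if __name__ == "__main__":
    for bssid, start, count in detect_deauth_floods(sample_frames()):
        print(f"ALERT deauth flood: bssid={bssid} start={start:.2f}s frames={count}")
```

The single legitimate deauth on AP 01 never reaches the threshold, while the burst attributed to AP 02 trips the alert on its twentieth frame; the alert carries the window start so an operator can correlate it with spectrum data or a capture from the same sensor.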
2) Skimming Cardholder Data
Skimming is the theft of credit card information by observing a legitimate payment transaction. Although there are a number of ways to "skim" credit card information, the process for POSTs is similar to ATM skimming: a thief attaches a third-party card-reading device on the outside or inside of the payment terminal to capture customers’ credit card information processed during a payment transaction. Many skimming devices use Bluetooth transmitters to transfer the skimmed information to thieves on demand. Note that Bluetooth devices can communicate from a distance of one meter (class 3) to 100 meters (class 1).
Detecting if cardholder data is being skimmed: Like Wi-Fi, Bluetooth operates in the 2.4 GHz band. Although it is difficult for a WIDS/WIPS to identify Bluetooth transmissions directly, their presence raises the noise level on the WLAN’s RF channels. By tracking the noise level of each RF channel, a WIDS/WIPS can identify channels with sustained, high levels of noise. Once such a channel is identified, the vendor can use a Wi-Fi analyzer with a directional antenna to track down the source of the noise and take action.
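The noise-tracking approach above hinges on the word "sustained": a microwave oven or a passing phone raises the floor for seconds, whereas a transmitter parked inside a terminal does so for as long as it is there. The following is an added example of that check, not code from the article or from any vendor's spectrum-analysis product. The per-channel noise-floor readings, the -80 dBm threshold and the 30-second persistence requirement are constructed assumptions.

```python
"""Flag 2.4 GHz channels whose noise floor stays high for a sustained period.

Added example, not the article's or any vendor's code. Input is a constructed
series of (timestamp_s, channel, noise_dbm) readings as a spectrum-analysing
WIPS sensor might report them every few seconds.
"""
NOISE_THRESHOLD_DBM = -80   # assumed: a quiet 2.4 GHz floor sits near -95 dBm
SUSTAIN_SECONDS = 30        # assumed: ignore bursts shorter than this


def find_noisy_channels(readings, threshold=NOISE_THRESHOLD_DBM, sustain=SUSTAIN_SECONDS):
    """Return {channel: (run_start_ts, run_end_ts)} for every channel whose
    noise floor stayed at or above `threshold` for at least `sustain` seconds
    with no quiet reading in between. Reports the longest such run per channel."""
    by_channel = {}
    for ts, ch, noise in sorted(readings):
        by_channel.setdefault(ch, []).append((ts, noise))

    noisy = {}
    for ch, series in by_channel.items():
        run_start, best = None, None
        for ts, noise in series:
            if noise >= threshold:
                if run_start is None:
                    run_start = ts            # a noisy run begins
                length = ts - run_start
                if length >= sustain and (best is None or length > best[1] - best[0]):
                    best = (run_start, ts)
            else:
                run_start = None              # quiet reading ends the run
        if best is not None:
            noisy[ch] = best
    return noisy


def sample_readings():
    """Constructed 2-minute trace, one reading per channel every 5 s:
    channel 1 has a 10 s transient burst, channel 6 a 70 s sustained rise,
    channel 11 stays quiet."""
    readings = []
    for t in range(0, 125, 5):
        readings.append((t, 1, -70 if t in (60, 65) else -94))
        readings.append((t, 6, -72 if 40 <= t <= 110 else -93))
        readings.append((t, 11, -95))
    return readings


if __name__ == "__main__":
    for ch, (start, end) in find_noisy_channels(sample_readings()).items():
        print(f"ALERT sustained noise on channel {ch}: {start}s to {end}s")
```

Only channel 6 is reported; the burst on channel 1 ends before the persistence requirement is met. The returned run start and end give the operator a time span to line up against transaction logs before walking the floor with a directional antenna.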
3) Unauthorized Devices on WLANs
Thieves may also set up their own Wi-Fi POST, masquerading as a vendor’s POST, or even masquerade as a store clerk and offer up a point of sale on their own Wi-Fi smartphone. These devices operate as unauthorized or rogue devices on a vendor’s WLAN or attempt to set up their own WLAN.
Identifying and protecting the WLAN from unauthorized devices: To identify unauthorized and rogue devices, organizations need to be vigilant and monitor the wireless network for unauthorized POSTs, access points, and wireless clients. This is best accomplished with a wireless intrusion prevention system. With a WIPS, organizations can track the security status of every wireless device in the WLAN and see if there are any unauthorized or rogue devices that may put mobile payments at risk.
These systems can also generate alerts when authorized devices deviate from a security policy, e.g., to use encrypted communications. Once unauthorized devices are identified, they can be easily located and removed with location information provided by the system.
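Both points in this section, spotting rogue and unauthorized devices and alerting when an authorized device deviates from policy, reduce to comparing what the sensors observe against an inventory of what the merchant has authorized. The following is an added example of that comparison, not code from the article or from any vendor's WIPS. The inventory, the store SSID and every MAC address and sighting in it are constructed placeholders.

```python
"""Classify WIPS sightings against the merchant's authorized-device inventory.

Added example, not the article's or any vendor's code. The inventory, SSID
and MAC addresses below are constructed placeholders.
"""
# Assumed inventory: each authorized AP with the security it must advertise,
# plus the MACs of the merchant's own POS terminals (Wi-Fi clients).
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": {"ssid": "STORE-POS", "security": "WPA2"},
    "aa:bb:cc:00:00:02": {"ssid": "STORE-POS", "security": "WPA2"},
}
AUTHORIZED_CLIENTS = {"de:ad:be:ef:00:01", "de:ad:be:ef:00:02"}
STORE_SSIDS = {"STORE-POS"}


def classify_sightings(ap_sightings, client_sightings):
    """ap_sightings: dicts {bssid, ssid, security, channel} seen by sensors.
    client_sightings: dicts {mac, bssid} (client and the AP it associated to).
    Returns a list of (severity, kind, identifier, detail) findings."""
    findings = []
    for ap in ap_sightings:
        bssid = ap["bssid"].lower()
        policy = AUTHORIZED_APS.get(bssid)
        if policy is None:
            if ap["ssid"] in STORE_SSIDS:      # unknown AP impersonating the store network
                findings.append(("high", "evil-twin", bssid,
                                 f"unknown AP advertising store SSID {ap['ssid']}"))
            else:                              # any other unauthorized AP in range
                findings.append(("medium", "rogue-ap", bssid,
                                 f"unauthorized AP '{ap['ssid']}' on channel {ap['channel']}"))
        elif ap["security"] != policy["security"]:   # authorized AP off policy
            findings.append(("high", "policy-deviation", bssid,
                             f"expected {policy['security']}, observed {ap['security']}"))

    for c in client_sightings:
        mac, bssid = c["mac"].lower(), c["bssid"].lower()
        if mac not in AUTHORIZED_CLIENTS and bssid in AUTHORIZED_APS:
            findings.append(("medium", "unauthorized-client", mac,
                             f"unknown client associated to store AP {bssid}"))
        elif mac in AUTHORIZED_CLIENTS and bssid not in AUTHORIZED_APS:
            findings.append(("high", "misassociation", mac,
                             f"POS terminal joined non-store AP {bssid}"))
    return findings


def sample_sightings():
    """Constructed sensor output covering each case the classifier handles."""
    aps = [
        {"bssid": "aa:bb:cc:00:00:01", "ssid": "STORE-POS", "security": "WPA2", "channel": 1},
        {"bssid": "aa:bb:cc:00:00:02", "ssid": "STORE-POS", "security": "OPEN", "channel": 11},
        {"bssid": "66:77:88:99:aa:bb", "ssid": "STORE-POS", "security": "OPEN", "channel": 6},
        {"bssid": "11:22:33:44:55:66", "ssid": "FreeWiFi", "security": "OPEN", "channel": 6},
    ]
    clients = [
        {"mac": "de:ad:be:ef:00:01", "bssid": "aa:bb:cc:00:00:01"},
        {"mac": "de:ad:be:ef:00:02", "bssid": "66:77:88:99:aa:bb"},
        {"mac": "c0:ff:ee:00:00:01", "bssid": "aa:bb:cc:00:00:01"},
    ]
    return aps, clients


if __name__ == "__main__":
    for severity, kind, ident, detail in classify_sightings(*sample_sightings()):
        print(f"[{severity}] {kind} {ident}: {detail}")
```

The inventory is the whole point: without a maintained list of authorized BSSIDs, client MACs and the security each must use, a sensor can only report "something is there", not "something is there that should not be".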
How merchants can secure mobile payment cardholder data
Mobile payments are a cost-effective, convenient payment solution for both consumers and merchants. But if merchants choose to accept payments over Wi-Fi, they need to ensure PCI DSS compliance or be subject to fines or worse. A dedicated WIPS that provides comprehensive Wi-Fi protection against the introduction of unauthorized devices and dangerous attacks, together with spectrum analysis for the detection of RF threats, provides the security needed to adopt mobile payment technology while meeting PCI DSS requirements. That investment ensures consumers and merchants get the most bang for their buck in mobile payment transactions.
About the author
Milind Bhise has over fifteen years of high tech and networking industry experience. Currently, he is responsible for product management and product marketing of the wireless LAN portfolio at Fluke Networks. The portfolio includes market leading WLAN deployment, design and analysis tools and AirMagnet Enterprise, a scalable WLAN security and performance monitoring solution. He has a Master’s in Engineering and an MBA.
For PCI DSS Requirements and Security Assessment Procedures, Version 2.0 (October 2010) see: www.pcisecuritystandards.org/documents/pci_dss_v2.pdf.
