online payment methods - steven murdoch · losses (£m) year 2004 2005 2006 2007 2008 2009 2010...

32
Online Payment Methods Dr Steven J Murdoch 1 Computer Laboratory

Upload: others

Post on 15-May-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Online Payment Methods

Dr Steven J Murdoch

1

Computer Laboratory

Page 2: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Visa and MasterCard

• What do they do?

• Some important tasks for online (and offline) payments:

• Run communication network

• Set standards

• Manage disputes between members

• Set contractual terms between members

2

Page 3: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Terminology

3

Page 4: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Terminology

4

Page 5: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Terminology

5

Page 6: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Loss

es (£

m)

Year

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

050

100

150

200

250

300

●●

● ●

●● ●

● ●●

●●

●●

●● ● ●

● ●

●●

●● ●

● ● ● ● ●●

●●

●● ●

●●

● ●

● ●● ●

● ●●

● ●

Card−not−present

CounterfeitLost and stolen

ID theft

Mail non−receipt

Online banking

Cheque fraud

Chip & PIN deployment period

Phone banking

How well does the system work?

6

Page 7: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

The EMV protocol

7

Page 8: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Counterfeit fraud

• Producing fake (typically magnetic stripe card) from harvested details

8

Page 9: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Liability engineering

9

Deployment of Chip and PIN• Chip and PIN was expensive for both all parties• Deployment was encouraged through “liability engineering”

Terminal

Card magstrip chip chip & PIN

magstrip Issuer Issuer Issuerchip Acquirer Issuer Issuerchip & PIN Acquirer Acquirer Issuer

• Liability pushed down the chain: acquirer ! merchant;issuer ! customer

• Led to rapid deployment, but this caused some problems• Still took 10 years

Page 10: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

The no-PIN attack

10

Page 11: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

The EMV protocol

11

Page 12: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

The no-PIN attack protocol

12

Page 13: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Online banking authentication

• Simple scam is to “phish” for account details

• Ask for username and password

• Low success rate, but just a few customers is enough to make investment worthwhile

• Actually moving money out is the high-risk part of the scam

• This is allocated to money-mules recruited supposedly to pay foreign staff

• Often the money mule will lose money and may be prosecuted for fraud

13

Page 14: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Hardening passwords

14

Page 15: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Replacing passwords (iTAN)

15

Page 16: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Man in the Browser

16

Page 17: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

MitB protection

17

Page 18: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Transaction authentication

18

Page 19: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Summary so far

• Counterfeit fraud

• Magnetic stripe fallback facilitated by Chip and PIN

• Lost and stolen/Mail-non-receipt

• no-PIN attack can bypass PIN protection

• Cheque fraud and ID theft

• Primarily not a technology problem

• Online banking

• Transaction authentication likely the way to move

19

Page 20: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Combining EMV with online banking

20

Page 21: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Combining EMV attacks with online banking

21

Page 22: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Card not present transactions

• Basic version: same as old card-present transaction

• Card number and expiry date sent back

• Can also send back CVV2 off back of card

• Can also perform address verification

• Every extra step will lose customers at check-out stage

• Some vendors will skip security measures

• Amazon don’t even perform CVV2 checks

• Leaves non-Amazon users at risk of fraud (though will eventually be refunded)

22

Page 23: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Acquirer interface for web based merchants

• Small web merchants will not deal directly with acquirer

• To allow international payments, many acquirers likely needed

• Merchants might like to avoid access to customer details as much as possible to reduce liability

• Examples of payment processors include

• Sage Pay

• Worldpay

• Paypal slightly different

• Hoped people would leave money in account; actually mostly ended up as payment processor

23

Page 24: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Example: Sage Pay (Form)

24

Page 25: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Example: Sage Pay (Server)

25

Page 26: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Example: Sage Pay (Direct)

26

Page 27: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

3-D Secure (Verified by Visa/MasterCard SecureCode)

27

Visa

Page 28: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

3-D Secure (Verified by Visa/MasterCard SecureCode)

28

American Express

Page 29: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

3D secure phishing vulnerability

29

Page 30: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

SOFORT Überweisung

30

Page 31: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Mobile payments

• May just be interface to online banking website

• mPESA and similar use mobile SIM as root of trust (serves underbanked)

• Barclays Pingit based around Direct Debit

31

Page 32: Online Payment Methods - Steven Murdoch · Losses (£m) Year 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 Total, ex phone (£m) 503 491.2 591.4 704.3 529.6 441.4 410.6 463 518.9

Summary and conclusions

• For card-present transactions, Chip and PIN was supposed to help

• Reality was more complex and fraud went up

• Card fraud is now dominated by card-not-present transactions

• Merchant pays cost, but extra security loses customer conversions

• For small merchants, much of the work is delegated to payment processor

• Online payment systems typically run on previous rails

• Credit/debit card (optionally with 3D Secure)

• Online banking

• Direct debit

32