Cyber threat to payment industry demands multi-layer defence

No industry is immune to cyber attack, and Mastercard believes the threat to the payment card industry demands a multi-layered approach, with a new fraud prediction tool in its arsenal

Although the payment industry is targeted by relatively few cyber attackers, they are becoming increasingly sophisticated, according to Ajay Bhalla, global security chief at Mastercard.

“These attackers are mostly organised crime groups who have the potential of doing a lot of damage because they are carrying out a very high volume of these attacks,” he told Computer Weekly.

As the industry has tightened security around physical payment cards, criminals have moved into the digital space. “Although only 20% of card payment transactions are online, this space accounts for 50% of all our fraud cases,” said Bhalla.

To counter the increasing sophistication of cyber criminal attacks, he said that working together and deploying multiple layers of security – both physical and digital – is the only way the payment card industry will prevent attackers from having an impact even if they breach issuers’ systems.

“In the payments industry, we have a thoroughly thought-out strategy, which actually secures the payment ecosystem very well,” said Bhalla.

“Our strategy is to put multiple locks in place to close all the doors to criminals in the cyber domain as we have done in the physical world, with security being in the design of all products,” he said.

A key component of physical card security is the EMV global standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions.

Bhalla points out that with the US moving to EMV in the past two years, the industry has closed all the doors to criminals seeking to compromise physical payment cards.

Mastercard has a long history of investing and innovating across multiple layers of technology – like EMV, tokenisation, physical and behavioural biometrics, and artificial intelligence – to protect every transaction.

With the move to more digital transactions, the EMV cryptographic technology developed for physical card security is also being used by the ApplePay, AndroidPay, SamsungPay, and Masterpass smartphone payment apps.

Mastercard is working to close all the doors in the digital world, adding to the existing prevention, detection and identity tools already in place.

These include the SafetyNet tool introduced two years ago to detect and block hacks in any issuers’ processing systems and the IdentityCheck tool that uses biometrics such as fingerprints, facial recognition, iris scans and heartbeat monitoring.   

Mastercard’s latest initiative in the digital security space is a predictive tool to combat card fraud after data breaches that is aimed at reducing the cost of fraud and protecting at-risk cardholders.

According to Bhalla, it can take as little as nine minutes for stolen card and account data to be used via the dark web, so to counter this, the Mastercard Early Detection System (EDS) provides banks with an alert for high-risk cards and accounts that are exposed in security incidents or data breaches.

The announcement of Mastercard’s EDS comes less than a month after credit rating agency Equifax revealed that as a result of a cyber breach, the personal details of 143 million US consumers and the Visa and Mastercard details of around 209,000 US consumers may have been accessed by cyber attackers between mid-May and July.

Knowing that not all compromised accounts will be used fraudulently, and every second counts, Mastercard developed the EDS to help banks take action faster, and pre-empt more serious attacks.

Bhalla said the number of cards from Mastercard affected by the Equifax breach is still being determined, but history has shown that not all compromised cards are used to commit fraud.

“Typically, it is only 3% to 5%, so the EDS is aimed at helping banks identify those cards, saving them from replacing all those affected by the breach,” he said.

The EDS will also benefit consumers because by identifying the cards most at risk, many card holders who otherwise would have had to get new cards issued will not have to do so.

The EDS uses Mastercard network insights, predictive capabilities and a combination of internal and external data sources to determine if a card or account is at risk – without even knowing about any specific breach – and sends an alert to the relevant bank, quantifying the level of risk.

Prioritising according to level of risk

The bank then uses the level of risk to more accurately prioritise what action to take – from monitoring transactions more closely to proactively issuing a replacement card.

“Knowledge is power, and this service helps banks act significantly faster and with greater precision to stop potential fraud before it occurs,” said Bhalla.

“Our card issuers can now proactively target the fraudulent activity resulting from previously breached or hacked data, helping them reduce costs and maintain the best possible cardholder experience.” 

The system is designed to capture all types of fraud across all transaction channels and identify everything from active criminal trading of account data and cards being tested prior to being used for fraud, to account data that appears at-risk, even if there is insufficient evidence to declare an account data compromise.

“This provides issuers with alerts on a much broader set of at-risk accounts at least six to 18 months ahead of traditional alerts, because breaches in which payment card details are exposed often go undetected for a long time,” said Bhalla.

Cyber fraudsters bide their time

Another reason fraud is not detected until months later is that cyber fraudsters will sit on data such as payment card details for months until they have collected enough personal data linked to the cards from other sources to execute a fraudulent transaction.

The EDS, which is available to issuers globally, is designed to be implemented quickly.

“If it were to take banks a long time to implement it would defeat the purpose, so a key part of the design is that it uses existing connectivity with card issuers and is reasonably quick and easy to turn on and get it up and running,” said Bhalla.

Although there’s some work to be done to add the new service and there are “some costs” to implement and run the EDS, he said the costs are “minimal” in comparison with the savings in terms of fraud prevention, issuing new cards and alerting customers, so Mastercard expects most banks to sign up.
