Black Hat Europe Q&A: Exposing The Weaknesses In Visa's Contactless Payments

Researchers Leigh-Anne Galloway and Tim Yunusov chat about their work testing the weaknesses in Visa's contactless payments security ahead of their Black Hat Europe Briefing.


Countless financial transactions are conducted every day by customers using contactless payment systems, and next month two security researchers from Positive Technologies will show Black Hat Europe attendees how vulnerable those transactions are to bad actors.

In their Black Hat Europe Briefing, "First Contact - Vulnerabilities in Contactless Payments," Positive's Leigh-Anne Galloway and Tim Yunusov aim to show how they successfully bypassed (among other things) Visa's £30 limit on contactless payments made via physical card in the United Kingdom. They'll also teach you about a few critical weak points in contactless payments, including flaws in key generation values, the unpredictable number, and more.

Here, the pair chat briefly about their work, what they've learned, and why they feel it's so important for Black Hat attendees to pay attention to the state of cybersecurity in the financial sector.

Alex: What do you hope to accomplish by giving this talk at Black Hat Europe?

Leigh-Anne: There are probably two outcomes that we'd like. The first is that payment security is just a very under-subscribed area, so by talking at a venue like Black Hat, it means we're hoping to interest other researchers in payments. There are incredibly high barriers, or at least it seems that way from the outside, but we want to show people that that's not quite the case, and that it is possible to work in this area.

That would be the first part. Secondly, one thing we noticed is that even though we have this big growth in the financial sector, where over the last year we've seen all these digital-only "neo-banks" spring up, and at the same time payments are being monopolized at the highest level. If you look under the surface of these new digital banks, a lot of them sit on the infrastructure of existing financial institutions. Like, other brick-and-mortar banks. And if you go higher up the levels of the payment infrastructure, it becomes more and more like a monopoly.

So one of the problems with that is, when you don't have much competition, you sort of stagnate in terms of the standards. So that means that people like Visa and MasterCard can dictate how they want to work and how they want to operate in the marketplace, and no one else regulates them, because they are the regulators of everyone else. And so that's a little bit problematic, from our perspective. Although it's quite hard to see how that would change without banks... so the issue requires us to apply a bit of pressure.

Alex: A Visa rep was quoted in a Forbes article responding to your research by suggesting it wasn't a threat worth addressing. How do you feel about that response?

Leigh-Anne: Initially it was a bit infuriating. That comes back to the reasons why they're able to do this, because they don't really have any competition at the highest level.

Visa and MasterCard have slightly different stances on how they approach things; it is rather infuriating, and I would imagine that some of the banks feel a bit similar, because it's sort of them saying "we can't be bothered to do anything about that," whereas if you reported a security issue to a big corporation like Google, even if the issue wasn't so significant, they'd probably resolve it rather than saying "we don't want to do anything about it, go on your way."

So yeah, it's a little infuriating, because there isn't, for example, a formalized set of processes in the payment sector to deal with these things in the way that we see in bug bounty programs elsewhere, where you would formalize a process for how to categorize the risk of security issues, and how to resolve them.

But their stance is actually... in a lot of cases Visa says, based on their own data -- though they don't provide any clarity on what that data is -- but they say "based on our own data, we don't see applications of this attack in the wild, and therefore we're not going to do anything about it."

And it's not just us; there's been lots of other high-profile examples of researchers finding issues and having a similar response, specifically from Visa, where they sort of say "oh this is just an academic example, so we're not going to do anything about it. We don't see this as a real threat." So that's pretty challenging.

And when we look at this idea [banks promote] that contactless payment systems have resulted in fraud reduction, you find really different views on this. So Visa just published a statement, at the same time that we released information about our research, to say that they had a 40 percent reduction in fraud in contactless payments over the last two years. But if you look at the footnote, it says the source is just "Visa data" and there's no explanation of the actual source. But if we look at data in the UK, if we look at the actionable data collected by the police, which is probably gonna be on the conservative side because a lot of fraud doesn't get reported to police, there are some significant losses. So it's really hard to know what's going on, because [Visa] can just say whatever they want to say.

Alex: As I understand it, this vulnerability is a kind of man-in-the-middle attack which takes advantage of some weaknesses in Visa's security protocols. Is that on point, and if so, how could they fix it?

Tim: So back in the day actually, when there were 3 major giants, Visa, MasterCard and Europay... they agreed to follow some basic procedures to enhance the security on the NFC chips. And they agreed that they all would follow pretty much the same standards, but later when NFC was implemented, they were much much bigger companies, and no one actually can influence them, and they decided to take different approaches.

So MasterCard said okay, we're gonna keep the same security level on our NFC cards and we'll follow those measures, but Visa they ended up... so the NFC transaction is where it's slow, so it took literally seconds to hold the card near the terminal, and Visa decided that this was absolutely not business-oriented; it would kill their profit. So they tried to cut it down to the minimum necessity when it comes to security checks; they still have them, but it's not obligatory anymore; it's not mandatory. And they've decided that okay, as long as fraud will probably not hit us from this, we are alright with that. And we are going to cover all customers' expenses... that's basically how it ended up, by having different approaches and different security levels between these companies.

Alex: What are you hoping Black Hat Europe attendees will get out of your talk?

Tim: Leigh-Anne pointed out two main reasons to come to this talk. The first is that payments is a really under-explored area which really requires a lot of hackers to change the status quo. The other is that we obviously address things... it's not something which customers will suffer from, as long as they ask for any potential fraud to be reimbursed. That's why we decided to publish videos of our research before our presentation, back in August, and we've had so many requests from banks and different payment institutions to ask "guys, what can we do to address this, how can we make this more secure?" So this is sort of a warning for financial institutions, and if you trust your vendors that's okay, but you still can make some changes.

Leigh-Anne: In slightly more plain language, I always try to think of payments as something everyone interacts with every day, but yet we have very little knowledge about, broadly speaking.

I mean we have a lot of assumptions about how they work, so with the work that we do, and the presentation we're giving, we're hoping to remove some of that mystery and reveal a bit about how payments work. And encourage people to get involved in this area, because it is massively undersubscribed, and there is a lot of work to be done.

Alex: Do you think more financial institutions should be implementing bug bounty programs, the way many tech companies do?

Leigh-Anne: I think it could be helpful. I think there's a different view among some of those newer banks, the neobanks, where we're finding some of them have adopted a bug bounty approach. But most of them don't have any sort of formal framework, and if you look at the larger institutions, like HSBC, if you want to report a security issue to them, it's almost impossible to work out how to do that.

I remember actually contacting customer services on chat and they said "oh you can just tell us, and we'll pass along the information." Which... isn't the appropriate way to share that information. But these are some of the challenges that we face. So I think it would probably accelerate a security standard; I mean of course the financial industry is pretty heavily regulated, but those standards don't necessarily correlate strongly with security, as we know. You can be fully compliant and still be breached.

So yeah I think it would probably change that, and it would probably get a lot of people more interested in banks, because they would feel like "okay, here's a proper framework in which we can work". I think some people look at the work we're doing and question whether they can do the same thing; where it sits, neatly.


Learn more about Leigh-Anne and Tim's Briefing (as well as lots of other cutting-edge content) in the Briefings schedule for Black Hat Europe, which returns to ExCeL London December 2-5, 2019.

For more information on what's happening at the event and how to register, check out the Black Hat website.