BayPay Forum BayPay Forum


Telecom Company Three Mobile Breached in Scam

Category: Security News

Data Breach, Fraud

Firm Apologizes, Faces Complaints Over Slow Notifications

Jeremy Kirk (jeremy_kirk) • November 21, 2016

Three Mobile, one of the largest U.K. mobile providers, has apologized after scammers gained access to its systems, ordering new phones for a handful of the company's customers with the intent of intercepting the deliveries and committing fraud.


The fraudsters accessed a database that's used for upgrading consumers to new devices. All told, 133,827 accounts were at risk, but only eight customers had been upgraded without their knowledge.

"I understand that our customers will be concerned about this issue, and I would like to apologize for this and any inconvenience this has caused," writes Three Mobile CEO David Dyson in a Nov. 18 statement posted on the company's website.

The breach also exposed some customer information, Dyson writes. No bank account details, passwords, PINs or payment card information were stored on the upgrade system. Three Mobile has since put in place additional security measures.

"We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently," Dyson writes. "We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have."

Slow To Notify

Three Mobile didn't provide an explanation for how attackers managed to gain access to so many accounts.

In a Q&A on its website, Three Mobile says "upgrade fraud of this type is an ongoing industry issue." Three has been notifying customers via text message and advising them to change their account passwords.

Three Mobile says it has also notified regulators. The company has already been hit with some criticism for waiting too long to notify customers, according to The Daily Telegraph. Three Mobile responded to queries about the breach on Twitter, and news stories popped up before the company published information on its website.

Three Arrests Made

Dyson writes that the company has been working closely with law enforcement, which has made three arrests.

The BBC reported that the National Crime Agency arrested a 48-year-old man from Kent and two men from Greater Manchester. All were released on bail. A Three Mobile spokesman told the broadcaster that the online fraud came concurrently with a spike in burglaries of retail stores, which has so far caused the loss of 400 phones.

Mobile phones are an attractive item to steal, as the resale value can be high and the devices can be easy to offload.

TalkTalk Update

Three Mobile's breach comes just a month after regulators levied a record fine against the London-based mobile and broadband provider formerly known as TalkTalk. Six suspects, nearly all teenagers, were arrested in connection with attempts to blackmail the company.

The week-long cyberattack in October 2015 allowed the attackers to access names, birthdates, addresses, phone numbers and email addresses for 156,959 TalkTalk customers. Bank account details and sort codes were exposed for 15,656 accounts, according to the Information Commissioner's Office.

TalkTalk was stung last month with a £400,000 fine, the largest-ever penalty from the ICO (see TalkTalk Slammed with Record Fine Over Breach).

TalkTalk's vulnerabilities stemmed from weak infrastructure that fell under its wing with its acquisition of Tiscali UK in 2009. The ICO found the attackers used SQL injection flaws in web pages that were part of Tiscali's infrastructure.

SQL injection is a technique in which malicious commands are entered into web-based forms. SQL databases that are not securely configured may respond to those commands and reveal sensitive data. The TalkTalk attackers managed to reach a customer database, which was outdated and no longer supported by the manufacturer, the ICO says.


Why Merchants Object to Visa's EMV Debit Routing Rules

Category: Security News

Last week, retail associations representing thousands of U.S. merchants asked Visa to clarify how the card brand planned to level the playing field for EMV adoption in the U.S. - especially for routing for EMV debit payments.

In a Nov. 16 letter to Visa, leaders from the Retail Industry Leaders Association and the Merchant Advisory Group claim that Visa has taken steps to "circumvent merchants' legal right" to choose the network over which a debit transaction will be routed. This, the retailers say, goes against a Nov. 2 "frequently asked questions" guide published by the Federal Reserve, which clarifies that no card network can inhibit merchant routing choices, even by requiring technical specifications that could inhibit merchant routing options.

Mark Horwedel, CEO of the Merchant Advisory Group, which represents 108 of the largest U.S. merchants, says a number of Visa's rules and practices are being called into question, with some being investigated by the Federal Trade Commission. He contends that Visa has unlawfully limited or eliminated merchants' ability to route debit transactions through other networks by forcing them to deploy a certain technology and/or adhere to certain technical specifications.

"We want it clarified by the card brands, Visa in particular, for all of the various constituents of the payment ecosystem, that debit routing is the merchant's choice and the merchant's choice alone," Horwedel says in this exclusive interview with Information Security Media Group. "The Fed has come out and said that. We've known it all along - that's always been our interpretation. ... And I think it needs to be very clear - and Visa, in particular, needs to say that it's the merchant's choice and nobody else's choice on how to route debit transactions."

Visa tells ISMG that it plans to respond to the Fed's FAQ and the letter from retailers later this week.

FTC Inquiry

In Visa's annual report, which was released Nov. 15, the card network notes that an inquiry launched by the Bureau of Competition, part of the FTC, into whether Visa's optional PIN Debit Gateway Service violates certain regulations is now closed.

"On July 28, 2016, the bureau notified Visa that the bureau is conducting an investigation into whether Visa's requirements for EMV chip inhibit merchant routing choice for debit card transactions," Visa states. "Visa is cooperating with the bureau."

MAG and other groups argue that Visa's dominant role in U.S. debit - Visa debit payments account for 52 percent of all U.S. debit transactions - has given it an unfair business advantage in the migration to EMV chip cards, which are designed to enhance security.

"The rollout of EMV technology has been woefully mismanaged by the card networks," retailers note in their Nov. 16 letter. "The Federal Reserve declaration is the latest in a long list of examples of that mismanagement."

In this interview (see audio link below photo), Horwedel discusses:

  • Why he contends the U.S. rollout of EMV is to blame for most of the routing concerns merchants face today;
  • Why the Fed's FAQ was published in response to widespread merchant demand; and
  • How the Fed's findings might help to level the debit routing playing field for PIN debit networks in competition with Visa and other card networks.

Horwedel has more than 30 years of experience in the payments industry. Before joining the Merchant Advisory Group, he was CEO of Money Network, a PIN debit network, and director of payments at Walmart. He pioneered shared ATM services, introducing PIN debit at the point of sale, and successfully lobbied for the Durbin amendment to the Dodd-Frank Wall Street Reform Act.


More Dodgy Firmware Found on Android Devices

Category: Security News

Mobility

Deep Problems Persist in Low-End Android Supply Chain

Jeremy Kirk (jeremy_kirk) • November 21, 2016

BLU Products, a U.S. manufacturer of low-cost Android smartphones, has patched yet another vulnerability within Chinese-made firmware that shipped in its devices, albeit 11 months after security analysts first raised flags. It's another persuasive reason to perhaps steer clear of super-cheap, Android-powered smartphones from less established manufacturers.


Once again, the vulnerability is in FOTA, or firmware over-the-air, software, which manages the distribution of firmware updates to large numbers of mobile devices. Firmware is low-level code in an operating system that, if faulty, can be a risk to personal data stored on a device.


The code also shipped in devices from other Android manufacturers, including Infinix, Doogee, Leagoo, Iku, Beeline and Xolo, although it's unknown if some of those firms' devices are vulnerable.

Carnegie Mellon University's CERT says in an advisory that the software's behavior "could best be described as a rootkit." The software comes from Ragentek of Shanghai, a mobile phone manufacturer and software developer.

Officials with BLU Products, which is based in Doral, Fla., could not be reached for comment, but CERT's advisory indicated that BLU issued a patch on Nov. 11. The company's devices are sold at retailers including Best Buy and Amazon.com.

AnubisNetworks, which is owned by BitSight, published a blog post on Nov. 17 describing its findings. Other researchers had flagged issues on Twitter with Ragentek's software in January.

BLU's Studio G

AnubisNetworks bought a BLU Studio G smartphone, which was first released in January 2015, at Best Buy. The researchers set it up and then watched network traffic coming to and from the device. Oddly, they found it was trying to reach several domain names that had been hard-coded into the firmware.

Ragentek didn't control those domains. In fact, the domains weren't even registered. The BLU phone tried to reach the domains using an unencrypted connection, which opens up a range of possible attacks.

AnubisNetworks registered the domains, which allowed it to get a rough idea of how many devices might be affected, a technique known as sinkholing.

"We have observed over 2.8 million distinct devices, across roughly 55 reported device models, which have checked into our sinkholes since we registered the extraneous domains," write Dan Dahlberg, a BitSight research scientist, and João Gouveia, who is the CTO and co-founder of AnubisNetworks.

The researchers warned that if attackers had registered the domains instead, "they would've instantly had access to perform arbitrary attacks on almost 3 million devices without the need to perform a man-in-the-middle attack."

Ragentek's binary also runs as root, a level of access that gives it complete control over the device.

Spotted Before

In January, the nonprofit research group MalwareMustDie published a post on Pastebin that came to essentially the same conclusion as AnubisNetworks. It's unclear why it took so long for the issue to be resolved, especially for such a serious vulnerability.

But researchers often have trouble flagging the interest of manufacturers and software developers, some of whom aren't terribly responsive to security reports. The lack of alarm often becomes more common down the software food chain where vendors compete largely on costs rather than other merits, such as security.

Last week, attention was focused on BLU Products after Kryptologic, an enterprise mobile security company, found one of its devices transmitted call logs and text messages every 72 hours to a server in Shanghai (see Why Did Chinese Spyware Linger in U.S. Phones?).

The FOTA software was made by Shanghai Adups Technology. Again, analysts had flagged the Adups software in the past for glaring software vulnerabilities.

BLU updated its products, and Adups apologized. The Chinese company said the version of the FOTA software that ended up on the BLU phones was actually intended for other clients.

The reason the software transmitted call logs and text messages was to enable better blocking of spam and unwanted marketing calls, Adups said. But the software just as easily could have been used to spy on consumers, an alarming finding given its origin in China, which closely monitors online communications of its citizens.


Madison Square Garden, Radio City Music Hall Breached

Category: Security News

Data Breach, Fraud, Payments Fraud

Cardholder Data Was Stolen For Nearly a Year Before Discovered

Jeremy Kirk (jeremy_kirk) • November 23, 2016

Cybercriminals broke into the payment card processing system used by the Madison Square Garden Co., owner of Radio City Music Hall and other iconic entertainment venues, harvesting payment card details for nearly a year.


The company was notified after banks noticed transaction patterns that indicated a possible fraud concern. An investigation last month found malware that looked for payment card information as it was routed through the system for authorization.

"The program was designed to find data read from the magnetic stripe of a payment card - data that may contain the card number, cardholder name, expiration dates and internal verification code," according to a notice on MSG's website.

Stronger Defenses

MSG says it stopped the intrusion in late October with the assistance of security firms and put in place enhanced security measures. Law enforcement has been notified, the company says.

MSG didn't estimate the number of cards affected. The attack targeted cards that had been used to purchase food, beverages and other merchandise between Nov. 9, 2015, and Oct. 24, 2016, at Madison Square Garden, Radio City Music Hall, Beacon Theater, the Theater at Madison Square Garden as well as the Chicago Theater.

Not all cards used at those locations were affected, MSG says, and the breach didn't affect other purchasing systems. "This incident did not involve cards used on MSG websites, at the venues' box office or on Ticketmaster," the company notes.

Payment card breach notifications such as this one occur with regularity despite well-publicized breaches of major retailers including Target and Home Depot over the past few years (see Malware: Examining the Home Depot Breach).

In July, fast-food chain Wendy's said 1,025 U.S. restaurants owned by franchisees discovered that malware had been installed on their point-of-sale systems. As in other breaches, the cybercriminals likely used access credentials from other service providers who had access to Wendy's systems, which allowed for the deployment of malware (see Wendy's Hackers Took a Bite Out of 1,000+ Restaurants).

PCI-DSS Challenges

For more than a decade, the payment card industry has pushed compliance with the Payment Card Industry Data Security Standards to better secure cardholder data and processing systems. But even if retailers follow the guidelines, it's no guarantee against a breach.

PCI-DSS is complicated, and a seemingly innocuous change to payment processing infrastructure can open up weaknesses to attackers. Plus, anti-virus software does not always catch specially crafted malicious software.

Last October, the payment card industry imposed liability on U.S. retailers that do not have compatible equipment to process cards with a microchip that provides stronger security. These so-called EMV cards make stolen card data more difficult to use (see Merchants Ask Court for Relief from EMV Liability Shift).

If criminals try to clone a payment card by copying stolen data, the network should recognize the card doesn't have the microchip and deny the in-person transaction. But the stolen data could still be used for card-not-present transactions. Regions where payment cards have microchips have typically seen that type of fraud rise.

Once stolen, the card details are sold on underground forums. Other fraudsters purchase the details based on the estimated value of the card. So much payment card data is stolen that the sale value of the cards can be low. Fresh influxes of newly stolen cards are needed, however, as banks move to cancel cards that have been used for fraud or are at high risk.
