Tuesday, November 10, 2015

The Unintended Consequences of EMV (Pin and Chip) or The Water Balloon Effect

As of October 1st, 2015, merchants in the United States can potentially be held liable for fraud occurring on their PoS if the EMV (aka Pin-and-Chip) systems aren’t rolled out. If you’re like most people, you’ve probably received a new debit/credit card in the mail with the ability to use this new card at any EMV PoS at your favorite retail store. In my opinion this was a long time coming and I’m glad the legislation was made to have these systems pushed on retailers. Just like anything else, this doesn’t completely protect people, but it’s head and shoulders above what we had in the past. My concern, though, is that we’ll see adverse effects in other areas of the industry as a direct result of securing a heavily targeted area.

Let me use the analogy of a water balloon for a moment. The water balloon can take on multiple oblong shapes depending on what area of the balloon is squeezed. If you pinch one area of the balloon, the water will be pushed to another section, filling it in and changing the shape. If you release the section you’re applying pressure to, the water will refill areas that were previously closed off, changing the shape again. At this point I think you’re wondering what EMV, cyber security and water balloons have in common with each other, so let me see if I can make this clearer. The example of the water balloon shows that if something is being blocked, or not allowed to flow, it will be displaced to another part of the balloon, but the fluid in the balloon won’t be eliminated. It is similar with EMV chip-and-pin cards and cyber theft. Attackers are going to come after you, they’re not going to stop, and if they’re having issues compromising the new PoS systems, they’ll attack elsewhere. Remember, they’re opportunistic. Whatever can give them the most bang for their buck is where they’ll focus their energy. They’re not going to disappear.

With this being said, if we eliminate a very juicy and common target for attackers to feast on, what will they do? Will they invest money into breaking EMV systems? Maybe. Will they attack retailers that don’t have these EMV PoS deployed in their network? Most likely. Will they start broadening their horizons to untapped areas to keep making money? Definitely. Think about that for a minute. Fixing an issue that people have been calling to have fixed for years could potentially cause other sectors, or areas of the industry, to be brought under attack. That’s what I’m calling the “water balloon effect”: the unintended consequences of directing malicious attention elsewhere, due to the remediation of a highly targeted area. There are many other sectors and areas of attack that we’ve seen grow over the past year (mobile malware, healthcare hacks, CryptoLocker, etc.) and it would be interesting to see if these attacks grew exponentially over the next year, while PoS compromises decreased. If this is the case, what can we do going forward to alert other sectors to the “water balloon effect”? For the complete safety of the general community we should at least be aware that this theory is in place and that when we see a highly targeted exploitable risk remediated, we should start considering where that displaced water is going to end up.

This isn’t meant to be some type of fear-mongering tactic to scare people into thinking bad things will occur, but the fact is we should be prepared over the next couple of months to see where this goes. The old-school PoS systems were such easy wins for hackers, and if they’re not going to be easy to compromise now, there’s the possibility of an attack shift towards other areas or sectors. My only real advice is to determine what data attackers would want to compromise now and start getting your arms around it. I’m hoping you’re doing that now, but unlike other times in the past, this might be the calm before the storm for a few unsuspecting industries. Let’s embolden each other to take steps to prepare now while we still can.
