As of October 1st, 2015, merchants in the United States can be held liable for counterfeit-card fraud occurring on their PoS if they have not rolled out EMV (aka Chip-and-PIN) systems. If you're like most people you've probably received a new debit/credit card in the mail that can be used at any EMV PoS at your favorite retail store. In my opinion this was a long time coming, and I'm glad the card networks' liability shift was put in place to push these systems onto retailers. Just like anything else, this doesn't completely protect people (the shift covers counterfeit-card fraud at the terminal, and a chip does nothing for card-not-present fraud online), but it's head and shoulders above what we had in the past. My concern, though, is that we'll see adverse effects in other areas of the industry as a direct consequence of securing a heavily targeted area.
Let me use the analogy of a water balloon for a moment. The water balloon can take on multiple oblong shapes depending on what area of the balloon is squeezed. If you pinch one area of the balloon, the water is pushed to another section, filling it in and changing the shape. If you release the section you're applying pressure to, the water refills the areas that were previously closed off, changing the shape again. At this point I think you're wondering what EMV, cyber security and water balloons have in common with each other, so let me see if I can make this clearer. The water balloon shows that if something is blocked, or not allowed to flow, it will be displaced to another part of the balloon; the fluid in the balloon is not eliminated. The same holds for EMV chip-and-PIN cards and cyber theft. Attackers are going to come after you, they're not going to stop, and if they're having trouble compromising the new PoS systems, they'll attack elsewhere. Remember, they're opportunistic. Whatever gives them the most bang for their buck is where they'll focus their energy. They're not going to disappear.
With this being said, if we eliminate a very juicy and common target for attackers to feast on, what will they do? Will they invest money into breaking EMV systems? Maybe. Will they attack retailers that don't have EMV PoS deployed in their network? Most likely. Will they start broadening their horizons to untapped areas to keep making money? Definitely. Think about that for a minute. Fixing an issue that people have been calling to fix for years could bring other sectors, or areas of the industry, under attack. That's what I'm calling the "water balloon effect": the unintended consequence of directing malicious attention elsewhere by remediating a highly targeted area. There are many other sectors and areas of attack that we've seen grow over the past year (mobile malware, healthcare hacks, CryptoLocker-style ransomware, etc.) and it would be interesting to see whether these attacks grow sharply over the next year while PoS compromises decrease. If this is the case, what can we do going forward to alert other sectors to the "water balloon effect"? For the safety of the general community we should at least be aware that this dynamic exists and, when we see a highly targeted exploitable risk remediated, start considering where that displaced water is going to end up.
This isn't meant to be some type of fear-mongering tactic to scare people into thinking bad things will occur, but the fact is we should be prepared over the next couple of months to see where this goes. The old-school PoS systems were such easy wins for hackers, and if they're not going to be easy to compromise now, there's the possibility of an attack shift towards other areas or sectors. My only real advice is to determine what data attackers would want to compromise now and start getting your arms around it. I'm hoping you're doing that already, but unlike other times in the past, this might be the calm before the storm for a few unsuspecting industries. Let's embolden each other to take steps to prepare now while we still can.