Of all of the threats that make security executives sweat at night—including terrorism, profit-hungry cyberthieves, careless employees, and the so-called disgruntled workers—the one that is the most dangerous and the least feared is simple capitalism. Put even more directly, the companies that have the greatest ability to impact security generally have the least financial incentives to do so.
The most obvious examples of this are payment card procedures. Retailers have begged the banks and card brands for years to take over card security. Given a choice between Myron’s House Of Gravel (one location) and Chase Manhattan, which do you think is better positioned to secure payment card information? But the banks and the brands have the power to refuse, so it’s merchants who have to house and protect the data.
With mobile, this economic issue becomes even more apparent. Where should payment card data be saved during a mobile transaction? Retailers are deciding this issue, and the debate is not focused on what’s the most secure method. It’s focused on the approach that will cost the least.
Biometrics is a less obvious proof point. Of all the many biometric approaches (fingerprint, voice print, retina/iris scan, facial shape, DNA, palm geometry, scent and even behaviorals such as typing rhythm and gait) available today, the one that is overwhelmingly chosen is fingerprint. And fingerprint is widely considered the least accurate of any biometric option. There are plenty of people whose fingerprints are too shallow to scan accurately. But fingerprint is the cheapest approach, so that is the decision. It’s not merely a factor. It’s the deal closer.
Yes, it’s certainly true that economics always has to play a crucial role. After all, what’s the point of deploying a secure system if it forces the company to go bankrupt 10 months later? But we’re not even seeing retail chains giving security effectiveness a strong influencing effort.
What brings this to mind now is some very interesting analysis from Cambridge University about the 3DS protocol, which is branded as Verified by Visa and MasterCard SecureCode. The report concludes that the protocol is terrible and insecure, but economically bulletproof. Therefore, it will almost certainly remain. Once again, in the battle between economics and security, there’s not a lot of reason for security to even bother showing up.
“It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. It’s bad enough that EMV Verified by Visa and MasterCard SecureCode have trained cardholders to enter ATM PINs at terminals in shops. Training them to enter PINs at random E-Commerce sites is just grossly negligent,” wrote Cambridge University’s Steven J. Murdoch and Ross Anderson.
But they got the economics right and that’s all that retailers seem to care about. Although “other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology, they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology but got the economics right, at least for banks and merchants. It now boasts hundreds of millions of accounts.”
One of our readers, a senior security executive with one of the largest retail chains, pointed the finger of blame at Visa, albeit via an anonymous comment posted to the story. (We know who our posters are or else we wouldn’t publish their comments.)
“As long as Visa can continue hand-waving, blaming security faults on retailers, processors, web sites, and everybody but themselves, they can keep raking in the interchange fees. They don’t even accept responsibility for the losses due to fraud because of these weak protocols: those flow to the merchant or to the bank. Visa has every financial incentive to keep the current confusing, insecure model around as long as possible,” the retail exec wrote. “No single retailer (except possibly WalMart) is large enough to orchestrate a change in protocols. A single bank could bring out a secure system for its customers, but it would be more complex than a simple credit card, and customers have incentive to stay with ‘simple’ mag stripes as the mandated $50 limit protects them from liability. And no government agency is going to mandate a security change, as those would be railed against as ‘expensive’ or ‘anti-business.’ It won’t get fixed because the current screwed up system is too profitable for Visa. How screwed up is that?”
The issue is legitimate, but Visa is hardly solely to blame. It’s a for-profit business. No, the blame is much more widespread. If retailers, consumers, banks and others—along with the federal and various state governments—go along for the ride, what does Wall Street truly expect Visa to do?
Security isn’t free or easy. But if you value the safety of your information, your people and your facilities, you have to make the investment. At the risk of sounding melodramatic, the reference to terrorists in the opening of this column was not an accident. The job of terrorists is to cause as much terror, pain and loss of life as possible with the least risk. What better way to attack a digital capitalistic society than to turn their own devices against them? But why stop with commercial aircraft?
We can expect that among the next wave of attacks will be cybermurder. This is a heads up to security managers in all kinds of businesses. This is not just for nuclear power plant and water operations. An attack on ATM networks could help cause panic, along with assaults on investment houses. But why not try and shut down all Wal-Mart POSes? Perhaps attacking select central ExxonMobil networks—plus some other large petro chains—and the ability for Americans to drive anywhere could be crippled within a few days.
Attacking millions of consumer PCs is nice, too. Maybe shutting down cellphones in major cities? (Actually, skip that one. AT&T and the iPhone have already pretty much accomplished that.)
There’s a reason that terrorists like to plant bombs in Israeli pizza shops. Because a neighborhood pizza joint is a pleasant nicety of the community. You want to strike terror? Hit there. American companies tend to give real security short shrift because they see it as an unlikely threat. I’m sad to report that there are no unlikely targets anymore.
Evan Schuman is a guest blogger on the McAfee Security Insights blog. Evan is the founder and Editor-in-Chief of StorefrontBacktalk.com, a global site that tracks retail IT and E-Commerce issues for readers. He also writes the weekly Retail Realities column for CBSNews.com. More on Evan can be read on his author page. The opinions in this blog are the author’s, not necessarily those of McAfee.
Tags: Cybercrime, Data Protection, mastercard, retail, visa
How did the security report on 3DS only get partially quoted? One issuer used PINs for identity verification.
“The 3DS specification only covers the communication between the merchant, issuer, acquirer and payment scheme, not how customer verification is performed. This is left to the issuer, and some have made extremely unwise choices. For instance, one bank asks for the cardholder’s ATM PIN. It’s bad enough that EMV Verified by Visa and MasterCard SecureCode has trained cardholders to enter ATM PINs at terminals in shops; training them to enter PINs at random e-commerce sites is just grossly negligent.”