South Korea New Target for Payment FraudSome Experts Say Merchants Are Slow to Implement Chip Cards, Security Measures
Threat actors are increasingly targeting the APAC region - especially South Korea - for payment card fraud, according to recent report from Gemini Advisory.
For example, a group of hackers recently stole information on more than 1 million credit cards in South Korea, targeting transactions made at point-of-sale terminals.
The Gemini Advisory report says more than 1 million credit card records from South Korea have been posted for sale on the dark web since May 29, 2019.
"South Korea's high card-present fraud rates indicate a weakness in the country's payment security that fraudsters are motivated to exploit," says Stas Alforov, security researcher at Gemini Advisory. "As this global trend toward increasingly targeting non-Western countries continues, I feel both the supply and demand for South Korean-issued CP records in the dark web will likely increase."
The statistics illustrate the growth of the problem. Alforov says 42,000 compromised South Korean-credit card records were posted for sale on the dark web in May. That number grew to 230,000 in June and 890,000 in July.
Missing Security Steps
Alforov tells Information Security Media Group that the failure of many South Korean merchants to shift to accepting EMV chip card transactions at their POS devices appears to have contributed to the surge in credit card information theft, along with a failure to take other security steps. Another factor, some experts say, is a lack of security measures at POS integrators. (see: Mastercard's Ron Green on Payment Card Fraud)
"In this particular case, it appears that while South Korea mandated the switch to EMV at the end of 2018, there are still some merchants lagging behind, which is why we are seeing over 1 million card-present records compromised" because of data stolen from magnetic stripe card transactions, he says. EMV cards store encrypted data on a chip, making card-present data theft far more difficult.
"Even with EMV-enabled cards, on occasion we have to swipe [the magnetic stripe] if the chip has been damaged and unable to be read," says Prakash Kumar Ranjan, IT risk manager at CNH Industrial, a Netherlands-headquartered capital goods company. "And if the POS device is not EMV compliant, the EMV cardholder still has to swipe, negating all the securities of the EMV enabled the card."
POS Devices Targeted
POS devices are attractive targets for malware-based attacks. "Since a POS device relies heavily on a lot of software, it is possible for a fraudster to insert malicious code," says Sriram Natarajan, president and COO at Quatrro Processing Services. "With the growth of mobile POS, the vulnerabilities have increased as these rely more on the software, and the security that a hardware device provides is toned down considerably."
POS malware can scrape random-access memory to obtain card information from a device's temporary memory before it is initially encrypted, Alforov explains. "The threat actor thus captures the desired plaintext card data and can encrypt it and send it back to their own server," he adds.
"Though most payment companies and merchants have been asked to shift to EMV and implement various security measures, many merchants decline to use these protective services to reduce costs," Alforov says. "Merchants often prefer to lower transaction costs by avoiding these security options, but the devastating effects of large-scale breaches reveal the flaws in this calculus."
In addition to lax security at merchants, in some cases, POS integrators, which install and managing POS systems, also skip security steps, according to a report from Sikich, a technology auditing firm.
"The integrator might use the same username and password to provide remote support for their merchant customers, despite this being a violation of PCI DSS requirements," the report states. "Moreover, the remote access tool involved may only use single factor authentication, which is again in violation of PCI DSS requirement."
Risk Mitigation Steps
Essential steps to help cut down on card-present transaction fraud in the APAC region, experts say, include continuous education of all parties on the importance of accommodating EMV chip card transactions, regular updates of POS software, vulnerability tests of POS systems, as well as conducting proper due diligence prior to engagement of third-party service providers.
"There is no other way out," Natarajan says. "Regulators need to crack the whip on merchants who are not following security orders. Merely stating security measures on paper will do no good".
Experts also suggest the use of two factor-authentication to thwart hackers.
Alforo says 3DSecure products can help reduce fraud. "These services implement stronger transactional authentication through biometrics, risk-based authentication, artificial intelligence and behavioral analytics."