Online Payments: Attack and Defense

This talk explores the threat landscape faced by online merchants accepting card payments. It provides an overview of card-not-present transactions and the roles of merchants, issuers, and cardholders. The session delves into three major types of threats, examining the value they present to attackers and offering insights into detection and mitigation strategies.

This talk begins with a detailed examination of the anatomy of a credit card, emphasizing the importance of the Primary Account Number (PAN) in the transaction process. It then transitions to a brief history of card-not-present (CNP) transactions, outlining the roles of merchants, issuers, acquirers, and card networks within the payment ecosystem.

The core of the presentation focuses on three specific types of attacks that online merchants encounter:

  • Data Thieves: These attackers seek to steal card details by intercepting data in transit or accessing stored card data. The 2018 British Airways hack, which compromised 380,000 cardholder details, serves as a prominent example. The talk underscores the critical importance of PCI-DSS compliance in safeguarding cardholder information.
  • Card Testers: Often using automated scripts, card testers exploit merchant systems to validate stolen card details. The discussion includes detection strategies such as monitoring authorization rates and traffic patterns, and proposes mitigation measures including the use of CVV, AVS, and 3D Secure.
  • Fraudsters: These individuals use stolen card details to purchase goods or services, or to extract money directly. The talk emphasizes the need for a robust risk engine that detects and mitigates fraudulent activity by identifying anomalous patterns.
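To make the card-tester detection advice concrete, here is an added example (not code from the talk or its speaker) that runs the two signals mentioned above, authorization rate and traffic pattern, over a few constructed authorization log lines. The log format, the IPs, the masked PANs and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authorization log (not from the talk):
# timestamp, client IP, masked PAN, amount, issuer response
SAMPLE_LOG = """\
2024-08-30T17:00:01Z 203.0.113.5 ****1111 1.00 DECLINED
2024-08-30T17:00:02Z 203.0.113.5 ****2222 1.00 DECLINED
2024-08-30T17:00:03Z 203.0.113.5 ****3333 1.00 APPROVED
2024-08-30T17:00:04Z 203.0.113.5 ****4444 1.00 DECLINED
2024-08-30T17:00:05Z 203.0.113.5 ****5555 1.00 DECLINED
2024-08-30T17:00:06Z 203.0.113.5 ****6666 1.00 DECLINED
2024-08-30T17:02:10Z 198.51.100.7 ****7777 49.90 APPROVED
2024-08-30T17:09:44Z 198.51.100.7 ****7777 12.50 APPROVED
"""

def parse_log(text):
    """Parse one whitespace-separated authorization event per line."""
    events = []
    for line in text.splitlines():
        ts, ip, pan, amount, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "ip": ip, "pan": pan, "amount": float(amount), "result": result})
    return events

def flag_card_testers(events, window_s=60, min_attempts=5,
                      max_auth_rate=0.5, min_distinct_pans=3):
    """Return sources whose traffic looks like automated card testing:
    many attempts in a short window, a low approval rate, and many distinct
    PANs from one source. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding time window over this source's attempts
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            if len(window) < min_attempts:
                continue
            approved = sum(e["result"] == "APPROVED" for e in window)
            auth_rate = approved / len(window)
            distinct = len({e["pan"] for e in window})
            if auth_rate <= max_auth_rate and distinct >= min_distinct_pans:
                flagged[ip] = {"attempts": len(window), "auth_rate": round(auth_rate, 2),
                               "distinct_pans": distinct}
                break
    return flagged
```

Running `flag_card_testers(parse_log(SAMPLE_LOG))` flags only the first source; the second source's two approved purchases on one card look like a normal customer.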

A key takeaway from this session is the challenge of balancing security with customer experience. The ideal would be to block every fraudulent transaction while approving every legitimate one, but the reality is far more complex. Merchants must combine multiple signals and make informed decisions tailored to the specific risks their business faces.

Time:
Friday, August 30, 2024 - 17:15