The Treasury Update Podcast by Strategic Treasurer

Episode 305

The Role of Penetration Testing in Payment Security

Payment penetration testing involves simulated cyberattacks to uncover vulnerabilities in payment systems. In today’s podcast, Craig Jeffery and Christin Cifaldi discuss different testing methods such as black-box, white-box, and gray-box testing, highlighting their pros and cons. Listen in to learn more!

Host:

Craig Jeffery, Strategic Treasurer


Speaker:

Christin Cifaldi, Strategic Treasurer


Episode Transcription - Episode #305: The Role of Penetration Testing in Payment Security

Announcer  00:00

Craig, welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym, or wherever you decide to tune in.


Craig Jeffery  00:18

Welcome to the Treasury Update Podcast. This is Craig Jeffery, and I’m joined by Christin Cifaldi. Welcome to the podcast, Christin.


Christin Cifaldi  00:26

It’s great to be back, Craig.


Craig Jeffery  00:27

Today’s topic is penetration testing for payment security. This is a topic that you might not have heard about unless you’ve listened to us recently. Penetration testing, also commonly known as pen testing, is a simulated cyberattack on a system or network or an area, and is used to identify and exploit vulnerabilities in a usually controlled manner. Of course, our focus today is on payment security, which involves the protection of financial transactions and data from unauthorized access, fraud, or theft. These are big and significant issues for everyone today, and so I appreciate everyone listening to this conversation, where we’re very vigorous in our defense of payment processes, everything from training people to assessing payment processes, and now this topic of penetration testing for payment security. So maybe we could just talk through some payment system breaches. I’ll start. And you know, I didn’t know what else we wanted to cover there, but in 2016 the Central Bank of Bangladesh lost $101 million. They were able to recover $20 million. The fraud attempt was almost a billion dollars. And these examples are meant to show how serious these breaches are. I think we can become complacent. So they were able to get $81 million out of the banking system, remove it, they brought the funds to Macau, took it out of the banking system, and they haven’t recovered the $81 million. People got fired and retired. This was a massive, massive breach, and this brought a lot of serious attention to certain types of payment fraud for everybody in and around the SWIFT network, because some of the compromised systems sent messages for some of these transfers. And there were a lot of, let’s just say, non-good practices there. That was a pretty significant one, Christin.


Christin Cifaldi  02:30

Yep. There was also, Craig, if you remember, in 2017 a breach of Equifax, and hackers were able to access personal and financial data of 147 million Americans. I know that I still have the free alerts going that they had to give me on my credit report for that. You know, credit card numbers were stolen, Social Security numbers, and bank account details.


Craig Jeffery  02:54

I remember that. But when you say 2017, it’s like, was that seven years ago? It was. We just received notification too in the US about AT&T; I think it was 68 million. I don’t remember the number off the top of my head, but we’ve just gotten all kinds of notification about all the information that was lifted from AT&T. Well, those who have, you know, phone or internet have to reset their IDs and passwords to make that make sense. But if you’re worried about your personal finances, Equifax is a good one. The next year, Ticketmaster, 2018, there was a breach. There was malicious software on a third-party customer support product. It compromised the payment information of 40,000 customers who bought tickets online. And so maybe this is a reason we can say, if you have teenage kids, no, you can’t buy any tickets because there was a compromise in 2018. I don’t think that might work, but maybe we could talk a little bit about the impact and consequences of these breaches, and then what are some of those causes, before we get into why pen testing and what does pen testing look like?


Christin Cifaldi  04:02

Well, the impact and consequences of these breaches are financial losses. Obviously, you know, you’re looking at $81 million in the example from Bangladesh Bank. That’s a huge sum of money. Also, you could have identity theft from the Equifax or Ticketmaster breach, or any of these other breaches we’ve mentioned. And that, you know, is personal financial losses, which could hit even harder than if you’re a large corporate organization. There’s also reputational damage, loss of trust for the payment providers, processors, the companies implicated. And then there’s legal penalties, lawsuits that could come from folks who had their data stolen, and it’s just a real mess.


Craig Jeffery  04:45

These are fairly large examples of either money or data. There are a significant number of attacks that are happening on payment systems today that, you know, some started about four years ago, and they’ve escalated. So some of these are, you know, removing payment security features that banks have. Criminals are like, okay, this is being blocked. How do I remove a layer of security and get through that? That’s not something that existed, like, five years ago. We first started seeing that about four years ago, and that’s been much more prevalent. We’ve also seen where they leverage data and then that data is used to bypass some other security features. So some of the methods of validating ACH debits and other transactions: if someone gains access to certain codes, they put those codes in, and now it comes through and looks like it’s a valid charge or a debit. We see criminals putting these things through far more regularly. It used to be paper was the worst environment for fraud, you know, checks, for those outside the US. Yes, those are still checks, and there’s a lot of fraud. Those tend to be smaller, but the digital activity is still heavy. And so what people do with validating accounts is becoming more important. Some of the causes have to do with how sophisticated the criminals are, how much money they’ve been making, and so they can afford to be patient and seek larger paydays. But you know, not encrypting data or not having proper authentication for, you know, transactions that occur or for changes that are made. You know, spoofing people to get them to change where pay information is sent. That’s one issue, Christin, as we know. And the other is, you know, outdated security protocols or software that gets outdated, not having a regular patch sequence, and some of the information that we look at shows how important it is to patch.
That’s, like, one of the biggest things you can do to keep your systems, your data safe, is regular patching. And that’s certainly not the only thing we’re supposed to do, but that’s a sick name from the area. So those are a couple to start us off. What are some other, I won’t say favorite ones, but what are some other causes that contribute to these breaches?


Christin Cifaldi  07:05

Yeah, there could be human error or even negligence by employees or third-party vendors who handle payment data or transactions. So this could be internal to your own organization: keeping passwords on stickies on your desk, or failing to use MFA, multi-factor authentication, failing to have thorough checks of your third-party vendors and their security systems before engaging in business with them. These are sophisticated criminals, the hackers that go after payment systems, and they really exploit vulnerabilities and loopholes in your networks.


Craig Jeffery  07:39

Some of the hackers are using more commonly available tools. They may not be as sophisticated, but they can use and leverage sophisticated tools. And the use of AI is helping that. And so we’ve seen some huge examples of, or one really well-known example of, a $25 million US-equivalent loss using deepfakes, you know, with the Zoom call, having people there. So the escalation is significant, and that brings us to a little bit of the discussion about why you would want pen testing. I think with all these changes, you want to make sure your people are trained on the human elements there. You want to make sure your network defenses are kept up to date. You must ensure that you’re putting patches in on a regular basis, and you want to have different types of testing. So vulnerability scanning, you know, from internal, like that you do to find data that may be accessible, ports that may be open, other points of exposure. And companies on the cyber side want to make sure they do cyber pen testing. Also on the payment side, payment security assessments: where are all our payment processes? That’s a complete inventory of where everything is. That’s essential, not really a focus of our talk today, but payment pen testing would be another key area, you know, and maybe we could talk about cyber pen testing as a context for that, versus a more narrow and focused pen testing on payments. So there’s a couple of the terms: black box, white box, and gray box. Can you talk about these types of penetration testing, how they act a little differently, just so that people who may not be a CISM can understand these?


Christin Cifaldi  09:23

Yeah, so black box testing can reveal the most realistic and unexpected vulnerabilities, but is time-consuming and costly, and this is where the tester has no prior knowledge of the system or the network and is simulating a true external attack. If you’re going to do a first round, you would start with black box testing and then step back to the two other types. Gray box testing, this would probably be more common and easier to use. That’s where you provide your tester with some knowledge of the system and network, and they simulate a partially informed attack. And gray box testing can balance the realism and thoroughness of a black box test, but it can also be challenging, if you use this, to determine the optimal level of information and access to provide to the testing agency, to determine that you’re getting the best bang for your buck and that they’re really able to discover true vulnerabilities. White box testing is where you provide your testing firm full access to your system and network, and that would most closely simulate an internal attack coordinated by employees or even former employees. White box testing can cover the most comprehensive and detailed aspects of your system or network, but it can be prone to bias, and it can overlook some scenarios. How to choose the best type of testing for your payment system: you consider objective, scope, your budget. Discuss complexity and sensitivity internally and with potential vendors before engaging with one. And it’s always important, Craig, that we include stakeholders, owners, and users of the system or network, that we’re not operating in a box, before we choose a vendor and actually pay someone to do this. We want to see internally what folks are using. Similarly, I know we’re not narrowing the scope to payments, but if we were, you know, that would be mapping the payment process and identifying it before we engage a payment security vendor to help us test that.
Are there any industry standards or best practices that folks should also be following, Craig?


Craig Jeffery  11:32

There’s a couple that are well known, in particular NIST. The National Institute of Standards and Technology is one of several key information technology and information security standards that exist there. So companies should be following some standard frameworks; they give everyone a leg up for thoroughness and completeness, as opposed to starting from scratch. But within the payment sphere, there’s several of these standards. So PCI DSS, or Payment Card Industry Data Security Standard: the payment card industry has a set of standards, including the data security standard geared to protecting card data, right, the card number information, personally identifiable information. That information has to be kept secure. And so that standard was put in place because fraud was on the rise. You have to have confidence in any system you’re using. And so this is built to protect the data and provide security systems. So every year, there’s, you know, if you’re accepting cards, you have to do some sort of validation confirmation, whether you’re using a third party or not. If you’re using a third party that’s taking on those, it becomes a lot easier, but they’re standards. The other one that you and I both love the most is probably the SWIFT Customer Security Programme, where they’re protecting the messaging network of SWIFT. This is for not only banks, but also for corporates, non-bank financial institutions, who are sending messages. The goal there is, of course, to protect, you know, the entire network, all the access points, you know, so that the messages are secure. And so it’s not just card data and messages that may relate to all kinds of other payments through SWIFT, but other payment rails are providing and requiring additional standards; they need to protect the different payment channels. So NACHA has certain standards, particularly for high-volume users, where you would tokenize account numbers, right?
So if someone gets into the database, now instead of seeing a number, they pull a token that becomes pretty much useless to them, and so you store things in different locations, use a tokenization process. This is something that you and I have talked about. We see this as expanding to every payment rail over time, and then payment standards. So we can wait until we’re forced to do it, until we have a loss, or we can take steps to continue to improve what we do. And that’s really part of the area of payment pen testing, as you talked about, the difference between black, gray, and white box, black being, hey, there’s no knowledge. I think it’s generally superior to have whoever’s doing the testing have a little bit more knowledge, because you’re trying to gain knowledge, but that’s really the choice of the company: do you want to pay money for people to gather the very initial information, because it’s hard to build that information up. So usually, you know, gray or white box testing helps. You know, can you compromise it? So when we look at that, we try to figure out who they bank with, what’s their banking concentration method, what are the security services they have, what’s an inventory of who they are making payments with, what are those types of payments, who has authorization, who overrides those things. So there’s all different ways of gaining information to get a picture of how the company or organization moves funds, secures funds, approves transfers, validates, and reconciles. So there’s lots of different ways to go after that. We’re not going to go into all of that, but that’s what we do as part of payment pen testing: gain a picture and see what can be compromised. If we’re trying to see if we can remove a security feature, we want to know what the security features are, what banks they are with, what they are using.
And then, you know, be able to gain as much insight there. You know, you talked about considering objective, scope, and budget of testing. It seems to me, and I don’t know if you fully agree or not, but it seems like you want to have your people trained, your systems updated, have a regular, maybe it’s every two years, assessment on your payment processes, and then have payment pen tests done from time to time. That would provide, you know, a much more well-rounded set of protections.


Christin Cifaldi  16:06

Yeah, I agree. I mean, pen tests are vital to perform periodically to protect your most valuable and sensitive assets. And also, we can’t stress enough training those individuals, and also, to avoid some fraud, letting folks know the schedules of the approvers of payments. So if internally we let everybody know that Joe is on vacation next week and he will not be sending you an email for an emergency payment to an exotic locale or bank account, that’s pretty important, because some folks are able, with the deepfake, to just get in and trick people, unfortunately.


Craig Jeffery  16:41

Where might a pen test work well? Where might a payment security assessment work well? You know, examples of, you know, companies create payment files that get moved across a network, maybe encrypted, maybe not. Maybe it’s encrypted part of the way and then dumped to a desktop and then loaded, perhaps loaded manually, or it’s pushed to a place where it’s unsecure for a bit. Those types of issues tend to be more readily found through an assessment, because you track the payment from start to finish, the custody of that activity. So you’re going to see, it’s like, hey, you’re leaving this exposed, and that’s something that needs to be tightened up. And an assessment would identify that. Understanding, you know, how a criminal will look at things, you know, a payment pen test could identify to see what people can find out externally. Oh, you’re making payments here. Here are your bankers, who provides approval, who are your internal signers, system signers, people who have the ability to make those changes. Pen tests are good for that, because it’s showing what people might be able to find quickly. You know, if someone says, which one should we do? Usually it’s both. And you know, maybe you stagger it: one year you do an assessment, then you do a pen test. You might even want to do a payment pen test every year, but you certainly want to do a payment security assessment at least every couple years. Whether you do that internally, if you have the skills, the resources, and the ability to distance yourself from it, or whether you use a firm like ours to go through, ask all the questions, review and look at the systems and get that independent view. But do it. Whatever you’re going to do, make sure you do those functions. Christin, any final thoughts as we talked on security and penetration testing, other things, anything else that you would want to just remind everybody about?


Christin Cifaldi  18:35

Just want to remind everybody to make sure that they’re using multi-factor authentication wherever possible, just to button things up, add that extra layer of security. And Craig, you mentioned folks doing this internally, which is a great idea, especially if you have that IT expertise. But just like an audit, an external audit, you do want to consider periodically having an outside party, if you have the resources, do either a cyber pen test or a payment pen test, just so you might catch something, remove some of that bias that internal folks might have.


Craig Jeffery  19:06

The other skill set too on a payment pen test is, there’s the IT: how you custody data, how that’s protected, encrypted, but also understanding payment processes. You know, some of the frauds we’ve seen lately, it’s now the criminals are pretty smart about how the payment processes work in more depth. They’re no longer confused about next-day transfers, same-day transfers, making changes too late. They’re nailing that. They also understand how the security processes work through systems like the ACH network or some of the more rapid payment processes that exist. And so the combination needs to be understanding payment systems, understanding payment security, and those things together seem to provide the look, because this is what criminals are bringing, that full skill set, to the table.


Christin Cifaldi  19:57

Yeah, they become more sophisticated. They keep pace with any security changes that come out, unfortunately.


Craig Jeffery  20:03

Well, thanks so much for your time. Thanks, Craig.


Announcer  20:08

You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.
