Monday, March 9, 2009

Updated: Acculynk...Where's the PIN Offset? My Pet PVV



Updated:  I just got off the phone with Chris A. Mark, CEO and Founder of the Aegenis Group and the Society of Secure Payment Professionals.  

Apparently,  John Stewart, Editor of Digital Transaction News, saw this post and called Chris to discuss a "hardware vs. software" approach.

I had our CEO, Ken Mages join us on the phone.  Chris is probably one of the foremost experts in PCI and payments security and 1 of about 20 people in the world who "truly" understands how a PIN transaction works, so since Ken is another 1 of the 20, it made sense for him to collaborate with Chris.

In fact, here's a little backgrounder on Mr. Mark:  Quite impressive to say the least... 

The Aegenis Group is led by

Chris MarkChris Mark, CISSP, CIPP; CEO/President and Founder

Mr. Mark is an experienced information security professional and PCIexpert. Over the past six years, Mr. Mark has worked in variousinformation security capacities within the payment services’ segment.Most recently, Mr. Mark was employed at MasterCard Worldwide where hewas one of MasterCard’s representatives on the Payment Card IndustrySecurity Standards’ Council (PCI-SSC)Technical Working Group. In addition to founding an informationsecurity company and conducting numerous PCI assessments for merchants,service providers, and members, Mr. Mark has worked with bothMasterCard Worldwide and Visa USA on components of their respectivedata security programs.

Mr. Mark is also contracted with Visa to train all of their majoracquirers and the top 3000 merchants in the PCI DSS. Prior to joiningthe civilian sector, Mr. Mark served in both the United States MarineCorps, where he operated as an elite Force Reconnaissance Marine andMarine Scout/Sniper, and in the US Navy where he was selected to serveas a Navy SEAL Officer. Subsequent to sustaining a career endingtraining injury, Mr. Mark served as the Training Officer and ChiefInstructor of the US Marine Corps Basic Reconnaissance Course where hewas responsible for screening, selecting, and training eliteReconnaissance Marine Candidates. Mr. Mark is a combat veteran ofOperation Continue Hope, Mogadishu, Somalia. Mr. Mark holds the CISSP,and CIPP professional certifications, numerous technicalcertifications, and has an MBA and BA degrees.


Here's an excerpt from an email he sent me:


John,

John Stewart from Digital Transactions called to ask about the differences in Home ATM and Acculink.  I was very clear that conceptually I feel HomeATM is a much better solution.
Please feel free to call me to discuss the article comments.

Chris
Chris A Mark, CISSP, CPISA, CPISM, CIPP
The Aegenis Group, Inc.





We spoke at length about the security of our solution and he was impressed enough to want to learn more and we are happy to provide him with anything and everything we can so that we can empower his analysis.  We agreed to FedEx him a SwipePIN device (pictured below) and we'll talk again after Ken gets back from the Merchant Risk Council meeting in Las Vegas on Thursday or Friday.   I'll provide an update.   Here's the rest of the story....



In an effort to prove that I am not alone in questioning the security of Acculynk's Floating PIN Pad I am going use a respected third party resource to back up my concerns... just in case people confuse common sense for competitive jealousy.  I assure you, I have none.  (common sense that is...lol)

In fact, in an act of fairness...I hereby extend an open invitation to any C-Level Executive at Acculynk to address the two questions highlighted on the graphic on the left.  I am more than happy to allow them the opportunity to set the record straight.  It is not my intention to berate their solution.  It IS my intention to prevent a future breach that makes Heartland's pale in comparison...which is exactly what would happen if hackers got their fraudy-little fingers on PIN's.

As I said, I've spoken to Acculynk President Nandan Sheth quite a few times over the course of the last year and have nothing but good things to say about the him. As a matter of fact, after taking my cell-phone off the charger, I see that I missed a call from him earlier this afternoon, so I owe him a return call...
   

The following is from the Society of Payment Security Professionals blog written by Chris A. Mark, CISSP, CPISA, CPISM, CIPP, Founder and CEO of The Aegenis Group.

In the article he published last October, Chris questioned the security of Acculynk's Floating PIN Pad. 
Online PIN Debit; Great Idea or Not so Great Idea?

The big questions he asked about (besides security) is that if a "card is not present" (CNP) i.e. in Acculynks model one must manually type in the credit or debit card's personal account number (PAN) and if it's determined that the card can be used with a PIN, then the floating PIN Pad GUI pops up.  The e-shopper then uses the floating PIN Pad to enter their PIN.  So...with no swipe...just type...they want to know: "Where is the PIN Verification Value (PVV) and where is the PIN Offset stored?"  Good questions!  In a traditional PIN Debit transaction (like the one that most closely mimics the consumer experience in a grocery store...
the PVV and PIN Offset is resident on the magnetic stripe.  No Swipe...No Stripe!  No Stripe...No PVV...NO PIN Offset.

Besides the fact that in 500+ breaches, software was 92 times more likely to be breached than hardware, those were two more very important reasons why HomeATM went with a Hardware based solution.   

Here's an excerpt from the Society of Security Professional Blog:

I (Chris) want to thank Susan Kohl for sending this over. Digital Transactions has published several articles on new technology that will allow PIN Debit for eCommerce sites. Read the article here.

In short, the new technology will present a buyer with a floating ‘PIN Pad’ on the screen. Users can then enter their PIN which will then allow the merchant to immediately debit the user’s account for payment. While the technology appears very compelling from a convenience perspective I have to admit that it also gives me pause. In my mind, there are a number of potential issues with this technology. I am sure (or at least hoping) the companies, banks and card brands are working through these issues but they merit discussion here anyhow.

From a security perspective, I am challenged by the technology. My first thought is key stroke logging and malicious software. Now I know people will likely say that this is possible with traditional eCommerce transactions. This is accurate. In this scenario, however, PIN data is being transmitted. As discussed in a previous entry, there may not be a limit to the liability associated with compromise of PIN data. It brings another question to light, as well.

If the transaction is a ‘card not present’ transaction then where is the PIN Verification Value / PIN Offset stored?

In a traditional PIN Debit transaction it is resident on the magnetic stripe of the card. This has several benefits one of which is that it prevents a data thief from obtaining a PIN and only the primary account number and being able to conduct PIN based transactions.

If the card is not required to be presented, it appears that this would allow fraudsters to obtain the PAN or other card data and the PIN and conduct transactions.

Editor's Note:  Holy Grail Batman!  See I'm not biased.  And I'm not alone with my "concerns." Do you have any?  As always, feel free to leave a comment.  Click on the title of the post, and the comments will be enabled on the bottom.  Have a salubrious weekend!   






Reblog this post [with Zemanta]

Disqus for ePayment News