MasterCard has opened the doors to its DigiSec laboratory, described as being a lot like Q’s facility from the James Bond films. Now that the lab is open to MasterCard customers, Bruce Rutherford, MasterCard’s Group Head, Fraud Management Solutions, talks MPD CEO Karen Webster through the details of its methods and purpose – and what sorts of James Bond-like activities go on inside its super-secret doors.
MasterCard’s DigiSec Lab in the U.K., designed to test threats for digital payments, has recently been opened to its customers to collaborate on solutions that will keep the safety and soundness of the payments ecosystem top of mind. MPD CEO Karen Webster caught up with Bruce Rutherford, MasterCard’s Group Head, Fraud Management Solutions, who went on the record to explain not only why MasterCard felt it important to open the facility up to its customers but what goes on inside a facility that some have described as straight out of a scene in a James Bond movie.
KW: The DigiSec Lab is described in a video on its website as a place where MasterCard is developing solutions to “the problems we don’t yet know we have.” What are some of those problems and how are you solving them?
BR: Unfortunately, the world in which we live is one where criminals will go after the lowest-hanging fruit — those places in our ecosystem where there are vulnerabilities and weaknesses. And, today, that is the mag stripe.
So, even though we are moving full steam ahead towards EMV, we continue to put a lot of time and effort into understanding existing and emerging risks in and around the magnetic stripe world. There are still plenty of magnetic stripe transactions taking place every day. We also spend time evaluating contactless security and PIN security as we look at a world where, today, there are economics in place for those criminals who are going after this lower-hanging fruit to engage in skimming — and the sophistication of those skimming attacks has definitely increased over time.
To that end, one of the basics that we are addressing is the latest attack vectors on skimming and PIN collection mechanisms — whether it’s through PIN cameras at ATMs or PIN overlay devices. That will allow us to “reverse engineer” or deconstruct those attacks through forensic analysis and feed that knowledge back into the industry standards to build more robust and more secure capabilities at the terminal and at the ATM for both card reading as well as for PIN entry.
So that’s the here and now. Now imagine a world in a future state where magnetic stripe is much less of the norm and that lower-hanging fruit begins to disappear. Then, we obviously need to be concerned with where the attack vectors will move. For us, the move to EMV chip is obviously paramount to the industry from an ongoing security perspective.
As the nature of the consumer’s interaction with the point of sale changes from traditional card-based to a mix of card-based and mobile device-based environments, we want to ensure that the ongoing viability and integrity of chip continues as the most secure mechanism of payment. We want to be engaged in understanding and raising the bar for the chips that are manufactured and introduced to the industry for use by our customers, so that we can ensure that those chip sets are being developed to deal with vulnerabilities that could result in, obviously, exposure of data.
Evolving the state of security within chip development is important to us, and understanding what that means in a world where a mobile device is being used instead of a traditional chip on a card, so that the paradigms of security that we’ve become comfortable with and we keep evolving from a security perspective will also fit well and work well within a new digital payments space.
KW: We’re so focused on the future that the here and now of the mag stripe card, as you point out, does still present some vulnerabilities. Working on solving that problem — which is both low-hanging fruit and real, in the present — is an interesting focus.
You recently announced that you opened up the DigiSec Lab to customers. What will customers be able to do now as part of the Lab, and what do you hope to achieve as a result of their involvement?
BR: For a number of years, we have engaged with some of our larger customers — ones that, for example, may sit on one of our fraud advisory councils, be it global or local — more formally, in the context of presenting considerations from a security perspective coming out of our DigiSec Lab.
What we’re doing now is a bit different. Whereas the focus in the past was on specific security considerations that MasterCard felt were of key importance to the industry, we believe that there now exists a great opportunity to open a broader dialogue with our customers. By directly engaging with their emerging payments organizations (in addition to their fraud teams), we can begin to understand what’s top of mind for them when it comes to security and risk and how to add value for them through proactive R&D.
It’s a real direct engagement approach, where we’re not going in with presumptions as to what they might need and instead are being very open-ended to address customers’ key areas of concern.
KW: One of the things that I also understand you are doing as part of the DigiSec Lab is creating partnerships with a variety of stakeholders — which now, of course, also includes your customers. Can you give us a few examples of those partnerships, and what you hope to achieve as a result?
BR: Without sharing any specific names, I can tell you that — beyond that which we’ve had with issuers and acquirers and even key merchants — we have for a number of years had a strong engagement framework with various law enforcement agencies around the world. Those have become important for us in a number of ways.
Having access to the types of devices that the criminals are using is critical to us, especially when we look at the sophistication of skimming. We’ve been able to leverage various law enforcement relationships to gain access to confiscated devices and deconstruct criminals’ solutions to gain insight into the nature of the attacks.
Using that knowledge, we’re able to build more robust controls into our fundamental security requirements, which we then feed into at the industry level — for example, PCI security requirements and PIN entry security requirements — as well as into our own MasterCard product development and design apparatus. So we’re addressing our own company concerns and what we can do on our end, but more importantly we’re also driving industry evolution to be more resistant to the attacks that are out there.
As we look to advance our own R&D and as we’re aware of the known attacks that are occurring, we do have a number of partnerships with other external security labs that we have instituted through our certification programs, as well. Any chip that’s used either in a MasterCard card or in a device used for payments will go through a security evaluation via a program we call CAST (Compliance Assessment and Security Testing), which is designed to ensure that the chip sets being used today are resistant to known vulnerabilities and attacks.
We’re also extending our threat analysis and vulnerability analysis capabilities to include the emerging digital space. That will involve direct interaction with entities that have implemented solutions in that space, as well as with our own security experts, in order to certify solutions above and beyond just the chip sets used in phones and devices.
KW: You also say that your focus isn’t so much on the new “flashy” technology but on what it will take to keep payments transactions safe and secure. Can you give us a few examples of some of the “non-flashy” things you have on your plate now?
BR: Without going into the nature of the exact attacks, there have been situations where potential payment vulnerabilities could be introduced if proper back-end controls and monitoring are not in place across a number of different transactional and fraud-related scenarios.
One of the areas that perhaps is not flashy but is critical to us is that — having recognized that these types of attacks can exist, and the fact that we can carry out some advanced data analytics to look for potential signs of them in the wild — we were able to actually detect the likelihood of some attacks and upgrade our SafetyNet solution (designed to provide fraud monitoring and controls against excessive or catastrophic attacks) and others accordingly.
It’s the integration of a knowledge center, where security and vulnerability analysis combine with advanced data analytics, and then feeding that back into our actual product mechanism, where we’ve got network monitoring in place to protect our customers against things that perhaps might slip through their own control sets.
As I say, it’s non-flashy, but it’s critical to us.
KW: So let’s get to the flashy stuff. I chuckled when, in your introductory video, one of the individuals interviewed said that one of your clients described the lab as something along the lines of what Q operates in James Bond movies. So, I have to ask. What are some of the flashy, bleeding-edge, James Bond kinds of problems that you’re trying to solve and the insights coming out of the lab as a result?
BR: The analogy to James Bond and Q speaks to the nature of the tools that we use in the DigiSec laboratory.
When you move from a world of magnetic stripe that is relatively unsophisticated in terms of how it works and the product construct, the tool sets that you need to apply in a world of security data — specifically payment account data or token data — involving secret keys that access a chip or secure element are, by necessity, much more sophisticated.
For example, we have lasers at the laboratory that are used to analyze the underlying security of chips by deliberately perturbing them to see if they’ll do things they shouldn’t be doing, such as changing memory contents or jumping over their programmed instructions. It’s important for us to understand these vulnerabilities because, in understanding where the risks are, we can begin to ensure that we secure our products and our applications with those considerations in mind.
Another interesting thing we have in our DigiSec Lab is what we call “tempest” equipment. It’s designed to understand what type of unintended electromagnetic emissions might be occurring from a given device (for example, a terminal containing chip sets) and determine what attack potentials they might create. That process is done in a dedicated room where we effectively block out all external electromagnetic noise.
We also obviously utilize X-ray machines at the lab, as well as very detailed microscopes that allow us to understand and prevent attacks that would affect the circuitry of a chip and biometric devices.
Those tools are pretty cool to look at, but it takes sophisticated tools to analyze sophisticated mechanisms. With the information we glean, we can give insights on security and engineering that can be taken into account as new products are built for MasterCard and our customers.