Payment cards linked to cryptocurrencies are booming. But they combine a new technology (crypto) and an old one (card payment networks). In this guest post, payments security researcher Timur Yunusov says crypto firms teaming up with the payments systems run by the debit and credit card giants, Visa and Mastercard, should be aware of the security risks they inherit.
Cryptocurrencies are the new black. They are everywhere and even your grandparents may now be gossiping about them.
But cryptocurrencies are also remarkably volatile, meaning that people don’t use them for daily transactions. Instead, we still convert to and from traditional currencies when seeking to settle a bill or pay someone else.
Unfortunately, crossing the border between traditional money and crypto is not always easy: just look at the recent ban on payments to cryptocurrency exchanges by several UK banks.
Joining the old guard
On the other hand, payments into and from cryptocurrency using card networks like Visa and Mastercard are booming. Visa announced on July 6 that its customers had spent more than $1 bn using its crypto-linked cards in the first half of 2021.
For crypto start-ups, cooperation with one of the established card networks is now a fact of life. You can’t just create your own payments ecosystem. Payments is a scale game and the existing card providers certainly have that.
For start-ups, the most popular option is to choose a white-label payment service provider that will take on the burden of enrolling card users, settling payments and doing all the backstage operations. One of the most famous payment services providers used to be German firm Wirecard, until it collapsed in 2020 following the exposure of a massive fraud.
However, Wirecard Card Solutions Limited, the firm’s UK-based subsidiary that issued brand-name debit cards to a lot of fintech and crypto start-ups, is still in business. It was sold to Railsbank late last year.
New tech on old tech
Combining a crypto offering with a payment card network raises some intriguing questions.
When teaming up with a card network like Visa or Mastercard, crypto and fintech firms are combining a new technology—their own version of money—with a technology architecture at the card firms that is nearly 75 years old (the modern payment card was created in 1950 in the US, by Ralph Schneider and Frank McNamara).
How robust is that card payments architecture? Though card designers have added many steps over the years to reduce payments fraud—magnetic stripes and PIN codes are two examples of enhancements that were added to early cards to make them more secure—there are still flaws that an intelligent attacker can exploit.
Below, we highlight some of the remaining vulnerabilities in payment card design.
So-called ‘card-not-present’ transactions happen predominantly when someone pays online. Another case is when your card details are entered by someone else on a point-of-sale (‘POS’) terminal, for example when you pay for your hotel over the phone.
In the US, a card-not-present transaction may occur when your card can’t be read during an in-person payment and the cashier gives you the opportunity to type the card details on the pin-pad machine (such a transaction is called ‘PAN key entry’ in payment card jargon—of which there’s unfortunately a lot).
By the way, a lot of people have the misconception that their ‘cardholder name’ field is checked somewhere during the online payment process. However, this is not true, and you can enter whatever you want. Try it next time!
The most secure form of card-not-present payment involves a one-time code that is sent for the verification of the specific payment (this security scheme is called ‘3D-Secure’). If the transaction had been requested by the cardholder, he/she would verify it using the code and the payment would go through. If not, it would be declined.
However, such a scheme is not ideal, since it comes with its own security risks. For example, hackers can intercept the authentication codes or use phishing to trick genuine cardholders.
If 3D-Secure is not supported by the merchant or the issuer, the payment could be done using only the PAN (the long card number), the card’s expiry date and the 3-digit card security code on the back.
This does not add up to much in terms of security. Some hackers could attack mobile applications and steal these fields from there. Or they could use another technique, such as brute-forcing the 3 digits of the card security code.
Even if malicious actors do not know anything about you, but possess cards of the same start-up as you do, you already may be under threat. How is that possible?
Let’s see. First, a fraudster opens a card account. Now he knows his PAN and expiry date. If the start-up does not use the PAN randomisation feature, card numbers go sequentially one after each other. That means that the next customers after the attacker will get numbers that he can predict. And because they were issued at approximately the same time, they will have the same or similar expiry date field.
Depending on the speed of issuance of the new cards, the number of cards with the same expiry date will vary. But the only field that the fraudster will now have to guess is the card security code field. There have been cases of successful frauds done by guessing the CSC: it’s easy to see it takes only up to 999 requests to do so.
Magnetic stripes on cards were introduced in the late 1960s as one of the first attempts to address payment fraud. The main problem with this security feature is that it’s really easy to read and write magstripe data.
In turn, this leads to the widely used possibility of making clones of payment cards. And this is where the most popular type of card fraud happens. In a so-called ‘skimming’ attack, hackers steal magstripe data and sell it all over the world.
While the card networks introduced a security upgrade in the 1990s to counter magstripe fraud (called ‘chip’ or ‘EMV’—see the next section), this kind of attack still goes on. This is because merchants in some countries, such as the US, may not have upgraded their payments terminals to insist on EMV-only transactions.
The main way of countering this old type of card fraud is to restrict magstripe transactions based on geographical location. Someone with your card’s magstripe data can’t then use it in a shop eight time zones away. Alternatively, permissions to pay using magstripe can be disabled altogether.
In the 1990s a more secure form of card payments emerged, called chip or EMV (which stands for Europay, MasterCard and Visa).
EMV introduced the concept of using smart-card features to address the well-known problems of magstripes. By using symmetric 3-DES and asymmetric RSA cryptography, payments using smart cards offered additional layers of protection, notably:
- Card authentication
- Cardholder verification
- Transaction authorisation
In early 2000s contactless payments were introduced, incentivising us to spend more, while keeping the security mechanisms from chip/EMV cards. Visa, MasterCard and banks all claim that contactless is the most secure way of making payments. However, is it?
Another issue affecting contactless payments, is that EMV is no longer in charge of the technical standards, which rule how exactly payments should be done. So Visa and MasterCard do contactless payments in their own way, along with AmEx, UnionPay and other domestic payment brands.
Know the risks
Modern payments using cards are still affected by technological design decisions made more than 50 years ago. The current ‘card-as-a-service’ model helps companies, especially start-ups, to outsource most of the card processing steps to dedicated service providers, but this decision comes at a cost.
Most fintech companies don’t have their own risk assessment team or dedicated anti-fraud departments and some of them barely understand how card payments work.
At the same time it is our money and we need to be sure that these companies do their best to protect us. Our main recommendations would be to observe what options your card has, its different limits, its notifications and security features.
Though a lot of the crypto and fintech start-ups using the traditional card networks have their bug bounty programs, not many were keen to address the issues we’ve reported on here. Several didn’t even respond.
For an in-depth description of payment card vulnerabilities and how to address them if you’re launching a new card-based payments programme, you can read my white paper.
And you can view my presentation on this topic at the recent DefCon conference here.
Sign up here for the New Money Review newsletter
Click here for a full list of episodes of the New Money Review podcast: the future of money in 30 minutes
Related content from New Money Review