Madrock

EFT devices and systems differ depending on hardware vendor, country and bank / payment aggregator.
Below is a list of things you may like to consider. This list is off the top of my head so it is probably not complete.

Looking at the products and relationships us usually a good start.

Things to consider:

• Card skimming methods
• Some EFT POS devices restrict the connection of a skimmer
• Review levels of associated fraud
• Review devices and EFT methods
• Review terminal identification (merchant and customer)
• Manual processing. (internal and external)
• eCommerce products
• PC based software
• Dedicated server services (Nobil, etc.)
• Web based engine (Custom objects, Web pop-ups, etc)
• Authorisation / identification methods (Merchant and customer)
• TCPIP session hijacking / session spoofing
• Direct Debit as well as Credit Cards.
• Swift (methods and controls)
• Telegraphic transfer (methods and controls)
• Payment aggregator relationships (eg. Payment Tech, manual processing, cheque scanning, etc.)
• Internet banking facilities (attack / penetration,  Certificate registration / management, ISP SLA’s, etc.)
• Implementation of Smart Card and / or alternative customer recognition devices.
• Outsourcing and associated risks / service level agreements
• Payment processing
• Payment clearance
• Payment switching
• Reporting (segregation of merchant / customers / aggregators / partners / local / international)
• Fraud detection and reporting
• 3rd party acquiring risks
• Single merchant ID many businesses
• Allows moneys to be laundered if the payment aggregator does not place appropriate controls on the merchant.
• Encryption used
• Internet / trusted partner / inter-bank / extranet
• Private and / or public certificates
• Single use certificates
• Client side certificates
• Remittance advice processes and controls.
• EFT disaster recovery and manual fall back procedures (associated security and reconciliation risks)
• Trusted partner relationships, SLA’s, liabilities and risks.
• EFT regulatory / legal requirements (inter-bank and government)
• Refund processing / authorisation. (policies, procedures, controls, etc.)
• CVV, CVV-2 / CVC-2 processing and management. (http://www.atlanticpayment.com/CVV.htm)
• Fraud detection mechanism (neural networks, inter-bank / department customer checks, etc)
• Supported card schemes (AMEX/Visa/Mastercard/Discover/etc )
• Review EFT floor limits (corporate and SME merchants)
• Review the ability to withhold merchant settlement until the presence of fraud has been determined.
• Review customer identification details. Such as (This varies around the world depending on local regulations / privacy laws)
• Review real-time and batched processing methods and controls (sequence numbers, access to raw data, etc.)
• Review processing with and without expiry dates. (exception controls and policies)
• Review exception / fraud reports.
• Review payment store and forward policies and procedures.
• Review Pre-Auth and Completion controls.
• Token based payment (eCash, etc)
• Merchant reconciliation, reporting methods and controls (paper, Internet, email, PDF, Fax, etc.) and associated security.
• Real time gross settlement policies, procedures and controls. (IT and amounts)
• Card issuing policies and procedures. (customer ID checks, etc)
• Banking infrastructure (ingress / egress) controls and security. (Web, partner, payment switches, outsourced infrastructure, monitoring / reporting.)
• Use of Internet technologies for inter-bank transfers and remote equipment.
• Physical security and controls of devices, ATM,s, line encryptors, etc.

I read a very interesting paper created by the University of Massachusetts, RSA Laboratories and Innealta, Inc.<<

This paper primarily relates to the compromise of contact less payment technologies (RFID) if the RFID and/or reader have not been implemented correctly or the solution provider has used an inappropriate type of RFID and discusses the challenges around Chip and Pin with respect to financial transactions e.g. EMV standards and compliance.

Additionally, the paper describes a RFID relay method which is being discussed within many forums around the world and we have now begun to see equipment being produced for the RFID skimmers/clonners to use for malicious means.

The overarching point of this paper is to use an appropriate RFID & Chip solutions which supports the security/privacy of the user and purpose of the transaction (financial or non financial)<<

The paper can be found at http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf

In modern payment RFID & Chip solutions, newer devices can be used which possess a high degree of processing power and are therefore able to execute strong cryptographic methods (such as digital signatures) to protect the identification and payment information whilst the transaction is occurring.

These systems often utilise bidirectional authentication between the RFID/Chip scanner and the RFID tag/Chip prior to performing the transaction. These methods and cryptographic algorithms are accepted and proven to work within the traditional payment markets.

As mentioned in the paper, some solution store static digitally signed and/or encrypted data which is provided to the RFID/Chip reader when queried, but this data never changes from one transaction to another. This may allow a malicious individual to capture and re-inject the data into the reader at a later stage. The alternative to storing static digitally signed and/or encrypted data is to negotiate a key exchange at the time of the transaction in which the card/value information is encrypted and subsequently transmitted. With this method the transmitted data
changes on every transaction and therefore even if a malicious individual was to capture the encrypted transaction data from one transaction, this would not be accepted by the reader if re-injected at a later stage.

Although this is the case today, older RFID/Chip solutions often use technologies which are not appropriate for financial transactions and therefore may be compromised easily and in some cases without the knowledge of the card holder, merchant or acquirer.

I find this interesting how some of these less secure solution have been approved for use by acquiring banks and the card schemes around the world (if they were told) in recent years, where it has been seen that these solutions have utilised techniques or deployment methods which can be compromised. These technologies and techniques would never be approved within the Point of Sale (PoS) or traditional banking markets.

It can only be assumed that the need to get product to market quickly at the expense of proper testing, understanding and with due consideration to industry lessons learnt has succeeded again.

http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html </a>

here is a local copy.

How to Build a Low-Cost, Extended-Range RFID Skimmer

Also some of the supporting documents.

A Practical Relay Attack on ISO 14443 Proximity Cards

S4100 Multi-Function Reader Module Data Sheet

Security Analysis of a Cryptographically-Enabled RFID’s

Antenna Circuit Design for RFID Applications

ISO 14443

FAQ Interoperability