Chapter 8: Consumers – Security in the Digital World

CHAPTER 8: CONSUMERS

Every person has rights as a consumer in what you buy or what service provider you use. Companies that provide these goods or services are always seeking to use technology and information to provide better services, improve their offering so that they can attract more customers, and improve efficiency to provide their goods or services at less expense.

Companies do this by collecting consumers’ information and analysing it, but you have the right to expect these companies to protect your information and use it responsibly.

8.1 Certifications

Before trusting a company with your information you can research its record for data protection on the Internet: check whether it has been penalised for a data breach, or whether it holds a certificate for information security. Here are some certifications that companies may hold and what they mean.

Certifications are mainly obtained for the benefit of other businesses, which look for them when choosing partners or suppliers, rather than for consumers. Regardless of the reason for pursuing them, they display a commitment to security.

Cyber Essentials

Cyber Essentials is a UK government-endorsed certification that is considered the benchmark in the UK commercial sector and is mandated in the UK for companies that provide certain services to the UK public sector. It is gaining international recognition as a foundation certification of cyber security. Cyber Essentials certification is awarded when an organisation passes an assessment against five key cyber security measures.

This is the logo that will be displayed on websites of companies that have achieved Cyber Essentials certification. You can also check the certification of companies online.

Cyber Essentials Plus

Cyber Essentials Plus provides customers with a greater degree of confidence than Cyber Essentials because it involves technical testing of the network security. Certification is achieved when a company has had penetration testing completed to identify vulnerabilities and weaknesses, which must then be fixed before certification is granted.

This is the logo that companies certified to Cyber Essentials Plus can display.

ISO 27001

ISO 27001 certification states that an organisation has an information security management system (ISMS). The scope of the certification can be limited, and the certification does not necessarily cover all the services the company or organisation offers.

This logo will be displayed on websites of companies that have been awarded ISO 27001 status, although some certification bodies provide their own version of the crest. The crest will include ‘ISO 27001 certified’. The company must also have the certificate available. Check the details of the certificate, asking the company if necessary: the certification is only valid if it is against ISO 27001:2013, and the certificate describes which parts of the company are covered.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is specifically for organisations that are able to accept payment cards such as chip and PIN, contactless, credit cards, debit cards, etc. Organisations that have achieved this certification should provide the greatest level of confidence to the customer with regard to their payment card information. This is supported by regular technical penetration testing of the network.

This is the logo that companies certified to the PCI DSS can display. The crest may differ slightly but will include ‘PCI DSS compliant’.

Kitemark for Secure Digital Transactions

Awarded by the British Standards Institute, this certification is granted after independent testing shows that the organisation has security controls to protect the financial and/or personal information it handles.

Checking certifications

The main way to check is on the company’s website. It may be displayed on the ‘About us’ page or a ‘Certifications’ page.

Some certifications can be checked on a central website: Cyber Essentials can be checked on the website of the certification bodies and ISO 27001 can be checked on the websites of the certification companies.

Certifications do not guarantee that your information is secure, but they do give greater confidence that your information will have some protection and that the company is responsible and committed to information security.

8.2 Online purchasing

Companies that process purchases online have to comply with minimum standards agreed by the PCI Security Standards Council. One is the need for encryption, which means the data is transformed so that it cannot be understood if it is read by a person who is not supposed to see it. There are two key things to look for when buying online: the application protocol that the website uses, which is displayed in the address bar, and the padlock that shows the site is secure. What you are looking for is ‘https://’ before the website address, which means the website is using a secure protocol.

All the information for the security of the site is found in or beside the address bar. The padlock shows the site is secure and the https:// shows a secure protocol is being used.

Hovering the mouse cursor over the padlock shows the name of the certificate authority.

Next to the padlock is an ‘i’, which will allow you to see the information for the site. This information is verified by the digital certificate authority. There is an icon to view further information that will allow you to verify the site is secure.

As a consumer you can see the security information for the site, including whether you have saved passwords for the site and what encryption standard is being used. This site is using TLS 1.2, which is an acceptable type of encryption for a PCI DSS-certified site that can accept payments.

Many websites offer you the option of storing your card details when you make a purchase with them. It is advised not to save your card details online, as this creates two new avenues through which your card details can be compromised: your browser and the website itself.

8.3 Chip and PIN cards

There have been a number of technological innovations in recent years to make payments and online transactions easier. As the use of technology increases, so does the number of risks. This has certainly been the case with chip and PIN cards.

There are two main outcomes of an attack on Chip and PIN cards: information can be taken from the card that will allow payments to be made with those card details, and payments can be processed without the cardholder knowing, even when the cardholder is still holding the card.

These are some of the different types of attacks:

  • By getting hold of the card, the card details can be used to make online purchases, or the card can be ‘cloned’ (an exact duplicate is made) and used overseas where chip and PIN is not used.

  • A ‘card skimmer’ can read and record the card information. This is mainly seen at ATMs, and can be combined with ‘shoulder-surfing’, where PINs are viewed and remembered.

  • Stealing the card information from a site where the details have been stored.

  • Intercepting a new card in the mail and using it for online transactions.

  • Using stolen information to request a new card from the card issuer.

You can do the following to prevent these types of attack, or to reduce their impact:

  • Cover your hand when you are entering your PIN into terminals.

  • Don’t let the terminal be removed from your vision.

  • Request the terminal be passed to you instead of giving your card to the retailer.

  • Regularly review your card statements to identify unknown or strange transactions.

  • Carry your card in an inside pocket, front pocket, closed purse or closed handbag to prevent pickpocketing.

8.4 Contactless cards

Contactless cards are chip-and-PIN cards with extra functionality, so the points above still apply.

Contactless cards are used to make payments without even putting the card into a machine. They work with ‘near field communication’: the terminal can read the card from a very short distance, which allows the transaction.

With this technology come a number of new risks. The dominant risk when using contactless cards is that a transaction can take place without the cardholder even knowing. Criminals use card readers in confined areas, so even when cards are in handbags, wallets or purses, transactions can still be made.

A handheld card reader can be seen in the image above which was published in the Daily Telegraph. (www.telegraph.co.uk/technology/2016/02/17/if-you-have-a-contactless-card-watch-out-for-this-scam). This image was reportedly captured on the London Underground. The carriage is congested, so it is likely that the person with the card reader was able to process lots of unauthorised transactions without the cardholder’s knowledge, each at £30.

To help prevent these attacks, or reduce their impact on you, you can use an RFID-blocking sleeve or an RFID-blocking wallet or purse. Confirm the RFID-blocking device works by testing it against a reader in a retail outlet, then verify this by making a payment with the same reader. There can also be accidental transactions if you have more than one contactless card. Transactions have been charged to the wrong card when the wallet is presented to make a purchase, which could be an issue if a card issued by your employer is contactless and an unauthorised purchase is questioned by the company.

An RFID-blocking wallet or purse will prevent your contactless card being used unintentionally. The wallet to the right is produced by Secrid (www.secrid.com) and can protect up to six cards, as well as hold notes. As of November 2017 Secrid has put a single price of €50 on its mini-wallet so there should be little variation throughout Europe, and it can be bought from the company online.

RFID-blocking sleeves can be bought through online marketplaces such as Amazon. The image to the left also shows RFID blocking passport sleeves. There have not been any reports of passports being read by this method, but as more countries are talking about developing digital passports with biometric information, sleeves such as these will be a good precaution.

8.5 Motioncard

An innovation that is being developed and trialled in mainland Europe is the Motioncard. When you make an online payment the details that are needed from your card are the long card number, the expiry date and the three-digit security code on the back of the card, known as the CVV.

The Motioncard has a digital CVV that changes every hour. It works with a payment system that records your card number and the CVV currently in use, so that any payments you make can be authorised. Because the CVV changes every hour, stolen card information is only valid for up to an hour, which limits the number of fraudulent purchases that can be made.
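The hourly-changing CVV described above can be modelled as a time-windowed code, in the same way a TOTP authenticator code is derived. The following is an added illustration, not Motioncard's or any issuer's real scheme: the card number, the issuer key, the timestamps and the derivation itself are all constructed assumptions. It shows why a code copied from the card is useless to a fraudster once its hour has passed.

```python
import hashlib
import hmac

# Constructed sample values: not a real card, not a real issuer key.
CARD_PAN = "4111111111111111"
ISSUER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
WINDOW_SECONDS = 3600  # the chapter says the CVV changes every hour


def dynamic_cvv(key: bytes, pan: str, now: int, window: int = WINDOW_SECONDS) -> str:
    """Derive the three-digit code valid for the hour containing 'now'.

    Assumed construction: HMAC-SHA256 over (card number, hour counter),
    truncated to three decimal digits, as a TOTP-style code would be.
    """
    counter = now // window
    msg = pan.encode() + counter.to_bytes(8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1000:03d}"


def authorise(key: bytes, pan: str, presented: str, now: int,
              window: int = WINDOW_SECONDS, skew_windows: int = 1) -> bool:
    """Issuer-side check of a CVV presented at time 'now'.

    The current hour and 'skew_windows' previous hours are accepted so a
    payment submitted just before the code rolls over is not rejected.
    """
    for back in range(skew_windows + 1):
        expected = dynamic_cvv(key, pan, now - back * window, window)
        if hmac.compare_digest(expected, presented):
            return True
    return False


def demo() -> tuple[bool, bool]:
    """Legitimate use within the hour versus replay of a stolen code later."""
    t0 = 1_700_000_000  # constructed timestamp (14 November 2023, UTC)
    code = dynamic_cvv(ISSUER_KEY, CARD_PAN, t0)
    same_hour = authorise(ISSUER_KEY, CARD_PAN, code, t0 + 600)
    three_hours_later = authorise(ISSUER_KEY, CARD_PAN, code, t0 + 3 * WINDOW_SECONDS)
    return same_hour, three_hours_later


if __name__ == "__main__":
    ok_now, ok_later = demo()
    print(f"payment within the hour accepted: {ok_now}")
    print(f"stolen code replayed three hours later accepted: {ok_later}")
```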

There is no indication when this technology will be available in the UK or Ireland.

8.6 Apple Pay and Internet of Things (IoT) payments

With the way technology and the IoT are developing, there are more devices that can be used to make payments. With an Apple Pay-enabled Apple Watch you can buy coffee with a flash of your wrist, or even a swipe of the phone if that has Apple Pay enabled.

A big risk with all these devices is that for you to use Apple Pay, they must have your card details saved on them. These devices are not as secure as computers or laptops because you cannot put as many security features on them. You should weigh up whether using Apple Pay on your watch or phone will be so convenient and make your life so much easier that it is worth the risk.

8.7 ATMs/Cashpoints

Automatic Teller Machine, abbreviated to ATM, is the term used in the US for a cashpoint. It has also come into use in the UK for cashpoints. For ease of reference, ATM is used in this book.

There are two things an attacker needs to defraud a chip and PIN card: the card information and the PIN. Attackers will try many devious ways to get the card information and the PIN.

A common way to get the card information is by inserting a device inside the card reader that copies the card details. These devices allow the intended transaction to be completed, but read the card information and store it so that a duplicate card can be created at a later time.

Alternatively, a false overlay could be fitted to the ATM, again with the intent of copying the card information. This is called card skimming. Once the information is copied from the card it could be cloned or the information could be used in any other way for the attacker’s benefit at the victim’s expense.

There are three things you can do to protect yourself when using ATMs:

  • Check the ATM for any tampering: look for anything that you would not expect, or feel the individual components of the ATM to check that they are secure and appear to be genuine parts of the machine.

  • Be aware of the environment, particularly of people paying attention when you are entering the PIN.

  • Use an ATM that is monitored within a secure area, for example in a bank lobby or in a retail outlet.

The following image was issued by the US FBI to explain what card skimming is.

The following image is an illustration from Pakwired.com that shows how attackers use cashpoint machines against you.

Seven tips to help you protect yourself from ATM theft:

  1. Get in the habit of using the same ATM for your transactions. Become familiar with it so that you can recognise changes to the machine.

  2. Use ATMs inside banks rather than on the street.

  3. If you’re visiting an unfamiliar ATM that is not inside a bank, examine it for devices. Card- or cash-trapping devices need to be glued or taped to the card reader or cash dispenser. Look for ‘extra’ cameras beyond the basic and generally obvious ATM security camera.

  4. Never rely on the help of strangers to retrieve a card that is trapped in the ATM.

  5. Never use an ATM when other people are lingering.

  6. Report cards trapped in the machine immediately. Try not to leave the machine. If at all possible, call the bank using a mobile phone from the ATM where your card was taken.

  7. Don’t use ATMs with extra signage or warnings posted on the machine; these signs may be put there to divert your attention when you use the machine.