By Justin Staskiewicz, Payments and Fraud Analyst
Secure Remote Commerce (SRC) is a standardized e-commerce checkout method proposed by EMVCo in 2017. The stated goal of SRC is to “establish the foundation to deliver a consistent consumer checkout experience while increasing simplicity and security.” Practically speaking, the SRC product will be a unified pay button for e-commerce checkout that will house consumers’ payment cards securely in one location, whether they are American Express, Discover, MasterCard or Visa cards.
One of the main advantages EMVCo touts is that it will make guest checkout easier for consumers and more secure for merchants. The design philosophy guiding EMVCo is less consumer friction at checkout, which should lead to a better consumer experience and less cart abandonment. This is accomplished, in theory, because consumers only have to register and log into their SRC account once. From then on, as long as the consumer is transacting from the same computer, using the same internet connection and satisfying the system that a few dozen other data points are consistent, they will not be prompted to log in again.
Our analysis, however, has uncovered a potential gap in security we feel merchants should be aware of, and that EMVCo should address.
How SRC Works and How it is Secured
As an example, imagine a family on Friday night placing an order for a pizza. The first time they use SRC at checkout, they must register, verify their identity and then choose a payment card to store within the SRC product. Once registration is complete, the consumer chooses to store their Visa credit card and finishes the pizza order.
Two weeks later, the same consumer using the same computer places a retail order through their favorite online clothing company. If the clothing retailer accepts SRC online, then when the consumer reaches checkout, no login or password will be required when clicking the SRC pay button; the customer will be recognized and authenticated by their device fingerprint. After clicking the SRC pay button, the stored payment credentials (the Visa card from before) will be displayed in a masked + last 4 format. Let’s imagine that for this clothing purchase, a branded MasterCard credit card is added to the SRC profile for the added reward points and the customer completes the order using the now-stored MasterCard.
Our consumer is recognized by the device they are using and is no longer required to enter any credentials for purchasing through retailers where SRC is accepted. Recognition of the device is the main authenticator for the SRC product—a unique value that is stored within the cookies of a browser, whether the device is a Mac, Windows PC or mobile phone.
This device fingerprinting works the way many fraud prevention systems do to identify the unique devices customers are transacting through. As a data point for fraud prevention, it has proven to be quite successful. For example, a rapid change of devices for one person, or a single device fingerprint associated with a large number of payment credentials, are both indicators of payment fraud.
How Fraudsters Might Leverage SRC
Fraudsters, hackers and other cybercriminals buy and sell victim information on the dark net. The most robust and fleshed-out profiles are “fullz,” which include name, address, social security number, date of birth, payment card information, CVV/CVC code, expiration date, device make and model information, associated IP addresses, and much more. Fraudsters are also aware now that fraud prevention systems are using device fingerprinting, so they use burner devices or fraud-specific emulation software to create the illusion of a new device fingerprint for fraudulent transactions. This, however, is not wholly successful, because a device fingerprint that is totally new to a merchant still carries some associated risk (albeit lower than a device that has suspicious behavior associated with it).
In April of this year, Kaspersky Labs revealed at their 2019 Security Summit a key evolution in cybercriminal sophistication. Sergey Lozhkin shared that they’d discovered a dark net marketplace that was selling browser cookies for stolen identities as part of the “fullz” profile. Hackers had been infecting computers and mobile devices with malware that collects cookies. These user cookies are then loaded into a custom version of Chrome or Firefox by fraudsters. So, instead of appearing like someone using a brand new device, fraudulent transactions appear to be coming from a victim’s trusted device. Kaspersky Labs stated that they first discovered the marketplace in February 2019 but that it had existed since the fall of 2018. At the time of Kaspersky Labs’ 2019 summit, they noted that 60,000 of these victim profiles were for sale on the marketplace.
Using our example from above, if a fraudster has access to the consumer’s browser cookies, they can use them on their own computer to mimic the victim’s device. So, without having to enter a single payment credential or password, a fraudster will be able to take over the account and place orders with any merchant that accepts SRC with the victim’s stored Visa and MasterCard.
Knowing that SRC will be verifying customers and automatically logging them in based on a device fingerprint that is stored as a cookie in the browser gives me great pause. Fraudsters are already recognizing the value of device fingerprinting as a data point that can be sold as an enriching credential to assist in committing payment fraud. I fear what happens when cybercriminals discover that this device fingerprint now serves as the password to a digital wallet with (potentially) multiple payment cards per profile that can be used at any online merchant that accepts SRC. Rather than the fraudster having to fool device fingerprinting for each merchant, bank or fraud platform, in the SRC world they need only fool the device fingerprint of the SRC. I fear that SRC, in its effort to eliminate passwords and friction, may also be creating a highly valuable data point that cybercriminals will seek to steal, monetize and utilize for payment fraud.
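As an added illustration of the two points made above, the fraud indicators (a single device fingerprint tied to many payment credentials) and the replayed-cookie scenario, here is defender-side detection logic written for this article; it is not SRC or EMVCo code, and the event fields, device tokens, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample checkout events for this example (not real SRC data).
# Field names are assumed: (account, device_token, card_last4, ip, user_agent).
EVENTS = [
    ("alice", "dev-A1", "4242", "203.0.113.10", "Safari/Mac"),
    ("alice", "dev-A1", "5555", "203.0.113.10", "Safari/Mac"),
    # alice's token presented from a different network and browser build
    ("alice", "dev-A1", "5555", "198.51.100.77", "Chrome/Win"),
    # one token checking out with four different accounts' cards
    ("bob",   "dev-Z9", "1111", "198.51.100.77", "Chrome/Win"),
    ("carol", "dev-Z9", "2222", "198.51.100.77", "Chrome/Win"),
    ("dave",  "dev-Z9", "3333", "198.51.100.77", "Chrome/Win"),
    ("erin",  "dev-Z9", "4444", "198.51.100.77", "Chrome/Win"),
]


def context_drift(events):
    """Tokens presented with an IP/user-agent pair different from the one
    seen when the token was first observed. A copied cookie carries no
    proof of the device itself, so a change in surrounding context is the
    remaining server-side signal that the token may have been replayed."""
    first_ctx, flagged = {}, set()
    for _, tok, _, ip, ua in events:
        if first_ctx.setdefault(tok, (ip, ua)) != (ip, ua):
            flagged.add(tok)
    return flagged


def promiscuous_tokens(events, max_cards=2):
    """Tokens associated with more distinct payment cards than one household
    would plausibly hold: the 'single device, many credentials' indicator."""
    cards = defaultdict(set)
    for _, tok, last4, _, _ in events:
        cards[tok].add(last4)
    return {tok for tok, c in cards.items() if len(c) > max_cards}


def accounts_to_step_up(events):
    """Accounts whose frictionless checkout should be interrupted with an
    additional verification step because their device token is suspect."""
    suspect = context_drift(events) | promiscuous_tokens(events)
    return {acct for acct, tok, *_ in events if tok in suspect}


if __name__ == "__main__":
    print("drifted tokens:", context_drift(EVENTS))
    print("promiscuous tokens:", promiscuous_tokens(EVENTS))
    print("step-up required for:", sorted(accounts_to_step_up(EVENTS)))
```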
We Need a Conversation with EMVCo
In April of this year I attended a webinar led by a guest speaker from MasterCard who would be discussing the SRC product. After the presentation I explained my security concerns regarding how SRC would be using device fingerprinting and asked how account takeover (ATO) would be mitigated for the SRC product. The response I got was that they “would be looking into that post-launch.”
Discouraged, I attended a 2-hour presentation on the SRC product at an industry conference in July. At the presentation, the Chair of EMVCo’s SRC Working Group gave a technical overview of the SRC product, during which he stated the product had been evaluated by a third-party security firm. During Q&A, I explained my ATO concerns to him and how the device fingerprint in the cookies could become a valuable data point to be stolen and sold. When asked if the third-party security company had taken ATO scenarios into consideration during its security audit, he stated that they had not.
The EMVCo representative’s response was that if someone was able to mimic a customer’s device and enter their SRC wallet, they wouldn’t be able to extract any payment information from the wallet because the stored values would be in a masked + last 4 format. Extracting information, however, is not the concern.
If a fraudster has access to the wallet, they are going to use it to make fraudulent orders, not try to extract and sell the card information. After the presentation there was a station to leave feedback on the session; I left my contact information and urged EMVCo to contact me about this security concern. I have not yet heard back.
A joint study on fraud by Javelin and LexisNexis found that overall card-not-present (CNP) fraud rose by 115 percent in 2018. The study also found that account takeover fraud rose by 300 percent in 2017 and another 177 percent in 2018, totaling $5.1 billion in losses. Furthermore, the research revealed the average amount of time required to resolve an ATO fraud case is 16 hours.
As far as I can tell, the SRC is creating an ATO vulnerability for consumers and merchants that will exacerbate an already-challenging ATO environment. Fraudsters already have the technology to “crack” the SRC product and cybercriminals, in general, seem to be flocking to this type of fraud. It’s also worth noting that, from a merchant perspective, the liability for chargebacks on SRC payment transactions still resides with them, not the issuer.
I hope EMVCo will take this security concern to heart, consider what it means for the SRC product and share its assurance that it will be proactive about fraud and not address this after it has already become a problem. I’d be interested to hear how they are going to evaluate ATO scenarios and, as a result, what additional steps a consumer might have to take when a login or transaction is suspicious. Adding a 3D-Secure step-up for transactions or another form of two-factor authentication to transactions undermines the intent of the SRC product by adding friction. If this means a reevaluation of how the device fingerprint is being stored and used, then it may also add friction.
There is a myriad of concerns that I feel are not being addressed to achieve the product’s stated goals of lowering friction and reducing fraud. If EMVCo is not considering the ATO implications, then every consumer who stores a credential in the SRC wallet and any merchant that accepts SRC as a payment method should be aware of this as a liability.
SRC is scheduled to begin rollout later this year.
Justin Staskiewicz is a Payments and Fraud Analyst with more than five years of industry experience in payment fraud, identity fraud, social engineering, account takeover, synthetic fraud, credential stuffing, device cloning and loyalty fraud.