Author Archives: Howard Solomon

‘Remote access is here to stay,’ healthcare webinar told

Many clinical and administrative staff will be treating patients and accessing data remotely after the COVID-19 crisis settles, experts said during a Canadian webinar on the effects of the pandemic on the healthcare sector.

“Remote access is here to stay. In a big way,” said Kashif Pervaiz, CISO of Toronto’s University Health Network (UHN), a group of three hospitals, rehabilitation centres and a clinician training school.

Delivering services efficiently as well as assuring patient privacy is “definitely going to be big,” he said. UHN now has a group led by an executive vice-president dealing with ways of safely delivering virtual care, he noted, stressing that the effort is executive-led.

To deal with the pressure of operational and medical staff suddenly having to work remotely, some security policies needed “to be bent a little bit,” Pervaiz admitted. “We haven’t thrown security out of the window (but) we have had to adapt a bit.”

That meant re-thinking how to deliver remote access. Instead of relying on virtual private networks (VPNs), UHN turned to web-enabled solutions in some cases. That makes his environment “somewhat device-independent,” lowering the attack surface. He also stepped up network monitoring and incident response procedures.

“The days of saying no right away are long behind us,” he warned CISOs.

Pervaiz was speaking on the first day of a week-long series of webinars called siberXchange run by Richmond Hill, Ont.-based SiberX, which produces cybersecurity events. Each day this week has a set of panels or speakers centred on a single topic. Tuesday’s topic is business continuity, Wednesday’s is women in cybersecurity, Thursday’s is aimed at CISOs and Friday’s theme is smart cities.

Panellist Ali Shahidi, director of information security management and privacy for Ontario Health – a group of 20 agencies including 14 local health integration networks and the Ontario Telemedicine Network (OTN) – said his agency has had to face several remote access challenges due to the pandemic.

Thanks to some “leeway” from the provincial information and privacy commissioner, the agency was able to change some security and remote access procedures, he said. Some access projects that might have taken months were done in two weeks, he explained, thanks to staff working round the clock. “It showed we can be agile.”

Shahidi, Pervaiz and panellists Daniel Pinksy, manager of the information security program at IT provider CDW Canada and Hoda Nasseri, a cyber defence manager at KPMG Canada, also said that the number of COVID-related email threats to the healthcare sector has increased. As reported elsewhere, Nasseri said there are also government warnings that other countries are interested in stealing COVID-19 related vaccine research.

However, she added, most nation-state attacks aren’t complicated. Hospitals and clinics that perform basic cybersecurity hygiene, including patching and using multi-factor authentication to protect administrative accounts, will be protected against most targeted attacks, she said.

Ultimately, said Pinksy, the goals of infosec teams need to be driven by the goals of the organization. “We exist to enable the business.” If the business changes, information security has to adapt.

The question, he said, is how does IT pivot and continue to support and enable the business, while at the same time managing risk?

Official Canadian COVID exposure notification app now available from Google, Apple stores

Canada’s federally-approved COVID-19 exposure notification app launched this morning, with residents of Ontario being the first in the country to be able to use the tool aimed at limiting the spread of the virus. Called COVID Alert, it can be downloaded by anyone in the country but so far only those in Ontario will receive…

Cybercrooks likely using EMV by-pass attack to weaken payment card protection: report

Gemini Advisory, a U.S. cybersecurity firm, warned Thursday that hackers might have found a way around the tough security of payment and ATM access cards carrying data-encrypting Europay, Mastercard, and Visa (EMV) chips without cloning the chips. The sale of stolen card data from two hacks in the U.S. this year is likely the result of the vulnerability being abused by cybercriminals, Gemini said in a report.

The report highlights that the technique can be “dangerously effective” if banks don’t perform a check when processing card transactions. The reverse is also true: If banks properly do security checks, the technique is blunted.

Gemini calls the technique “EMV by-pass cloning.” Briefly, by using malware on point-of-sale (POS) machines, a small but vital piece of data is extracted from the EMV chip called the iCVV number, which is needed for transaction verification. This number can then be copied onto the magnetic stripe on the back of a blank payment card. The criminal then swipes (not taps, because it doesn’t have a chip) the new card in a bank or retailer’s card reader, which reads the mag stripe and sees the iCVV. Without proper processing by the financial institution, it might be accepted as if it was the original card with an EMV chip.

In short, a crook can take information from an EMV chip and transfer it to a mag stripe on a different card. No need to clone the chip; the scam works because POS machines around the world still accept the less secure mag stripes for transaction information.

Gemini credited a report issued earlier this month by a consulting firm called Cyber R&D Lab with discovering the technique. Lab researchers did a proof of concept and then tested it on cards from 11 unnamed banks in Europe and the U.S., out of which four accepted transactions using the fake cards.

After reading the report, Gemini says it believes that this discovery explains the recent sale on the dark web of 720,000 payment card numbers with iCVV numbers from the January hack of a northeastern U.S. supermarket chain and the June 29 hack of card data from a wine and liquor store in the state of Georgia. Gemini also says it believes that the cybercriminals must have used the EMV by-pass cloning technique to get the iCVV numbers.

There is another way of getting iCVV numbers, and that’s by secretly installing an electronic shimmer inside a point of sale device or ATM to capture the number as customers use the cards. However, Gemini notes the two hacks involve too many payment card numbers for even several compromised POS devices to capture. So, it concludes, the by-pass cloning technique was used in those hacks.

“EMV technology has until now been as secure as it gets,” Christopher Thomas, an intelligence production analyst at Gemini Advisory, said in an interview. “So it’s significant there’s a workaround… That is certainly a cause for alarm. However, it’s also important to note that Cyber R&D Lab compromised four out of 11 cards, the verification systems of the other banks did work. This seems to be a problem that only affects banks that are not verifying the way they should be.”

The Canadian Bankers’ Association, which represents the country’s major banks, wouldn’t comment on the Gemini report. Instead, it issued the following statement: “Banks are leaders in cybersecurity and their highly-skilled IT security teams use advanced technologies to safeguard their operations and keep their customers’ money and data safe from illegitimate acts. Banks constantly scan the threat horizon to stay on top of ever-evolving fraud typologies and thwart attacks of all kinds.”

Detailed explanation

Now for the more detailed explanation of the Gemini and Cyber R&D Lab reports: Most people know the backs of payment or access cards carry a CVV number for card and transaction verification in what the payment industry calls “card not present” purchases over the phone or online. Buyers are sometimes asked to read out or type in the number.

The CVV number is also part of the hidden information (including issuing bank, cardholder name) on the magnetic stripe on the back of cards for point-of-sale machines to read when the cards are swiped in “card present” purchases in stores. The coding on mag stripes was cracked by cybercriminals decades ago, allowing them to create counterfeit payment cards with cloned mag stripes, thus forcing banks and credit card companies to adopt the EMV chip.

These chips are protected by tough data encryption that prevents cloning. The transaction data on every chip includes an iCVV number, which is different from the card’s CVV number. When processing a transaction with an EMV card, bank computer systems are supposed to check the CVV number on the mag stripe to make sure it hasn’t been substituted with an iCVV number. If the stripe carries the iCVV instead, the card should not be trusted.

EMV chips have foiled counterfeiters since they were introduced in the late 1990s, first in Europe, then in Canada and more recently in the U.S. Last year Visa said merchants whose stores had converted to accepting EMV cards saw a 76 per cent drop in fraud over three years.

Criminals who use stolen credit cards for card-not-present transactions rely on data they can take from magstripes.

Use of NFC data

Since mag stripes are not hard to clone, Cyber R&D Lab wondered whether EMV data could be transferred to a mag stripe, getting around the problem of cloning chips. It did so by using the wireless Near Field Communication (NFC) capability on many EMV cards, the technology that enables tap-and-go transactions. To read the data from the NFC interface of real credit cards, researchers used an Android app called Card Reader Pro. This data was then compared to the data on the card’s magstripe for similarities and differences. Using that data, the researchers could calculate the card’s iCVV number and substitute it on the mag stripe of a cloned card.

When a point of sale machine is used for a transaction, a bank is supposed to check the card security code for validity. If the process isn’t done right, a mag stripe card will seem to the bank to be an EMV card.
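An added illustration of the issuer-side check described in the two paragraphs above (this is not code from the Gemini or Cyber R&D Lab reports): the stripe CVV and the chip’s iCVV are derived from the same card data but with different service codes, so an issuer that recomputes the value with the service code actually encoded on the stripe rejects a stripe carrying the iCVV, while an issuer that accepts either value does not. The key, the card number and the HMAC stand-in for the real DES-based derivation are all constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in key; real issuers use DES-based card verification keys.
ISSUER_KEY = b"constructed-demo-key-not-a-real-cvk"
# EMV personalisation derives the chip's iCVV with a fixed service code of 999,
# not the service code encoded on the stripe, which is what an issuer can check.
ICVV_SERVICE_CODE = "999"

def verification_value(pan, expiry, service_code):
    """Toy stand-in for CVV/iCVV derivation: keyed MAC over PAN, expiry (YYMM)
    and service code, reduced to three decimal digits like a real CVV."""
    mac = hmac.new(ISSUER_KEY, f"{pan}{expiry}{service_code}".encode(),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

def parse_track2(track2):
    """Track 2: PAN '=' YYMM + 3-digit service code + discretionary data.
    This simplified layout keeps the CVV in the last three digits."""
    pan, rest = track2.split("=")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7],
            "cvv": rest[-3:]}

def issuer_accepts(track2, strict):
    """Issuer-side check. A strict issuer only accepts the CVV recomputed with
    the service code actually on the stripe; a lax issuer also accepts the
    chip's iCVV, which is the gap the reports describe."""
    f = parse_track2(track2)
    if f["cvv"] == verification_value(f["pan"], f["expiry"], f["service_code"]):
        return True
    if strict:
        return False
    return f["cvv"] == verification_value(f["pan"], f["expiry"], ICVV_SERVICE_CODE)

def make_track2(pan, expiry, service_code, cvv):
    return f"{pan}={expiry}{service_code}{cvv}"

# Constructed sample card and two issuer test vectors.
PAN, EXPIRY, SERVICE_CODE = "4111111111111111", "2512", "201"
GENUINE_STRIPE = make_track2(PAN, EXPIRY, SERVICE_CODE,
                             verification_value(PAN, EXPIRY, SERVICE_CODE))
# A stripe carrying the chip's iCVV where the stripe CVV should be.
ICVV_ON_STRIPE = make_track2(PAN, EXPIRY, SERVICE_CODE,
                             verification_value(PAN, EXPIRY, ICVV_SERVICE_CODE))

if __name__ == "__main__":
    for label, t in (("genuine", GENUINE_STRIPE), ("iCVV on stripe", ICVV_ON_STRIPE)):
        print(f"{label}: strict={issuer_accepts(t, True)} lax={issuer_accepts(t, False)}")
```

The genuine stripe passes both issuers; the stripe carrying the iCVV passes only the lax one, which is the verification gap the Gemini report says separates the four affected banks from the other seven.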