1. How [not] to shoot yourself in the
foot with credit cards
Marat Vyshegorodtsev
System Security Office
Rakuten Inc.
https://global.rakuten.com

2. Bio
Marat Vyshegorodtsev
Key areas of expertise: payments and security

3. About Rakuten

4. Worldwide growth
E-commerce in 14 countries and regions
All services and businesses in 27 countries
2011200920082005 201320122010
INVESTMENT
2014

6. History of the credit card

7. Where is the problem?

8. Where is the problem?
Here

9. Legacy issues
• Merchants still use imprinters in 2014
• Magnetic stripe will stay forever
• People will use credit card numbers for online transactions

10. Credit card data protection
Hard and scary
data security standard
up to $100,000
to implement at one site

11. Scale of the problem
• 100+ businesses processing credit
cards in 27 countries
• Few security engineers in Japan
• $100,000 per site

12. Approach
Tokenization — replace credit card number with some random string that
only makes sense to your service
Keep real credit card numbers in one secure, dark and dry place
If stolen, nobody can use these tokens

13. Approach
Contain insecure
mechanism
Replace it
with secure system
Provide interface
TokensCards
Pay with Token

14. Using an existing solution
It is tempting to map one credit number to a unique token:
• Fraud analysts want it
• Marketing wants it
• Much easier to see things in the database

15. Watch out for fingerprints
① ②
③

16. Problems with one-to-one mapping

17. Problems with one-to-one mapping
Card IIN
Account number
Check digit

18. Problems with one-to-one mapping
• Only 8 digits to bruteforce per one issuer
• Attackers can easily build a dictionary of all tokens to card numbers
• Attack is easy, reissuing all tokens every time is hard

19. Unique token every time
• No unique identifiers for cards in Rakuten
• Same credit card produces different tokens every time it is inputed
• But how to do analytics?

20. Allowed to store and display
• Masked PAN: 4297 69xx xxxx 6789
• Cardholder name: Taro Rakuten
• Expiration date: 02/2020

21. Allowed to store and display
• Masked PAN: 4297 69xx xxxx 6789
• Cardholder name: Taro Rakuten
• Expiration date: 02/2020
Duplicates?

22. Big data to help!
We ran a query to see how many duplicates we have among our users
Among total Rakuten users (~100M by now) around 250 duplicates were
found
It is a bit hard to tell precise number, because we only can see masked
PANs
0.00025% of users may have similar looking cards

23. Ok, how about issuers then?
— Hmm… Issuers don’t have much power over their
customers’ security
— Let’s give them that!

24. Welcome 3D-secure!
Take one
insecure mechanism
Add another
insecure mechanism
3D-SecureCards

25. 3D-Secure

26. 3d-secure on mobile apps
• You can’t use native components. Only WebView, only hardcore!
(and you don’t see the URL in most of the cases)
• Responsive UI for mobile 3D-Secure pages? No, never heard.
• Frustration of the customer? That’s the shop’s fail.

28. The future of payments
Credit card will remain the main interface to your bank account
Companies will make secure and convenient interfaces to your credit cards:
• NFC, PayPal Beacon or Passbook in physical world
• Secure payment gateways in the Internet
• Facebook + WhatsApp + payments, Gmail + Google Checkout, more
to come
• 3D-Secure will die

29. Future: drop “credit card” from the equation
If everybody uses new technologies, why do we need credit cards?
• Banks are bad at creating unified Internet services
• Americans can’t get rid of plastic

30. Thank you!
marat.vyshegorodtsev@mail.rakuten.com