Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Cloud Security Attack. Show all posts

RBI Employs Tokenization to Combat Breaches

 

The RBI, the central bank of India, is now prepared to impose card tokenization in India after permitting customers to link credit cards with UPI. In the midst of all of this, many users are perplexed as to what card tokenization actually is and why applications and websites advise users to safeguard their credit and debit cards following the RBI's new rules.
 
What is tokenization? 

Tokenization is the process of replacing actual card information with a special alternate code called a 'token,' which must be different for each card, token requester, and device, i.e. the organization that accepts customer requests for card tokenization and forwards them to the card network to produce a corresponding token.

Researchers are still quite aware of the data exposures from MobiKwik and Domino's India. As users can see, the data becomes vulnerable to data breaches and leaks if you store your private card information on the cloud servers of numerous such online apps and websites.

Although some websites might have the highest levels of security in place to protect user credit card information, others may not be adhering to international security requirements. Having credit card information being dispersed over several servers with varying levels of security gives hackers more access points. The RBI now wants to alter the current state of digital payments and standardize 'tokenization' to increase the security of all online card transactions.

In September 2021, the RBI ordered that card-on-file (CoF) tokenization be used instead of retailers holding client card information on their systems beginning January 1, 2022. In addition, businesses such as apps, websites, payment processors like RazorPay, or banks will no longer be responsible for safeguarding your card information. Tokenization is a technique the RBI developed to protect domestic card transactions by employing random strings of tokens rather than disclosing the user's personal card information.

Since the regulation on tokenization was published, according to Deputy Governor Sankar, the central bank has been in close contact with all stakeholders to guarantee a smooth transition to the tokenization policy.

How does tokenization work? 

The process of tokenizing cards is straightforward. When a card is chosen to be tokenized, the card network such as Visa, MasterCard, etc. issues the token with the bank's approval and gives it to the retailer. For example, when you save an SBI Visa debit card on Paytm by RBI's requirements, Visa will create the token with SBI's permission and share it with Paytm.

If you decide to save the identical credit or debit card on some other app, let's say Amazon, a new token will be issued and shared with Amazon. The token will vary based on the merchant and device, even if it's the same card. From a security standpoint, it implies the tokens are unique and discrete, which is beneficial.

Potential effects of tokenization

The RBI was forced to develop card tokenization as a result of the constant data leaks, thefts, and breaches that occur in the digital age. Not to add that the various security standards used by apps, websites, payment processors, and other middlemen compromise users' online security.

Tokenization has very little of an effect on the customer. Customers simply need to submit their card information once to receive a token. The process of tokenization will then be initiated by the merchant at no further cost or customer effort.

According to experts, there are no drawbacks to card tokenization from the perspective of the end-user. The RBI standards must be implemented by merchants and payment systems, but aside from that, consumers benefit.

Public Cloud Infrastructures suffering from Security Loopholes and Vulnerabilities, researchers say


Igal Gofman, XM head of security research, and Yaron Shani, XM senior security researcher, in their research, found a new attack vector in cloud providers API ( application programming interface), that gives miscreants a window to access secured cloud data. Public Cloud Infrastructure, has added a new invisible management layer, that complicates the procedure creating security challenges, that requires better understanding. Often organizations fail to understand this management layer and hence lag in securing it, inviting attacks.

Working with public cloud infrastructure without the right understanding of risks and security challenges may lead to fatal consequences with customer risks, as was the case in Capital One breach."Current security practices and controls are not sufficient to mitigate the risk posed by a misunderstanding of the public cloud", said the researchers.

 Findings in the research

Researchers found that public cloud providers' APIs' accessibility over the internet opens a window for adversaries to exploit and gain access to confidential data on the cloud. And current security systems and practices are not equipped to beat the risk posed by misconfiguration of the cloud.

People who are in charge of managing cloud resources can easily gain access to APIs' using software kits and command-line tools as they are part of the development and IT team. "Once those account credentials are compromised, gaining access to high-value resources is trivial," the researchers say. Cloud APIs' can be accessed through the internet, with the correct API key, for example, the Command line interface tool, which saves the user's credentials which can be accessed by the cloud provider.

Attackers don't need a very sophisticated approach to sneak in cloud API, "In practice, the sophistication required to develop such tools is not high, because basically all the information is publicly available and well-documented by most cloud providers, meaning they document each security feature in great detail and it can serve both the defenders and the adversaries," Gofman and Shani say. And once, their credentials are compromised using cloud providers tools, it's easy for the black hats to rob you blind.

In order to protect themselves, organizations and companies should follow the best practice guidelines from the cloud provider. Large organizations should constantly and periodically monitor permissions and risk factors. Analyzing attack paths can decrease the risk factors, suggest the researchers.