Bank of Maldives contactless card security

The Maldivian banking landscape has undergone a significant digital transformation over the past decade, with the COVID-19 pandemic accelerating the pace of change. However, this transition has not been without its challenges, particularly the spending limits imposed on payments to foreign vendors, which can be burdensome for customers managing monthly subscriptions within those constraints.

While contactless payment card technology has been available for decades, its popularity surged in the wake of the pandemic as customers increasingly sought out tech-friendly solutions. Yet, alongside this trend, concerns about security have grown, prompting a closer examination of modern card designs and their effectiveness in safeguarding sensitive information. 

In this article, we delve into two primary pain-points faced by Bank of Maldives customers, shedding light on the following issues: 

1. The Risk of Fraudulent Practices: With the digitization of banking services, there is a heightened risk of potential exposure of sensitive card data to fraudulent activities. We explore the implications of this risk and measures to mitigate it. 

2. Security of Modern Card Designs: Specifically, we address concerns surrounding the security features of contemporary cards, focusing on two specific scenarios: the potential vulnerability to relay attacks and the effectiveness of built-in security protocols.  By examining these critical aspects, we aim to provide insights into the evolving digital banking landscape in the Maldives and offer recommendations for enhancing security measures to ensure a seamless and secure banking experience for customers. 

Analyzing The Architecture of Bank of Maldives Cards

For demonstration, we will use one of our own Bank of Maldives Visa and Mastercard credit cards, which comply with the ISO 14443-3A standard (ISO/IEC 14443-3, Type A), as a case study to examine how these security concerns are addressed.

In this example we use an NFC reader to extract the card's details: the UID, the bit rate, whether it is an ISO 14443-4A card, the ATQA, the SAK and the raw historical bytes.

Bank of Maldives card on NFC reader showing NFC data

The card's NFC data: the NFC reader revealed the following:

  • ISO 14443-3A compliant: the card type and standard the card follows. ISO/IEC 14443 operates at 13.56 MHz; the "3" refers to Part 3 of the standard (initialization and anti-collision) and the "A" to Type A signalling.
  • ATQA: 0004 (Answer To Request, Type A: the card's first reply to the reader, forming part of its anti-collision response)
  • SAK: 20 (Select Acknowledge: the byte the card sends after selection, indicating its capabilities)
  • Historical bytes: Raw: 73 C8 (**redacted**) (historical bytes can provide additional information about the card, such as the manufacturer or the specific card type)

While this data can help identify the specific card, it does not include any sensitive information such as the card number, expiration date, or CVV. This is because modern contactless cards employ advanced security features that protect this data.
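The values above are bit fields defined in ISO/IEC 14443-3, and decoding them shows what a reader app's "ISO 14443-4A card" verdict rests on. The following decoder is an added example written for this article, not code from the bank, the card scheme or the reader tool used; it assumes the ATQA is given as the 16-bit hex value the reader printed (0004, low byte first on the wire) and the SAK as a single hex byte (20).

```python
# Added example (not from the article): decode the ISO/IEC 14443-3 Type A
# identification values the article reports for the card (ATQA 0004, SAK 20).
# Bit layouts follow ISO/IEC 14443-3 (ATQA clause 6.5.3, SAK clause 6.5.4).

UID_SIZE = {0: "single (4 bytes)", 1: "double (7 bytes)", 2: "triple (10 bytes)"}


def decode_atqa(atqa: int) -> dict:
    """Decode a 16-bit ATQA value such as 0x0004.

    Low byte:  b1-b5 bit-frame anticollision (exactly one bit set),
               b6 RFU, b7-b8 UID size.
    High byte: b9-b12 proprietary coding, b13-b16 RFU.
    """
    low, high = atqa & 0xFF, (atqa >> 8) & 0xFF
    return {
        "bit_frame_anticollision": low & 0x1F,
        "uid_size": UID_SIZE.get((low >> 6) & 0x03, "RFU"),
        "proprietary_coding": high & 0x0F,
    }


def decode_sak(sak: int) -> dict:
    """Decode a SAK byte such as 0x20.

    b3 (0x04) set: UID incomplete, another cascade level follows.
    b6 (0x20) set: the card supports ISO/IEC 14443-4 (RATS / T=CL), i.e. an
                   application-level protocol such as EMV can be selected on it.
    """
    return {
        "uid_complete": not (sak & 0x04),
        "iso14443_4": bool(sak & 0x20),
    }


def classify(atqa_hex: str, sak_hex: str) -> str:
    """Summarise a tag from the hex strings a reader app prints."""
    atqa = decode_atqa(int(atqa_hex, 16))
    sak = decode_sak(int(sak_hex, 16))
    proto = "ISO 14443-4A" if sak["iso14443_4"] else "ISO 14443-3A only (no T=CL)"
    return f"{proto}; UID size {atqa['uid_size']}; UID complete: {sak['uid_complete']}"


if __name__ == "__main__":
    # The values reported for the Bank of Maldives card in the article.
    print(classify("0004", "20"))
```

Running it on the article's values yields an ISO 14443-4A card with a single-size (4-byte) UID, which is consistent with the reader's own classification; a SAK of 08, by contrast, would indicate a card that stops at the Part 3 layer and cannot carry an EMV application.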

Scenario 1: Contactless Card – Data Security & Exfiltration


As a cyber security research firm investigating the security of contactless payment cards, we have focused our analysis on the specific standards and protocols implemented by Bank of Maldives. The bank follows the ISO/IEC 14443-4A standard, which is widely recognized as one of the most secure standards for contactless smart card communications.

The ISO/IEC 14443-4A standard specifies advanced security mechanisms that provide robust protection for sensitive card data during contactless transactions. One of the key features of this standard is the use of secure messaging, which ensures that all data transmitted between the card and the reader is encrypted using industry-standard cryptographic algorithms.

In the case of Bank of Maldives cards, the card number, expiration date, and other sensitive information are encrypted within the card’s secure element or chip before being transmitted. This encryption process happens at the hardware level, making it virtually impossible for the plaintext data to be intercepted or accessed by unauthorized parties.

Furthermore, Bank of Maldives employs tokenization as an additional security layer. Tokenization replaces the actual card number with a unique tokenized value, which serves as a surrogate for the real card number. This tokenized data is useless to malicious actors and cannot be easily decrypted or reversed to obtain the original card information.

Scenario 2: A Relay Attack

relay attack

In a relay attack, a malicious actor could exploit the contactless nature of the transaction by intercepting and relaying the communication between the card and the payment terminal. By doing so, they could potentially initiate unauthorized transactions without needing to physically clone the card or access the sensitive data.

While the risk is relatively low due to various security measures, it is theoretically possible for someone to attempt to relay your contactless card transaction using NFC-enabled devices like smartphones. This type of attack is known as a “relay attack” or “man-in-the-middle attack”.

Here’s how it could work:

  1. The attacker would need two NFC-enabled devices, one to be held near your card (the “proxy” device) and another to be held near the payment terminal (the “mole” device).
  2. When you attempt to make a payment, the “proxy” device would capture the NFC communication from your card and relay it to the “mole” device via a fast communication channel.
  3. The “mole” device would then emulate your card to the payment terminal, making it appear as if your card is physically present.

However, Bank of Maldives has implemented an additional security layer called tokenization to make your card safer, even in the event of a relay attack.

Here’s how tokenization works:

Bank of Maldives tokenization process

  1. No real card data transmitted: When you make a contactless payment, the token is transmitted instead of your actual card number. Even if an attacker managed to relay this token, they wouldn’t have your real card data.
  2. One-time use: Each token is valid for a single transaction only. It can’t be used for subsequent transactions. So even if a token was relayed and used fraudulently, it couldn’t be used again.
  3. Token-to-card mapping: The token is meaningless on its own. It’s only the card issuer that can map the token back to your real card number for processing the transaction. This mapping takes place on the issuer’s secure servers.

While tokenization doesn’t completely eliminate the theoretical possibility of a relay attack, it significantly reduces the risk and potential impact. Even if a relay attack was successful, the attacker would only get a one-time token, not your actual card data.
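The three properties listed above (no real card data in the token, one-time use, and a mapping that exists only on the issuer's side) can be modelled as an issuer-side token vault. The code below is an added example written for this article, not the bank's or any card scheme's implementation; real EMV tokenisation additionally relies on per-transaction cryptograms and counters, which this simplified model leaves out. The PAN and clock values are constructed test data.

```python
# Added example (not the bank's or any card scheme's code): a simplified model
# of an issuer-side token vault with the three properties the article lists.
# The token is random (carries no card data), single-use, and only the issuer
# can map it back to the real PAN. Real EMV tokenisation also uses per-transaction
# cryptograms and counters, which are omitted here.
import secrets
from typing import Dict, Set, Tuple


class IssuerTokenVault:
    """Holds the token -> PAN mapping on the issuer's secure servers only."""

    def __init__(self, ttl_seconds: int = 60) -> None:
        self.ttl = ttl_seconds
        self._live: Dict[str, Tuple[str, float]] = {}  # token -> (pan, issued_at)
        self._spent: Set[str] = set()                   # tokens already redeemed

    def issue(self, pan: str, now: float) -> str:
        """Mint a random, short-lived, single-use token for one payment."""
        token = secrets.token_hex(8)  # 64 random bits, unrelated to the PAN
        self._live[token] = (pan, now)
        return token

    def redeem(self, token: str, now: float) -> Tuple[bool, str]:
        """Authorisation step: map the token back to the PAN, or reject it."""
        if token in self._spent:
            return False, "rejected: token already used (replay)"
        entry = self._live.pop(token, None)
        if entry is None:
            return False, "rejected: unknown token"
        self._spent.add(token)  # burn the token even if it turns out to be expired
        pan, issued_at = entry
        if now - issued_at > self.ttl:
            return False, "rejected: token expired"
        return True, pan


def run_scenarios() -> Dict[str, bool]:
    """Exercise the vault with a constructed PAN and fixed clock values."""
    pan = "4111111111111111"  # constructed test PAN, not a real card
    vault = IssuerTokenVault(ttl_seconds=60)
    t0 = 1_700_000_000.0

    tok = vault.issue(pan, now=t0)
    first_ok, first = vault.redeem(tok, now=t0 + 5)   # the genuine payment
    replay_ok, _ = vault.redeem(tok, now=t0 + 10)     # the same token presented again

    stale = vault.issue(pan, now=t0)
    stale_ok, _ = vault.redeem(stale, now=t0 + 600)   # presented long after issue

    return {
        "token_reveals_no_pan": tok != pan,
        "first_use_accepted": first_ok and first == pan,
        "replay_rejected": not replay_ok,
        "expired_rejected": not stale_ok,
        "unknown_rejected": not vault.redeem("deadbeefdeadbeef", now=t0)[0],
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The point of the `_spent` set is the second property: once a token has been seen, any later presentation of the same token is refused regardless of timing, so a captured token is worth nothing after the genuine transaction completes. The time-to-live covers the third case the article mentions, a token that is not presented promptly.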

Additionally, Bank of Maldives sends an SMS to your registered mobile number as soon as a successful transaction has occurred. This SMS alert can immediately notify you if a relay attack has taken place, as the attacker would need to be in close proximity to you, and the relay transaction would have to be instant, as these tokens are short-lived.

If you receive an SMS alert for a transaction you didn’t make, it’s crucial to immediately alert Bank of Maldives and the relevant law enforcement authorities. With your prompt action, the bank can narrow down the potential location and time of the attack, increasing the chances of identifying and apprehending the perpetrator.

IF MY CARD IS SO SECURE, HOW IS MY DATA GETTING COMPROMISED?

Mitigating Fraud Risks in Digital Banking: Safeguarding Sensitive Card Data

While Bank of Maldives implements robust security measures to protect your contactless card data, it’s essential to be aware of other potential vulnerabilities that could compromise your information. Here are a few scenarios to be cautious about:

1. Camera Positioning Risks at Point-of-Sale: Some merchants may unknowingly place high-resolution cameras in positions that capture card details during transactions, and that footage could be used by miscreants to steal your card details. Bank of Maldives mitigates this by printing all customer data on the back of its new cards, but customers should still exercise caution when exposing their cards. The Visa Card Verification Value (CVV) and the Mastercard Card Verification Code (CVC) used to be on the back of the card as an added security measure; with the new design, all the printed data has been moved to the back. American Express cards keep the CVV and other data on the front, because AMEX has one global branding standard that banks are not allowed to change. Customers should remain vigilant when handling their cards, and merchants also play a role in preventing cameras from recording card details at POS terminals and in protecting their CCTV from unauthorized access. Customers can also protect their card details with a CVV sticker or a full cover on the front of the card. [Try these amazing CUCU covers]

2. Automatic Card Renewal: When Bank of Maldives automatically renews your card, the card number stays the same (unless the card is re-issued because it was reported lost or used fraudulently), but the expiry date changes. The bank typically issues cards valid for 5 years: for example, if your current card expires in October 2024, the new card will have an expiry date of October 2028. However, some customers throw away or misplace their old card without realizing that the card number is still the same. It is crucial to destroy an expired card properly by cutting it into pieces so that nobody can misuse the card number. While the card number remains the same on renewal, the CVV (the 3-digit code on the back of the card) changes with each newly printed card, which adds an extra layer of security. Most online merchants now require the CVV as a mandatory step during checkout, as it helps prevent unauthorized use of your card. However, if someone obtains your card number, expiry date and CVV, they could use this information to make unauthorized purchases on websites that do not require 3D Secure authentication or Verified by Visa.

3. Online merchants without 3D Secure or a CVV requirement: If your card data is compromised, it can be used for online transactions with merchants that require neither 3D Secure authentication nor a CVV. Merchants are not obliged to check the CVV, but most reputable merchants now do so, as card issuers like Visa and American Express provide incentives for implementing this additional security layer.

4. 3D Secure and reputable merchants: Bank of Maldives uses the 3D Secure 1.0 protocol for online transactions, which requires the customer to enter a one-time password (OTP) received via SMS or email as additional verification. However, some reputable merchants such as Apple Pay and Google Pay may not require 3D Secure authentication, potentially allowing compromised card data to be used on these platforms.

5. Daily Limits and Single Transaction Limit without PIN: For POS transactions below MVR 750, tap payments do not require the customer to enter a PIN. If your card is lost, someone could therefore misuse it by making transactions below this limit. For transactions above MVR 750, entering your PIN is required, and you can easily update your PIN via the mobile app. Bank of Maldives also has a monthly cumulative limit for PIN-less transactions; once that limit is consumed, you will need to enter your PIN for all further transactions in that particular month.

Bank of Maldives has been actively promoting Scan to Pay, which includes an added security layer of OTP sent to your registered number, verifying any Scan to Pay or QR payments. This method also prevents your card details from being scanned, providing a more secure way to transact.

6. RFID Wallets: An RFID wallet functions as a shield, preventing nearby readers from scanning your credit card information. This protection ensures that your sensitive data remains secure from unauthorized access. Here is an example of a good RFID wallet brand to explore: Fossil Wallets.

Conclusion

Bank of Maldives has implemented robust security measures, such as adhering to the ISO/IEC 14443-4A standard, employing encryption and tokenization, and utilizing the 3D Secure protocol. However, customers and merchants must remain vigilant and take proactive steps to mitigate potential vulnerabilities.

By fostering an open dialogue between financial institutions, merchants, and customers, and continuously adapting to technological advancements, the security of contactless payment systems can be enhanced. This collaborative effort can drive innovation while safeguarding sensitive financial information, promoting a safer and more secure payment experience for all stakeholders involved.

OXIQA stands at the forefront of Cyber Security solutions in the Maldives, dedicated to fostering innovation for secure digital transformation and agile software development. For comprehensive cyber security solutions, reach out to us at [email protected].