The Target, Neiman Marcus and the potential other breaches of retailers to come should be a learning moment for all of us to demand that the card brands change their business paradigm to one that is more secure.
Bolt-Ons Do Not Cut It
For all intents and purposes, how a credit card works has not changed since the late 1950s when they were introduced. Yes, there have been advancements such as EMV, 3D Secure and end-to end encryption (E2EE), but those are all things that just bolt onto the original concept. The trouble is that, given today’s technologies and their capabilities, the card and the bolt-ons are just no longer providing the security they once did.
With the Target breach there has been a call to get the US to finally convert to EMV. The trouble is that EMV would have leaked enough information for fraud to be committed as well, so it is not an answer.
Trade association spokespeople trotted out 3D Secure and other methods of securing online transactions. The trouble is that most merchants eschew 3D Secure and its kind. In addition, there are known vulnerabilities with these supposedly secure payment methods so they also have potential issues that could be exploited.
Then there is E2EE also known as point-to-point encryption (P2PE) from a PCI perspective. These also can be exploited. It may be more difficult, but when you are determined to gain access to sensitive information, that does not matter.
After the release of the PCI DSS in 2008, a lot of retailers implemented a variety of E2EE solutions. Unfortunately, the endpoint at the retail location was the POS register and not the terminal. This was not due to merchants’ negligence; this was due to how their POS applications operated. This allowed for attacks such as that used in the Target breach to succeed. All the attacker has to do is insert their malware into the POS process so that the malware can “see” the cardholder data before it gets encrypted.
Even in solutions that do E2EE/P2PE to the terminal can be defeated by taking the same approach and inserting the malware into the terminal process before the terminal can encrypt the data. Worse yet, if the terminal is breached, the attacker can capture PINs if they also have malware that captures the keystrokes on the terminal before the PIN is encrypted. There are a number of methods to minimize these risks at the terminal, but if the terminal supply chain is compromised as it was over a year ago in the Barnes & Noble breach, there is little a merchant can do to stop such attacks.
The bottom line is that all of these solutions are bolt-ons to the existing card paradigm and all still have risks that a breach could occur.
Using Complexity Against Us
Brian Krebs and others have wondered aloud how a sophisticated organization such as Target that has information security and forensic resources second possibly only to the government could have been compromised. Particularly after the 2007 compromise by Albert Gonzales when Target totally revamped and increased their security posture to minimize the likelihood of another event.
The first clue to me came when I read the iSIGHT PARTNERS report on the Target breach. The theme that comes through loud and clear is that the attackers are using the complexity of Target’s technology infrastructure against Target. I mean how could FTP activity and huge data transfers (internal and external) go so unnoticed?
Actually, that was likely fairly easy. The attackers used existing network traffic to mask their own network traffic. They sought out servers that already had large volumes of traffic and put their data collection server on one of those servers that already had a lot of traffic. Better yet, a server that was already running as an FTP server. As a result, even with diligent monitoring, the increase in traffic likely did not raise any alarms.
People assume that such breaches are like a “snatch and grab” in the real world. The attackers break into an organization’s network, quickly take what they can off of the computers they encounter and leave. That was the modus operandi (MO) in the past, but not today. Sophisticated and organized attackers such as those that breached Target, do what they can to remain unseen while they learn more about their victim. They take their time mapping out the network and determining what devices they want to compromise to further their efforts to gain access to the sensitive information they seek. Because of this, it is highly likely that the Target attackers encountered the Target customer database during their investigation of the Target network and took it first so that they would have at least something for all of their efforts.
The most insidious thing I think the attackers did was that they likely used Target’s software distribution system to disseminate their malware. Given the number of POS systems compromised (around 51,000); I find it hard to believe that the attackers manually installed their malware on those POS systems. It would have placed their operation at extreme risk likely resulting in its discovery. By using Target’s software distribution system, the attackers got an added benefit of legitimacy to their malware because they Target themselves did the installation. As such, the malware would appear as valid because Target’s software management system initiated the change.
Now What?
All of this brings up an interesting conundrum. If attackers are stepping up their game and using such techniques, how do we detect them? It is a very good question with no good answers. The iSIGHT report offers methods to stop and eradicate this particular attack. However, the next attack and the attack after that will all likely use different malware and different techniques to get the data out of your network.
We are in is a war of escalation with no end in sight. Merchants step up their efforts to stop such attacks and the attackers adapt and adopt new techniques to breach organizations and gain access to their sensitive information. What we need is a solution that stops the escalation and gets us out of this vicious circle.
That is why I am pushing the 15 – 16 character single use transaction code as that solution. My reasons are as follows.
- The algorithms already exist as a number of the card brands experimented with them a decade or more ago.
- It will work with existing POS technology and applications.
- It will work with existing eCommerce sites.
- It can be implemented into eWallet applications.
- It can be processed, stored and transmitted without encryption.
- It can be generated by PCs, smartphones, tablets, credit card sized devices and any other devices that have computational capabilities.
- It can be displayed on devices in a character format for manual entry or as one or 2D bar codes for scanning.
- It can be transmitted via swipe, EMV, near field communication (NFC), Wi-Fi or even Bluetooth.
- And best of all, it is secure by the very nature that it can only be used once.
There will be some changes that would be required at the transaction processors and acquiring banks to handle such a solution. But given that some of the card brands already have experience with this solution, there is a body of knowledge that already exists as to how it needs to be implemented.
Let the discussion begin on how we move ahead with a better, more secure solution.
PCI Guru 