The Target data breach was not the first mass theft of credit-card information to garner national attention, nor will it be the last. It does, however, represent the first time such a case has drawn intense and widespread interest to the subject of POS encryption. As security experts piece together details of the heist, two questions have come up repeatedly:
1) Would using a European-style chip-and-PIN card system (also known as EMV) have prevented the attack?
2) Could better encryption practices have thwarted the thieves from stealing any useful information?
First, a word about EMV. While a chip-and-PIN system certainly has its security benefits, which have been discussed exhaustively in the past month, the fact is that the infrastructure is simply not there yet in this country. So while the Target breach may well wind up hastening adoption of an EMV-style system, the only world in which EMV could have prevented the attack is a theoretical one.
As for the security methods available today – is encryption alone enough to provide a foolproof defense against data loss? The answer is yes: If applied properly, it can stop cybercriminals in their tracks – but that’s a BIG “if.”
The first question most people have is whether encrypted data is really “safe” – i.e., could a criminal steal encrypted data and then crack the code? So we’ll start by reassuring you that this would be nearly impossible. The Triple DES encryption standard employed by the payments industry provides 112 effective bits of encryption, which generates 2^112, or over 5,000,000,000,000,000,000,000,000,000,000,000, possible key combinations. (For a further example of how difficult that makes cracking, see this brief article.)
In other words, if applied properly, Triple DES cannot be broken within a human lifetime – or even many human lifetimes – by even the most powerful computers. Encrypted mag stripe data will be just as secure as encrypted EMV data; either way, the encrypted card numbers are equally useless to a thief. Additional measures can generate a different encryption key for each transaction, meaning that even if one key were successfully cracked, the hacker would only obtain information for a single card. So a thief seeking to profit from stealing card data really has two options: steal the decryption key(s) along with the card numbers, or catch the data while it is not yet encrypted – which is where the “applied properly” part comes in.
The Target attack involved a now-infamous piece of malware known as a RAM scraper, which is designed to grab card numbers in the memory of a compromised point-of-sale (POS) terminal, before they can be encrypted. As we’ll see momentarily, this type of malware attacks so early in the process that it can be used to defeat all but the most secure encryption possible in a retail environment. Depending on what hardware and software is being used, a retail environment may (from least to most secure) …
1) Send card data in unencrypted plain text all the way from the magnetic read head until it is transmitted to the processor;
2) Send card data unencrypted from the POS device to the register or a PC, where it is encrypted before transmitting;
3) Encrypt card numbers just after the swipe, within the memory of the POS terminal;
4) Encrypt card numbers as they are swiped by using an encrypting read head such as this one developed by MagTek.
RAM scrapers attack within milliseconds of the initial card swipe, bypassing any of the first three encryption methods – one reason they have been a lurking concern in the IT world for years. Other methods of capturing data exist all along the chain, from malware that infects PCs, to devices like these PS/2 skimmers found attached to data cables at several Nordstrom stores last year.
The important thing to understand, though, is that criminals can now attack a system all the way up to the moment that card data enters your system. The only way to protect your data with 100% confidence is for it to be encrypted even before that – which is to say, immediately at the read head – and for it to remain encrypted until it exits to the processor’s system. In fact, to be truly secure, the retailer should not even have the capability to decrypt card information; the only two entities that should hold the key are the processor and the hardware manufacturer, lest the retailer’s own computers be used to decrypt the data, as happened to Adobe last year. These steps are the basis of what is known as P2PE (Point-to-Point Encryption) or E2EE (End-to-End Encryption).
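To make the four designs above concrete, here is a small model of a single swipe under each of them, added as an example for this article rather than taken from it or from any vendor. It records what sits in the POS terminal’s memory, in the register’s memory, and on the wire, and then runs a defender’s audit check (a Luhn-validated PAN scan) over each buffer to show where clear card data would still be visible to a memory-resident capture. The cipher is a keystream built from HMAC-SHA256, chosen only so the script runs with the Python standard library; it stands in for the industry’s Triple DES and is not an implementation of it. The track data, key, and function names are all constructed for this example.

```python
"""Toy model of the four POS encryption designs (example code, not the article's)."""
import hashlib
import hmac
import re
import secrets

# Constructed sample: a track-2-style record built around the well-known
# Visa test PAN 4111 1111 1111 1111. Not real cardholder data.
SAMPLE_TRACK2 = b";4111111111111111=2512101?"

STAGES = ("pos_memory", "register_memory", "wire")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from HMAC-SHA256(key, nonce || counter) blocks.
    Illustrative stand-in for the payment industry's Triple DES."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream). No integrity tag here; a
    production scheme would also authenticate the ciphertext."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to cut false positives in the scan."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def find_pans(buffer: bytes) -> list:
    """Audit helper: list Luhn-valid PAN-shaped digit runs present in clear."""
    return [m.decode() for m in PAN_RE.findall(buffer) if luhn_ok(m.decode())]


def run_transaction(design: int, processor_key: bytes) -> dict:
    """Model one swipe under design 1..4 (numbered as in the article) and
    report which buffers would expose a clear PAN to a capture at that stage."""
    swiped = SAMPLE_TRACK2
    if design == 1:      # plaintext all the way to the processor
        pos, reg, wire = swiped, swiped, swiped
    elif design == 2:    # register / PC encrypts before transmitting
        pos, reg, wire = swiped, swiped, encrypt(processor_key, swiped)
    elif design == 3:    # POS terminal encrypts in its own memory after the swipe
        ct = encrypt(processor_key, swiped)
        pos, reg, wire = swiped, ct, ct
    elif design == 4:    # encrypting read head: POS memory only ever holds ciphertext
        ct = encrypt(processor_key, swiped)
        pos, reg, wire = ct, ct, ct
    else:
        raise ValueError("design must be 1..4")
    buffers = dict(zip(STAGES, (pos, reg, wire)))
    recovered = wire if design == 1 else decrypt(processor_key, wire)
    return {
        "design": design,
        "clear_pan_in": [name for name in STAGES if find_pans(buffers[name])],
        "processor_recovers": recovered == swiped,
    }


def exposure_report(processor_key: bytes) -> dict:
    """Map each design number to the list of stages that expose a clear PAN."""
    return {d: run_transaction(d, processor_key)["clear_pan_in"] for d in (1, 2, 3, 4)}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the processor only, per P2PE
    for design, exposed in exposure_report(key).items():
        print(f"design {design}: clear PAN visible in {exposed or 'no stage'}")
```

Running it shows the progression the article describes: design 1 exposes the PAN in every buffer, design 2 in the POS and register, design 3 only in the POS terminal’s memory (the RAM scraper’s window), and design 4 nowhere, while the processor still recovers the track data in every encrypted design. Decrypting with any key other than the processor’s yields bytes in which the scan finds no PAN, which is the point of keeping the key out of the retailer’s environment.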
So in an ideal world, everyone would be using full P2PE with read-head encryption, which corresponds to method #4 above. However, as you might expect, the reality is that retailers are using a mishmash of systems with all different levels of security. Target, for example, cannot have been using read-head encryption, or an attack on the POS terminal’s memory would not have succeeded; the numbers would already have been scrambled. For a thief to attack the encrypting read head itself is virtually impossible: with no software to hack into, a successful attempt would require physically removing and replacing microchips within the device, in close to a workshop environment.
Unfortunately, only a small percentage of merchants encrypt at the read head today, because it generally involves replacing the physical hardware at the point of sale – which usually means it only happens when the old device becomes obsolete. For a company the size of Target, such an upgrade would also mean a massive IT and logistics project. However, in hindsight, I’m sure the company would have gladly taken on such a project, considering the alternative.
Retailers are not required to implement P2PE. The card industry’s PCI compliance guidelines, which have been much scrutinized in the past few weeks, do not mandate P2PE, nor should they. Therefore, it is possible to be fully compliant with PCI requirements, yet vulnerable to a Target-style attack. I am positive Target was in compliance with PCI up until the moment they were breached. And this is the problem with PCI.
Perhaps ironically, the cost of an encrypting read head is not much more than the cost of a non-encrypting read head. Manufacturers of POS terminals and equipment can include encrypting read heads in their equipment designs for $20 or less. In the post-Target environment of the payment industry, this has now become one of the surest investment choices one can make.
Jeff Hempker is Vice President of Digital Check Corp., a maker of secure check and card processing equipment for the U.S. banking industry. Special thanks goes to MagTek Inc. for contributing significant expertise on encryption and POS security.