Preventing the Target Breach for $20

Last month’s Target data breach was not the first mass theft of credit-card information to garner national attention, and it is unlikely to be the last. It is, however, the first case to draw such intense and widespread interest to the subject of POS encryption. As security experts piece together details of the heist, three questions have come up repeatedly:

1) Would using a European-style chip-and-PIN card system (also known as EMV) have prevented the attack?
2) Could better encryption practices or algorithms have thwarted the thieves from stealing any useful information?
3) Is it time to consider alternatives to the Payment Card Industry Data Security Standard (PCI DSS)?

First, a word about EMV: while a chip-and-PIN system does provide some security benefits, the infrastructure is simply not in place yet in the United States. The Target breach may well hasten adoption of an EMV-style system, but the only world in which EMV could have prevented this particular attack is a theoretical one.

EMV is not the be-all and end-all of POS security; far from it. One only has to recall what happened to Shell in 2006. Shell fell prey to a type of attack known as conversation capturing, reported to have taken place against Shell terminals in May of 2006, and was forced to disable EMV authentication in its fueling stations after more than £1 million was stolen from customers. Then, in October of 2008, it was reported that hundreds of EMV card readers destined for Britain, Ireland, the Netherlands, Denmark, and Belgium had been expertly tampered with in China during or shortly after manufacture; for the preceding nine months, card details and PINs had been sent over mobile phone networks to criminals in Lahore, Pakistan. Cambridge University researchers Steven Murdoch and Saar Drimer demonstrated an attack against EMV on a February 2008 BBC Newsnight program, arguing that Chip and PIN is not secure enough to justify shifting the burden of proving fraud from the banks onto customers; their exploit yielded enough card data to create a working magnetic stripe, along with the PIN. Finally, at the CanSecWest conference in March of 2011, Andrea Barisani and Daniele Bianco presented research into a vulnerability in EMV that allows arbitrary PIN harvesting regardless of the card’s cardholder verification configuration, even when the list of supported CVMs is signed. Notice what these attacks have in common: every one of them harvested card data and PINs from a compromised terminal, at or before the moment the card was read, without breaking any cryptography. The bottom line is that EMV by itself is not going to prevent or stop fraud.

So, could better encryption practices or algorithms have kept the thieves from stealing any useful information from Target? The first question most people have is whether encrypted data is really “safe”. In other words, could a criminal steal encrypted data and then employ some kind of attack to crack the code? To answer this question, we have to examine the cryptographic algorithms in common use in the payment industry today: AES and Triple DES (TDES).

In the aftermath of the Target fiasco a number of so-called experts are calling for the payment industry to abandon TDES encryption with DUKPT key management as its de facto standard. Most of these pundits claim that TDES is simply not “strong enough” to secure sensitive data and that switching to AES would buy real security. The problem is that they compare fixed-key DES to fixed-key AES. What really needs to be highlighted is the strength of TDES combined with DUKPT key management. Without going into a highly technical defense of the TDES algorithm, let me offer a few observations that no cryptographer would dispute:

1) Yes, AES is stronger than DES or even TDES. However…
2) There is a huge difference between DES and TDES. DES uses a 56-bit key; the two-key TDES used with DUKPT has a 112-bit key.
3) Against brute force, that makes a TDES key search about 2^56, roughly 72 quadrillion, times longer than a DES key search.
4) If I could build a computer that recovers a DES key by exhaustive search in one minute, the same computer would need roughly 137 billion years for a 112-bit TDES key.
5) True, that same machine would need on the order of nine quadrillion years for a 128-bit AES key, but knowing my PIN is secure for billions of years still allows for a good night’s sleep. (The known shortcuts against two-key TDES require large volumes of data encrypted under a single key, which is exactly what DUKPT never gives an attacker.)
6) This doesn’t even factor in DUKPT as the key management scheme. DUKPT derives a unique key for every transaction from a base derivation key (BDK) through a one-way process, and the device discards each key after use. Even if I recovered one TDES transaction key, I would have decrypted that one and only transaction on that one and only terminal, and learned nothing about earlier or later ones.
7) TDES with DUKPT key management is, for practical purposes, not going to be broken by attacking the ciphertext.

If applied properly, Triple DES with DUKPT key management is not where the weakness lies, and encrypted magnetic-stripe data will be more secure than the data in an EMV environment. A thief really has only two options left: obtain the BDK, which is held by the payment processor and the key-injection facility rather than by the terminal, or catch the data while it is not yet encrypted, which is where the “applied properly” part comes in.
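To make the DUKPT point concrete, here is an added example of the ANSI X9.24 derivation chain, written for this post rather than taken from MagTek’s products. It derives the IPEK from a BDK and KSN, walks the 21-bit transaction counter to the per-transaction key, and applies the PIN and data variants, using nothing beyond Go’s standard crypto/des package. The BDK and KSN are the published X9.24 test values, not production keys; the IPEK they produce is 6AC292FAA1315B4D858AB3A3D7D5933A.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// ANSI X9.24-1 DUKPT constants. A KSN is 80 bits: 59 identify the device, 21 count transactions.
var (
	keyMask        = fromHex("C0C0C0C000000000C0C0C0C000000000")
	pinVariant     = fromHex("00000000000000FF00000000000000FF")
	dataVariant    = fromHex("0000000000FF00000000000000FF0000")
	ksnCounterMask = fromHex("FFFFFFFFFFFFFFE00000")
)

func fromHex(s string) []byte {
	b, _ := hex.DecodeString(s) // constants in this file are valid hex
	return b
}

func Hex(b []byte) string { return fmt.Sprintf("%X", b) }

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encryptBlock: two-key TDES for a 16-byte key (expanded to K1,K2,K1); for an 8-byte key
// it expands to K,K,K, which TDES reduces to single DES, as the derivation step needs.
func encryptBlock(key, block []byte) []byte {
	k := append(append([]byte{}, key...), key[:8]...)
	if len(key) == 8 {
		k = append(k, key...)
	}
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// DeriveIPEK is what the key-injection facility computes from the BDK and the device's
// KSN (counter cleared, leftmost 8 bytes); only the IPEK is loaded into the device.
func DeriveIPEK(bdk, ksn []byte) []byte {
	base := make([]byte, 8)
	for i := range base {
		base[i] = ksn[i] & ksnCounterMask[i]
	}
	return append(encryptBlock(bdk, base), encryptBlock(xor(bdk, keyMask), base)...)
}

// nrkgp is the non-reversible key generation step: the input key cannot be recovered from its output.
func nrkgp(key, reg []byte) []byte {
	right := xor(encryptBlock(key[:8], xor(reg, key[8:])), key[8:])
	m := xor(key, keyMask)
	left := xor(encryptBlock(m[:8], xor(reg, m[8:])), m[8:])
	return append(left, right...)
}

// DeriveTransactionKey applies nrkgp once per set bit of the 21-bit counter, MSB first.
func DeriveTransactionKey(ipek, ksn []byte) []byte {
	reg := append([]byte{}, ksn[2:10]...) // rightmost 64 bits of the KSN
	counter := uint32(reg[5]&0x1F)<<16 | uint32(reg[6])<<8 | uint32(reg[7])
	reg[5], reg[6], reg[7] = reg[5]&0xE0, 0, 0
	key := append([]byte{}, ipek...)
	for bit := uint32(1) << 20; bit != 0; bit >>= 1 {
		if counter&bit != 0 {
			reg[5] |= byte(bit >> 16)
			reg[6] |= byte(bit >> 8)
			reg[7] |= byte(bit)
			key = nrkgp(key, reg)
		}
	}
	return key
}

// PINEncryptionKey applies the PIN variant; DataEncryptionKey applies the data variant and
// then encrypts each half under the whole key, one more one-way step.
func PINEncryptionKey(txKey []byte) []byte { return xor(txKey, pinVariant) }
func DataEncryptionKey(txKey []byte) []byte {
	k := xor(txKey, dataVariant)
	return append(encryptBlock(k, k[:8]), encryptBlock(k, k[8:])...)
}

func main() {
	bdk := fromHex("0123456789ABCDEFFEDCBA9876543210") // published X9.24 test value, not a production key
	ksn := fromHex("FFFF9876543210E00001")             // device ID FFFF9876543210E, counter 1
	ipek := DeriveIPEK(bdk, ksn)
	tx := DeriveTransactionKey(ipek, ksn)
	fmt.Println("IPEK    ", Hex(ipek)) // 6AC292FAA1315B4D858AB3A3D7D5933A
	fmt.Println("data key", Hex(DataEncryptionKey(tx)), "PIN key", Hex(PINEncryptionKey(tx)))
}
```

Change the counter in the KSN and run it again: every counter value produces an unrelated key, and because nrkgp is one-way, a key recovered from one transaction gives no path back to the IPEK, let alone to the BDK that never left the processor.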

The Target attack involved a now-famous class of malware known as a RAM scraper. A RAM scraper grabs card data out of the memory of an infected point-of-sale (POS) system, the register or the terminal, in the brief window before software encrypts it. It is designed to defeat all but the most secure encryption schemes possible in a retail environment. Depending on the hardware and software in use, a retail environment may (from least to most secure):

1) Send card data unencrypted, in plain text, all the way from the magnetic read head of the POS device to the payment processor (gateway);
2) Send card data unencrypted from the POS device’s read head to the register or a PC, where the payment application encrypts it in software before transmitting it to the gateway;
3) Encrypt card data just after the swipe, within the secure microprocessor of the POS terminal;
4) Encrypt card data as the card is swiped, using an encrypting read head such as the devices pioneered and developed by MagTek. In this scenario, data is encrypted at the head and remains encrypted until it is received by the payment processor or gateway.
RAM scrapers strike very early in this sequence and defeat the first three methods: in methods 1 and 2 the clear track data sits in register memory long enough for software to copy it, and in method 3 it still exists in the clear on the terminal’s internal path and in its memory before the secure processor encrypts it. This is one of the reasons RAM scrapers have been a lurking concern in the IT world for years. Other methods of capturing data exist all along the chain, from malware that infects PCs to devices like the PS/2 skimmers found attached to register data cables at Nordstrom stores last year.

The important thing to understand is that criminals can now attack a system all the way down to a few milliseconds after the card swipe. The only way to keep card data out of their reach is to encrypt it before that, which is to say immediately, inside the read head, and to keep it encrypted until it reaches the payment processor’s system. To be truly secure, the retailer should not even have the capability to decrypt card information. The only two entities that should hold the key are the payment processor and the hardware manufacturer that injected it.
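The following added example (written for this post, not Target’s malware or any vendor’s tool) shows what “a few milliseconds after the swipe” means in practice: the pattern a RAM scraper searches register memory for, which is also the pattern an incident responder searches a memory dump for. Both buffers are constructed. One shows a register that received the swipe in the clear (methods 1 and 2 above); the other shows the same register behind an encrypting read head, where only a KSN and placeholder ciphertext bytes (not a real encryption) are present. The PAN is a public Visa test number and the cardholder is fictitious.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Track 2 as it sits in memory: ;PAN=YYMM<service code><discretionary>?
// Track 1: %B<PAN>^<NAME>^YYMM...  A scraper looks for exactly these shapes,
// and so does a responder auditing a register's memory dump.
var (
	track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})\d*\?`)
	track1Re = regexp.MustCompile(`%B(\d{13,19})\^([^^]{2,26})\^(\d{4})`)
)

// Hit is one card record found in a buffer.
type Hit struct {
	Track  int
	PAN    string
	Expiry string // YYMM
	Offset int
}

// luhnValid drops digit runs that merely look like a PAN.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN keeps the first six and last four digits, the only form in which a
// finding should be logged or reported.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return pan
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ScanForTrackData returns every Luhn-valid track 2 and track 1 record in buf.
func ScanForTrackData(buf []byte) []Hit {
	var hits []Hit
	for _, m := range track2Re.FindAllSubmatchIndex(buf, -1) {
		if pan := string(buf[m[2]:m[3]]); luhnValid(pan) {
			hits = append(hits, Hit{2, pan, string(buf[m[4]:m[5]]), m[0]})
		}
	}
	for _, m := range track1Re.FindAllSubmatchIndex(buf, -1) {
		if pan := string(buf[m[2]:m[3]]); luhnValid(pan) {
			hits = append(hits, Hit{1, pan, string(buf[m[6]:m[7]]), m[0]})
		}
	}
	return hits
}

// ClearTextRegisterMemory is a constructed snapshot of a register that receives
// the swipe in the clear (methods 1 and 2). The PAN is a public Visa test number,
// the cardholder is fictitious, and the last record is a Luhn-invalid decoy.
func ClearTextRegisterMemory() []byte {
	return []byte("POSAPP 4.2\x00\x00%B4012888888881881^DOE/JANE^25121010000000000?\x00" +
		";4012888888881881=25121010000000000?\x00;1234567890123456=2512101?\x00approved\x00")
}

// EncryptedRegisterMemory is the same swipe as seen behind an encrypting read head
// (method 4): only a KSN and ciphertext reach the register. The ciphertext here is
// constructed placeholder hex, not a real encryption.
func EncryptedRegisterMemory() []byte {
	return []byte("POSAPP 4.2\x00\x00KSN=FFFF9876543210E00001\x00" +
		"TRK2=9F3C2D6E7B1A0C5D4E8F7A6B2C1D0E9F3A2B1C0D4E5F6A7B\x00approved\x00")
}

func main() {
	for name, buf := range map[string][]byte{"clear": ClearTextRegisterMemory(), "encrypted": EncryptedRegisterMemory()} {
		hits := ScanForTrackData(buf)
		fmt.Printf("%s register memory: %d card record(s)\n", name, len(hits))
		for _, h := range hits {
			fmt.Printf("  track %d at offset %d: %s exp %s\n", h.Track, h.Offset, MaskPAN(h.PAN), h.Expiry)
		}
	}
}
```

The scan finds both track records in the clear buffer and rejects the Luhn-invalid decoy; against the encrypted buffer it finds nothing to steal. Findings are reported with the PAN masked, because a scanner that logs full card numbers recreates the problem it is meant to detect.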

This arrangement is the basis of P2PE, or Point-to-Point Encryption, and corresponds to method #4 above. In an ideal world, everyone would be using P2PE with encrypting read heads. In reality, retailers are running a mishmash of systems with varying levels of security. Target, for example, was not using encrypting read heads. Had it been, the track data scraped from register memory would have been ciphertext, useless to the thieves without the key, and this story would never have made the headlines it did.

Attacking an encrypting read head is a different proposition from attacking a register. There is no software on the head to infect; a successful attempt means physically removing and altering the head itself, and the odds of modifying the circuits potted behind the head to reach a path carrying unencrypted data are slim. The realistic threat to hardware of this kind is tampering in the supply chain, as the 2008 tampered-reader case above shows, so the head must be sourced and handled with that in mind. Unfortunately, only a small percentage of merchants encrypt at the read head today. It boils down to cost: moving to encrypting read heads means replacing the physical hardware at the point of sale, which usually happens only when the old devices become obsolete. For a company the size of Target, such an upgrade also means a massive IT and logistics project. In hindsight, however, I’m sure Target’s CEO would gladly take on that project today.

Retailers are not required to implement P2PE. The card industry’s PCI compliance guidelines, which have come under heavy scrutiny in the past few weeks, do not mandate it, nor should they. It is becoming more and more apparent that PCI has serious flaws. Nothing in the standard keeps clear card data out of register memory, so it is entirely possible to be fully compliant with PCI yet vulnerable to a Target-style attack. I am confident Target was in compliance with PCI up until the moment it was breached. That is the problem with PCI.

Ironically, the cost of an encrypting read head is on par with that of a non-encrypting one; this is certainly the case for manufacturers such as MagTek. Manufacturers of POS terminals and equipment can build encrypting read heads into their designs for under $20. In the post-Target payment industry, that has become one of the surest investments one can make.

Finally, as mentioned earlier, the Target breach is shining a spotlight on the shortcomings of the Payment Card Industry Data Security Standard (PCI DSS). Target was surely in compliance with PCI, and the only thing that compliance bought Target is what are sure to be heavy fines. It is time for the industry to abandon PCI in favor of an alternative security framework, and EMV is not the right choice.

The only real way to secure card data is to make that data useless to thieves, taking away the incentive to steal it in the first place. Stolen card data is attractive because it can be used to make counterfeit cards. With a system of card authentication in place, counterfeit cards would be rejected at the point of sale, and criminals would no longer have a reason to steal the data.

The only manufacturer of POS components that can offer this today is MagTek. MagTek’s MagnePrint technology is being examined by some of the world’s largest card issuers as a way to detect and block fraudulent cards. MagnePrint acts as a card “fingerprint”, derived from the physical properties of the magnetic stripe itself, and lets merchants determine whether a card being used is the original or a fraudulent duplicate.

There are sure to be many changes to the payment industry in light of the Target breach. Neiman Marcus and Michaels have already been added to the list of compromised companies, and that list is sure to grow. What matters now is for the industry to continue an open and meaningful conversation about the three questions posed at the top of this article. This issue affects all of us, and solving it will need the cooperation of everyone in the industry.

Tom Coduto
VP and General Manager OEM Solutions
MagTek, Inc

Special thanks goes to Digital Check Corp for contributing to this post.

