Posted by Geraldine Hunt on Sun, Jan 26th, 2014
The giant American retailer Target has been hacked, and massively so: 110 million credit and debit cards were stolen along with their PINs, cardholder addresses, email addresses, and phone numbers. At first the company tried to contain the damage by not disclosing the attack. It was only flushed out when banks started reporting unauthorized purchases, all from people who had recently shopped at Target. Confronted by security researchers, Target issued a press release and emailed all of those who were affected.
The damage to Target will be in the billions of dollars. The company already cut its earnings forecast for the next fiscal quarter, as all of this bad news is cutting into sales. The company will have to pay masses of plaintiffs who have banded together to file class-action lawsuits. Congress has called the company negligent in the way that it handles private data. The 50 states of America each have their own attorneys general looking into the matter.
How could such a disaster happen? The reason is an inherent flaw in encryption and the resulting weakness in POS (point-of-sale) cash register terminals. The US Secret Service told the retailer not to reveal the details of how it was hacked. But this news has been leaked to security researchers, who have provided some details. Logic allows us to fill in the rest.
Malware penetrated POS servers
What happened at Target is that malware was able to penetrate the POS servers deployed at each store. These servers send pricing data, verify UPC/EAN bar codes, and open and close the cash registers at the end of each shift. In other words, they send instructions to the POS terminals, and in this case they also sent a computer virus, thus infecting the terminals themselves.
You can encrypt data-at-rest (e.g., disk drives and databases) and data-in-transit (e.g., data passing over the wire). But at some point this data has to be decrypted into clear text so that it can be read by the software that is processing it. That is the weak point in encryption. This is where the malware attacked: it read the memory of the machine to steal the credit and debit card data. Now these stolen cards are being sold on online criminal markets for prices up to $100 each.
Debit and credit cards do not contain address, phone, and email information. So that could not have been taken from the POS terminal—this suggests the customer database was hacked as well. Customers who had not shopped at Target in three years also had their data stolen, further supporting that conclusion.
Encrypted credit cards, a possible solution?
What could Target have done differently? It was not entirely their fault, since the retail industry has not widely adopted the logical answer, which is to use only encrypted credit cards. The retailer does not need the credit card data at all; it simply needs the authorization code from the credit card processor. That code gives the merchant authorization to charge the card.
The current system does not use encryption in the right place. A better approach would be to use PKI encryption at the POS card reader. It would cost billions of dollars and euros to replace all the current retail systems, and there is no massive effort underway to do that today.
Briefly, here is how such a system could work:
When MasterCard issues a new credit card, it does not need to store the card number in the magnetic strip on the back of the card. Instead it could store an encrypted number (for lack of a better term, you could call it half of the credit card number) and a public key. When the cardholder activates the card and selects a PIN, this creates a different number that is stored on the card and generates a private key. The PIN passcode is not stored on the card, so a hacker cannot steal the passcode and impersonate the cardholder.
MasterCard would receive and decrypt this number using the cardholder's public key. It would send back another number that only that credit card could read. Only MasterCard would know which pairs of numbers are valid. That data would be stored in a super-secret facility with military, bunker-like network and physical protection. (Such data centres already exist in places like New Jersey, because there must be one place where the remaining credit card and bank balances of cardholders worldwide are available in an instant.)
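The authorization flow sketched above, written out as an added Go example (not the post's design nor any card network's protocol): a signature made with a key derived from the PIN and a per-card salt stands in for the post's "number that only that credit card could read", and the token, salt and PIN values are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card is what the stripe or chip carries: a lookup token (the post's "half
// number") and a salt. Neither the card number nor the PIN is stored on it.
type Card struct {
	Token string
	Salt  [16]byte
}

// deriveKey rebuilds the private key from PIN + salt at transaction time.
func deriveKey(pin string, salt [16]byte) ed25519.PrivateKey {
	seed := sha256.Sum256(append([]byte(pin), salt[:]...))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Issuer holds the only token -> public key mapping (the "super-secret facility").
type Issuer struct{ keys map[string]ed25519.PublicKey }

func NewIssuer() *Issuer { return &Issuer{keys: map[string]ed25519.PublicKey{}} }

// Activate is the cardholder choosing a PIN: the card gets a fresh salt and the
// issuer records the matching public key; the PIN itself is written nowhere.
func (is *Issuer) Activate(token, pin string) Card {
	var salt [16]byte
	rand.Read(salt[:])
	is.keys[token] = deriveKey(pin, salt).Public().(ed25519.PublicKey)
	return Card{Token: token, Salt: salt}
}

// Authorize checks the card's signature over the merchant's challenge and
// answers with an authorization code only, never with card data.
func (is *Issuer) Authorize(token string, challenge, sig []byte) (string, bool) {
	pub, ok := is.keys[token]
	if !ok || !ed25519.Verify(pub, challenge, sig) {
		return "", false
	}
	code := sha256.Sum256(append(challenge, pub...))
	return fmt.Sprintf("AUTH-%x", code[:6]), true
}

// Purchase is the POS leg: terminal memory holds only a nonce, the amount, the
// token, a signature and the auth code, so a RAM scraper finds no card number.
func Purchase(is *Issuer, c Card, pin string, amountCents int) (string, bool) {
	var nonce [8]byte
	rand.Read(nonce[:]) // per-transaction nonce binds the signature to this purchase
	challenge := append(nonce[:], fmt.Sprintf("%d", amountCents)...)
	sig := ed25519.Sign(deriveKey(pin, c.Salt), challenge) // would run inside the card
	return is.Authorize(c.Token, challenge, sig)
}
```

A real deployment would also have the issuer reject repeated nonces; this demo only shows that the merchant side never touches a card number.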
How could such a security disaster happen?
None of this is new. What is missing is an agreement among the banks, retailers, and card issuers on standards, and a commitment to rip out the current authorization terminals and replace them with something that can process encrypted credit cards.
Google has already solved this problem with its Digital Wallet, but it has not taken off. It envisioned isolating credit and debit card data and processing it outside of the Android operating system (and thus out of the reach of a virus running in the OS) in a chip Google called the Secure Element (SE). But many companies are fighting to see who will come out on top in the lucrative market for credit card fees. Because of this lack of consensus, few manufacturers are adding the SE chip to smartphones, and not all include the near-field communication (NFC) chip needed to radio encrypted card data to NFC-equipped POS terminals. Because there is no consensus and no plan, many more companies will be attacked in this way. Already the Dallas-based luxury retailer Neiman Marcus has suffered the same fate!