Security Expert Mark Bower on Target Breach

“Unfortunately the size, scale and coordination required for this attack illustrate the lengths that attackers will go to. There are two points in the retail chain where attacks typically take place – the POS or the payment switching back end. POS systems are often the weak link, usually running a standard OS and thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or worse, from an insider.

“In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems. As a POS and checkout are in constant use especially around high volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable.

“The good news is that there is a way to prevent this very efficiently. Savvy retailers are already tackling this risk by giving the malware nothing to steal. Point-to-point encryption (P2PE), from the instant the card data is read, addresses this risk by encrypting all the payment card data before it even gets to the POS. If the POS is breached, the data will be useless to the attacker. Tokenization can eliminate live data from post authorization retail processes like warranty and returns yet enable business processes to still operate as before – even at Black Friday scale. No live data means no gold to steal.

“We’ve helped many thousands of merchants, and their payment gateways and acquirers, to embrace these powerful techniques with no impact on the retail process, yet practically eliminating the possibility of an attack like that Target is dealing with today,” said Mark Bower, vice president of product management at Voltage Security.


Longer, more technical comments:

“Unfortunately, this massive breach is a reflection of the times we live in. The size, scale and coordination required for this attack illustrate the lengths that attackers will go to steal valuable credit and debit information including card track data and CVV codes – the ultimate prize. There are two points in the retail chain where attacks typically take place – the POS or the payment switching back end. POS systems are often the weak link in the chain and vulnerable. They often run a standard OS and are thus subject to exploits and zero-day attacks if exposed to a malware delivery channel such as a browser, a compromised POS management system, patch system or worse, from an insider.

“In use, POS systems should be isolated from other networks to restrict access to payment data flows, but often are connected to many systems. As a POS and checkout are in constant use especially around high volume periods like Black Friday, they are less frequently patched and updated and thus vulnerable to malware compromise impacting massive amounts of cardholder data, as we see today with Target. If this breach was further up the chain, perhaps in the authorization and settlement switching systems in the retail back end, then the track data and CVV codes should never have been stored – even if encrypted. There’s no need, and it’s forbidden under PCI DSS, yet sadly still happens.

“The good news is that there is a way to prevent this very efficiently. Savvy retailers are already tackling this risk and fighting back by giving the malware nothing to steal. Point-to-point encryption (P2PE) from the instant the card data is read, also called end-to-end encryption, addresses this risk by encrypting all the payment card data before it even gets to the POS. If the POS is breached, the data will be useless to the attacker. Tokenization can eliminate live data from post authorization retail processes like warranty and returns yet enable the retail business to still operate as before – even at Black Friday scale. No live data means no gold to steal. Attackers don’t like stealing straw.

“We’ve helped thousands and thousands of merchants along with their payment gateways and acquirers to embrace this approach using new powerful techniques with no impact on the retail process, yet practically eliminating the possibility of an attack like that Target is dealing with today,” said Mark Bower, vice president of product management at Voltage Security.

“And with EMV on the horizon to make it much harder to counterfeit physical cards from stolen data, and with P2PE and Tokenization to protect the card data in the retail flow, merchants can turn the tables on data breaches in a major way. With the significant reduction in the cost of PCI compliance, there’s also an ROI to justify it in addition to avoiding the cost and complications of remediating 40 million breached cards as in this case.”
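The following is a constructed simulation of the two checkout flows Bower contrasts above: clear card data reaching the POS application, versus P2PE applied in the reader plus tokenization after authorization. It is added here as an illustration and is not Voltage's code or a description of its product. Everything in it is an assumption for the demo: the cipher is an HMAC-SHA256 counter-mode stand-in for a real P2PE scheme, the card number is the standard Visa test PAN laid out in a Track 2 shape, and the "RAM scraper" is a generic model of memory-scanning POS malware (a Luhn-filtered regex over process memory), not any specific sample. What it shows is the attacker's view: the same scrape that recovers the PAN from the legacy POS finds nothing in the P2PE POS, while returns still work from the token alone.

```python
"""Two checkout flows, simulated: clear card data reaching the POS versus
P2PE at the reader plus tokenization after authorization (constructed demo)."""
import hashlib
import hmac
import re
import secrets
import string

# Constructed sample input: the standard Visa test PAN (Luhn-valid) laid out
# like Track 2 data (PAN, '=', expiry, service code, discretionary data).
TEST_PAN = "4111111111111111"
TEST_TRACK2 = f";{TEST_PAN}=2512101123450000?"

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn check; scrapers use it to separate PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ram_scraper(process_memory: bytes) -> list[str]:
    """Model of memory-scraping POS malware: harvest Luhn-valid PAN-length runs."""
    text = process_memory.decode("latin-1")
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

# P2PE stand-in: HMAC-SHA256 in counter mode, encrypt-then-MAC with a fresh
# nonce. Real deployments use a standardised scheme inside a tamper-resistant
# reader; the data flow, not this toy cipher, is what the demo is about.
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]

def p2pe_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def p2pe_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("P2PE blob failed authentication")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class Gateway:
    """Processor side: the only party holding the P2PE key and the token vault."""
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)   # shared with readers out of band, never with the POS
        self.vault: dict[str, str] = {}      # token -> PAN; lives only here

    def authorize(self, encrypted_track: bytes) -> dict:
        track = p2pe_decrypt(self.key, encrypted_track).decode()
        pan = PAN_RE.search(track).group(1)
        # Letters only, so a token can never be mistaken for (or scraped as) a PAN.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self.vault[token] = pan
        return {"approved": True, "token": token, "last4": pan[-4:]}

    def refund(self, token: str) -> bool:
        """Returns and warranty work from the token; detokenization stays in the vault."""
        return token in self.vault

def checkout_legacy(track: str) -> bytes:
    """Legacy flow: the reader hands clear track data to the POS application."""
    return b"POS txn buffer: " + track.encode()

def checkout_p2pe(gateway: Gateway, track: str) -> tuple[bytes, dict]:
    """P2PE flow: the reader encrypts before the POS sees anything; the POS
    holds only the ciphertext and the token the gateway returns."""
    encrypted = p2pe_encrypt(gateway.key, track.encode())   # happens inside the reader
    receipt = gateway.authorize(encrypted)
    pos_memory = b"POS txn buffer: " + encrypted + b" " + receipt["token"].encode()
    return pos_memory, receipt

def demo() -> dict:
    gw = Gateway()
    legacy_mem = checkout_legacy(TEST_TRACK2)
    p2pe_mem, receipt = checkout_p2pe(gw, TEST_TRACK2)
    return {
        "legacy_scrape": ram_scraper(legacy_mem),        # ['4111111111111111']
        "p2pe_scrape": ram_scraper(p2pe_mem),            # []
        "refund_by_token": gw.refund(receipt["token"]),  # True
        "pan_in_back_office": TEST_PAN in repr(receipt), # False
    }

if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: the Track 2 discretionary data is also a 16-digit run but fails the Luhn check, which is exactly the filter real scrapers apply to cut noise; and the P2PE POS buffer still contains the full transaction, just in a form whose decryption key never touches the POS, so patching lag on the terminal stops being a data-exposure problem and becomes an availability one.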


About Voltage Security

Voltage Security®, Inc. is the world leader in data-centric security, delivering secure, scalable, and proven data-centric encryption and key management solutions, enabling our customers to effectively combat new and emerging security threats. Leveraging breakthrough encryption technologies, our powerful data protection solutions allow any company to seamlessly secure all types of sensitive corporate and customer information, wherever it resides, while efficiently meeting regulatory compliance and privacy requirements. For more information, please visit www.voltage.com.

