Jan 08 2014

Target Data Breach Highlights Payment Security Weaknesses

The hack heard round the world is forcing banks, businesses and customers to reexamine holes in the U.S. electronic-payment system.

Did Target shoppers get on Santa’s naughty list last year? If so, that would explain the lump of coal that hit customers right before the Christmas holiday when roughly 40 million credit card and PIN numbers were snatched up by hackers in a devastating data breach for the major retailer.

The hack inconvenienced Target and its customers, and banks and credit unions had to put in overtime to alert customers and provide them with new cards.

In a report from the Las Vegas Review-Journal, the One Nevada credit union acted swiftly to inform affected customers and replace their existing cards.

One Nevada Credit Union says about 7,000 debit cards and about 500 credit cards will have to be replaced. The Las Vegas-based credit union has 75,190 members statewide.

“We are being proactive,” said Greg Barnes, senior vice president of marketing with One Nevada. “We have reached out to our members and told them that their debit or credit cards would be replaced.”

For One Nevada, the damage from the Target breach was “very minimal,” around $2,000, Barnes says in the article. But analysts have speculated that the total cost of the breach could be a whopping $680 million, according to a report from Reuters, and big banks could potentially sue Target for costs associated with dealing with it, says CNBC.

And that’s just the dollars and cents impact of the breach; there’s also the eroded trust and security between Target and its customers.

Technology’s Role in Improving Payment Security

After news of the Target breach hit the wire, some financial and security experts began to point the finger at the U.S.’s outdated magnetic stripe technology in credit cards. In much of Europe and other parts of the world, cards with magnetic stripes were phased out long ago in favor of cards with smartchips because the magnetic stripes were considered an easily compromised method of authentication.

The smartchips in EMV (Europay, MasterCard, Visa) cards generate a unique code for each transaction at the point of sale (POS), and customers must enter their PINs rather than simply sign for their purchases, which helps increase security, reports The Buffalo News.
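To make the "unique code" concrete, here is an added example in Go (not code from the article, from Target, or from any card network) that models a simplified EMV-style transaction cryptogram from the issuer's side: the chip computes a 3DES CBC-MAC over the amount, a transaction counter (ATC) and a terminal nonce using a key that never leaves the card, and the issuer accepts a cryptogram only if it verifies and its ATC is newer than any already accepted. All names (Transaction, Chip, Issuer, Authorize, cbcMAC, Demo), the key, the test PAN and the field layout are constructed for this example; real EMV derives per-transaction session keys and signs a much richer data set.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/binary"
)

// Transaction is what the terminal sends to the chip and on to the issuer
// (field sizes and layout are constructed for this example).
type Transaction struct {
	AmountCents uint32
	ATC         uint16 // application transaction counter, advanced by the chip
	Nonce       uint32 // terminal-supplied unpredictable number
}

func (t Transaction) encode() []byte {
	buf := make([]byte, 10)
	binary.BigEndian.PutUint32(buf[0:4], t.AmountCents)
	binary.BigEndian.PutUint16(buf[4:6], t.ATC)
	binary.BigEndian.PutUint32(buf[6:10], t.Nonce)
	return buf
}

// cbcMAC is a 3DES CBC-MAC over data padded with 0x80 then zeros to whole
// 8-byte blocks (ISO/IEC 9797-1 padding method 2); key is K1||K2||K3.
func cbcMAC(key, data []byte) []byte {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	padded := append(append([]byte{}, data...), 0x80)
	for len(padded)%8 != 0 {
		padded = append(padded, 0x00)
	}
	mac := make([]byte, 8)
	for i := 0; i < len(padded); i += 8 {
		for j := 0; j < 8; j++ {
			mac[j] ^= padded[i+j]
		}
		block.Encrypt(mac, mac)
	}
	return mac
}

// Chip models the card: the key never leaves it and the ATC advances per use.
type Chip struct {
	pan string
	key []byte
	atc uint16
}

// GenerateCryptogram is the per-transaction "unique code" the chip returns.
func (c *Chip) GenerateCryptogram(amountCents, nonce uint32) (Transaction, []byte) {
	c.atc++
	t := Transaction{AmountCents: amountCents, ATC: c.atc, Nonce: nonce}
	return t, cbcMAC(c.key, append([]byte(c.pan), t.encode()...))
}

// Issuer holds the same key for this card and the highest ATC it has accepted.
type Issuer struct {
	pan     string
	key     []byte
	lastATC uint16
}

// Authorize accepts only a cryptogram that verifies under the card key and
// carries an ATC newer than any already accepted, so a captured cryptogram
// fails on its second presentation and a changed amount invalidates it.
func (iss *Issuer) Authorize(t Transaction, cryptogram []byte) bool {
	expected := cbcMAC(iss.key, append([]byte(iss.pan), t.encode()...))
	if subtle.ConstantTimeCompare(expected, cryptogram) != 1 {
		return false
	}
	if t.ATC <= iss.lastATC {
		return false
	}
	iss.lastATC = t.ATC
	return true
}

// Demo returns: genuine purchase accepted, same cryptogram again rejected,
// same cryptogram with altered amount rejected, next purchase accepted,
// and the two genuine cryptograms differ.
func Demo() []bool {
	key := []byte("example-24-byte-3des-key")          // constructed K1||K2||K3
	chip := &Chip{pan: "4111111111111111", key: key} // constructed test PAN
	iss := &Issuer{pan: chip.pan, key: key}
	t1, c1 := chip.GenerateCryptogram(4999, 0xA1B2C3D4)
	accepted := iss.Authorize(t1, c1)
	replayed := iss.Authorize(t1, c1)
	altered := t1
	altered.AmountCents = 1
	tampered := iss.Authorize(altered, c1)
	t2, c2 := chip.GenerateCryptogram(4999, 0x11223344)
	next := iss.Authorize(t2, c2)
	differ := subtle.ConstantTimeCompare(c1, c2) != 1
	return []bool{accepted, replayed, tampered, next, differ}
}
```

Calling Demo() yields [true false false true true]: the contrast with a magnetic stripe is that stripe track data is the same bytes on every swipe, so an issuer has no equivalent of the ATC or the MAC to tell a second presentation apart from the first.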

“As other countries started adopting the technology, the fraud moved to whoever was the most vulnerable, so it left the United Kingdom and shot up in the United States,” says Janna Herron, a credit card analyst with Bankrate.com, in the Buffalo News article.

Aaron Colwell, an inside solution architect with CDW, points out in a post on the CDW Solutions Blog that while the Target breach was massive, it was somewhat blunted by the fact that the PINs nabbed by the hackers were encrypted with Triple DES.

Target maintains the PIN data is still secure, and Colwell points out that while it’s not impossible for the encryption to be cracked, doing so would be extremely challenging and resource intensive.

Triple DES (3DES) uses a bundle of three different 56-bit keys, K1, K2 and K3. The algorithm looks like this:

ciphertext = E_K3(D_K2(E_K1(plaintext)))

There are 3.7×10^50 (370 trillion trillion trillion trillion) different key combinations, so it is not going to be easy to read the plaintext without the encryption keys. The goal of encryption is not necessarily to make getting at data 100 percent impossible, but rather to make it so exceedingly difficult that it is not worth the attempt.
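The formula above, spelled out as an added example in Go (not code from the CDW post or from this article): each of the three DES keys is 8 bytes (56 effective key bits, the eighth bit of every byte being parity), one 8-byte block is encrypted with K1, decrypted with K2 and encrypted again with K3, and the result is checked against Go's standard-library TripleDES, which takes the three keys concatenated. It also shows why K1 = K2 = K3 collapses to single DES (the middle decryption cancels the first encryption, which is how 3DES kept backward compatibility), and computes the 2^168 key combinations quoted above. The key values, the plaintext block and the function names (EDE3Encrypt, EDE3Decrypt, Library3DES, SingleDES, KeyCombinations) are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"math/big"
)

// Three independent 8-byte DES keys K1, K2, K3 (constructed test values).
var (
	K1 = []byte("key-one!")
	K2 = []byte("key-two!")
	K3 = []byte("key-thr3")
)

func mustDES(key []byte) cipher.Block {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}

// EDE3Encrypt computes E_K3(D_K2(E_K1(block))) for one 8-byte block from
// three single-DES instances, i.e. the formula on the page spelled out.
func EDE3Encrypt(k1, k2, k3, block []byte) []byte {
	out := make([]byte, 8)
	mustDES(k1).Encrypt(out, block)
	mustDES(k2).Decrypt(out, out)
	mustDES(k3).Encrypt(out, out)
	return out
}

// EDE3Decrypt undoes it in reverse order: D_K1(E_K2(D_K3(block))).
func EDE3Decrypt(k1, k2, k3, block []byte) []byte {
	out := make([]byte, 8)
	mustDES(k3).Decrypt(out, block)
	mustDES(k2).Encrypt(out, out)
	mustDES(k1).Decrypt(out, out)
	return out
}

// Library3DES encrypts one block with Go's crypto/des TripleDES, which takes
// the three keys concatenated as one 24-byte key; it agrees with EDE3Encrypt
// byte for byte.
func Library3DES(k1, k2, k3, block []byte) []byte {
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// SingleDES encrypts one block with plain DES, used to show that choosing
// K1 = K2 = K3 makes the middle decryption cancel the first encryption.
func SingleDES(k, block []byte) []byte {
	out := make([]byte, 8)
	mustDES(k).Encrypt(out, block)
	return out
}

// KeyCombinations counts the distinct (K1, K2, K3) triples, 2^168, and
// renders the count in scientific notation.
func KeyCombinations() string {
	n := new(big.Int).Lsh(big.NewInt(1), 168)
	return new(big.Float).SetInt(n).Text('e', 2)
}

func main() {
	pt := []byte("PIN=1234") // constructed 8-byte block
	ct := EDE3Encrypt(K1, K2, K3, pt)
	fmt.Printf("manual EDE:   %x\n", ct)
	fmt.Printf("library 3DES: %x\n", Library3DES(K1, K2, K3, pt))
	fmt.Printf("decrypts to:  %q\n", EDE3Decrypt(K1, K2, K3, ct))
	fmt.Printf("K1=K2=K3 equals single DES: %v\n",
		bytes.Equal(EDE3Encrypt(K1, K1, K1, pt), SingleDES(K1, pt)))
	fmt.Println("key combinations:", KeyCombinations())
}
```

KeyCombinations() returns "3.74e+50", matching the figure in the text. Counting key combinations is not the same as a security level: meet-in-the-middle analysis puts three-key 3DES at roughly 2^112 work rather than 2^168, and its 64-bit block size is why it is no longer recommended for new designs, but the count still illustrates the author's point that guessing the keys is not the practical route to the plaintext.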

SecurityMetrics, a merchant data security and compliance company, found that 71 percent of the businesses surveyed in its 2012 Payment Card Threat Report were storing unencrypted payment data on their networks.

Frankly, with so many businesses leaving so much unencrypted information out in the open, customers are lucky that breaches don’t happen more often.

The Payment Data Gold Rush

The Target breach is an example of the catastrophic impact of a data breach, and it should inspire companies of all sizes to beef up their payment security — especially since mobile payment solutions are turning tablets and smartphones into POS devices.

As we shift to a more cashless society, data is the new gold, and hackers are treating companies’ payment systems like it’s California during the gold rush. For now, encryption, up-to-date infrastructure and robust authentication policies are the best defenses businesses have against these malicious gold diggers.
