BreachExchange mailing list archives

Breach Hearings: How Did Security Fail?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 7 Feb 2014 12:54:53 -0700

http://www.databreachtoday.com/breach-hearings-how-did-security-fail-a-6484

Encryption gaps in retail payment card transactions were highlighted at a
U.S. House hearing Feb. 5 that examined security in the aftermath of
malware attacks against point-of-sale systems at Target Corp. and Neiman
Marcus.

At the hearing of the Energy & Commerce Committee's Subcommittee for
Commerce, Manufacturing and Trade, executives from Target and Neiman Marcus
testified that their breaches occurred when data from the magnetic stripes
on credit and debit cards was collected in the clear at the point of sale
before being encrypted as payment transactions were processed.

"Mag-stripe data was compromised prior to encryption within our system,"
John Mulligan, Target's executive vice president and CFO, testified. "Data
comes into the point-of-sale systems from the mag-stripe unencrypted."

Michael Kingston, senior vice president and CIO at Neiman Marcus, described
the same scenario. "The information was scraped immediately following the
swipe - milliseconds before being sent through encrypted tunnels for
processing," he testified.

Data in Clear Raises Concerns

Why card data is at any point during the transaction potentially visible to
fraudsters is perplexing, said Rep. Marsha Blackburn, R-Tenn. Even if
companies are adhering to mandated industry security practices, such as
compliance with the Payment Card Industry Data Security Standard, they can
still be breached, she noted.

"There is a difference between compliance and being secure," Blackburn
said. In many of the breaches the retail industry has suffered, the
affected companies were allegedly PCI-DSS compliant at the time they
exposed sensitive data, she added.

Encryption experts say true end-to-end encryption - which would mean card
data is never exposed in the clear during a POS transaction - does not yet
exist. And end-to-end encryption is not mandated by PCI-DSS, notes Troy
Leach, chief technology officer of the PCI Security Standards Council.

"Encryption at the point of sale is not required by PCI-DSS, nor is it
required that internal transmissions, within a merchant's own network, are
encrypted," Leach says. "It only needs to be encrypted when stored within a
merchant network and when transmitted over a public network."

But Leach would not comment about how card data may have been exposed in
the Target and Neiman Marcus breaches.

In a recent interview with Information Security Media Group, Bob Russo,
general manager of the PCI Security Standards Council, noted that the
council has no plans to change or update its just-issued update to PCI-DSS,
which took effect in January. Russo says version 3.0 of PCI-DSS addresses
point-of-sale malware risks as well as processor and third-party
vulnerabilities. Issuing an update or addendum to the standard would be
redundant and unnecessary, he contends.

Gaps with EMV?

Even a shift from magnetic stripe cards to chip cards that are in
conformance with the Europay, MasterCard, Visa standard won't eliminate the
possibility of data being exposed at the point of sale, contends Al
Pascual, a financial fraud expert and analyst with consultancy Javelin
Strategy & Research.

"While card data is secure on an [encrypted] EMV card, it is transmitted in
clear text once it has been accessed by the terminal," Pascual says.
"End-to-end encryption would involve encrypting the card data at the
terminal, and from there all the way through to the issuer. We don't live
in a world with true end-to-end encryption, but P2PE [point-to-point
encryption] has become an accepted, though less effective, alternative. It
simply refers to encrypting card data between two points, typically from
the merchant to the processor."

During Senate hearings held Feb. 3 and Feb. 4, much of the attention
revolved around the need for stronger payments technology, such as EMV chip
and PIN, and a more uniform breach notification process mandated by the
federal government (see Finger-Pointing at Breach Hearing and Target,
Neiman Marcus Differ on EMV).

Target's Mulligan testified Feb. 4 that a shift from mag-stripe cards to
EMV could reduce card exposure, because data stored on an EMV chip is
encrypted, while data stored on a mag-stripe is not.

But it's not just data on cards that must be protected, which is why EMV
alone will not prevent card data from being breached at the POS, Leach says
(see Chip and PIN Not a Cure-All).

"For point-to-point encryption, the data is encrypted either at swipe or
within the secure controller of the device, before transmission into the
entity's network and before transmission to the processor," Leach says.
"While EMV encrypts elements of EMV data to protect the authentication of
the transaction, a very important point is that it does not encrypt the
account data - not for transmission to the processor or for storage within
a merchant's network. This means the PAN [primary account number] is in
clear text."
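The distinction the testimony draws, between encrypting after the POS application has already handled cleartext track data and encrypting inside the reader's secure controller, can be modelled as two data flows. This is an added illustration, not code from the article or from any vendor; the Track 2 record, the key and the HMAC-SHA256 counter-mode stream cipher are constructed stand-ins (real P2PE uses DUKPT-derived per-device keys and a standards-specified algorithm, which this example does not implement).

```python
import hashlib
import hmac
import os

# Constructed sample Track 2 record using the well-known 4111... test PAN.
TRACK2_SAMPLE = ";4111111111111111=25121011234567890?"
PAN_SAMPLE = "4111111111111111"

# Hypothetical key shared by the encrypting party and the processor (demo only).
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext (confidentiality only, no integrity tag)."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def legacy_flow(track2: str):
    """Mag-stripe model from the testimony: the reader hands the POS application
    cleartext track data and encryption happens later, for the link to the
    processor. Returns (bytes the POS application held, bytes sent on the wire)."""
    pos_buffer = track2.encode()            # cleartext sits in POS process memory
    wire = encrypt(SHARED_KEY, pos_buffer)  # encrypted only for transmission
    return pos_buffer, wire


def p2pe_flow(track2: str):
    """P2PE model: the reader's secure controller encrypts at swipe, so the POS
    application only ever forwards ciphertext it holds no key for."""
    from_reader = encrypt(SHARED_KEY, track2.encode())  # inside the secure controller
    pos_buffer = from_reader                # POS application sees opaque bytes only
    return pos_buffer, from_reader


def pan_in_buffer(buffer: bytes, pan: str) -> bool:
    """Does the PAN appear in the clear in what the POS application handled?"""
    return pan.encode() in buffer
```

In the legacy flow the PAN is present in the POS application's buffer even though the wire is encrypted; in the P2PE flow it is absent from the POS side while the processor still recovers the record.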

During the Feb. 4 Senate hearing, Leach testified that only end-to-end
encryption would ensure card data is never accessible in the clear. "EMV is
only one piece. Additional controls are needed," he said.

Phillip Smith, senior vice president at Trustwave, a cybersecurity and
retail breach response firm, testified at the Feb. 5 House hearing that
businesses must go beyond PCI to ensure security. "A common misconception
is that PCI was designed to be a catch-all for security," Smith said.

Retailers and others need to employ stronger incident response plans, more
security for Web applications and gateways to protect networks from malware
attacks, zero-day vulnerabilities and data loss, Smith said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/