BreachExchange mailing list archives

Tokenization would not have prevented most retail breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 10 Apr 2015 13:33:42 -0600

http://www.csoonline.com/article/2907955/data-breach/tokenization-would-not-have-prevented-most-retail-breaches.html

Tokenization, where credit card numbers and other sensitive data are
replaced by random characters, can be a secure alternative to encryption in
many cases -- but would not have helped in the majority of retail breaches
over the past two years.

The Payment Card Industry released guidance last week about how technology
vendors and retailers can use tokenization to reduce the amount of card
data they store in their systems.

"Tokenization is one way organizations can limit the locations of
cardholder data," said PCI SSC Chief Technology Officer Troy Leach in a
statement. "A smaller subset of systems to protect should improve the focus
and overall security of those systems, and better security will lead to
simpler compliance efforts."

But, according to a new report from CBI, if each of the 22 major breached
retailers had had a tokenization system in place, 59 percent of the
breaches would not have been prevented -- and 97 percent of the stolen
records would still have been stolen. That adds up to 154 million records.

The reason? Most of the breaches took place at the point of sale terminal,
before the data would have been tokenized.

"The tokenization takes effect after the credit card has been swiped, and
the data is protected at that point forward," said J Wolfgang Goerlich,
cybersecurity strategist at Ferndale, MI-based CBI. "But it is still not
protected in the memory of the machine."

Only 41 percent of breaches involved attacks on databases or servers, the
places where tokenization would have protected the card data.

"This is exactly the type of trend that we often see when a control begins to
be widely deployed," said Goerlich. "The attackers will shift their focus
away from where we strengthened the system, to the point where it is weakest."

The malware used to steal data from point of sale devices such as credit
card readers is called a RAM scraper.
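The following is an added illustration, not code from the article, from CBI or from any real RAM scraper. It models the sequence Goerlich describes: a swipe puts raw track-2 data into POS memory, the PAN is then tokenized before it is stored, and a scraper that walks process memory afterwards still recovers the PAN. The track-2 string, the 64-byte padding, and the in-memory `TokenVault` are constructed for the example; the PAN is the public Visa test number 4111111111111111, not a real card. Scanning for track-2-shaped strings and filtering hits with the Luhn check is also the basic logic a detection tool uses when hunting for cardholder data in memory dumps.

```python
import re
import secrets

# Constructed sample: one magstripe track-2 read, as it sits in POS memory
# right after the swipe.  PAN is the public Visa test number (Luhn-valid).
TRACK2_SAMPLE = b";4111111111111111=29121011234567890?"

# Track 2 layout: ';' PAN '=' YYMM expiry, 3-digit service code,
# discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy tokenization service (assumed, not a real product): random token
    <-> PAN mapping that lives outside the POS terminal."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # no relation to the PAN
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def pos_transaction(track2: bytes, vault: TokenVault):
    """Simulate a swipe: parse the track in memory, tokenize the PAN, keep
    only the token.  Returns (stored_record, memory_snapshot).  The snapshot
    models the POS heap, where the raw swipe buffer is still present after
    tokenization (it is never scrubbed in this model)."""
    m = TRACK2_RE.search(track2)
    if m is None:
        raise ValueError("no track-2 data in buffer")
    pan = m.group(1).decode()
    expiry = m.group(2).decode()
    token = vault.tokenize(pan)
    stored = {"token": token, "expiry": expiry}   # what reaches the database
    memory = b"\x00" * 64 + track2 + b"\x00" * 64 + token.encode()
    return stored, memory


def scrape_pans(memory: bytes):
    """What a RAM scraper does, and what a memory-scanning detector does:
    find track-2-shaped strings, keep only Luhn-valid PANs."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(pan)
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    stored, mem = pos_transaction(TRACK2_SAMPLE, vault)
    print("stored record:", stored)             # token only, no PAN
    print("PANs in memory:", scrape_pans(mem))  # raw PAN still recoverable
```

Run as-is and the stored record contains only the token, exactly the protection PCI's guidance describes, while `scrape_pans` still pulls the full PAN out of the memory image: tokenizing "after the swipe" leaves the swipe itself exposed. Scraping the stored record finds nothing, which is the 41 percent of cases where the control does help.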

According to Trend Micro, more new variants of RAM scraper malware were
discovered in the first nine months of 2014 than in all of the preceding
three years. And, last month, analysts discovered two more new RAM scraper
families.

In addition to hitting high-profile targets like Target and Home Depot, the
attackers also broadened their reach last year, said Trend Micro senior
threat researcher Numaan Huq in a report earlier this year.

"Scammers have already ventured outside the shopping mall to hit newer
targets like airports, metro stations, and parking lots," he wrote.

Apple Pay also uses tokenization, but is not vulnerable at the point of
sale because no actual credit card numbers are involved there.

The tokenization process happens when the card is first loaded onto the
iPhone -- and that is, in fact, where criminals have been targeting their
efforts, by talking bank call centers into approving stolen credit cards.

"The earlier on in the process data is tokenized, the less of the payment
process is exposed," said Goerlich. "By tokenizing earlier and moving the
end, Apple Pay avoids the way credit cards are commonly stolen."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
