No silver bullet for data protection

by. Henry Meier

On Friday, the Department of Homeland Security issued an advisory urging organizations, “regardless of size,” to “proactively check” for possible infection of their point of sale technology by a data theft virus which steals debit and credit card information as purchases are being made. The catch is that the computer virus that Homeland Security wants merchants to look for has been compromising purchases since at least October 2013 with the result that an estimated 1,000 businesses have been compromised. Brace for phone calls from concerned members and the expense of replacing cards…again!

The latest developments in the data theft wars mean that Target was just the canary in the coal mine and de facto scape goat for failing to recognize that its Point Of Sale equipment had been compromised during the holiday rush. Now, let’s hope that policy makers and industry leaders don’t make the mistake of thinking that a single technology can prevent systemic breaches from happening again. But I have my doubts.

A lot of analysts were quoted over the weekend as hoping that the latest disclosures will be the straw that broke the camel’s back and force merchants of all sizes to convert to payment processors that accept so-called EMV or chip technology. The basic idea is that chip enabled cards combined with PIN verification provide dynamic protection of payment information.  In contrast, that strip on the back of the credit and debit card contains static information and firewalls. Once it is breached, it can be used over and over again by anyone with the ability to replicate the magnetic strip.

A typical quote I read over the weekend was this one in the Times: “The weakness is the magnetic stripe,” said Avivah Litan, a security analyst for Gartner Research. “I can buy a mag stripe reader on eBay and easily read all the data from your credit card. It’s an antiquated technology from the ’60s.”

continue reading »