Since I had just started my expedition into the SANS Institute Master of Information Security Engineering program and had to write a paper, one of the options being a case study, this sounded like as good of topic as any. I talked to the SANS instructors that sent me down the path of white listing software and hardware encryption. I was also able to use the knowledge gained in SANS 5100 - Enterprise Information Security, otherwise known as Security Essentials, Bootcamp Style.
I was then very fortunate to be able to connect with security experts related to POS devices with hardware encryption, a security leader in a major retail organization and a deputy CISO who spoke at an event I attended on the issues faced by security professionals in the current environment.
The whole experience was very gratifying and I greatly appreciate the help from both the people at SANS Institute and the industry contacts, some of whom went to great lengths to help understand technologies involved and review the paper in great detail.
I hope others will find ways to prevent further credit card breaches by understanding the nature of the attacks and the pros and cons of the proposed solutions.
One big take away from the paper was that EMV chips protect people's cards doesn't always work. It seems to me it would be better to prevent the data from being stolen in the first place. There was a lot of publicity about EMV cards after the Target breach which distracted from the reasons the credit cards got stolen in the first place.
Since I wrote the paper have been reading about VISA's token service, which basically uses a token instead of the actual credit card in the transaction process. This protects the credit card number itself, however if the token is stolen I would think that could be used just as the credit card would be. [edit: met a guy at a meet up who says the tokens are ever only used once - like a nonce? Also card on chip is protected so if you destroy the magstripe failover is not possible. Also Apple is trying to be the pin provider - kind of like multi factor authentication I would guess - but I haven't really looked into any of this myself). My initial take is that minimum it is a way for banks to replace the token without having to issue a new credit card and change your credit card account, which in the Target case cost them about $200M. I have not yet researched how this would work with old school POS machines and would assume retailers that had not upgraded would be subject to the same fail over problem as as the EMV chip solution (possibly unless you destroy the mag stripe). Maybe I will look into this more later, but right now I have to move on to another class and a new topic.
Tokens and EMV are great ideas, but don't solve the underlying security problems that cause the credit card data (or tokens) from getting stolen in the first place. Which brings more value - protection after the fact or underlying security - depends on your place in the credit card food chain (banks paid a lot of money to replace credit cards and refund invalid transactions in the Target case) and how fast all retailers update their equipment to use this new technology. Both would probably be ideal and improved detection of the theft is probably even more critical.
Another point was reiterated by everyone I spoke with, is that compliance does not equal security. The compliance check lists don't cover all the threats and can't keep up with the number and complexity of the customized attacks.
Understanding network traffic seems like a very important issue given the fact that trusted ports were tunneled and networking equipment designed to prevent malicious traffic for the particular protocols supposedly running on those ports were bypassed.
Not having enough or adequately trained security staff also seemed to be a factor.
Some of the security experts I met with felt that this must have been an inside job at least in part, however I could not find documentation to support this theory so left it out of the paper.
Overall it was a great experience and I hope some people find value in reading it. I'd love to get feedback.
The paper is now published in the SANS Reading Room - whitepapers section:
The paper is now published in the SANS Reading Room - whitepapers section: