After Target, Retailers Need Better Security
The Target breach exposed how weak security is at shops. Wayne Rash wants to see biometrics
The longer the revelations continue about the data breach at (US retailer) Target, the worse the news gets. The news was bad enough when the word was that hackers had managed to extract the magnetic stripe data from Target’s point-of-sale (POS) terminals, allowing them to sell credit card information and even make counterfeit credit cards. But since then, the number of affected customers has vastly grown.
Now, the breach appears to be much worse than Target originally disclosed. Besides the 40 million or so customers affected originally, it now appears that the total may be as high as 70 million to 110 million customers. And the amount of data that was stolen has also grown. In addition to the mag stripe data, some PIN numbers were stolen.
We are all targets
It also appears that complete customer records, including names, addresses, phone numbers and even email addresses, were sucked out of Target’s customer relationship management database.
The announcement on 10 January that the hackers also penetrated Target’s CRM database means that they have nearly everything they need to create a fictitious identity, including financial information, of a very large number of Target customers. It’s unclear just how much worse this can get, but there’s probably more to come. With these events, there always seems to be something else.
The problem with the new Target revelations is that it’s hard to see how anyone could protect themselves against such a breach, other than by never buying anything at Target. The mag stripe data theft would not have occurred in the UK, where Chip-and-PIN cards (known elsewhere as “EMV” cards) are the norm, and would have prevented the creation of counterfeit cards.
Chip and PIN is in use on Europay, Mastercard and Visa cards, but would not prevent the theft of basic data from the CRM system.
One thing that might help, though, is through the adoption of an identity management system such as Usher, which has been developed by MicroStrategy, located near Washington in Fairfax County, Virfginia. What Usher does is bolster the security of credit cards by offloading the identity so that it’s only indirectly connected to the credit card.
Could biometrics replace credit cards?
In fact, according to Mark LaRow, executive vice president, products, at MicroStrategy, you really don’t need credit cards at all. What you need is your biometrics stored in a secure Usher database, which then confirms your identity to the POS system, allowing the use of a stored means of payment.
“We use a phone as a biometric reader for both your voice and for facial recognition,” LaRow told eWEEK.
Usher presents your identity to the other system, but it’s stored in the Usher vault. With Usher, your phone works as a conduit to confirm your identity, but your identity never resides on the phone.
“To use Usher, you have to validate yourself to your phone using your voice, face or even a pass code,” LaRow said. “Once it’s absolutely certain it’s you, it can offer your identity to other things such as POS systems, using it for log-ons or even to open doors. Your identity is never on your phone.”
LaRow said that the way Usher would work in actual use is that when you approached a POS system, you’d first identify yourself to the phone and then press a button on the screen to confirm that you wanted to buy something.
Once that happens, Usher would present a Quick Response (QR) Code on your phone’s screen that the POS terminal can read, which would confirm your identity for the sale. LaRow said that communications between the POS system and the phone make use of a public key infrastructure (PKI) encrypted signal to prevent data theft.
LaRow said that while Usher is able to push payment card information very deep into a retailer’s databases, it still can’t prevent all data theft when security is poor, as appears to be the case with the Target breaches. However, it can make personal information difficult to find and even more difficult to connect to identity information so that a hacker can use it.
Unfortunately, at this point, Usher exists only in the lab. For it to be deployed in a retail environment, the payment processing software needs to be upgraded as does the software in the POS system. This is one of the same problems that is slowing down the adoption of EMV-equipped (Chip and PIN) credit cards in the US.
Usher, like EMV, is a technology with great promise that needs a number of moving parts to work before it can be implemented. Some of those parts are mired in a regulatory morass, some in the inertia of major corporations and some because merchants don’t want to increase their costs.
Those roadblocks need to come down. Unfortunately, that will take time unless customers start complaining, which they should do once they have been caught up in a data breach on the scale of Target’s.
Are you a security pro? Try our quiz!
Originally published on eWeek.