Hacked! Is Visa Next?
In an article scheduled for next months Bank Technology News, Rebecca Sausner talks about the call and the need for systematic reform in the payments industry. The main theme of the article is to adopt an End (Beginning) to End Encryption standard.
One of the more eye-opening quotes comes from Avivah Litan, distinguished analyst from Gartner, who asks "How much worse can it get than a top 10 processor being breached? Visa's next."
Let me remind you Avivah Litan predicted that hackers would target the payment acquirers/processors months ago. I believe it was shortly after the Hannaford breach.
Now, with 3 processor/acquirer breaches in 3 months, it appears she's the Nostradamus of the financial transaction world. So when one of her "quatrains" predict that "Visa's next"...I, for one, wouldn't write that off as being overly cautious (or pessimistic). HomeATM CEO, Ken Mages, (who's also a "see-er) saw the same writing on the wall years ago. Difference is, he's was in a position to, (and has already done) something about it. Ms. Litan states that Visa needs to start seeing the same thing...or they're next.
One of the reason's HomeATM employed End to End Encryption back in January 2007, is because Ken Mages understood that without beginning to end encryption, data is ripe for the picking.
That's why HomeATM is the "only" (to our knowledge) processor who instantaneously encrypts the data at the point of sale (during the swipe) while it's inside our personal swiping device. Amusingly, ironically and paradoxically, it's was his "outside the box" thinking that made him realize that encryption needs to be done "inside the box."
One of the biggest challenges HomeATM faces is overcoming the "hurdles" involved with trying to convince industry "insiders" that in order to truly secure a transaction, a hardware device is not optional, it's necessary. These latest breaches should make "overcoming those hurdles" a lot easier. New Information always = New Decision(s).
One of the things we do have going for us in this "perfect storm," is that as unfortunate as these 3 processing/acquirer breaches in 3 months were, they are helping us in driving our message home. Articles like the one below don't hurt either.
These breaches should actually assist HomeATM in overcoming these hurdles... in fact, our technique(s) to securing transactions can hurdle HomeATM towards becoming an "Edwin Moses" like talent
Speaking of Moses...they (the breaches) may even help part the read/see and get HomeATM to the promised land sooner. (Editor's Note: Edwin Moses overcame hurdles {for 122 straight wins} during a 9 year, 9 month and 9 day "run."
I find it heartening that HomeATM's approach to securing/encrypting data for transaction's (since 1/2007) also involved a 9/9/9...99.9 Sigma.
Like Edwin Moses, we WILL win. (with PIN) The hackers don't hurt by "running" right through a processor's so-called security protocols.Here's an excerpt from the article:
Heartland's Lonely Quest For Reform
Bank Technology News | March 2009
By Rebecca Sausner
Heartland Payment Systems CEO Robert Carr has likened his company's massive data breach to the Tylenol moment when product contamination led to an overhaul in packaging safety. It's likely Carr has had a few Tylenol moments himself in the past couple of months as he dealt with perhaps the largest data breach ever, though the actual number of cards compromised is undisclosed.
Now Carr is using his standing in the industry - he founded Heartland and enjoys healthy respect among processors - to call for industry-wide reform of payments technology and information sharing about exploits to prevent criminals from successfully deploying the same hack on multiple targets.
Lots of industry players agree with his stance, but there's been scant input thus far from the industry's most influential parties: including titans such as MasterCard, Discover and Visa, which are mostly mum on the subject.
"Our concern is that an underlying principal of PCI compliance is that data can be held in its native form - unencrypted - as long as it is properly protected within a corporate firewall," says Bob Baldwin, CFO of Heartland. Corporate firewalls are only as strong as their weakest link. "What we're trying to do in end-to-end encryption is have the data always remain in its encrypted form from the moment of the swipe to the moment it gets to the association." (Editor's Note: that's going to be the biggest challenge as that will require the ecosystem of the payments landscape to be rebuilt)
It's easy to make a case that the Heartland breach should be a louder call for industrywide action than Hannaford or TJX. The company is one of the leading processors, moving 11 million transactions each day, and was known to have invested heavily in its security. And, it had passed its latest PCI audit.
"I think it's more serious, how much worse can it get than a top 10 processor?" says Avivah Litan, Gartner vp. "Plus, it's a much bigger target. Visa's next."
Litan's in agreement with Carr that now's the time for the industry to pony up for end-to-end encryption. Some POS terminals can already encrypt data,
(Editor's Encryption Note 1: Our PIN Entry Device was manufactured from "beginning to end" to do so) processors can encrypt data while it's in their environment, (Editor's Encryption Note 2: HomeATM not only "can" but DOES) and issuers could "theoretically" accept encrypted data and decrypt it in their environment.
Editor's Encryption Note 3: That's the beauty of our PIN approach...it's not theoretical, it's reality. PIN's remain encrypted all the way through the process...and not only is a KEY required by the processor to un-encrypt it, but HomeATM uses DUKPT (DuckPut) which creates a "UNIQUE" key for every transaction. In the extremely unlikely event "one key" is somehow obtained, only one transaction is put at risk because there's a new key for the next one.
For those interested, here's a quickie lesson. Others, scroll down, my rant continues...
In cryptography, Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derivedfrom a fixed key. Therefore, if a derived key is compromised, futureand past transaction data are still protected since the next or priorkeys cannot be determined easily. DUKPT is specified in ANSI X9.24 part 1.
DUKPT allows the processing of the encryption to be moved away fromthe devices that hold the shared secret. The encryption is done with a derivedkey, which is not re-used after the transaction. DUKPT is used toencrypt electronic commerce transactions. While it can be used toprotect information between two companies or banks, it is typicallyused to encrypt PIN information acquired by Point-Of-Sale (POS) devices.
DUKPT is not itself an encryption standard; rather it is a key management technique. The features of the DUKPT scheme are:
- enable both originating and receiving parties to be in agreement as to the key being used for a given transaction,
- each transaction will have a distinct key from all other transactions, except by coincidence,
- if a present key is compromised, past and future keys (and thus thetransactional data encrypted under them) remain uncompromised,
- each device generates a different key sequence,
- originators and receivers of encrypted messages do not have to perform an interactive key-agreement protocol beforehand.
The problem is without an agreed-upon standard - though triple DES would likely work - (Editor's Encryption Note 4: HomeATM uses triple 3DES) there are "air gaps" between each of the players that even PCI doesn't address.
Still, it'd likely be worth the trouble.
Editor's Encryption Note 5: It WAS worth the trouble, in fact that isn't what troubled us...what's troubling is that it seems like it's taking forever getting other's (payment industry pro's) to understand what it written in this article...(maybe because it's written in "clear text.")
What we we need is an Edwin Moses approach to overcoming the hurdles involved with "parting that read/see" and getting industry insiders to "read" further into the risks mitigated by PIN and "see" what Avivah Litan see's...)
"I would say the cost of putting end-to-end encryption in place would be lower than the all the PCI security costs and the breaches," Litan says.
Editor's Encryption Note 6: Ya think? Now if we can only get "DUH!" so-called industry experts/insiders to see it that way...) About the only thing HomeATM puts out there in "clear text" is that a "PIN Based 3DES DUKPT Encryption is the most secure way to process a transaction. Beginning to End Encryption.
Want to learn more about our Tales from Encrypt? Contact us. and we'll tell you all about it...from Beginning to End!
Continue Reading at Bank Technology News