Guest Blog // Selected Security Content Provided By Sophos
10/30/2012 11:10 AM
Dark Reading

Is A Greater Risk Of Data Loss The Trade-Off For Convenience?

Ease of use aside, protecting customer data is never an afterthought

Interviewed by the Chicago Sun-Times in the days following the recent Barnes & Noble PIN pad data breach, Jacob Furst, a professor at DePaul University specializing in information security, offered up at least one defense against data breaches: pay cash.

OK, that’s one way to stop data theft, but in the real world, especially online, it just isn’t practical.

Then there’s this observation (delivered, apparently, without tongue firmly in cheek), “Generally, the more convenient something is, the less secure it is.”

For those hearing about the breach for the first time: customers using credit and debit card devices at 63 Barnes & Noble locations nationwide learned that at least one “PIN pad” in each store had been compromised (i.e., tampered with) by hackers. As a result, the bookseller warned its customers to check for unauthorized transactions and to change their PINs to defend against data loss or identity theft. Fair enough. Good advice.

As a security professional, however, I’m not so sure about Mr. Furst’s suggestion that just because something is convenient (e.g., a single-click or swipe), it’s somehow less secure. And you should just get used to it. You know, expect to get hacked. Have your credit card numbers stolen. And have the offender offer you free monitoring services for a year. And watch for irregularities in your monthly bank statement (e.g., when was I in Uruguay and why would I rent a fishing charter when I was there?).

Not so. Not even close.

That mindset suggests that whether you slide your train pass through the reader to enter a subway station, swipe your debit card to pay a tab, or provide your credit card number online to buy something, no one, anywhere, has thought to protect your data before you do.

Allow me to present evidence to the contrary.

Let’s work backward, just a bit. In a former life I worked as a security scribe for a payments processor that exclusively supported card-not-present businesses (e.g., e-tailers). It was there that I first became acquainted with the PCI Security Standards Council (PCI SSC), which is responsible for the development of the PCI security standards, including the Data Security Standard (PCI DSS) and the PIN Transaction Security (PTS) requirements.

These standards, to which merchants, banks and other institutions must adhere if they want to continue to accept credit cards, aren’t a step you can simply overlook, opt out of or decline to participate in if it’s not convenient. Each of the credit card companies (including AMEX, Discover, Visa and MasterCard) requires you, as a merchant, to comply in full with the standard’s 12 requirements. And they’ll even take the step of sending out auditors, in this case known as QSAs (Qualified Security Assessors), to make sure you do.

In the case of point-of-sale (POS) PIN pads, the information is encrypted as it’s transmitted. The same goes for card-not-present retailers leveraging tokenization solutions, where the primary account number (PAN) is replaced with a surrogate value called a token. Storing tokens instead of PANs is one alternative that can help reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS requirements. And, parenthetically of course, if a cardholder’s card number is masked (or tokenized), it also substantially reduces the risk to the cardholder, whether at a POS PIN pad or when using a credit card online.
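To make the tokenization idea concrete, here is an added illustration (not code from the post or from any payments processor) of a minimal token vault: the merchant’s order record keeps only a random surrogate and a masked display form, while the PAN itself lives solely in the vault. The `TokenVault` class, the `store_order` helper and the test card number are all constructed for this example.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Standard Luhn check-digit test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits kept, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """The only component that ever sees PANs; it sits inside the PCI scope.
    (Hypothetical in-memory vault; a real one would encrypt the stored PANs.)"""
    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._by_pan:             # same card -> same token, so repeat orders can be linked
            return self._by_pan[pan]
        while True:
            # Random surrogate that keeps only the last four digits (for receipts)...
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            # ...and deliberately fails the Luhn check, so it can never pass as a real card number.
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at settlement time) can map a token back to its PAN."""
        return self._by_token[token]

def store_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """Merchant-side record: only the token and the masked form are kept, never the PAN."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan), "amount": amount}
```

Everything outside the vault (order database, logs, customer-service screens) handles only `rec["token"]` and `rec["display"]`, which is what shrinks the cardholder-data footprint the paragraph describes.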

By the way, all of the media takes on the B&N breach suggest that customers’ personal identification number information remained encrypted on the PIN pad, which is one reason the bookseller did not have to announce the breach publicly right away, but instead shared it with authorities to track down the hackers responsible.

Or, how about something closer to home, like transit? Here in Boston, according to the Massachusetts Bay Transit Authority (MBTA), the subway’s commuter and rail pass program – the “CharlieCard” – incorporates a tiny chip implanted into every card. If it’s ever lost or stolen, the card can be blocked from further use and the remaining balance transferred to a new card.

On more familiar ground, there’s also smartphone remote wipe technology that lets you (or an IT employee) remotely erase the handheld’s data in case it’s lost or stolen.

So what do these examples prove?

Well, with complete deference to Professor Furst’s position on this, I must disagree with his premise because it presupposes that convenience will always trump security when, at least in my world (likely yours as well), nothing could be further from the truth.

Are there exceptions to the rule? As the good professor will tell you, and as common sense dictates, of course. Sometimes hackers find their way around an encryption solution in order to have their way with your personal information. After all, no security solution is ever 100% impermeable. Bad actors and cyber crooks make their way through that usually resilient membrane with astounding regularity. And most of the time when they do, as in the Barnes & Noble breach, it makes the papers. And most of the time, if the security measures work, they come away empty-handed (as we hope they do in this case).

However, the examples I’ve shared (and I’m confident there are others) demonstrate overwhelmingly that when it comes to virtually turning over your personal information to someone or some organization in return for a product or service, your information is at no more risk than it would be if you personally handed over your hard-earned money to a merchant in a typical brick-and-mortar big box store.

In other words (and to take the contrarian view of Professor Furst), just because it’s convenient does not make it insecure.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

Comments

kfred454, User Rank: Apprentice, 11/3/2012 | 1:30:54 AM
re: Is A Greater Risk Of Data Loss The Trade-Off For Convenience?
I take exception to the statement "...These standards, to which merchants, banks and other institutions must adhere if they want to continue to accept credit cards,..." This is not true - previously I worked for an unnamed company that was (is still?) NOT PCI compliant and was / is perfectly at ease with the position of "Risk Acceptance" and paying the monthly FINES rather than the expense of making its legacy, Windows 2000-embedded POS environment compliant. "Must" and "Always" statements should be used judiciously...