Guest Blog // Selected Security Content Provided By Sophos
Dark Reading
Security Insights

Is A Greater Risk Of Data Loss The Trade-Off For Convenience?

Ease of use aside, protecting customer data is never an afterthought

Interviewed by the Chicago Sun-Times in the days following the recent Barnes & Noble PIN pad data breach, Jacob Furst, a professor at DePaul University specializing in information security, offered up at least one defense against data breaches―pay cash.

OK, that’s one way to stop data theft, but in the real world, especially online, that outcome just isn’t practical.

Then there’s this observation (delivered, apparently, without tongue firmly in cheek), “Generally, the more convenient something is, the less secure it is.”

For those hearing about the breach for the first time: customers using credit and debit card devices at 63 Barnes & Noble locations nationwide learned that at least one “PIN pad” in each store had been compromised (i.e., tampered with) by hackers. As a result, the bookseller warned its customers to check for unauthorized transactions and to change their PINs to defend against data loss or identity theft. Fair enough. Good advice.

As a security professional, however, I’m not so sure about Mr. Furst’s suggestion that just because something is convenient (e.g., a single click or swipe), it’s somehow less secure, and that you should just get used to it. You know, expect to get hacked. Have your credit card numbers stolen. Have the offender offer you free monitoring services for a year. And watch for irregularities in your monthly bank statement (e.g., when was I in Uruguay, and why would I rent a fishing charter while I was there?).

Not so. Not even close.

That mindset suggests that whether you slide your train pass through the reader to enter a subway station, swipe your debit card to pay a tab, or provide your credit card number online to buy something, no one, anywhere, has thought to protect your data before you do.

Allow me to present evidence to the contrary.

Let’s work backward, just a bit. In a former life I worked as a security scribe for a payments processor that exclusively supported card-not-present (e.g., e-tailer) businesses. It was there that I first became acquainted with the PCI Security Standards Council (PCI SSC), which is responsible for developing the PCI security standards, including the Data Security Standard (PCI DSS) and the PIN Transaction Security (PTS) requirements.

These standards, to which merchants, banks and other institutions must adhere if they want to continue to accept credit cards, aren’t a step you can simply overlook, opt out of or decline to participate in if it’s not convenient. Each of the credit card companies (including AMEX, Discover, Visa and MasterCard) requires you, as a merchant, to comply in full with the standard’s 12 requirements. And they’ll even take the step of sending out auditors, in this case known as QSAs (Qualified Security Assessors), to make sure you do.

In the case of point-of-sale (POS) PIN pads, the information is encrypted as it’s transmitted. The same holds for card-not-present retailers that use tokenization solutions, where the primary account number (PAN) is replaced with a surrogate value called a token. Storing tokens instead of PANs is one way to reduce the amount of cardholder data in the environment, which in turn can reduce the merchant’s effort to implement PCI DSS requirements. And, parenthetically of course, if a cardholder’s card number is masked (or tokenized), the risk to that cardholder, whether at a POS PIN pad or when using a credit card online, is substantially reduced as well.
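To make the tokenization idea concrete, here is an added example (not code from the original post, and not any vendor's or the PCI SSC's own implementation) of the pattern the paragraph describes: a hypothetical vault that is the only component holding PANs, a merchant-side order store that keeps just the token and a masked display form, and a detokenize path restricted to a hypothetical "payment-gateway" role. The PAN used is a constructed, Luhn-valid test number, not a real card; the class and role names are assumptions for illustration.

```python
import secrets

# Constructed, Luhn-valid test PAN (a widely used Visa test number), not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is all digits and passes the Luhn check-digit test."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: everything but the last four digits replaced by '*'."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical tokenization service (an assumption, not a named vendor's API).

    The vault is the only component that holds PANs; everything outside it stores
    and passes around tokens. Tokens are random, so nothing about the PAN can be
    recovered from a token without a vault lookup."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenize a malformed PAN")
        # Same PAN -> same token, so a merchant can recognise a returning card.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = "tok_" + secrets.token_hex(12)   # 96 bits of randomness
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the (hypothetical) payment-gateway role may recover a PAN."""
        if caller_role != "payment-gateway":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


class MerchantOrderStore:
    """Merchant-side record keeping: stores the token and the masked PAN only."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: list[dict] = []

    def record_order(self, order_id: str, pan: str, amount_cents: int) -> dict:
        token = self._vault.tokenize(pan)
        order = {
            "order_id": order_id,
            "card_token": token,
            "card_display": mask_pan(pan),
            "amount_cents": amount_cents,
        }
        self.orders.append(order)
        return order

    def holds_any_pan(self) -> bool:
        """Scope check: a Luhn-valid digit string anywhere in the store would be a PAN."""
        return any(luhn_valid(str(v)) for o in self.orders for v in o.values())


if __name__ == "__main__":
    vault = TokenVault()
    store = MerchantOrderStore(vault)
    order = store.record_order("A1001", SAMPLE_PAN, 2599)
    print(order)                                   # token + masked PAN only
    print(store.holds_any_pan())                   # False
    print(vault.detokenize(order["card_token"], "payment-gateway") == SAMPLE_PAN)
```

The `holds_any_pan` check is the kind of thing a QSA looks for in practice: if the merchant database contains only tokens and masked values, the PCI DSS scope of that system shrinks, because a compromise of it yields nothing a fraudster can charge against.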

By the way, all of the media takes on the B&N breach suggest that customers’ personal identification numbers remained encrypted on the PIN pad, which is one reason the bookseller did not have to publicly announce the breach immediately and could instead share it with authorities to track down the hackers responsible.

Or, how about something closer to home, like transit? Here in Boston, according to the Massachusetts Bay Transportation Authority (MBTA), the subway’s commuter and rail pass program – the “CharlieCard” – incorporates a tiny chip embedded in every card. If a card is ever lost or stolen, it can be blocked from further use and the remaining balance transferred to a new card.

On more familiar ground there’s also smartphone remote wipe technology that lets you (or an IT employee) remotely erase the handheld’s data in case it’s lost or stolen.

So what do these examples prove?

Well, with complete deference to Professor Furst’s position on this, I must disagree with his premise because it presupposes that convenience will always trump security when, at least in my world (likely yours as well), nothing could be further from the truth.

Are there exceptions to the rule? As the good professor will tell you and as common sense dictates, of course. Sometimes hackers find their way around an encryption solution in order to have their way with your personal information. After all, no security solution is ever 100% impermeable. Bad actors and cyber crooks make their way through that usually resilient membrane with astounding regularity. And most of the time when they do, as in the Barnes & Noble breach, it makes the papers. But most of the time, if the security measures work, they come away empty-handed (as we hope they did in this case).

However, the examples I’ve shared (and I’m confident there are others) demonstrate overwhelmingly that when it comes to virtually turning over your personal information to someone or some organization in return for a product or service, your information is not at any more risk than it would be if you personally handed over your hard-earned money to a merchant in a typical brick and mortar big box store.

In other words, (and to take the contrarian view of Professor Furst), just because it’s convenient does not make it insecure.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.

11/3/2012 | 1:30:54 AM
re: Is A Greater Risk Of Data Loss The Trade-Off For Convenience?
I take exception to the statement "...These standards, to which merchants, banks and other institutions must adhere if they want to continue to accept credit cards,..." This is not true - previously I worked for an unnamed company that was (is still?) NOT PCI compliant and was / is perfectly at ease with the position of "Risk Acceptance" and paying the monthly FINES rather than the expense of making their legacy, Windows 2000-embedded POS environment compliant. "Must" and "Always" statements should be used judiciously...