Commentary Sophos Labs Insights
Is A Greater Risk Of Data Loss The Trade-Off For Convenience?
Ease of use aside, protecting customer data is never an afterthought
Interviewed by the Chicago Sun-Times in the days following the recent Barnes & Noble PIN pad data breach, Jacob Furst, a professor at DePaul University specializing in information security, offered up at least one defense against data breaches: pay cash.
OK, that’s one way to stop data theft, but in the real world, and especially online, that advice just isn’t practical.
Then there’s this observation (delivered, apparently, without tongue firmly in cheek), “Generally, the more convenient something is, the less secure it is.”
For those hearing about the breach for the first time: customers using credit and debit card devices at 63 Barnes & Noble locations nationwide learned that at least one “PIN pad” in each store had been compromised (i.e., physically tampered with) by hackers. As a result, the bookseller warned its customers to check for unauthorized transactions and to change their PINs to defend against data loss or identity theft. Fair enough. Good advice.
As a security professional, however, I’m not so sure about Mr. Furst’s suggestion that just because something is convenient (e.g., a single click or swipe), it’s somehow less secure. And that you should just get used to it. You know, expect to get hacked. Have your credit card numbers stolen. Have the offender offer you free monitoring services for a year. And watch for irregularities in your monthly bank statement (e.g., when was I in Uruguay, and why would I rent a fishing charter while I was there?).
Not so. Not even close.
That mindset suggests that whether you slide your train pass through the reader to enter a subway station, swipe your debit card to pay a tab, or provide your credit card number online to buy something, no one, anywhere, has thought about protecting your data before you did.
Allow me to present evidence to the contrary.
Let’s work backward, just a bit. In a former life I worked as a security scribe for a payments processor that exclusively supported card-not-present businesses (e.g., e-tailers). It was there that I first became acquainted with the PCI Security Standards Council (PCI SSC), which is responsible for developing the PCI security standards, including the Data Security Standard (PCI DSS) and the PIN Transaction Security (PTS) requirements.
These standards, to which merchants, banks and other institutions must adhere if they want to continue to accept credit cards, aren’t a step you can simply overlook, opt out of or decline to participate in because it’s inconvenient. Each of the credit card companies (including AMEX, Discover, Visa and MasterCard) requires you, as a merchant, to comply in full with the standard’s 12 requirements. And they’ll even take the step of sending out auditors, in this case known as QSAs (Qualified Security Assessors), to make sure you do.
In the case of point-of-sale (POS) PIN pads, the information is encrypted as it’s transmitted. The same goes for card-not-present retailers using tokenization solutions, where the primary account number (PAN) is replaced with a surrogate value called a token. Storing tokens instead of PANs is one approach that reduces the amount of cardholder data in the merchant’s environment, which in turn can reduce the effort needed to implement the PCI DSS requirements. And, parenthetically of course, if a cardholder’s card number is masked (or tokenized), the risk to that cardholder, whether at a POS PIN pad or when using a credit card online, is substantially reduced as well.
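To make the tokenization idea above concrete, here is an added example (not Sophos, PCI SSC or any vendor’s code) of a minimal token vault. It assumes a hypothetical `TokenVault` service that lives inside the card-data environment and hands the merchant a random surrogate, while the merchant’s own systems store only the token and a masked PAN; the card number used below is the well-known “4111 1111 1111 1111” test value, not a real account.

```python
"""Added illustration of PAN tokenization and masking (hypothetical vault,
not code from the article or from any PCI-listed product)."""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    digits = "".join(ch for ch in pan if ch not in " -")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12-19 digits")
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check digit")
    return digits


def mask_pan(pan: str) -> str:
    """Display form of a card number: only the last four digits survive."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Hypothetical token service. Tokens are random, so a token stolen from
    the merchant cannot be turned back into a PAN without the vault."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)   # keyed lookup hash
        self._by_fingerprint: dict[str, str] = {}   # HMAC(PAN) -> token
        self._by_token: dict[str, str] = {}         # token -> PAN

    def _fingerprint(self, digits: str) -> str:
        # Keyed hash so the index itself does not reveal PANs if copied.
        return hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        fp = self._fingerprint(digits)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]       # same card -> same token
        while True:
            # Random surrogate; last four digits kept for receipts/support.
            token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
            if token not in self._by_token:
                break
        self._by_fingerprint[fp] = token
        self._by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Only callable inside the vault; the merchant never does this."""
        return self._by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant persists: token + masked PAN, never the PAN itself."""
    return {
        "token": vault.tokenize(pan),
        "display": mask_pan(pan),
        "amount_cents": amount_cents,
    }


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Sanity check for the merchant's data store: does the full PAN appear?"""
    digits = normalize_pan(pan)
    return any(digits in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111 1111 1111 1111", 1999)
    print(rec)
    print("PAN present in merchant record:", record_leaks_pan(rec, "4111 1111 1111 1111"))
```

The point the article makes is visible in `merchant_record`: the merchant keeps enough to show a receipt and to charge the same card again (the token), but a copy of its database contains no PAN, which is what takes that database out of the attacker’s reach and shrinks the PCI DSS scope.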
By the way, all of the media accounts of the B&N breach suggest that customers’ personal identification numbers remained encrypted on the PIN pad, which is one reason the bookseller did not have to publicly announce the breach immediately, and instead shared it with authorities to track down the hackers responsible.
Or, how about something closer to home, like transit? Here in Boston according to the Massachusetts Bay Transit Authority (MBTA), the subway’s commuter and rail pass program – the “CharlieCard” – incorporates a tiny chip implanted into every card. If it’s ever lost or stolen, the card can be blocked from further use and the remaining balance transferred to a new card.
On more familiar ground there’s also smartphone remote wipe technology that lets you (or an IT employee) remotely erase the handheld’s data in case it’s lost or stolen.
So what do these examples prove?
Well, with complete deference to Professor Furst’s position on this, I must disagree with his premise because it presupposes that convenience will always trump security when, at least in my world (likely yours as well), nothing could be further from the truth.
Are there exceptions to the rule? As the good professor will tell you, and as common sense dictates, of course. Sometimes hackers find their way around an encryption solution in order to have their way with your personal information. After all, no security solution is ever 100% impermeable. Bad actors and cyber crooks make their way through that usually resilient membrane with astounding regularity. And most of the time when they do, as in the Barnes & Noble breach, it makes the papers. But most of the time, when the security measures work, they come away empty-handed (as we hope they do in this case).
However, the examples I’ve shared (and I’m confident there are others) demonstrate overwhelmingly that when it comes to virtually turning over your personal information to someone, or some organization, in return for a product or service, your information is at no more risk than it would be if you personally handed over your hard-earned money to a merchant in a typical brick-and-mortar big box store.
In other words (and to take the contrarian view to Professor Furst’s), just because something is convenient does not make it insecure.
Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.