It did not take long for Target’s security breach demotion away from top largest security breach in terms of credit card numbers compromised. During the first days of September we learned that Home Depot’s point of sale systems were penetrated and that 60 million accounts might have been snooped (NYTimes Link). While Target’s breach lasted three weeks before being identified, it seems that at Home Depot the breach remained undetected for five months. In both cases, it seems the same malicious techniques and software were used (KrebsOnSecurity Link).
At Target, and at Home Depot, the breach involved hi-jacking the normal flow of data between the point of sale system (where the user swipes his or her card) to the credit card processor –which authorizes the transaction. As things stand now, the account number (as well as the credit card’s authorized user, the charge, an identifier for the vendor, etc.) are loaded into the point of sale’s system. This information might (and should) be encrypted before transmission –however, a clever attacker might get a hold of it before it is encrypted and sent over the network.
A solution would be to ensure that at no point in time some information, say the account number, exists unencrypted at the point of sale device. A solution implemented in Europe is EMV, the technology behind ‘Smart Chip’ credit cards. EMV cards are small computers onto themselves, and can implement cryptography so that only ciphertext is always exchanged, and so that the credit card number or the user’s identity are protected from snooping. The gold or metal-plated terminals used to exchange data with the EMV chip, common in cards in Europe, look like this:
If we think about it, the vendor does not really need to know the customer’s account number, but only that the transaction was charged and the payment authorized. With EMV cards, a hacker might obtain a series of encrypted zeroes and ones from the point of sale device, but would be unable to play them back successfully, nor would be able to easily extract the customer’s account number.
But, as often occurs in computer security, human and business concerns thwart much of the technological solution. EMV cards work only on EMV-enabled point of sale terminals. And, until all businesses transition, if ever, to EMV, smart chip cards must carry an old-style magnetic strip to be compatible with existing swipe devices. Whatever happens with EMV, it looks like there will be more Home Depots and Targets in the offing for quite a while.
(For an extensive discussion on the problems surrounding EMV, see Karen Webster’s link here)