Chip & PIN - Data breach silver bullet or lead slug?

Carl Banzhof

In my inbox this morning arrived the daily dose of security news from SC Magazine, in which an article details how 75 million records have been lost to data breach so far in 2014. That’s an average of 8.3 million records per month – 43.5% of the records lost this year were attributed to medical and healthcare organizations.

4.jpgMeanwhile, media headlines are flooded with more retail POS malware data breach victims. Home Depot, Jewel Osco and Jimmy Johns are just a few of the names in a growing list. Card issuers and retailers are struggling to meet the October 2015 deadline to convert to EMV (Eurocard, Mastercard, Visa)  technology commonly referred to as Chip and PIN. However, most industry experts agree that it will take until at least the year 2020 to fully roll out these systems in the US.

Does Chip and PIN mean the end to data breaches?

Sadly, no. We are already seeing a shift from retail to healthcare environments as a primary target of attackers. This doesn’t indicate that hackers are giving up on retail attacks in the face of Chip and PIN, it just means that attack vectors on retail will change from POS to online and card not present transactions.  The shift in attack vectors was seen in the UK after widespread implementation of chip and pin technology. From 2004 to 2008 total losses at point of sale fell from $356 million to $160 million after chip and PIN was introduced. Card not present and online transactions on the other hand showed a massive increase in fraud from $198 million to $545 million.

And that’s not all

Data thieves will continue to hone their skills and think of new methods for circumventing and breaking Chip and Pin technology. In 2012 University of Cambridge Security Researchers described what is known as a pre-play attack on EMV technology in their research paper “Chip and Skim”. The vulnerability described in this paper basically allows the attack to predict the UN (Unpredictable Number) used for transactions, which would appear as though the cardholder correctly entered the PIN for the transaction. Fast forward to May 2014, this same group of researchers updated their research to include yet another vulnerability known as ‘no PIN’ which basically allows an attacker to use the card without knowing the PIN.

Beyond Payment Card Data

The real money profited in most data breaches today happens in intellectual property theft not from retail credit card theft. Intellectual property could be designs for a new airplane, source code for proprietary software algorithms or financial and acquisition plans. In short intellectual property is the very essence of your company, what makes it unique and holds its competitive advantage in the market. The loss of this data could be catastrophic to your business. Real life examples of these types of breaches happen all too often. Because there are no clear guidelines for disclosure they often go unreported. Here are several high profile cases in recent years:

  • The 2014 case leveled by US Department of Justice against Chinese military officials for hacking into Alcoa, Westinghouse Electric and US Steel for commercial gain
  • The 2011 attack on RSA which led to compromise and theft of IP related to SecureID
  • The 2009 Operation Aurora which led to IP theft in several high profile tech giants including Google, Juniper, Adobe, Symantec and others


The Risk to Your Organization

Whether your company processes credit card transactions, offers health care services, provides financial services or builds airplanes, your data is at risk. The fact is that attackers will continue to find value and markets for all kinds of sensitive data. They will continue to break down defenses and find ways to exfiltrate it out of your people and organization to make a profit. What you should be prepared with is a plan to mitigate the risks to your sensitive data and understand the liability exposure if your company is breached.

In my next post, we'll talk about things you can do today to mitigate the risk of a data breach in your organization.