Target Corp’s credit card system data breach indicated how lax US credit card security is. Now a new study shows that unencrypted credit card data is there for easy picking, and it’s the main attraction for hackers who target company networks.
SecurityMetrics’ PANscan (the company’s five-year-old card discovery tool) found that 63.86 percent of companies store the unencrypted 16-digit sequence printed on the front of credit cards, known as the PAN (Primary Account Number). The firm also revealed that seven percent of companies were storing the magnetic stripe data from the back of cards.
David Ellis, SecurityMetrics Director of Forensic Investigations, stated:
“Because of its value on the black market, unencrypted card data is essentially just a $50 bill lying on the sidewalk, waiting for a hacker to pick it up.”
“Unencrypted card data is the ‘low hanging fruit’ that is ripe for easy picking, and it’s what attackers first look for when they hack a business.”
Since its introduction, the card discovery tool has found more than 780 million unencrypted card numbers on company networks. That is more than 2.5 card numbers for every individual in the United States.
“Unencrypted card data can easily occur at both small and large retail locations,”
added Gary Glover, Security Assessment Director.
“It may accidentally be saved on point of sale terminals, office workstations, hard drives, etc. due to misconfigured software, improper file removal, or restored backups.”
Dangers of Storing Unencrypted Credit Card Data
Cyber attacks are intensifying, spreading rapidly and becoming more malicious. Once inside a business’s network, adversaries become entrenched. They can remain undetected for years, using cloaking and sophisticated malware strategies to stay under the radar of security controls while quietly stealing customer data and funds. Unencrypted card data weakens security and makes the resulting financial theft difficult to prosecute.
So before companies spend their whole IT budgets on the new packet-sniffing security gadgets, it could be wise to consider the low hanging fruit where reductions in risk might cost little to implement. Breaches are not easy to reverse. Encrypting credit card details is.
Merchants generally know better than to write down card numbers or email them. The bigger culprit is that their data systems are not properly configured or secured. Merchants often do not understand their systems or their requirements well enough to recognize that the data store might be unencrypted, opening the door to breaches.
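The kind of check a card discovery tool like PANscan performs can be illustrated with a small scanner. This is an added example, not code from the article or from SecurityMetrics: it looks for 16-digit sequences (with optional spaces or dashes) that pass the Luhn check, plus track-2 style magnetic stripe records, in a constructed sample of text, and reports only masked values so the scan output itself does not become a new store of unencrypted PANs.

```python
import re

# Constructed sample of what a scan might meet on a POS log or workstation:
# a Luhn-valid test PAN, the same PAN with spaces, two 16-digit values that
# fail Luhn (an order id and a reference), and a track-2 style stripe record.
SAMPLE_TEXT = """\
order=1234567812345678 customer=ACME
card: 4111 1111 1111 1111 exp 12/26
ref 1234567890123456
;4111111111111111=26121010000000000000?
"""

# Exactly 16 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
# Track 2 data as written to the magnetic stripe: ;PAN=YYMM...?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by all major card brands; filters most random numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> list:
    """Return (line number, kind, masked PAN) for every likely card number found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append((lineno, "pan", mask(digits)))
        for m in TRACK2.finditer(line):
            if luhn_valid(m.group(1)):
                findings.append((lineno, "track2", mask(m.group(1))))
    return findings


if __name__ == "__main__":
    for lineno, kind, masked in scan(SAMPLE_TEXT):
        print(f"line {lineno}: {kind} {masked}")
```

Lines 1 and 3 of the sample contain 16-digit values that fail the Luhn check and are not reported; line 4 is flagged twice, once as a PAN and once as full track data, which is the more serious finding.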
Companies that store unencrypted credit card data violate PCI DSS (Payment Card Industry Data Security Standard) requirements, which can set merchants back financially and in terms of reputation if they break the rules, or worse, if hackers tap into their systems and retrieve the unencrypted data for monetary gain or black market sale.
Unencrypted data is what made the hack at Target possible. Hackers began the heist a day before Thanksgiving last year, and spent two weeks collecting unencrypted debit and credit card data of 40 million customers before the company discovered their presence in December. A report says that hackers collected 11 GB of data that was later siphoned to an FTP server and redirected to a system in Russia.
The card data was also siphoned from the company’s POS systems. iSight Partners reported that the attack used a RAM scraper, malware built to steal data from a PC’s memory. The operation was noted to be sophisticated, persistent, and successful at casting a wide net, while damaging the retailer financially and reputation-wise.
Encrypted Card Data and Compliance
Preventing such attacks and ensuring compliance with PCI DSS requires businesses to have firewalls in place, up-to-date anti-malware and antivirus software installed and, most importantly, card data encrypted before it is stored on company systems or sent over public Wi-Fi networks.
Companies are often advised to encrypt credit card numbers with a private key. But this does not seem a secure strategy, because the key is also stored on the server: if hackers gain access to the system database, they can probably get the key as well.
A safe alternative could be a solution like tokenization, which removes the card data from the internal networks of a company and replaces it with a unique token – like emptying storage so that a thief has nothing to take away.
Merchants can use the token to access, retrieve, or maintain their customers’ card information, while the actual data is stored in a highly secure, offsite location. Tokenization also renders the data held on the merchant’s systems useless to hackers, reducing the costs and liability that companies often associate with PCI compliance.