There's no hope for our payment systems

Summary: The lesson of the Target payment card breach is that we'll never stop such attacks without an effective second factor, and that's going to be a tough sell.

TOPICS: Security

By all accounts, the recent breach of Target point-of-sale systems, and the resulting exposure of credit card and other personal data belonging to tens of millions of customers, was a sophisticated effort by an experienced criminal gang. And yet, in a sense, there's really nothing new or innovative about it. It may have been built from off-the-shelf malware components.

How mad should we get at Target and other large corporations that get breached in this way? Personally (and speaking as a regular Target customer) I'm somewhat mad at Target, but it's not as if they're much less responsible than the rest of the world, and it's not going to stop me from shopping there. Especially with 20/20 hindsight, surely there was more they could have done, but the real problem is bigger than them. It's the fact that the US payments system demands so much convenience that we'll never be able to stop these attacks.

If you're interested in a good description of the malware and who probably built it, read Brian Krebs's accounts: Part 1 and Part 2.

The only real mystery left, if I understand it correctly, is how the attackers executed their initial privileged penetration of the Target networks. They got to the point of being able to distribute memory-scraping malware to the point-of-sale systems in stores in order to capture credit card data as it was swiped at the machines. Here is a Symantec write-up on what appears to be one of the point-of-sale malware samples.

From the write-up we can tell that the malware required significant privileges on the PC/point-of-sale (POS) terminal: the first thing it does on execution is install a malicious service in the System32 directory, along with the requisite registry keys under HKLM to run it. So already we know that the POS terminals are not as locked down as they should be. Even if the malware was undetectable by scanners at the time, the fact that a privileged program was pushed to all of their terminals should have registered interest somewhere in their IT group.
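As an added illustration (not from the article or the Symantec write-up), the following Python sketch shows the kind of check that would "register interest": it reads constructed Windows System-log lines for event 7045 (a service was installed), flags any service that shows up on many POS hosts within a short window, and notes whether the service binary was dropped into System32. Host names, service names, paths and the one-line log format are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real breach data: event 7045 lines as a collector might flatten them.
SAMPLE_LOG = r"""
2013-11-30T01:58:03Z host=POS-0101 EventID=7045 ServiceName=UpdateAgent ImagePath=C:\Program Files\Vendor\upd.exe
2013-11-30T02:01:10Z host=POS-0101 EventID=7045 ServiceName=SvcHelper ImagePath=C:\Windows\System32\svchelper.exe
2013-11-30T02:01:12Z host=POS-0102 EventID=7045 ServiceName=SvcHelper ImagePath=C:\Windows\System32\svchelper.exe
2013-11-30T02:01:15Z host=POS-0103 EventID=7045 ServiceName=SvcHelper ImagePath=C:\Windows\System32\svchelper.exe
2013-11-30T02:01:20Z host=POS-0104 EventID=7045 ServiceName=SvcHelper ImagePath=C:\Windows\System32\svchelper.exe
2013-11-30T02:01:27Z host=POS-0105 EventID=7045 ServiceName=SvcHelper ImagePath=C:\Windows\System32\svchelper.exe
2013-11-30T09:30:00Z host=POS-0107 EventID=7045 ServiceName=SvcHelper ImagePath=C:\Windows\System32\svchelper.exe
2013-11-30T03:10:00Z host=POS-0106 EventID=7034 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) "
                     r"ServiceName=(?P<svc>\S+) ImagePath=(?P<path>.+)$")

def parse_line(line):
    """Parse one collector line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "event_id": int(m["eid"]),
            "service": m["svc"], "path": m["path"]}

def under_system32(path):
    """True when the image path is in System32, where the write-up says the service was dropped."""
    return path.lower().startswith("c:\\windows\\system32\\")

def fleet_wide_installs(lines, window=timedelta(minutes=30), min_hosts=5):
    """Services whose 7045 events land on >= min_hosts distinct hosts inside one window."""
    installs = defaultdict(list)               # service -> [(ts, host, path)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["event_id"] == 7045:      # only "service installed" events
            installs[ev["service"]].append((ev["ts"], ev["host"], ev["path"]))
    hits = {}
    for svc, entries in installs.items():
        entries.sort()
        for i, (t0, _, _) in enumerate(entries):   # slide the window over start times
            hosts = {h for t, h, _ in entries[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[svc] = {"hosts": sorted(hosts),
                             "system32": any(under_system32(p) for _, _, p in entries)}
                break
    return hits
```

The late POS-0107 install falls outside the 30-minute window and is not counted, which is the kind of tuning a real rule needs so that routine one-off installs do not page anyone.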

Yes, it's possible that large corporations will allocate sufficient resources to securing their infrastructures properly, in a way that makes these attacks far more difficult; it would be foolish to say they can be made impossible. I just don't expect this to happen. Best practices like the principle of least privilege have been known for ages, and the Target breach is just more evidence that they are skirted regularly in the real world, usually because it's a pain in the butt to implement them correctly.

If we're going to make a real change in the security of our payment systems, it's going to have to come with some other sort of change, and the only real candidate is strong two-factor authentication (2FA). The comparatively easy ways to do 2FA, like Chip and PIN, have their own vulnerabilities, and it's not clear to me whether they would defeat POS-resident malware: if the chip-and-PIN verification were done by the POS system, then the malware could scrape the PIN as well. There are ways around this, such as doing the verification stage in hardware right in the reader. This still leaves the possibility of skimmers and keypad spies on those readers, but at least that isn't anywhere near as scalable as what the Target thieves did.

Getting Americans to use something like Chip and PIN would be really hard. It would require an enormous capital investment by retail businesses, banks and processors, and create a large support burden. The better 2FA systems, which use one-time codes delivered through a separate device, would be even harder to push through. And don't even think of suggesting biometrics!

This episode is another example of what seems to be a law of human nature: there is a general trade-off between security and convenience. The more security you want, the less convenience you can expect; the more convenience you want, the less security you can expect. You can't have it all. I saw this law exhibited in a display at the International Spy Museum in Washington, DC. It was said by a US general in 1954, well before there were cybersecurity issues.

At the International Spy Museum

Americans may demand both convenience and security, but while they know when things are inconvenient, they generally have no idea if they are secure. They can also kid themselves that a transaction is secure when it may very well not be.

This is where we ask the tough question: if we're not willing to do what it takes to secure our payment system, does that mean we have to be willing to put up with its vulnerabilities? Ooohh, there's an uncomfortable thought! But I do think this is the question we need to ask, and I don't expect us to ask it honestly. It's too unpleasant.

  • Cash

    plastic only when necessary
    that is how to protect yourself
    it is a pain to pay before you pump but you save a little money too
    • Perhaps ...

      One has to remember that carrying around a lot of cash brings its own risks. It tends to attract the wrong kind of people. Swipe a credit card when you buy that new TV and nobody pays much attention, but handing over a wad of $100 bills is a different story. You risk being cased and stalked. Everything in life carries risks, you just have to choose your poison.
      George Mitchell
      • OK, then, Cash and Checks

        I carry two to five hundred in cash and a couple checks in my wallet. The inconvenience of writing a check is minimal as purchases while out and about are rarely larger than my cash stash. I'm about done with this whole mess.
    • I'd rather have my wallet stolen with

      a few credit cards that I can have cancelled than with hundreds of dollars of cash in it.
    • FREE

      Avoid the whole payment fraud debacle and make everything FREE, problem solved.
      • lol

        lol, best idea yet! Now, if you'll excuse me, I'm heading down to the Ferrari dealership.
  • Least Privileged Access

    You made the comment about least privileged access being seen as a pain to implement by many. I used to think so too, before I actually did it here. Compared to the amount of time it took to clean malware, deal with users installing unapproved applications, etc., the effort to reduce privs on each workstation (through GPO, mind you) was minuscule. So is the additional overhead at our help desk when something legit does need admin rights to change or install. If I were to guess, the principle of least privileged access here represents about 80+% of my effective threat mitigation.

    Of course, if your app developers do not code well for this environment and require admin rights to run, we will never win unless we scrap those solutions for more secure ones.

    That said, a POS system is in no way used like a workstation in an office, and I cannot fathom for the life of me why these would not be locked down by default. This is a big fail on their part.
    • It's Windows...

      And you can't lock it down enough.

      Almost the only way this could have propagated so far is to hijack the update mechanism.
      • that's just not true

        Certainly since Vista it's been very possible to do. It's not easy in a complex environment, especially when software is written to use excessive privileges, but you can definitely lock down a Windows system through group policy so that it has no access to what it doesn't need, you can block off access to things like USB ports, you can do a lot.
        • Even Windows 2000 could be secured enough to prevent this

          They got owned due to lax systems and network security implementation. This was preventable and should have been detected and blocked even if they had insider help.
          • Depends...

            Depends just how "insider" the help was. Did the insider have Enterprise Admin credentials on the network? If so then you're going to have one heck of a time stopping him.
        • You didn't pay attention.

          The attack is so widespread that it could not be carried out manually.

          It nearly had to be done via the update mechanism, and that cannot be blocked.

          USB ports do not work for a widespread attack like that.
  • Chip and pin

    In Europe we are changing to chip and PIN. Some countries have already switched completely. I can't use my Visa card or my debit card without a PIN. Skimming is gone for now, after the introduction of the chip on the cards. So why would it be so difficult in the US?
    • Re: Chip and pin

      Agreed! Canada is all chip and pin as well! It actually annoys me that when I go to the US I have to "sign" things. What an archaic thing. I think we're going to have to come up with something for online credit cards too.
      • Re: Chip and pin

        What do you expect ... along with Liberia and Myanmar, they are the only country still using the moronic Imperial System.

        U-S-A! U-S-A! ... just too funny ... Doh!
      • Writes the guy...

        From a country with about 15% of the U.S. population and about the same proportion of GDP.
        As the article's author wrote, the investment required is seen as unreasonable by the banks, retailers, etc. And, frankly, the losses have not been so excessive as to destabilize these businesses. The risk-reward balance has not tipped in favor of the investment in new infrastructure, whatever the perception of a shrill media.
        • Chip and PIN

          Could the difference be the banking system? In the US it appears there is a different bank on each street corner. Losses through fraud may be large, but when spread out between hundreds of banks, no one bank is taking that much of a hit. Canada only has 5 banks. So as individual corporations they would be taking a bigger, concentrated hit, since the fraud does not average out. You only need to get one bank on board, so to speak, and the others have to follow suit or take an even bigger hit.
        • What's population got to do with it,

          when the overhead cost per store (mom and pop as well as chains) is the same, if not more, as for US stores? Yes, set-up does cost, but the long-term convenience justifies it.
          No, it's not 100%, but it's certainly better than the standard in the States.
          And btw, cost goes down with scale. So, overall, it would cost US banks and retail stores less per account than it does in Canada to implement.
          I've lived in Canada for 10 years and all the credit cards use chip and PIN. All debit cards are debit cards, Visa or MasterCard. You have to use a PIN every time. I travel to the US regularly and I can't believe how vulnerable debit cards are, along with credit cards! You get used to entering a PIN every time and learn to appreciate its security. Every store...small, large or mall kiosk...uses them.
        • hah,

          "the investment required is seen as unreasonable by the banks, retailers, etc."

          Is seen, or was seen? With 70 to 100 million credit card numbers stolen, how long do you think banks and retailers will keep telling themselves the lie that lax security is "good enough?"
        • re: Writes the guy...

          > And, frankly, the losses have not been so
          > excessive as to destabilize these businesses.

          There's more than loss of cash. There's loss of customer trust. Target is crying crocodile tears all over the media trying to win back people's trust. They are even sending out emails offering free credit report monitoring. And, guess what? Recipients are deleting them in the belief they are just another scam. Who can blame them?

          Part of the problem with trust is everyone knows that if a loan is made in their name because these criminals victimized Target, they are on the hook for it until they can prove they didn't take out the loan. There is this stupid notion of "Identity Theft" that makes third parties the "victims" of a breach of Target's systems and a breach of a lender's vetting practices. Target is the victim. The lender is the victim. The third party whose info Target lost and the lender was fooled into accepting should not be the victim.

          No payment system is not worth replacing if consumers don't trust it. Time for the US to join the 21st century.