There's no hope for our payment systems

The lesson of the Target payment card breach is that we'll never stop such attacks without an effective second factor, and that's going to be a tough sell.

By all accounts, the recent breach of Target point of sale systems and the resulting exposure of tens of millions of credit card and other personal customer data  was a sophisticated effort by an experienced criminal gang . And yet, in a sense, there's really nothing new or innovative about it. It may have been built with off-the-shelf malware components.

How mad should we get at Target and other large corporations that get breached in this way? Personally (and speaking as a regular Target customer) I'm somewhat mad at Target, but it's not like they're much less responsible than the rest of the world and it's not going to stop me from shopping there. Especially with 20-20 hindsight, surely there was more they could do, but the real problem is bigger than them. It's the fact that the US payments system demands such convenience that we'll never be able to stop these attacks.

If you're interested in a good description of the malware and who probably built it, read Brian Krebs's accounts: Part 1 and Part 2.

The only real mystery left, if I understand it correctly, is how the attackers executed their initial privileged penetration of the Target networks. They got to the point of being able to distribute memory-scraping malware to the point-of-sale systems in stores in order to capture credit card data as it was swiped at the machines. Here is a Symantec write up on what appears to be one of the point-of-sale malware samples.

From the write up we can tell that the malware required significant privileges on the PC/point-of-sale (POS) terminal, as the first thing it does on execution is to install a malicious service in the System32 directory and requisite registry keys in HKLM to run it. So already we know that the POS terminals are not as locked-down as they should be; even if the malware was undetectable by scanners at the time, the fact that a privileged program was pushed to all their terminals should register interest somewhere in their IT group.

Yes, it's possible that large corporations will allocate sufficient resources to securing their infrastructures properly in a way that will make these attacks far more difficult; it would be foolish to say they can be made impossible. I just don't expect this to happen. Best practices like principle of least privilege have been known for ages, and the Target breach is just more evidence that they are skirted regularly in the real world, usually because it's a pain in the butt to implement them correctly.

If we're going to make a real change in the security of our payment systems it's going to have to come with some other sort of change, and the only real candidate is a strong two factor authentication (2FA). The comparatively easy ways to do 2FA, like Chip and PIN, have their own vulnerabilities and it's not clear to me whether they would defeat POS-resident malware; if the Chip-PIN verification were done by the POS system then the malware can scrape the PIN as well. There are ways around this, such as doing the verification stage in hardware right in the reader. This still leaves the possibility of skimmers and keypad spies on those readers, but at least this isn't anywhere near as scalable as what the Target thieves did.

Getting Americans to use something like Chip and PIN would be really hard. It would require an enormous capital investment by retail businesses and banks and processors and create a large support burden. The better 2FA systems, which use one-time-codes delivered through a separate device, would be even harder to push through. And don't even think of suggesting biometrics!

This episode is another example of what seems to be a law of human nature: there is a general trade-off between security and convenience. The more security you want, the less convenience you can expect; the more convenience you want, the less security you can expect. You can't have it all. I saw this law exhibited in a display at the International Spy Museum in Washington, DC. It was said by a US General in 1954, well before there were cybersecurity issues.

At the International Spy Museum

Americans may demand both convenience and security, but while they know when things are inconvenient, they generally have no idea if they are secure. They can also kid themselves that a transaction is secure when it may very well not be.

This is where we ask the tough question: If we're not willing to do what it takes to secure our payment system, does that mean we have to be willing to put up with their vulnerabilities? Ooohh, there's an uncomfortable thought! But I do think this is the question we need to ask, and I don't expect us to ask it honestly. It's too unpleasant. 

Show Comments