Thales Blog

Chewbacca: Data Wars

February 5, 2014

Retailers have had a rocky ride from a security perspective over the last few weeks. The cost of the Target data breach has now been totted up at approximately $1bn (according to a Jefferies retail analyst), Neiman Marcus is still reeling from a massive credit and debit card data breach, and now – ChewBacca. At the end of last week, RSA FirstWatch revealed the full extent of the havoc wreaked over the last two months by this malicious software lurking at the point of sale: stolen data from 45 retailers in 11 different countries.

The ChewBacca findings simply confirm something we already know - regular PCs and servers can’t be secured. Although we hear relatively regularly of stolen cardholder data, we very rarely see stories of stolen PINs. Why? We have a widespread solution for protecting this critical information. PINs are encrypted directly in the card reader as soon as they are entered by the shopper. They are only decrypted when absolutely necessary, and only in similarly hardened devices (hardware security modules – HSMs). Everything in between, including the point of sale terminal, only sees scrambled data which is useless to an attacker.

The success of this technique raises the question – why hasn’t this approach been extended to cover all cardholder data?

In-store point of sale terminals, such as those that fell prey to ChewBacca, are particularly vulnerable to attack for three key reasons: they handle highly sensitive cardholder data, they exist in large numbers (so are extremely difficult to manage), and yet they sit in notoriously insecure places – the ‘brick and mortar’ retail store. Meanwhile, mobile point of sale (mPOS) technology, out of sheer necessity (because phones, mobile apps and Wi-Fi networks have never been trusted), is leading the charge: encrypting (or tokenizing) all cardholder data at the point of capture, to be decrypted only on a need-to-know basis, and only in trusted environments.
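The two paragraphs above describe the same architecture for PINs and for cardholder data: encrypt in the card reader, forward only ciphertext through the point of sale terminal, decrypt only inside an HSM. The following Go program is an added example written for this post; it is not code from Thales, RSA or any payment vendor. It contrasts the traditional flow, where the terminal handles the plaintext PAN, with the encrypt-at-capture flow, and runs a simple memory-scraper-style scan (a digit-run search plus Luhn check, which is how such tools typically find card numbers) over what the terminal held in each case. It assumes a static AES-GCM key shared between reader and HSM, a constructed test card number, and hypothetical type names; real deployments derive a fresh key per transaction (DUKPT) inside tamper-resistant hardware rather than holding a long-lived key in software.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// samplePAN is a constructed, well-known test card number, not a real account.
const samplePAN = "4111111111111111"

// panPattern matches runs of 13 to 19 ASCII digits, the first filter a
// memory scraper applies before checking the Luhn digit.
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

// luhnValid reports whether s passes the Luhn check digit test used by card numbers.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// findPANs scans a buffer standing in for terminal process memory and returns
// every Luhn-valid digit run: what a POS scraper would be able to steal.
func findPANs(mem []byte) []string {
	var found []string
	for _, m := range panPattern.FindAll(mem, -1) {
		if luhnValid(string(m)) {
			found = append(found, string(m))
		}
	}
	return found
}

// NewKey generates a 256-bit AES key (assumption: static shared key for illustration).
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return key
}

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// CardReader (hypothetical) encrypts at the point of capture, before any data
// leaves the reader. Output is nonce || ciphertext || GCM tag.
type CardReader struct{ aead cipher.AEAD }

func NewCardReader(key []byte) CardReader { return CardReader{aead: newAEAD(key)} }

func (r CardReader) Capture(pan string) []byte {
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return r.aead.Seal(nonce, nonce, []byte(pan), nil)
}

// HSM (hypothetical) is the only component besides the reader that holds the key.
type HSM struct{ aead cipher.AEAD }

func NewHSM(key []byte) HSM { return HSM{aead: newAEAD(key)} }

// Decrypt recovers the PAN; any tampering with the blob fails the GCM tag check.
func (h HSM) Decrypt(blob []byte) (string, error) {
	n := h.aead.NonceSize()
	if len(blob) < n+h.aead.Overhead() {
		return "", errors.New("blob too short")
	}
	pt, err := h.aead.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// TraditionalFlow returns the buffer a terminal builds when the reader hands it
// the plaintext PAN: the weak link the post describes.
func TraditionalFlow(pan string) []byte {
	return []byte(fmt.Sprintf("SALE amount=1999 pan=%s", pan))
}

// EncryptedFlow returns the terminal's buffer when the reader encrypts at capture,
// plus the PAN as recovered by the HSM at the far end.
func EncryptedFlow(key []byte, pan string) ([]byte, string, error) {
	blob := NewCardReader(key).Capture(pan)
	mem := append([]byte("SALE amount=1999 blob="), blob...) // terminal only forwards ciphertext
	recovered, err := NewHSM(key).Decrypt(blob)
	return mem, recovered, err
}

func main() {
	key := NewKey()
	fmt.Println("traditional terminal memory leaks:", findPANs(TraditionalFlow(samplePAN)))
	mem, pan, err := EncryptedFlow(key, samplePAN)
	fmt.Println("encrypt-at-capture terminal memory leaks:", findPANs(mem), "HSM recovered:", pan, err)
}
```

Running it shows the scraper finding the PAN in the traditional terminal's buffer and nothing in the encrypt-at-capture buffer, while the HSM still recovers the number for authorisation; the terminal never needs the key, so compromising it yields only ciphertext.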

Although this ‘encrypt everything’ approach might sound obvious, it is worth noting that it requires a complete shift of mindset. IT people like to secure systems, the things they control, while consumers and regulators are calling for a much more data-centric approach.

If you take the traditional approach, a flaw in any single system, any weak link in the chain (the point of sale terminal in this case), could easily result in that data being stolen. Encryption protects data wherever it goes. It’s the difference between giving data its very own bodyguard and relying on bouncers at every doorway the data passes through.