If encryption keys are vulnerable, so is the point of sale
South African investigators' revelation last week that fraudsters stole more than $3.2 million from the banking division of the country's post office more than a year ago served as a stark reminder that encryption doesn't mean a thing if the key is left unprotected.
That breach occurred in December 2018 and forced the bank to reissue 12 million payment cards. It all came about because Postbank's 36-digit digital master encryption key was printed out, in what was feared to be an inside job.
"Every time, the breaches within encryption occur with key management," said Ruston Miles, chief strategy officer for Atlanta-based Bluefin, a point-to-point encryption management firm.
As an example, Miles said, a global company may obtain several thousand new payment terminals for sites worldwide and pay to have encryption keys injected into them.
"But somewhere along the way, someone forgot to turn the keys on," said Miles, who serves on the Payment Card Industry Security Standards Council board of advisers. "That sort of thing can happen when encryption is not part of a certified, validated system."
The company may have had good intentions and gave its best effort, but "if no outside entity is regularly auditing and validating the controls against a certain standard in place, they will eventually fall out of place and the hackers will get in," he added.
Around the same time the South African post office bank was dealing with the fallout of a mismanaged encryption key, youth retailer Claire's e-commerce site suffered a breach in which malware hidden behind the "submit" button captured payment data as each transaction was initiated, making it easy for the hackers to route that data to a fake domain and steal it.
That incident, much like many other retail data breaches, illustrates another point about encryption services: they remain a hardware-to-hardware solution, and retailers who try to avoid that expense by relying on software-based protections run the risk of trouble.
Because encryption keys are in place at the front and back ends of the process, it is vital to remember that those keys "can only live in hardware, as in hardware security modules," Miles said.
"The keys have to live in an area separate from where cards are taken for payments," Miles noted. "That separate area can't be exposed and the encryption has to be done inside of that before it gets into the application or software layer, even (the layers) in that of a device."
This issue is a longstanding concern for the PCI council and other security experts.
"Software developers generally do not understand the intricacies of encryption, and invariably will code keys directly into their applications, much as they often use hard-coded usernames and passwords," said Joe Krull, senior cybersecurity analyst for Aite Group. "It's easy and it's very low latency, but it is not secure."
As such, hardware security modules, or HSMs, remain the top solution for encryption key protection.
"I can't count the number of databases I've audited where the encryption key was stored in the database," Krull said, describing a setup that hands hackers an easy target.
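As an added illustration (not code from the article or from the firms it quotes) of why a key stored beside the data it protects gives an attacker with a database dump everything they need, and of the HSM-separated alternative Miles and Krull describe: the `Hsm` class, the HMAC-based keystream cipher and the `cards` table are constructed stand-ins; a real deployment would use an actual HSM and an authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os, sqlite3

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode keystream, a stdlib stand-in for AES so the
    example runs offline. Not a production cipher: no authentication tag."""
    out = b""
    for ctr in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

class Hsm:
    """Hypothetical HSM boundary: the key-encryption key (KEK) never leaves it;
    callers only get wrap/unwrap, never the KEK itself."""
    def __init__(self):
        self._kek = os.urandom(32)
    def wrap(self, dek: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + keystream_xor(self._kek, nonce, dek)
    def unwrap(self, blob: bytes) -> bytes:
        return keystream_xor(self._kek, blob[:16], blob[16:])

def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, ciphertext BLOB, key_material BLOB)")
    return db

def encrypt_pan(pan: str, dek: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(dek, nonce, pan.encode())

def store_insecure(db, pan: str) -> int:
    # The anti-pattern Krull describes: the raw data key is stored in the same row.
    dek = os.urandom(32)
    return db.execute("INSERT INTO cards (ciphertext, key_material) VALUES (?, ?)",
                      (encrypt_pan(pan, dek), dek)).lastrowid

def store_enveloped(db, hsm: Hsm, pan: str) -> int:
    # Envelope pattern: the row holds only the HSM-wrapped data key.
    dek = os.urandom(32)
    return db.execute("INSERT INTO cards (ciphertext, key_material) VALUES (?, ?)",
                      (encrypt_pan(pan, dek), hsm.wrap(dek))).lastrowid

def read_with_hsm(db, hsm: Hsm, row_id: int) -> str:
    ct, wdek = db.execute("SELECT ciphertext, key_material FROM cards WHERE id = ?", (row_id,)).fetchone()
    return keystream_xor(hsm.unwrap(wdek), ct[:16], ct[16:]).decode()

def attacker_with_dump_only(db, row_id: int) -> bytes:
    """Someone holding only a database dump tries key_material as the data key."""
    ct, km = db.execute("SELECT ciphertext, key_material FROM cards WHERE id = ?", (row_id,)).fetchone()
    return keystream_xor(km, ct[:16], ct[16:])
```

With the dump alone, the insecure row decrypts immediately while the enveloped row yields only noise; the legitimate reader still recovers the value because it can call the HSM's unwrap.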
Looking to shore up what it viewed as a prominent security weakness, the PCI council recently updated its P2PE standard to simplify the validation process for component and software providers in a move it hoped would ultimately make more products available for cardholder protection.
HSMs have often been looked upon as too costly for mid-size and smaller merchants, at $4,000 to $5,000 per unit, forcing many companies to consider other options that don't support encryption as well.
"HSMs are taking on a new life due to blockchain deployments, which should hopefully lower costs via higher-volume manufacturing," Krull added.
But key management is not as simple as making sure the key sits in an HSM that no one can access.
"Key management is complicated and difficult," Krull said. "Split keys and escrow are even harder, and that's where experts need to be engaged early and often so that when a key manager departs under a cloud, the entire infrastructure does not become unusable."
Ultimately, P2PE remains an effective way to protect cardholder data and reduce PCI scope for merchants. Its importance makes it almost impossible for an assessor to issue a favorable opinion on a merchant or service provider solution that does not include strong key management. "It's literally the keys to the kingdom for the POS infrastructure," Krull added. "That's going to be a hard sell without HSMs and it will require an extended review of all of the controls."
It's troubling when the security industry continues to see breaches based on poor key management.
"You don't want encryption to get a bad name, because that would be silly when it's often just that someone put something in wrong," Miles said.
Miles sticks to the mantra that encryption processes should follow payments industry standards and that PCI compliance is a key barometer. Still, there are conflicts between security providers and the PCI council, particularly if a company feels its HSM is a stronger asset to the process than those the council recommends.
The largest retailers in the world build and manage their own security keys because they don't want a single acquirer managing that process. Bigger companies at a level just below the top ones generally turn to an acquirer like First Data, Elavon, Global Payments, TSYS or others. They generally work with companies like Gemalto to obtain an HSM.
But even major acquirers and processors have turned to companies like Bluefin to manage the encryption keys on a full-time basis, and this trend should lead to fewer breaches related to key management problems, Miles said.
Smaller retailers mostly use payment gateways that bring P2PE services to the table, operating like a value-add reseller in the payments security chain. "But now, businesses of all sizes have access to encryption services, and acquirers are making it part of their security and compliance services," Miles said.