'Moving' Tokens to the Point of Sale Can Slow Crooks
Before Target, there was TJX, the major 2007 breach that impacted about 45 million credit cards. The crime and its prevention were basic, and provide a lesson for today's retailers that are battling a new wave of data theft.
It is easy to forget, going on a decade later, how relatively simple the TJX crime actually was. TJXs Wi-Fi was unprotected and the wireless network allowed access to the back-end IT systems that stored credit cards in the clear in centralized databases.
Several security improvements have been made since then, of course, but the most fundamental is shifting from using credit card information to tokens in those back-end databases. Using tokens as part of a process called format-preserving tokenization meant that criminals could not just walk out the front door with the database. PCI issued guidance on tokenization, many retailers adopted it, and for a while the security controls seemed to be working.
Until, of course, Target took TJXs place as splashy retail breach. Approximately 40 million credit cards were stolen in November and December 2013. Target was using format preserving tokenization. So what happened?
Unable to get readable credit card numbers from Targets database, the criminals went after the point of sale systems. Here, the credit cards were available in the clear. It was only after reading the card information that the token was generated and passed onto the retailers back-end systems. On the one hand, the impact on the consumers between TJX and Target was roughly the same. On the other hand, the cost to the attacker was much higher. Rather than gaining access to one database, they had to gain access into 1,700 stores and get data back out of these secured networks.
If we want to stop attacks such as the Target breach, tokenization needs to be moved up to the point of interaction. Emerging payment methods like Apple Pay and Google Wallet do just that. The tokenization occurs when the consumer enrolls in Apple Pay or Google Wallet. The token is passed via Near Field Communication (NFC) to the point of sale and the card information is never directly exposed within the retailers systems. We just raised the criminals level of difficulty from one database to a thousand stores to millions of phones.
That is not to suggest that systems like Apple Pay and Google Wallet are the stopping point. As ubiquity of NFC payments increases so will the efforts to steal from the consumers. Mass adoption is well underway, as demonstrated by the separate announcements late last year that McDonald's and Subway are supporting NFC payments in over 40,000 locations. Not surprisingly, news has begun to surface about Apple Pay fraud, including attacks on the enrollment process and schemes to add wallets to stolen Apple devices.
Each action we take moves the criminals activities. The adoption of tokenization on back-end systems moved the criminals to the point of sale systems. The adoption of NFC moves the criminals to the consumers devices. New controls provide protection for a finite amount of time, but crime ultimately finds a way. Retailers who inspect the entire payment processing chain regularly, performing ethical hacking to find the cracks, are the retailers who avoid being the next splashy name in the news. Those that lag behind and only adopt the controls that fight the last breach remain criminals favorite marks.
J. Wolfgang Goerlich is a cybersecurity strategist with CBI.