
The Green Sheet Online Edition

November 26, 2007  •  Issue 07:11:02


Data breaches pique interest

By Travis K. Kircher

It's the data-breach scandal that won't die - the 2005 to 2006 TJX data breach that compromised the security of some 45 million debit and credit cards. Details about what is widely regarded as the largest data breach of its kind on record continue to emerge.

Over an 18-month period, which began in July 2005 and ended in December 2006, stolen card numbers have been traced back to customers of TJX Companies Inc., the name behind retail giants such as T.J. Maxx, Marshalls and HomeGoods.

Industry experts believe card data was compromised after it was fraudulently obtained during the transmission of data to card issuers. The cause: a vulnerable and badly secured wireless network, they say, in addition to stored card data at the point of sale - a flub that has prompted MasterCard Worldwide and Visa Inc. to tighten the reins on compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).

Perpetrators were able to download card information and decrypt it with TJX's decryption key, which they also allegedly obtained illegally. In addition to the debit and credit card numbers, the hackers pulled driver's license information, including names, addresses and Social Security numbers, from several of the customer accounts.

In response to the breach, TJX has agreed to settle with the affected customers who filed a suit against the company.

TJX has offered those consumers the option of cash or vouchers that could be used at TJX stores. That deal is awaiting approval from the judge presiding over the case. Quests for justice aside, the TJX breach has put a spotlight on the need to secure wireless networks. And as more financial transactions are handled over wireless networks, experts are taking a closer look at what happens after transactions vanish into the ether.

A bigger picture

Which are more secure: wire-line or wireless transactions? Experts seem split on the issue. Wired infrastructures, such as land lines and lease lines, contain transactions, some say, making them more secure. When accessing card data through a system breach, a hacker would only have access to information they can gather after physically tapping the lines. In wireless transactions, hackers need only use a special wireless device to intercept the cellular or Wi-Fi transmission. But making those kinds of generalizations about the security of either transmission method is risky, said Mark Elson, Director of Product Management and Architecture for Phoenix Interactive Design Inc.

"I guess both can be compromised if the right security mitigation plan is put in place," he said. "There are different ways to infiltrate the system. It's difficult to say which one is more or less secure because some of them are drawing upon the same technology."

The security key, analysts say, is not the method of data transport, but rather the way the transported data is encrypted.

"Whether they were doing it over a land-line or not, the fact was that they had PIN detail that was generally available to anyone who wanted to look at it and knew how to look at it," said Rob Evans, the Director of Industry Marketing for NCR Corp. Evans referred to "basic guidelines" compiled in the PCI DSS, which the major card companies collaboratively designed in December 2004.

The ATM connection

PCI DSS requires that any entity that handles card transactions pass an audit conducted by the card companies to ensure that wireless networks are secure, that all transmissions are encrypted and that card data is not stored on the system. The standard also suggests that networks and systems regularly be tested for security holes.

"Wireless communications have to use an encryption method of a virtual private network, a security sockets layer or one of the other approved PCI technologies," said Chuck Hayes, a Product Manager for Long Beach, Miss.-based ATM manufacturer Triton Systems.

Mark Gamon of Australia's Symstream Technologies Pty. Ltd., which produces a product that converts landline ATMs to cellular ATMs, said his company sends financial-transaction data symbolically and layers its coded transmissions with Triple-DES encryption.

The use of the symbol with a layered-coding approach typically takes at least two hours to hack, Gamon said. And because each transmission uses a different code, fraudsters are never able to use the same transmission key twice. Even if they could get around the coding issue, because each transmission only takes two seconds to move from point A to point B, fraudsters just can't break the encryption fast enough.

Link to original article: http://www.atmmarketplace.com/article.php?id=9344

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
