Encryption & Tokenization

Time to Push the Reset Button?

Payment security is back in the public eye with the recent disclosure of a cardholder data breach at a leading US payment processor. The initial reaction has been unfortunately predictable: plenty of uninformed speculation, outrage, and a general lack of understanding of how the payments industry works. Yet the story that is ultimately written about this incident might be one that is completely unexpected.

All Systems…Go

It’s this last point that I’d like to dive into. Our analysis of the data does not point to a flaw in the RSA algorithm itself; it points to an important problem in cryptosystem implementations as a whole. Good cryptography (including RSA’s) depends on proper implementation, and the importance of proper implementation cannot be overstated. Let me draw a simple analogy here.

Payment Security Predictions for 2012 – Part Two

In our last post, we made some pretty safe predictions about how the payment security landscape will evolve this year. Now let’s make a few more daring predictions about what might happen in the coming months:

Payment Security Predictions for 2012 – Part One

Our team thought it would be interesting to make a few predictions for the upcoming year related to payment security. Some (unfortunately) don’t require a crystal ball, but for many others, the decrypted answer from our secure Magic 8 Ball is probably “outlook not so clear”. I’ll offer five we feel pretty confident about this week, and another five in our next post.

Ghosts of Compromises Past

In the past several weeks I have read two data breach accounts that suggest that many retailers may need their own visits from the ghosts of the past to realize that they need to change their ways.

Tokenization: An Alternative Form of Data Protection – Podcast #232

Host Michelle Adams-Dixon talks with Liz Robinson, Senior Product Marketing Manager for RSA, about tokenization – an up-and-coming alternative to more traditional means of data protection.

Collaboration and Trust: A Cryptographic Example

The importance of visibility and collaboration in cryptography was confirmed recently by academic work exposing a flaw in AES. In August 2011, researchers from the University of Leuven, in association with Microsoft, announced the first key-recovery attack on the full AES algorithm. The attack recovers a 128-bit AES key in roughly 2^126 operations, about four times faster than exhaustive search, with similarly small gains against 192- and 256-bit keys. Any discovery of a weakness is significant, particularly in an algorithm as widely used as AES, but this one does not represent a meaningful liability for data encrypted with AES: a 2^126 effort is as far beyond any real attacker as 2^128. So the more significant risks for data encrypted with AES continue to be key management issues, both the strength and entropy of the key and the protection of the key.
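The key-management point above is easy to show in code. The following is an added example, not code from the original post: the attacker's work is bounded by the entropy of the key, not by the strength of the cipher. Python's standard library has no AES, so a CTR-mode keystream built from HMAC-SHA256 stands in for AES-CTR (a constructed stand-in); the sample record, wordlist and password are likewise constructed, and every key-handling point applies unchanged to a real AES implementation.

```python
# Added example (not from the original post): key entropy, not cipher
# strength, bounds the attacker. HMAC-SHA256 in counter mode is a
# stand-in for AES-CTR because the stdlib has no AES.
import hashlib
import hmac
import math
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR mode: PRF(key, nonce || counter) blocks XORed into data.
    Stand-in for AES-CTR; encryption and decryption are the same call."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def weak_key_from_password(password: str) -> bytes:
    """Common mistake: a '128-bit key' that is really just a hash of a short
    password. The effective key space is the password space, not 2**128."""
    return hashlib.sha256(password.encode()).digest()[:16]

def slow_key_from_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2 raises the cost per guess but cannot add entropy the password lacks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=16)

def random_key() -> bytes:
    """A key drawn from the OS CSPRNG really does have 128 bits of entropy."""
    return os.urandom(16)

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of a uniformly chosen string of this shape."""
    return length * math.log2(alphabet_size)

def dictionary_attack(ciphertext, nonce, known_prefix, candidates, derive):
    """Offline guessing: derive a key from each candidate password and test it
    against a known plaintext prefix (here, the start of a JSON record)."""
    for pw in candidates:
        if keystream_xor(derive(pw), nonce, ciphertext[: len(known_prefix)]) == known_prefix:
            return pw
    return None

# Constructed sample data (the PAN is the well-known Visa test number).
PLAINTEXT = b'{"pan":"4111111111111111","exp":"1214"}'
KNOWN_PREFIX = b'{"pan":"'
WORDLIST = ["password", "123456", "qwerty", "summer2011", "letmein"]
SALT = b"\x00" * 8

def demo() -> dict:
    nonce = os.urandom(8)
    # 1. Key derived with a bare hash: one SHA-256 per guess, found instantly.
    ct_weak = keystream_xor(weak_key_from_password("summer2011"), nonce, PLAINTEXT)
    hit_weak = dictionary_attack(ct_weak, nonce, KNOWN_PREFIX, WORDLIST, weak_key_from_password)
    # 2. PBKDF2: every guess now costs 100k iterations, but the password is still in the list.
    derive_slow = lambda pw: slow_key_from_password(pw, SALT)
    ct_slow = keystream_xor(derive_slow("summer2011"), nonce, PLAINTEXT)
    hit_slow = dictionary_attack(ct_slow, nonce, KNOWN_PREFIX, WORDLIST, derive_slow)
    # 3. Random 128-bit key: this wordlist, and any dictionary, is useless.
    ct_random = keystream_xor(random_key(), nonce, PLAINTEXT)
    hit_random = dictionary_attack(ct_random, nonce, KNOWN_PREFIX, WORDLIST, weak_key_from_password)
    return {
        "weak": hit_weak, "slow": hit_slow, "random": hit_random,
        "bits_8_lowercase": entropy_bits(26, 8),   # about 37.6 bits
        "bits_random_key": entropy_bits(256, 16),  # 128 bits
    }

if __name__ == "__main__":
    print(demo())
```

The cipher is identical in all three runs; only the key changes. Stretching a weak password (case 2) buys a constant factor per guess, which is worth having, but the attacker still wins once the password is in the wordlist. Only a key with real entropy (case 3) moves the attack out of reach, and at that point protecting the key matters more than the cipher.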

Operation Swiper (No Swiping!) and EMV Migrations

Recently we saw a major indictment of 111 individuals from an “identity theft operation” based in Queens, NY. I suppose we will learn more details as the prosecutors make their case, but from the initial reports it looks more like a counterfeit credit card operation than a full identity theft operation. One key difference between the two is someone using your identity to open new lines of credit, as opposed to just capturing your card data and making a duplicate to go on a shopping spree.

The Problem With Petrol – Part II

In my last post, I talked about the unique challenges of trying to provide point-to-point encryption for the petroleum merchant. In a nutshell, the petroleum merchant wants to stop skimming attacks where the bad guy puts a skimming device in the chassis of the fuel dispenser*. This is easily solved by encrypting the card data at the mag-head/card reader, but doing so breaks the merchant’s ability to process the special instructions carried on fleet cards.
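The conflict is concrete once you look at the track data itself. The following is an added example, not code from the original post: it parses a constructed ISO 7813 Track 2 string and shows what the POS can and cannot read once the reader encrypts it. The fleet restriction-code table is a made-up encoding (real fleet issuers use their own discretionary-data layouts), the card number, key and nonce are constructed, and a SHAKE256 keystream stands in for the reader’s real cipher.

```python
# Added example (not from the original post): whole-track encryption at the
# mag-head hides fleet-card instructions from the POS. Track layout follows
# ISO 7813; the prompt codes, PAN, key and nonce are constructed.
import hashlib
import re

# Hypothetical fleet restriction codes, assumed to be the first character of
# the Track 2 discretionary data (constructed for this example).
FLEET_PROMPTS = {"1": ["odometer"], "2": ["driver_id"], "3": ["odometer", "driver_id"]}

# ISO 7813 Track 2: ;PAN=YYMM SVC discretionary ?   (LRC omitted here).
# The PAN group also accepts hex so the same parser can read the
# PAN-only-encrypted variant below.
TRACK2_RE = re.compile(
    r"^;(?P<pan>[0-9a-f]{1,38})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

SAMPLE_TRACK = ";6900460000000000008=15121013000001234?"  # constructed fleet card
KEY = b"\x11" * 16    # constructed reader key
NONCE = b"\x22" * 8   # constructed per-swipe nonce

def parse_track2(track: str) -> dict:
    """What the POS application does with a swipe: split the fields and
    decide, from the discretionary data, which fleet prompts to show."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a Track 2 string: sentinels or fields missing")
    f = m.groupdict()
    f["pan_is_cleartext"] = f["pan"].isdigit()
    f["prompts"] = FLEET_PROMPTS.get(f["disc"][:1], [])
    return f

def reader_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Toy stream cipher standing in for the reader's AES/DUKPT; XOR again to decrypt."""
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def pos_prompts_whole_track(track: str):
    """Reader encrypts every byte between the mag-head and the POS."""
    blob = reader_encrypt(track.encode(), KEY, NONCE)
    try:
        return parse_track2(blob.decode("latin-1"))["prompts"]
    except ValueError:
        return None   # POS cannot even tell this is a fleet card

def reader_protect_pan_only(track: str) -> str:
    """Reader encrypts only the PAN digits and re-emits the rest in the clear."""
    f = parse_track2(track)
    enc_pan = reader_encrypt(f["pan"].encode(), KEY, NONCE).hex()
    return f";{enc_pan}={f['exp']}{f['svc']}{f['disc']}?"

def pos_prompts_pan_only(protected: str) -> list:
    """POS still drives the fleet prompts; it never sees the PAN."""
    return parse_track2(protected)["prompts"]

def processor_recover_pan(protected: str) -> str:
    """Only the party holding the key (processor or gateway) recovers the PAN."""
    f = parse_track2(protected)
    return reader_encrypt(bytes.fromhex(f["pan"]), KEY, NONCE).decode()

if __name__ == "__main__":
    print("clear swipe prompts:", parse_track2(SAMPLE_TRACK)["prompts"])
    print("whole track encrypted:", pos_prompts_whole_track(SAMPLE_TRACK))
    protected = reader_protect_pan_only(SAMPLE_TRACK)
    print("PAN-only encrypted:", protected, pos_prompts_pan_only(protected))
```

Two caveats for anyone mapping this onto a real dispenser. First, Track 2 is a numeric alphabet, so a real reader cannot emit hex in the PAN field; deployments that take this route use format-preserving encryption or ship the ciphertext out of band, and the hex here only keeps the toy parser short. Second, the PAN-only variant leaves the expiry, service code and discretionary data exposed to a skimmer on the reader’s output, which is exactly the trade-off the post is describing, not a way around it.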

The Problems With Petrol

If you think about it, it should come as no surprise that an average gas station/convenience store conducts more credit card transactions per day than practically any other type of merchant – usually on the order of two or three times as many. With that many transactions, petrol merchants are prime targets for credit card theft.