Expanding Target Breach Shows Need for Highly Secure Payment Systems

By Wayne Rash  |  Posted 2014-01-11

Expanding Target Breach Shows Need for Highly Secure Payment Systems

The longer the revelations continue about the data breach at Target, the worse the news gets. The news was bad enough when the word was that hackers had managed to extract the magnetic stripe data from Target's point-of-sale (POS) terminals, allowing them to sell credit card information and even make counterfeit credit cards. But since then, the number of affected customers has vastly grown.

Now, the breach appears to be much worse than Target originally disclosed. Besides the 40 million or so customers affected originally, it now appears that the total may be as high as 70 million to 110 million customers. And the amount of data that was stolen has also grown. In addition to the mag stripe data, some PIN numbers were stolen.

It also appears that complete customer records, including names, addresses, phone numbers and even email addresses, were sucked out of Target's customer relationship management database.

The announcement on Jan. 10 that the hackers also penetrated Target's CRM database means that they have nearly everything they need to create a fictitious identity, including financial information, of a very large number of Target customers. It's unclear just how much worse this can get, but there's probably more to come. With these events, there always seems to be something else.

The problem with the new Target revelations is that it's hard to see how anyone could protect themselves against such a breach, other than by never buying anything at Target. The mag stripe data theft could have been prevented through the use of EMV-equipped credit cards, which would have prevented the creation of counterfeit cards. But EMV (Europay, Mastercard, Visa) won't prevent the theft of basic data from the CRM system.

One thing that might help, though, is through the adoption of an identity management system such as Usher, which has been developed by MicroStrategy, located near Washington in Fairfax County, Va. What Usher does is bolster the security of credit cards by offloading the identity so that it's only indirectly connected to the credit card.

In fact, according to Mark LaRow, executive vice president, products, at MicroStrategy, you really don't need credit cards at all. What you need is your biometrics stored in a secure Usher database, which then confirms your identity to the POS system, allowing the use of a stored means of payment.

"We use a phone as a biometric reader for both your voice and for facial recognition," LaRow told eWEEK."


Expanding Target Breach Shows Need for Highly Secure Payment Systems

Usher presents your identity to the other system, but it's stored in the Usher vault. With Usher, your phone works as a conduit to confirm your identity, but your identity never resides on the phone.

"To use, Usher, you have to validate yourself to your phone using your voice, face or even a pass code," LaRow said. "Once it's absolutely certain it’s you, it can offer your identity to other things such as POS systems, using it for log-ons or even to open doors. Your identity is never on your phone."

LaRow said that the way Usher would work in actual use is that when you approached a POS system, you'd first identify yourself to the phone and then press a button on the screen to confirm that you wanted to buy something.

Once that happens, Usher would present a Quick Response (QR) Code on your phone's screen that the POS terminal can read, which would confirm your identity for the sale. LaRow said that communications between the POS system and the phone make use of a public key infrastructure (PKI) encrypted signal to prevent data theft.

LaRow said that while Usher is able to push payment card information very deep into a retailer's databases, it still can't prevent all data theft when security is poor, as appears to be the case with the Target breaches. However, it can make personal information difficult to find and even more difficult to connect to identity information so that a hacker can use it.

Unfortunately, at this point, Usher exists only in the lab. For it to be deployed in a retail environment, the payment processing software needs to be upgraded as does the software in the POS system. This is one of the same problems that is slowing down the adoption of EMV-equipped credit cards. The cards are becoming available; the card readers exist; but the software to tie the POS terminals and the payment processing system together is under development.

Usher, like EMV, is a technology with great promise that needs a number of moving parts to work before it can be implemented. Some of those parts are mired in a regulatory morass, some in the inertia of major corporations and some because merchants don't want to increase their costs.

For EMV or Usher to work, those roadblocks need to come down. Unfortunately, that will take time unless customers start complaining, which they should do once they have been caught up in a data breach on the scale of Target's.


Rocket Fuel