Expanding Target Breach Shows Need for Highly Secure Payment Systems

NEWS ANALYSIS: It's clear from the expanding scale of the Target data breach that highly secure systems are needed as quickly as possible for payment methods of all types.

The longer the revelations continue about the data breach at Target, the worse the news gets. The news was bad enough when the word was that hackers had managed to extract the magnetic stripe data from Target's point-of-sale (POS) terminals, allowing them to sell credit card information and even make counterfeit credit cards. But since then, the number of affected customers has vastly grown.

Now, the breach appears to be much worse than Target originally disclosed. Besides the 40 million or so customers affected originally, it now appears that the total may be as high as 70 million to 110 million customers. And the amount of data that was stolen has also grown. In addition to the mag stripe data, some PIN numbers were stolen.

It also appears that complete customer records, including names, addresses, phone numbers and even email addresses, were sucked out of Target's customer relationship management database.

The announcement on Jan. 10 that the hackers also penetrated Target's CRM database means that they have nearly everything they need to create a fictitious identity, including financial information, of a very large number of Target customers. It's unclear just how much worse this can get, but there's probably more to come. With these events, there always seems to be something else.

The problem with the new Target revelations is that it's hard to see how anyone could protect themselves against such a breach, other than by never buying anything at Target. The mag stripe data theft could have been prevented through the use of EMV-equipped credit cards, which would have prevented the creation of counterfeit cards. But EMV (Europay, Mastercard, Visa) won't prevent the theft of basic data from the CRM system.

One thing that might help, though, is through the adoption of an identity management system such as Usher, which has been developed by MicroStrategy, located near Washington in Fairfax County, Va. What Usher does is bolster the security of credit cards by offloading the identity so that it's only indirectly connected to the credit card.

In fact, according to Mark LaRow, executive vice president, products, at MicroStrategy, you really don't need credit cards at all. What you need is your biometrics stored in a secure Usher database, which then confirms your identity to the POS system, allowing the use of a stored means of payment.

"We use a phone as a biometric reader for both your voice and for facial recognition," LaRow told eWEEK."

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...