Data breaches pique interest

Is wireless connectivity secure, and will consumers trust it?

October 24, 2007 by Travis Kircher

Travis Kircher is a new contributor to ATM Marketplace. To submit a comment about this article, please e-mail the editor.
 
It's the data-breach scandal that won't die: the 2005-2006 TJX data breach that compromised the security of some 45 million debit and credit cards. Details about what is widely regarded as the largest data breach of its kind on record continue to emerge.
 
Over an 18-month period, which began in July 2005 and ended in December 2006, stolen card numbers have been traced back to customers of TJX Companies, the name behind retail giants such as T.J. Maxx, Marshalls and HomeGoods.
 
Industry experts believe card data was compromised after it was fraudulently obtained during the transmission of data to card issuers. The cause: a vulnerable and badly secured wireless network, they say, in addition to stored card data at the point of sale, a flub that has prompted MasterCard and Visa to tighten the reins on compliance with the Payment Card Industry Data Security Standard. (Read more about PCI compliance.)
 
Perpetrators were able to download card information and decrypt it with TJX's decryption key, which they also allegedly obtained illegally. In addition to the debit and credit card numbers, the hackers pulled driver's license information, including names, addresses and Social Security numbers, from several of the customer accounts.
 
In response to the breach, TJX has agreed to settle with the affected customers who filed a suit against the company. TJX has offered those consumers the option of cash or vouchers that could be used at TJX stores.
 
That deal is awaiting approval from the judge presiding over the case.
 
Quests for justice aside, the TJX breach has put a spotlight on the need to secure wireless networks. And as more financial transactions are handled over wireless networks, experts are taking a closer look at what happens after transactions vanish into the ether. (Read also, Unwired: Wireless ATM connectivity continues to grow.)
 
How much influence do consumers have? A lot, say industry experts
 
Rob Evans, the director of industry marketing at NCR Corp., says cases like the TJX breach are unfortunate, because they chip away at consumer confidence in electronic transactions.

"I think the macro effect - to the extent that it happens repeatedly and goes on unabated - is that it does create a little bit of disease in the market," Evans said. "The more often that gets reported - and those stories get told with increasing frequency, one on the tail of the other - I think you'll see a more detrimental effect on consumer confidence. And I think we'll find that irrespective of how slick, how well, how convenient, how safe we build consumer electronic delivery, we'll find that there is less likelihood on the part of the consumer to use it."
 
Other experts say those types of incidents have little effect on consumers themselves, but they do put pressure on deployers, retailers, financial institutions and financial-services providers to rethink their security measures.

"Consumer confidence in the integrity of ATMs is strong. What happened with T.J. Maxx probably won't affect people when they go to use an ATM. It might in some other venue," said Doug Sholes, senior director of marketing and product development at Triton Systems. "But an ATM could be connected using a leased line. It could be connected using a TCP/IP network connection. It could be wireless. It could be dialup. I don't think we've ever had an instance where someone said they wouldn't have it any one way."
 
Consumer Power
What can consumers do to ensure that the businesses they're frequenting are transmitting along a secure wireless network? Many experts say their hands are tied, as retail establishments typically don't spotlight the technical details of their data-encryption methods. Digging up that information can be a challenge, which could be a good thing for the industry.

A bigger picture
 
Which are more secure: wire-line or wireless transactions? Experts seem split on the issue.
 
Wired infrastructures, such as landlines and leased lines, contain transactions, some say, making them more secure. When accessing card data through a system breach, a hacker would only have access to information they can gather after physically tapping the lines. In wireless transactions, hackers need only use a special wireless device to intercept the cellular or Wi-Fi transmission.
 
But making those kinds of generalizations about the security of either transmission method is risky, says Mark Elson, director of product management and architecture for Phoenix Interactive Design Inc.

"I guess both can be compromised if the right security mitigation plan is put in place," he said. "There are different ways to infiltrate the system. It's difficult to say which one is more or less secure because some of them are drawing upon the same technology."
 
The security key, analysts say, is not the method of data transport, but rather the way the transported data is encrypted.

"Whether they were doing it over a land-line or not, the fact was that they had PIN detail that was generally available to anyone who wanted to look at it and knew how to look at it," said Rob Evans, the director of industry marketing for NCR Corp.

The "basic guidelines" Evans refers to are compiled in the PCI Data Security Standard, which the major card companies collaboratively designed in December 2004.
 
The ATM connection
 
PCI DSS requires that any entity that handles card transactions pass an audit conducted by the card companies to ensure that wireless networks are secure, that all transmissions are encrypted and that card data is not stored on the system. The standard also suggests that networks and systems regularly be tested for security holes.

"Wireless communications have to use an encryption method of a virtual private network, a security sockets layer or one of the other approved PCI technologies," said Chuck Hayes, a product manager for Long Beach, Miss.-based ATM manufacturer Triton Systems.
 
Mark Gamon of Australia's Symstream Technologies Pty. Ltd., which produces a product that converts landline ATMs to cellular ATMs, says his company sends financial-transaction data symbolically and layers its coded transmissions with Triple-DES encryption.

The use of the symbol with a layered-coding approach typically takes at least two hours to hack, Gamon says. And because each transmission uses a different code, fraudsters are never able to use the same transmission key twice. Even if they could get around the coding issue, because each transmission only takes two seconds to move from point A to point B, fraudsters just can't break the encryption fast enough.
