Access Control

Steps to prevent data theft

by Mark Rowe

The large recent data breaches in the retail and financial services sector, such as the compromise at US retail giant Target in late 2013, were the result of multiple elements going wrong, writes Ian Lowe, senior product marketing manager, Identity Assurance, at the access and identity product company HID Global.

To prevent future compromises of this nature it is critical to tackle the issue on multiple fronts. A data breach can be one of the events most harmful to a corporation’s reputation and its customers’ privacy. Organisations handling payments should take the necessary steps to combat the threat environment in order to protect their assets and customers. Here are some simple steps to prevent data theft:

1. Move past simple passwords to strong authentication:

When hackers steal an employee’s access credentials – like their username and password – they can then move through the network, often undetected, and upload malware programmes to a retailer’s point of sale (PoS) systems. Once there, it is relatively easy to capture card data and create cloned payment cards. Organisations should protect systems and data through strong authentication that relies on more than just something the user knows, like memorised passwords. There should be at least one other authentication factor, such as something the user has (like a computer logon token) and/or something the user is (like a biometric or behaviour-metric solution).

2. Take advantage of the improved convenience of a mobile “tap-in” strong authentication model:

Users increasingly want a faster, more seamless and more convenient identity authentication solution than is possible with dedicated hardware one-time password (OTP) display cards and other physical devices. Mobile tokens can now be carried on the same card used for other applications, or combined on a phone with cloud application single-sign-on capabilities. Users can simply tap their card or phone to a personal tablet, laptop or other endpoint device to authenticate to a network, after which the OTP is unusable. There are no additional tokens to deploy and manage, and the end-user only has one device to carry and no longer must remember or type a complex password.

3. Employ a layered IT security strategy that ensures appropriate risk mitigation levels:

For optimum effectiveness, organisations should take a layered approach to security starting with authenticating the user (employee, partner, customer), then authenticating the device, protecting the browser, protecting the application, and finally authenticating the transaction with pattern-based intelligence for sensitive transactions. Implementing these layers requires an integrated, versatile authentication platform with real-time threat detection capabilities. This platform, combined with anti-virus, provides the highest possible security against threats.

4. Replace magstripe payment cards with more secure card technology for consumers at the point of sale:

Magstripe payment cards contain a static card-verification value (CVV) that is easily intercepted by malware-infected PoS systems and cloned with cheap readers. In contrast, Europay Mastercard Visa (EMV) cards store all payment information in a secure chip, use issuer-specific personalisation keys, and authenticate using cryptographic standards. They also replace the magstripe’s static CVV code with a dynamic security code that cannot be used to create a counterfeit card. Already common in Europe, EMV cards are now making their way to the US.

To combat the plethora of cyber-threats that are able to gain unauthorised access to sensitive customer data, it is critical for retailers to adopt flexible, intelligent authentication and credentialing solutions that protect access to everything from the cloud, to data, to the door.

© 2024 Professional Security Magazine. All rights reserved.