We just might put a dent in data breaches

New developments in payment technology could show the way to keep credit card data away from the prying eyes of cyberthieves.

Is the dawn of the age of ubiquitous e-payments finally here? Can we throw away our credit cards yet?

I wish! If you read my column regularly, you know that payment systems are a particular interest of mine. I've been holding out hope for a few years now that big improvements were just around the corner.

I'm a security-conscious guy, but my credit card accounts have been compromised three times in just the past couple of years. I try to be careful in how I use my cards, but the fact is that I have to use them a lot, all over the world. Given those circumstances, there doesn't seem to be any way currently to ensure safety. Heck, the most recent compromise was of my fancy-pants EMV (Europay MasterCard Visa) card -- the kind with a smart chip on it that is supposed to make it much more difficult for attackers to steal data. EMV is certainly not perfect, especially when the merchant processes it like any other credit card. That's just what happened on a recent trip to Asia, where two merchants ran my EMV card's magstripe through their payment terminals. Sure enough, bad things happened.

Despite the shortcomings of EMV, I'll be glad when it's widely adopted in the U.S. It's coming, but slowly. Nonetheless, it's not going to solve all of our problems.

Happily, some other developments are helping.

Payment data can be compromised at retailers both big and small, but the nature of the compromise is very different depending on the merchant's size. With small-scale retailers, the threat is that someone, probably an insider, will simply snatch the relevant data (credit card numbers, for example). That affects one customer at a time. The high-profile compromises, of course, hit large-scale retailers like Home Depot and Target, where cyberthieves are able to access millions of accounts all at once. These attacks have succeeded by compromising firmware on payment terminals directly, thereby snagging account data during the payment process.

In both cases, the way to keep data safe is to keep it from prying eyes. For small retailers, this goal has been furthered by companies like Square, which have put credit card payments into the hands of even the smallest of merchants while paying attention to security. When a merchant uses a Square reader, it never sees the customer's credit card account number and keeps no record of it. The payment is processed by Square, which probably helped Square achieve compliance with PCI DSS (the Payment Card Industry Data Security Standard).

Of course, Square and its competitors don't serve big merchants, the ones whose data breaches make the headlines. But a similar idea -- don't let the merchant ever even see the credit card data -- could help there as well. And Apple just might be giving us a glimpse of how this could work.

To some people, the announcement of Apple Pay was underwhelming. Bringing NFC (Near Field Communication) capabilities to the iPhone platform, enabling cardless payments, doesn't seem earth-shattering. After all, some Android devices have used NFC for a couple of years already.

But some of what Tim Cook said during the iPhone 6 announcement made me pay particular attention. If it was technically accurate, Apple Pay is reason to be cautiously optimistic that we have a new way forward to better security. Consider the following things about Apple Pay:

  • Credit card account information is stored on the phone in a secure element, making the account information inaccessible directly to application software.
  • Merchants are not given an account number directly, but rather a one-time usage code with which they can complete a transaction.
  • Payments are authorized via fingerprint scans rather than a signature or PIN.

This trifecta of technical features could well accomplish the objective of keeping the real account data away from our adversaries.
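To make the "merchant never sees the account number" idea concrete, here is an added toy model (not Apple's or any payment network's code) of the three features above: a secure element that holds the PAN, a one-time token bound to merchant and amount, and an authorization that fails without user verification. The class names, the test PAN and the device key are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed demo of the pattern above: the real account number (PAN) stays in a
# "secure element"; the merchant only sees a one-time token that the network-side
# token service can map back to the PAN. Names, test PAN and key are assumptions.
class SecureElement:
    def __init__(self, pan, device_key, alias):
        self._pan = pan            # never leaves the element
        self._key = device_key     # shared only with the token service at provisioning
        self._alias = alias        # opaque device reference, not derived from the PAN
        self._counter = 0

    def make_token(self, merchant_id, amount_cents, user_verified):
        # user_verified stands in for the fingerprint check: no match, no token.
        if not user_verified:
            raise PermissionError("user verification failed")
        self._counter += 1
        msg = f"{merchant_id}|{amount_cents}|{self._counter}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"alias": self._alias, "ctr": self._counter, "mac": mac}

class TokenService:
    """Network side: knows alias -> (PAN, key) and enforces single use."""
    def __init__(self):
        self._devices, self._seen = {}, set()

    def provision(self, pan, device_key):
        alias = secrets.token_hex(4)
        self._devices[alias] = (pan, device_key)
        return alias

    def authorize(self, token, merchant_id, amount_cents):
        pan, key = self._devices.get(token["alias"], (None, None))
        if key is None:
            return "DECLINED: unknown device"
        msg = f"{merchant_id}|{amount_cents}|{token['ctr']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, token["mac"]):
            return "DECLINED: cryptogram does not match merchant or amount"
        if (token["alias"], token["ctr"]) in self._seen:
            return "DECLINED: token already used"
        self._seen.add((token["alias"], token["ctr"]))
        return f"APPROVED for card ending {pan[-4:]}"  # PAN used here only

def merchant_checkout(se, tsp, merchant_id, amount_cents, merchant_log):
    token = se.make_token(merchant_id, amount_cents, user_verified=True)
    merchant_log.append(token)  # all a breached merchant would hold: no PAN in it
    return tsp.authorize(token, merchant_id, amount_cents)
```

The merchant log is the interesting artifact: even if it were stolen wholesale, it holds only spent, merchant-bound tokens, so replaying one or redirecting it to another merchant is declined.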

In addition, with iOS 8, Apple claims to have stepped up personal privacy. Indeed, it says it can't decrypt encrypted data stored on an Apple device, even if presented with a lawful subpoena.

Though the details are not entirely clear yet, the preliminary indications are that Apple has come up with a pretty slick architecture. Of course, the scrutiny that will come with actual use of the new iPhones could change the perception, and it wouldn't surprise me in the least if someone were to find a problem or two.

Nonetheless, it seems as though we might finally be looking at a consumer-friendly payment system that keeps our accounts from being compromised by unscrupulous vermin.

And of course, for a system like this to succeed, merchants need to adopt it. Apple's legendary marketing muscle could make all the difference. Already, several very large merchants, including Macy's, have announced that they'll be Apple Pay early adopters.

I'm looking forward to giving my own i6 Plus a run for its money. I'm hoping it can keep the bad guys from giving me a run for my money.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.
