Tokenization would not have prevented most retail breaches

Tokenization, in which credit card numbers and other sensitive data are replaced by random characters, can be a secure alternative to encryption in many cases -- but it would not have helped in the majority of retail breaches over the past two years.

The Payment Card Industry released guidance last week about how technology vendors and retailers can use tokenization to reduce the amount of card data they store in their systems.

"Tokenization is one way organizations can limit the locations of cardholder data," said PCI SSC Chief Technology Officer Troy Leach in a statement. "A smaller subset of systems to protect should improve the focus and overall security of those systems, and better security will lead to simpler compliance efforts."

But, according to a new report from CBI, if each of the 22 major breached retailers had had a tokenization system in place, 59 percent of the breaches would not have been prevented -- and 97 percent of the stolen records would still have been stolen. That adds up to 154 million records.

The reason? Most of the breaches took place at the point of sale terminal, before the data would have been tokenized.

"The tokenization takes effect after the credit card has been swiped, and the data is protected at that point forward," said J Wolfgang Goerlich, cybersecurity strategist at Ferndale, MI-based CBI. "But it is still not protected in the memory of the machine."

Only 41 percent of breaches involved attacks on databases or servers, where tokenization would have protected the card data.

"This is exactly the type of trend that we often see when a control begins to be widely deployed," said Goerlich. "The attackers will shift their focus away from where we strengthened the system, to the point where it is weakest."

The malware used to steal data from point of sale devices such as credit card readers is called a RAM scraper.

According to Trend Micro, more new variants of RAM scraper malware were discovered in the first nine months of 2014 than in all of the preceding three years. And, last month, analysts discovered two more new RAM scraper families.

In addition to hitting high-profile targets like Target and Home Depot, the attackers also broadened their reach last year, said Trend Micro senior threat researcher Numaan Huq in a report earlier this year.

"Scammers have already ventured outside the shopping mall to hit newer targets like airports, metro stations, and parking lots," he wrote.

Apple Pay also uses tokenization, but it is not vulnerable at the point of sale because no actual credit card numbers are involved.

The tokenization process happens when the card is first loaded onto the iPhone -- and that is, in fact, where criminals have been targeting their efforts, by talking bank call centers into approving stolen credit cards.

"The earlier on in the process data is tokenized, the less of the payment process is exposed," said Goerlich. "By tokenizing earlier and moving the end, Apple Pay avoids the way credit cards are commonly stolen."
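The two exposure models described in this article (tokenizing after the swipe, where the PAN still sits in terminal memory, versus tokenizing when the card is provisioned, where the terminal only ever sees a token) can be made concrete with a small simulation. The code below is an added illustration, not code from CBI, PCI SSC or Apple; the vault, the `run_payment` flow, the `tokenize_at` parameter and the sample card number are all constructed here. Tokens are plain random strings for simplicity, whereas real payment tokens are typically format-preserving. The `find_pans` scanner is the kind of Luhn-checked pattern match used for cardholder-data discovery when confirming that a tokenized store is actually out of scope.

```python
import re
import secrets

# Constructed sample PAN (a standard Luhn-valid test number, not a real account).
SAMPLE_PAN = "4111111111111111"

# Matches runs of 13-19 digits; candidates are then filtered with a Luhn check.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Cardholder-data discovery: PAN-shaped digit runs that also pass Luhn."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


class TokenVault:
    """Hypothetical tokenization service: maps each PAN to a random token.
    Only the vault can reverse the mapping, so a token alone is useless."""

    def __init__(self) -> None:
        self._by_pan: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._by_pan:
            token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def run_payment(pan: str, vault: TokenVault, tokenize_at: str) -> dict[str, str]:
    """Simulate one transaction and record what each exposure point holds.

    tokenize_at="after_swipe": classic retail, the terminal reads the real PAN.
    tokenize_at="at_provisioning": wallet-style, the card was tokenized when
    loaded onto the device, so the terminal only ever receives the token.
    """
    if tokenize_at == "at_provisioning":
        presented = vault.tokenize(pan)
    elif tokenize_at == "after_swipe":
        presented = pan
    else:
        raise ValueError("tokenize_at must be 'after_swipe' or 'at_provisioning'")

    exposure = {}
    # What a RAM scraper on the terminal would see.
    exposure["pos_memory"] = f"track data: {presented}"
    # What an attacker who reaches the back-end database would see.
    stored = vault.tokenize(presented) if tokenize_at == "after_swipe" else presented
    exposure["database"] = f"order=1001 card={stored}"
    return exposure


def exposed_points(exposure: dict[str, str]) -> list[str]:
    """Names of the exposure points where a real PAN is still recoverable."""
    return sorted(name for name, data in exposure.items() if find_pans(data))


if __name__ == "__main__":
    for mode in ("after_swipe", "at_provisioning"):
        result = run_payment(SAMPLE_PAN, TokenVault(), mode)
        print(f"{mode}: PAN exposed at {exposed_points(result) or 'nowhere'}")
```

Running it shows the article's point directly: with after-swipe tokenization the database holds only tokens, but the PAN is still exposed in terminal memory; with provisioning-time tokenization neither location yields a PAN, which is why the attack moves to the provisioning step itself.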


Stories by Maria Korolov
