Thinking About Security ROI From The Thief’s Perspective
Written by Evan SchumanJune 24th, 2010
Retail IT execs have always been very good at making risk-based security budget decisions. They know how to calculate the probability of a certain attack method being used against them, its chances for success and the likely cost to the chain if it succeeds. And they know how to use that information as a way to negotiate with the CFO's people to justify security investments. Security return-on-investment (ROI) arguments are old hat when dealing with black hats and bean counters.
But what about looking at the security ROI challenge from the cyberthief's perspective? That means examining the techniques and seeing which delivers the best value for the profit-oriented criminal. A good example of this approach is differential power analysis (DPA) and Chip-and-PIN payment cards.
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
3 Comments | Read Thinking About Security ROI From The Thief’s Perspective
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Ed
June 24th, 2010 at 9:05 am
Actually, all PCI-PED certified payment terminals are strongly protected against attacks, including DPA.
June 27th, 2010 at 4:54 pm
The quote from the “retail security cryptographer” sounds just like what people were saying about skimming a few years ago (i.e., it’s one card at a time and requires sophisticated knowledge about magnetic fields).
I was at a hacker conference, where I saw a demo of power analysis with really cheap hardware done by hobbyists — and the key recovery was basically instantaneous too. I’m sure it takes some knowledge to figure out the first attack on a given device, but the attack I watched was just about instantaneous.
Some of the testing labs charge a lot for DPA testing, so they have a vested interest in making DPA look difficult… but if the chain-smoking hacker kids can do it, I’m sure the guys who are doing skimming today could too if they tried.
I’m also interested in the reader comment that “all PCI-PED certified terminals are strongly protected against attacks, including DPA”. I don’t know how well they are protected against DPA, but the I’ve seen some pretty scary vulnerabilities in PCI-certified terminals. The smart card guys do seem to have their act together pretty well on the security front nowadays, but terminal makers have a history of cutting corners and I don’t ever recall seeing PED vendors advertising DPA protection.
July 1st, 2010 at 9:58 am
Read the POS PED requirements, specifically A6 and A7. “To determine any PIN-security-related cryptographic key resident in the PED or ICC reader, by penetration of the PED or ICC reader and/or by monitoring emanations from the PED or ICC reader (including power fluctuations), requires an attack potential of at least 35 for identification and initial exploitation as defined in Appendix B of the PCI POS PED DTRs.”
It’s a pretty clear requirement that a compliant pad should not leak energy traces. But to your point, it’s probably treated like anything else PCI related. Certify everything, and if there’s a leak, claim it was out of compliance.