The news a couple of months ago that Postbank has to replace 12 million bank cards due to a major data breach is an excellent case study in the risks of poor security processes and the reality that the human element remains a weak link in the security chain.
The breach resulted from Postbank's encrypted master key being printed in a plain, unencrypted format at its old data centre in Pretoria, and then being stolen by staff members.
“The breach might appear to be a stroke of hacking genius, but, in truth, it’s just a case of inadequate security practices and seemingly rogue and corrupt individuals who stole the 36-digit (encryption) master key,” says Karl Nimmo, CEO and founder of InTouch.
Manual key management is fraught with difficulties, says IT security expert Ian Farquhar, a director of Worldwide Security Architecture Team at Gigamon in Australia. In Postbank’s case, it’s going to cost them far more to fix this than the actual fraud, he adds.
“People routinely underestimate the cost of getting key management wrong. There’s another risk involved here, too. Not only financial loss, but poor key management can actually lead to outages that can cost as much if not more than fraud. Hopefully, this will be a wake-up call for other regional banks, so that they can improve their technology and processes around keys.”
According to Farquhar, it’s a credit to the payment card industry that they have, in the vast majority of cases, properly implemented controls around the cryptographic keys used to protect electronic financial transactions (EMV). However, it seems that in the Postbank case, a key was exposed during a data centre migration, and rather than being managed properly, it was seriously mishandled by those involved. “This fraud was the result,” he says.
Farquhar stresses that most organisations don't rely on EMV keys alone. EMV, which originally stood for Europay, Mastercard, and Visa, is a payment method based upon a technical standard for smart payment cards and for payment terminals and ATMs that are able to accept them.
“I was recently speaking to a large international financial organisation that was managing 170 000 different keys. While an extreme example, even small financial institutions will be managing 1 000 or 2 000 keys, far more than can be reliably handled with manual processes.”
Brute force
In the Postbank case, breaking the 36-character key using a brute force hacking technique would be practically impossible, based on the current state of modern supercomputers, adds Nimmo.
“The most sophisticated hackers in the world would consider this a non-trivial task with a very low likelihood of success, which is why this breach was not the work of sophisticated attackers, but, rather, the result of bad security practices and dishonestindividuals who had access to the physical systems. This breach is a reminder that hacking isn’t always done by someone sitting on the other side of the world, but often employs clever social engineering where the attacker has access to physical devices. The best way to protect against this is to strictly adhere to best security practices and processes.”
According to Nimmo, there are several encryption methods to protect data to ensure it remains safe and private to the intended parties, who should have access to the encrypted data.
“End-to-end encryption is a robust asymmetric encryption technique for encrypting data where the keys are stored by both the sender and the recipient with public and private keys. This form of encryption puts the key in the hands of the end-user. A breach would require the attacker to breach either the sender’s or the receiver's device.”
One key to rule them all
The concept of a master key to protect all the other cryptographic keys is another well-known implementation of encryption, adds Nimmo.
“Typically, these master keys are very strong and would be nearly impossible to break using even the most powerful supercomputers in existence. Using a master key has the advantage that only one piece of plaintext material needs to be protected and stored.”
The flip side of the coin and the inherent disadvantage of this single point of failure is that if this key is breached, then the entire system is breached, as in the case of Postbank.
The good news, says Farquahar, is that there are solutions in this space: hardware security modules (HSMs) for securely storing keys and enterprise key management systems, as well as associated technologies such as enterprise certificate lifecycle management systems.
“These all help to secure and automate key management, removing the need for problematic manual processes. I’m seeing a lot of organisations, inside as well as outside the financial services industryimplement these. They need to be backed up with strong operational processes supported by standards published by organisations like the ISO and NIST,” Farquahar adds.
“The Postbank breach is a reminder that information security has many idiosyncratic foibles that do not always rely on a technical solution. It is a collective engagement of technical best practices as well as real-world physical security. “`Do not allow your master key to be printed’ would be a sound security starting point,” Nimmo concludes.
Attempts by ITWeb to get further details from Postbank went unanswered.
Share