AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Hannaford Suffers Credit Card Data Breach. Could Their Drive Encryption Processes Be Stronger?

Hannaford supermarkets has been alerting their customers that there has been a data breach of credit card and debit card numbers.  The statement that they’ve released made an emphatic point to let the public know that the information breach concerns those numbers alone, and does not extend to other personal information such as names and addresses, which Hannaford does not collect.  And good for them, too: personal data collection and retention was one of the root problems following the TJX data breach a little over a year ago.

 

Hannaford has also pointed out that they’re using the latest encryption protocols which are in compliance with PCI.  In fact, they were certified as PCI compliant last year and recertified just this past February.  However, 4.2 million credit card and debit card numbers were exposed in a breach that lasted four months from December 7 to March 10.  About 1800 cases of fraud have been linked to the breach.

 

Law enforcement agencies are still working on the case, but based on the Hannaford CEO’s statement, it seems that the breach stemmed not from the use of weak encryption—the problem that riddled TJX—but from hackers targeting the weakest links in the chain, sometimes known as the man-in-the-middle attack: targeting any or all of the points between the cash register (the point of sale where the credit card number is entered) and the card processor’s servers (where the A-OK is given to charge the card).

 

Security experts point out that such attacks are nearly impossible to prevent, unlike using weak encryption for protecting data (easily fixed by using a stronger form of data encryption).  Man‑in‑the‑middle attacks could range from bribed network administrators to Trojan malware surreptitiously installed in computers to rogue vendors with intent to steal big.

 

Assuming that the criminals got the credit card numbers via some method other than cracking the encryption used for data transfers, it’s obvious that stronger encryption is not the answer.  In fact, if criminals are beginning to give up on cracking encryption, it’s probably a sign that it’s working and that security practices have to be strengthened in other areas.  Under the above assumption, switching to stronger encryption would be a detriment for Hannaford, since it would mean slower checkouts at the register without affording extra security: stronger encryption means longer encryption times.

 

For example, if you sign up for AlertBoot full disk encryption to protect the contents of your laptop’s hard drives, you get choices on what type of encryption to use, such as RSA or AES; 128-bit over 256-bit; etc.  The stronger the encryption algorithm, and the bigger your hard drive, the longer it takes to scramble every bit of information because the entire drive is encrypted, including the unused spaces.

 

However, with laptop encryption you can design it to have as low an impact on the system as possible, so the end user doesn’t notice there’s encryption going on while working on a document.  But waiting in line at a supermarket?  Everyone feels inconvenienced by that, and a small increase in waiting time would be even more inconvenient, so unless it can be demonstrated to retailers that stronger encryption does mean extra protection for customers, I don’t see it happening.

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.