AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Security: Why Credit Card Data Needs To Be Encrypted On Your Computers

You might wonder why credit card information should not be stored on computers (unless they're protected with encryption, such as AlertBoot). PCI Security Standards, for example, state that primary account numbers (PAN) shouldn't be stored unless they're secured with strong encryption. Well, now you can find out why and read all about it, and in real-speak, no less (i.e., no difficult techno-speak).

Wired.com is carrying an excerpt of the book "Kingpin -- How One Hacker Took Over the Billion Dollar Cyber Crime Underground."  It's the story of one Max Vision (that's his real name, legally changed from Max Butler), a one-time white hat hacker turned bad.  Long story short: he's serving time for stealing two million credit card numbers from computers all over the US.

If the rest of the book is anything like the excerpt, it will prove itself to be an interesting read.  The excerpt alone, however, shows us why saving credit card information in plaintext form is a bad idea.

Stealing Card Info from POS Systems

What did Max Vision do specifically, though?  He was able to log into PCs that were acting as point-of-sale (POS) systems by leveraging a vulnerability in Windows PCs:

His scanning put him inside a Windows machine that, on closer inspection, was in the back office of a Pizza Schmizza restaurant...  it collected the day's credit card transactions and sent them in a single batch every night to the credit card processor. Max found that day's batch stored as a plain text file, with the full magstripe of every customer card recorded inside.

Even better, the system was still storing all the previous batch files, dating back to when the pizza parlor had installed the system about three years earlier. It was some 50,000 transactions, just sitting there, waiting for him. [wired.com, my emphasis]

He also exploited other vulnerabilities that gave him access to even more machines.  If you'd like to see how one hacker can create mayhem, this excerpt alone will open your eyes.

Encrypting PCI Information

Once you're done reading, you might wonder: how would encryption software have protected all these different businesses that were hit?

Basically, encryption is a method that allows one to scramble and unscramble information. Even the best hackers in the world call it a day and move on if they find files that are encrypted: without the key, it's virtually impossible to gain access to them.

Granted, there are some methods that hackers could leverage to obtain the passwords to encrypted information. For example, if a hacker is able to access a computer, chances are he's also able to install software such as a keystroke recorder, which creates a log of all keyboard sequences that were pressed. It would be easy to capture a username and password for any encrypted files.

On the other hand, consider the 50,000 credit card numbers that Max Vision stole from Pizza Schmizza and promptly deleted. Among the many reasons he deleted them, I imagine one factor would have been that nobody would miss the files, because he saw that no one was accessing them. Had those old batch files been encrypted, they would have stayed protected for the same reason: they were rarely accessed, if ever, so there would have been no password entry for a keystroke recorder to capture.
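A defender's check for the condition the excerpt describes (batch files holding full magstripe data in plaintext), as an added example that is not from the original post or from AlertBoot: it scans text for Track 2 records and bare card numbers, confirms them with the Luhn checksum, and reports them masked. The function names and the sample batch lines are constructed for illustration; the sample uses well-known test card numbers.

```python
import re

# Track 2 magstripe layout (ISO/IEC 7813): ;PAN=YYMM, service code, discretionary data, ?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Bare PAN candidates: 13-19 digits, optionally grouped with spaces or hyphens.
PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs (order numbers, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only first six / last four digits so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text: str):
    """Return (line_no, kind, masked_pan) findings for plaintext card data."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        seen = set()  # PANs already reported as Track 2 on this line
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group(1)):
                seen.add(m.group(1))
                findings.append((no, "track2", mask(m.group(1))))
        for m in PAN.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if pan not in seen and luhn_ok(pan):
                findings.append((no, "pan", mask(pan)))
    return findings

# Constructed sample batch file using well-known test card numbers, not real data.
SAMPLE = """2011-02-14 19:02 SALE 18.50 ;4111111111111111=25121010000000000000?
2011-02-14 19:10 SALE 9.75 card 5555 5555 5555 4444 approved
2011-02-14 19:15 order ref 1234567890123456
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Any "track2" finding means full magstripe data is being kept after the transaction, which is the situation the excerpt describes; the third sample line shows a 16-digit order reference being rejected by the Luhn check.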


Related Articles and Sites:
http://www.wired.com/threatlevel/2011/02/kingpin-excerpt/

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.