Following Brian Krebs’ blog post reporting that the Home Depot breach is being further exploited by hackers via the new chip-enabled cards rolling out in the US, Luther Martin, chief security architect at Voltage Security, explains how this works and why encrypting all sensitive payment information remains essential even after the new cards are deployed in the US:
“The possibility of fraud resulting from hackers exploiting a flaw in the implementation of the EMV protocol demonstrates a few interesting points. First, it was a flaw in the implementation of cryptography that was apparently exploited by hackers, not the cryptography itself. (This article suggests that signatures weren’t correctly verified and one-time values weren’t checked to make sure that they were only used once.) Cryptography can provide essentially unbreakable security for sensitive information, but it’s very hard to implement correctly. Even a fairly simple flaw in an otherwise-secure implementation can provide hackers all that they need to exploit a system, so the implementation of cryptographic protection is best left to companies who specialize in it. Don’t try to implement your own cryptography. Instead, use technology from an established and proven vendor.
“Next, it demonstrates that EMV is not proof against all payment fraud. While it may reduce card-present fraud by a considerable amount, EMV is not a ‘silver bullet’ that will eliminate all payment fraud. In particular, it doesn’t really address card-not-present fraud. And because card-not-present transactions are a significant and increasing fraction of all payments, the types of vulnerabilities like the one apparently exploited by hackers will probably continue to exist well into the future. This means that it will still be vital to protect all stored payment information, even after EMV is deployed in the US. The failure to do this can expose large databases of sensitive payments information to hackers who can then exploit the information through card-not-present transactions. So encrypting all sensitive payment information will still be essential, even after EMV is fully deployed.”
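The two implementation flaws Martin describes in the first paragraph (signatures not verified, one-time values not checked for reuse) are easy to model. The following is an added example, not code from Voltage Security or from any EMV implementation: a toy issuer-side authorization check in which an HMAC-SHA256 tag over (card id, counter, amount) stands in for the card's cryptogram and the counter stands in for the one-time value. Real EMV uses different algorithms and message formats; the point is to show, side by side, an issuer that accepts any well-formed message and one that verifies the tag and enforces that each counter value is accepted only once.

```python
"""Toy model of an issuer-side authorization check (constructed example).

An HMAC-SHA256 tag over (card_id, counter, amount) stands in for the card's
cryptogram; the counter stands in for the one-time value. This is a simplified
stand-in for EMV, not its actual algorithms or message formats.
"""
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cryptogram:
    card_id: str
    counter: int   # one-time value: must be accepted at most once per card
    amount: int    # transaction amount in cents
    mac: bytes     # "signature" over the other three fields


def _message(card_id: str, counter: int, amount: int) -> bytes:
    # Fixed, unambiguous field encoding so the tag covers exactly these values.
    return f"{card_id}|{counter}|{amount}".encode()


def make_cryptogram(key: bytes, card_id: str, counter: int, amount: int) -> Cryptogram:
    """What a genuine card does: tag the transaction under its per-card key."""
    mac = hmac.new(key, _message(card_id, counter, amount), hashlib.sha256).digest()
    return Cryptogram(card_id, counter, amount, mac)


class LaxIssuer:
    """The flawed implementation: never checks the tag or the counter."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys

    def authorize(self, c: Cryptogram) -> bool:
        # Only asks "is this a card I issued?"; any tag and any counter pass.
        return c.card_id in self.keys


class StrictIssuer:
    """Hardened implementation: verify the tag, then enforce counter freshness."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys
        self.last_counter: dict[str, int] = {}   # highest counter accepted per card

    def authorize(self, c: Cryptogram) -> bool:
        key = self.keys.get(c.card_id)
        if key is None:
            return False
        expected = hmac.new(key, _message(c.card_id, c.counter, c.amount),
                            hashlib.sha256).digest()
        # Constant-time comparison so the check itself does not leak the tag.
        if not hmac.compare_digest(expected, c.mac):
            return False
        # One-time value check: counter must exceed the last one accepted.
        if c.counter <= self.last_counter.get(c.card_id, 0):
            return False
        self.last_counter[c.card_id] = c.counter
        return True


def demo() -> dict[str, tuple[bool, bool]]:
    """Run four messages through both issuers; returns (lax, strict) verdicts."""
    # Constructed per-card key; a real issuer derives these from a master key.
    keys = {"card-A": hashlib.sha256(b"constructed demo key for card-A").digest()}
    lax, strict = LaxIssuer(keys), StrictIssuer(keys)

    genuine = make_cryptogram(keys["card-A"], "card-A", 1, 2599)
    replay = genuine                                        # same message sent twice
    forged = Cryptogram("card-A", 2, 2599, b"\x00" * 32)   # tag never computed
    tampered = Cryptogram("card-A", 3, 1, genuine.mac)      # amount changed, old tag

    results = {}
    results["genuine"] = (lax.authorize(genuine), strict.authorize(genuine))
    results["replay"] = (lax.authorize(replay), strict.authorize(replay))
    results["forged_mac"] = (lax.authorize(forged), strict.authorize(forged))
    results["tampered"] = (lax.authorize(tampered), strict.authorize(tampered))
    return results


if __name__ == "__main__":
    for name, (lax_ok, strict_ok) in demo().items():
        print(f"{name:10s} lax={lax_ok} strict={strict_ok}")
```

Both issuers use the same key and the same HMAC; the only difference is whether the verifier actually performs the two checks. That is the distinction Martin draws between a flaw in the cryptography and a flaw in its implementation: the primitive is fine in both cases, and the lax issuer is defeated by a replay, a zeroed tag, and a modified amount all the same.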