Thursday, June 3, 2010

Digital Fortress

Is there anything like a Digital Fortress? Can someone come up with a fortress that can hold data and be protected with five levels of security that would require 200 quantum computers and an unlimited time to break?

Given that something like this existed and held customer data, what would the people who want that data do? Nothing? No, they would simply snap a picture of it with the built-in camera of a mobile phone the moment it appears on a screen somewhere. QED.

That's how most of these events work. The weakest link is the give-away. Hackers find the weakest spot and turn it into a charmer. More often than not, it's a very long time before someone discovers how the data was stolen; an unimaginable number of theories are floated around, and then millions of dollars are spent investigating how the breach happened. This is the truth. They will not come and look in your shredder to get your card data. They will steal the card data they want from large databases. In millions. As Schneier on Security puts it: "I'm sure every one of us has a credit card in our wallet whose number has been stolen. It'll probably never be used for fraudulent purposes, but it's in some stolen database somewhere."

Are the current security systems that govern our payment systems adequate in providing protection for the customer? One would not think so, as some of the recent breaches have taken place at PCI-certified payment companies or retailers. Examples would be Heartland and Forever 21: both of them were PCI compliant, and both were breached around the same time. Hackers found very innovative ways of either getting into the fortress, or simply waiting for someone to unlock the data from inside it so that they could view it. It's not PCI that makes an organization or system risk averse.

There is certainly a lack of understanding of PCI, its derivations and its implementations. I recently met two EMV experts fighting over whether a key was supposed to be stored in the crypto chip permanently or temporarily, as PCI warrants. They were both right; it's only that they read the PCI specifications a little differently. And implemented either way, they both would have cleared the PCI certification.

It's true that the only real network security is an "inch of air" between two computers. It's also true that this is not reality. How does one really secure all the gaping holes that are exposed from time to time? It's a very difficult thing to achieve, and thirteen or twenty-one points written on a piece of paper certainly cannot do it. Achieving end-to-end security is a very difficult task, but that's the only solution to this problem.

In our next few blogs we will explore the concepts of end-to-end security and real time fraud management in electronic payments. Keep reading!!
