What is an Encrypting Read Head and What Does it Prevent?

To the uninitiated, card security can be a daunting subject, but a basic understanding of a few simple principles goes a long way toward protecting yourself. Here we’ll clear up a few things about encryption, and take a step-by-step look at some of the weak points in point-of-sale systems that thieves commonly try to exploit.

[Figure: Vulnerabilities of an unencrypted point of sale system]

Standard card encryption cannot be “broken” – only circumvented.

The most widespread encryption method for credit cards today is Triple DES (named for the Data Encryption Standard cipher used by its predecessor). Triple DES provides 112 effective bits of encryption, which equals 2^112, or 5,192,296,858,534,827,628,530,496,329,220,096, possible decryption keys. Even using technology several times more advanced than today’s, it would take many, many human lifetimes to crack with a brute-force approach. For an idea of how long, read this short article.

An even more advanced standard called AES uses keys of up to 256 bits and is stronger still; this is what is used for government, military, and other top-secret purposes.

You sometimes hear talk of the DES standard being obsolete – but that refers to the original 56-bit DES standard (or “single DES”) developed in the 1970s, which is no longer used for cards. Triple DES is quadrillions of times stronger.

The best target for thieves is ALWAYS data that is “in the clear,” or unencrypted.

Since encrypted card numbers are useless, thieves have two options: steal the data while it’s unencrypted, or steal the decryption key as well. The latter is an order of magnitude more difficult because, if proper procedures are followed, it requires breaking into a separate computer system – usually the card processor’s – where the decryption is done. However, hundreds of thousands of merchants, if not millions, leave data in the clear for at least a portion of the transaction, providing a much easier (and more lucrative) target.

How Thieves Attack a POS system

1. At the card reader slot. The criminal physically installs a card skimmer to grab magnetic data as the card is swiped. This mostly occurs at card readers that are unattended at certain times, such as ATMs and gas pumps, because of the time and effort required to install the device. Oftentimes, the thieves must return to remove the device, although more recently, Bluetooth-enabled skimmers have become available to cut out this need.

Encrypting read heads are generally invulnerable to these attacks, because a skimmer could not be installed without ruining the machine, unless the thieves could disassemble it in workshop conditions and replace microchips on the circuit board itself.

2. In the memory of the POS device itself. In an ordinary card reader, data remains in the clear for a split-second as it travels from the read head to the RAM within the card reader, where it is then encrypted before being sent on down the line. However – even though this only takes a few milliseconds – if the terminal is infected with malware, it can “get in front” of the encryption software and grab the card numbers.

This type of attack uses malware called a “RAM scraper.” One RAM scraper that you might have heard of is BlackPOS, which gained infamy for its use in the 2013 Target data breach.

It is important to note that a merchant can be in full compliance with PCI standards while still being vulnerable to this type of attack. Currently, the only way to prevent theft on a machine infected with a RAM scraper is for the card data to be encrypted even before entering the system; that is to say, at the magnetic read head itself.

[Figure: Triple DES encryption provides 2^112 possible combinations]

3. Between the POS terminal and the register or PC. While less common, a few thieves have tried to steal card numbers over the connection from the card reader to the register. Skimmers like this one used in a thwarted attack against cash registers at Nordstrom are designed to intercept and record anything coming down the cable until they are removed. Devices like this are readily available because they do have legitimate uses in the surveillance and intelligence fields; however, in the wrong hands, they can be a danger to unsuspecting merchants and consumers.

4. In the cash register itself. Especially if you’re using a PC as a virtual cash register, it can be attacked with malware or viruses just like any other computer. If data is unencrypted at this point, you may not technically be in PCI compliance. Storing or decrypting card data for use in other programs may also open up unexpected vulnerabilities.

5. In the cloud. Once you send data out over the network, it’s out of your control. Usually, the only place it’s going is over a secure connection to a trusted processor, so it shouldn’t be an issue. But the fact is you can never be 100% sure what happens after the data leaves your network. To protect against the unknown, the best defense is always to make sure the data is encrypted when it’s sent out.
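The difference between attack points 2 and 3 above can be made concrete with a small simulation. This is an added example, not code from the original article or from any reader vendor: it models a conventional reader (plaintext in RAM, then encrypted) beside an encrypting read head (ciphertext is all the terminal ever holds), and runs over each stage’s buffer the same cleartext-card-data check a PCI scan or DLP tool applies, namely track 2 format plus a Luhn check. The track 2 string is a constructed sample built on a well-known test PAN, and the cipher is a labelled HMAC-based stand-in, since the Python standard library has no Triple DES or AES.

```python
import hmac
import hashlib
import re

# Constructed sample track 2 data (test PAN 4111..., expiry 25/12); not a real card.
TRACK2 = b";4111111111111111=25121010000012345?"

# Track 2 shape: start sentinel, 13-19 digit PAN, separator, YYMM expiry.
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{4}")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check used to weed out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(buf: bytes) -> list:
    """The check a PCI scan or DLP tool runs over a memory or cable capture."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(buf)
            if luhn_ok(m.group(1).decode())]


def encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the reader's Triple DES/AES (assumption for this demo only):
    XOR with an HMAC-SHA256 counter keystream. A real head uses an approved cipher."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def conventional_reader(track: bytes, key: bytes) -> dict:
    """Ordinary reader: the head writes plaintext into RAM; firmware encrypts later."""
    ram = bytes(track)                 # attack point 2: cleartext sits here briefly
    wire = encrypt(key, ram)           # attack points 3-5 see only ciphertext
    return {"ram": ram, "wire": wire}


def encrypting_read_head(track: bytes, key: bytes) -> dict:
    """Encrypting head: ciphertext is the only form the terminal's RAM ever holds."""
    ram = encrypt(key, track)
    return {"ram": ram, "wire": ram}


def exposure(stages: dict) -> dict:
    """Map each stage name to the cleartext PANs found in its buffer."""
    return {name: find_cleartext_pans(buf) for name, buf in stages.items()}
```

Running `exposure` on both readers shows the conventional path exposing the PAN in RAM while the encrypting read head exposes nothing at any stage.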

As you’ve hopefully noticed, one possible countermeasure in all of these cases is to have your data encrypted before an attack can occur. No network will ever be 100% secure from intrusions, but if you do find yourself the target of hackers, it’s better they steal something that’s useless.

It is much easier to defend data than to defend a network, not to mention much less expensive. We hope you’ve found this a useful guide to the basics of how encryption works and how it can help you protect yourself.