Security Breach at Target
Part 2: The Alternative to Centralized Consumer Data System
By: Lan Lin, eSecurity Assistant Editor, Internet Journal
In Part 1 of Target Security Breach, we have discussed several underlying factors that made Target top victim to cyber-attacks.
In this article, I would like to focus on the solution side and discuss the alternative of today's prevalent model of a centralized consumer data system.
Most businesses today are deploying a
centralized data system to manage consumers' private data. Information required to complete a transaction, such as customer name, address, phone number, payment card record, account username, login password, is stored
and managed on the merchant's server side. That makes large corporates such as big-box retailers juicy targets for cyber criminals who run the lucrative business of identity theft. It also adds a lot of burden to the
businesses who shoulder the responsibility of securing consumer data.
As Target security breach mostly affected the data associated with in-store transactions, it was the POS machines not the central
servers that were compromised. But if we take a closer look, security breaches of in-store and online stores actually share something in common. That is, hackers stole consumer data from the merchants who have those
data stored collectively somewhere in their network. For Target case, it is the cash registers that temporarily store payment data. For ecommerce stores, it is the central server or the cloud that stores login and
account information. Having consumer's sensitive information flowing in some of the vendor's communication channels is problematic. The simple reason is that there is no perfect solution to secure these data.
Today, many organizations are advocating and exploring the idea of "Private data never leave local mobile device". Fast Identity Online Alliance (FIDO) is among these advocates. As a young but
rapidly-growing industry consortium, FIDO advocates a simpler yet stronger authentication process for online transactions. Its members include industry leaders such as Mastercard, Discover Card, Google, Microsoft,
Lenovo and many more.
The authentication process that FIDO promotes utilizes user's mobile device for authentication and uses standard public key cryptography techniques to ensure stronger authentication.
Simply put, the idea is to let the user authenticate the user's smartphone and then let the smartphone authenticate the service provider( i.e. websites). The scheme leaves ample room for the adoption of a wide variety
of authentication technologies, including biometrics such as fingerprint, iris, voice and facial recognition, as well as "existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB
Security Tokens, embedded Secure Elements (eSE), Smart Cards, and Near Field Communication (NFC)".
During the transaction process, user's personal data are kept all the time in the user's personal mobile
device. Therefore, FIDO model transfers the responsibility of securing consumer personal data to consumers themselves. It mitigates the risks of massive data theft to a great extent, as vendors no longer host
consumer data that criminals deem valuable. On the other hand, to crack individual mobile device seems impractical and unproductive from the hackers' perspective.
For Target, there is no easy fix. It may take time to
upgrade the payment system to chip-and-pin in which pin information never leaves smartcard as we discussed in my previous article. And for the use of mobile wallet under similar protocols in FIDO authentication process,
it also takes time to remove many hurdles on the path towards public acceptance.
To sum up, FIDO specifications alleviate the headaches brought by a centralized consumer data management system that most businesses
today are deploying. FIDO authentication model certainly works in a more efficient way for online transactions if it gets more traction.
About The Author
Lan Lin is the Assistant Editor of the Internet Journal http://www.intnetjournal.com. Internet Journal provides the insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any
comments about Internet Journal, please send email to firstname.lastname@example.org.