Security Breach at Target Part 2: The Alternative to Centralized Consumer Data System
By: Lan Lin, eSecurity Assistant Editor, Internet Journal
02/19/2014

In Part 1 of Security Breach at Target we discussed several underlying factors that made Target a prime victim of cyber-attacks. In this article I focus on the solution side and discuss an alternative to today's prevalent model, the centralized consumer data system.

Most businesses today deploy a centralized data system to manage consumers' private data. The information required to complete a transaction, such as customer name, address, phone number, payment card record, account username and login password, is stored and managed on the merchant's servers. That makes large corporations such as big-box retailers juicy targets for cyber criminals who run the lucrative business of identity theft, and it places a heavy burden on the businesses that shoulder the responsibility of securing consumer data.

Since the Target breach mostly affected data associated with in-store transactions, it was the POS machines, not the central servers, that were compromised. On closer inspection, though, breaches of physical stores and of online stores share something in common: the attackers stole consumer data from a merchant that held those data collectively somewhere in its network. In Target's case it was the cash registers that temporarily held payment card data; for an e-commerce store it is the central server or the cloud that stores login and account information. Having consumers' sensitive information flow through the vendor's systems and communication channels at all is the underlying problem, for the simple reason that there is no perfect way to secure data once it is held there.

Today, many organizations are advocating and exploring the idea that "private data never leave the local mobile device". The Fast Identity Online (FIDO) Alliance is among these advocates. A young but rapidly growing industry consortium, FIDO advocates a simpler yet stronger authentication process for online transactions. Its members include industry leaders such as Mastercard, Discover Card, Google, Microsoft, Lenovo and many more.

The authentication process that FIDO promotes uses the user's own mobile device as the authenticator and relies on standard public key cryptography for stronger authentication. Simply put, the user first authenticates to the smartphone (for example with a fingerprint or a PIN), and the smartphone then authenticates to the service provider (the website, or relying party) by signing a fresh challenge with a private key that is generated on the device and never leaves it; the service provider stores only the matching public key. The scheme leaves ample room for the adoption of a wide variety of authentication technologies, including biometrics such as fingerprint, iris, voice and facial recognition, as well as "existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, and Near Field Communication (NFC)".

During the transaction, the user's authentication secret stays on the user's personal mobile device the whole time. The FIDO model therefore shifts responsibility for securing that secret to the consumer, and it greatly reduces the risk of mass credential theft: the vendor no longer hosts anything that criminals deem valuable, since a stolen database of public keys cannot be used to log in as anyone. Attacking individual devices one at a time, by contrast, is impractical and unproductive from the attackers' perspective. One limit should be kept in mind: FIDO removes shared secrets such as passwords from the server side, but data the merchant still needs to complete an order, such as a shipping address, or the card data a POS terminal processes, must be protected by other means.
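The registration and challenge-response exchange described in the two paragraphs above, as an added example that is not FIDO Alliance code or any specification text: a relying party that stores only public keys, an authenticator that keeps its private key and signs a one-time challenge bound to the origin it sees, and the two failure cases a practitioner cares about (a replayed response and a response produced for a look-alike phishing origin). The origin `https://shop.example`, the username and the `userPresent` flag standing in for the local fingerprint or PIN check are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// signedData binds a response to the origin the device believes it is
// talking to, so a signature made for a look-alike phishing site
// will not verify at the genuine relying party.
func signedData(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(origin))
	return h.Sum(nil)
}

// RelyingParty is the merchant's server. It holds only public keys and
// outstanding challenges: nothing here lets a thief log in as the user.
type RelyingParty struct {
	Origin     string
	publicKeys map[string]*ecdsa.PublicKey // per username
	challenges map[string][]byte           // one outstanding nonce per username
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin,
		publicKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register records the device's public key. No password is ever created.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.publicKeys[user] = pub
}

// NewChallenge issues a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify checks the device's signature over (challenge || origin). The
// challenge is consumed on first use, so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) error {
	pub, ok := rp.publicKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	c, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.challenges, user) // single use, pass or fail
	if !ecdsa.VerifyASN1(pub, signedData(c, rp.Origin), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Authenticator is the user's phone. The private key is generated on the
// device and never leaves it; userPresent stands in for the local
// fingerprint or PIN check that unlocks the key (an assumption here).
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a challenge for the origin the device actually observes.
func (a *Authenticator) Sign(userPresent bool, challenge []byte, origin string) ([]byte, error) {
	if !userPresent {
		return nil, errors.New("user did not unlock the authenticator")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(challenge, origin))
}

func main() {
	rp := NewRelyingParty("https://shop.example") // assumed origin
	phone, _ := NewAuthenticator()
	rp.Register("alice", phone.PublicKey())
	c, _ := rp.NewChallenge("alice")
	sig, _ := phone.Sign(true, c, "https://shop.example")
	fmt.Println("genuine login:", rp.Verify("alice", sig))     // <nil>
	fmt.Println("replayed response:", rp.Verify("alice", sig)) // error
	c, _ = rp.NewChallenge("alice")
	sig, _ = phone.Sign(true, c, "https://sh0p.example") // phishing origin
	fmt.Println("phished response:", rp.Verify("alice", sig)) // error
}
```

The merchant-side state is the point of the model: an attacker who dumps `publicKeys` gains nothing usable, whereas a dump of a password database, even a hashed one, is directly monetizable. Including the origin in the signed data is what lets the device "authenticate the service provider" as well: a signature coaxed out of the phone by a look-alike site is useless at the real one.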

For Target there is no easy fix. Upgrading the payment system to chip-and-PIN, in which the PIN can be verified on the smart card itself rather than by the merchant's systems, as discussed in my previous article, will take time. Using a mobile wallet under a FIDO-style authentication protocol likewise faces many hurdles on the path to public acceptance.

To sum up, the FIDO specifications alleviate the headaches caused by the centralized consumer data management systems that most businesses deploy today. If it gains traction, the FIDO authentication model offers a more secure and more efficient way to handle online transactions.

About The Author
Lan Lin is the Assistant Editor of the Internet Journal, http://www.intnetjournal.com. Internet Journal provides insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to editor@intnetjournal.com.