Tuesday, April 15, 2008

A "New" Data Security Threat, and Why That's a Good Thing

this article from Computer World describes a "new" type of attack hackers have been using to get at credit card data: interception of unencrypted data while in transit. Now, as the article points out, the tools being used by hackers to intercept data in transit aren't novel technology, so the description of a "new" threat is, in one sense, not accurate. However, obtaining unencrypted information in transit marks a significant shift from the traditional hacker tactic of stealing information stolen from databases (see, e.g., TJX and CardSystems, the two biggest data security incidents on record). Of course, to a consumer, it doesn't matter much how their credit card numbers were stolen. However, to me, the fact that hackers are switching tactics is not only a big deal, it's also good news for at least three reasons.
First, it's harder for a hacker to steal huge amounts of data by intercepting it in transit than it is for a hacker to steal huge amounts of data by stealing it from a database. For example, it takes at least a month for a hacker to steal a month's worth of credit card numbers if they're being captured while in transit during a transaction. By contrast, a month's worth of credit card numbers can be stolen from a database in seconds. Thus, if hackers focusing on data in transit rather than data at rest should decrease the overall amount of data stolen.
Second, as described in the article, one reason that hackers are switching to catching information in transit rather than focusing on databases is that companies have hardened their databases in order to comply with the PCI DSS. This shows that compliance with the DSS, while admittedly not universal, has been widespread enough to change criminal behavior, something that is clearly a positive development for data security.
Third, the fact that hackers have switched from high value targets (databases) to relatively lower value targets (data transmissions) based on the behavior of their targets shows that, when properly motivated, regulation can address and alleviate serious problems (in this case, the problem of easily compromised databases). Of course, at this point, the switch from targeting databases to targeting transmissions means that some tinkering with the PCI DSS is probably in order. However, there is no reason why the same framework which resulted in the increases in database security that led to the shift can't also be used to address threats to transmissions. Thus, while the new tactics being used to steal credit cards represent new challenges, they also show that some progress has been made in the ongoing battle to increase the security of individual consumer data.

PostScript: On a quasi-related note for everyone who says that private initiatives are always superior to government action, the HIPAA security regulations actually address protecting information in transit and at rest, so they already address the "new" threat described in the article.

1 comment:

I Love IRS said...

Like Ben Franklin said, "they who would give up an essential liberty for temporary security,
deserve neither liberty nor security. Here's an interesting book,