Security is a moving target

by. Henry Meier

At the end of WW1 the French built the impenetrable Maginot Line, a series of defenses perfect for the trench warfare that dominated the war. Unfortunately for the French and everyone else, it wasn’t all that useful against tanks and mobile armies, so by the time WWII started the French might as well have been taking a knife to a gun fight.

There was a lot of talk in Congress last week about chip based credit card technology and whether the merchants should be forced to adopt this EMV technology. I’m all for it: even if the technology is twenty years old, it’s still better than continuing to rely on magnetic strip technology developed in the 1960’s.

Proponents of the technology point out that Point of Sale fraud dropped dramatically in Britain when it was adopted.
But yesterday, a corporation owned by the nation’s largest banks reminded us that chip based technology is no panacea. The problem, as explained in this Tech World article, is that “[w]hile EMV is great for securing card transactions at point-of-sale terminals, it is less useful for online payments and other card-not-present transactions. That is one of the major reasons why payment card fraud has migrated from point-of-sale systems to online channels in Europe and other places that have already adopted EMV.” Case in point: on-line break-ins spiked in the U.K.

To fill the gap the Clearing House Payment Company, which is owned by 22 large banks, is advocating for the increased use of token technology, which means that instead of using the same number when making online payments credit card information would be translated into unique computer generated sequences. (I know, I just made the IT people cringe, but you get the idea). The problem with policies mandating the adoption of specific technology-like EMV- or codifying specific security standards – like the privately developed PCI standards – is that they would most likely be outdated within days of any Congressional mandates. Let’s face it, the hackers know a heck of a lot more about technology, and move a heck of a lot faster than Congress ever will. There is no Silver Bullet that is going to magically make hacking go away.

continue reading »