President Obama issued Executive Order “Chip and Pin” to make us all more secure. I became aware of this order when reading an email about government travel credit cards which will use the new technology. Uggh.. what a show-piece. Rampant unfamiliarity with cyber security makes this order just about useless. Let me explain…
The chip and pin technology protects point-of-sale data transfers. Threatpost.com's reporting makes a gaffe associating this with the Home Depot and Target data breaches, but chip-and-pin has nothing to do with large database breaches of accumulated data. Point-Of-Sale risks are not the same as Data-At-Rest risks. Think about it. While you sit at home and do nothing with the card in your wallet, the same hackers can use the same techniques to do the same data breaches without you or your secure card.
Cooley LLP claims the new order “focuses squarely on the massive data breaches that continue to plague numerous companies.” Ughh.. POS transaction security does not protect data-at-rest databases.
Fundamentally, the largest point of ignorance is that providing a more secure data transaction method does NOTHING when implemented in parallel with existing older methods. For example, it is NOT more secure to “outfit retail point-of-sale terminals at federal facilities – like national parks and post offices – with the capacity to accept chip and PIN-enabled cards.” (Threatpost.com)
Increased security occurs only if old methods are removed and eliminated. This reminds me of the usual web page security questions for regaining access when you forget your password. This method is touted as making the web page more secure. How can it be more secure by providing an alternate path to your account? It doesn’t. For example, when you add private-key cryptography to an SSH connection, it becomes more secure if you remove password-only access to the account.
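To make the SSH point concrete, here is an added example (not the post's own code) that checks whether an sshd_config actually closes the password path or merely adds a key next to it, the same "combo card" problem the post describes. It relies on two real sshd behaviours: the first value seen for a keyword wins, and absent keywords fall back to defaults, several of which are yes; the sample configs are constructed.

```python
# Added example (not the post's own code): flag an sshd_config that added
# key auth but left the password path open. sshd uses the FIRST value seen
# for each keyword; absent keywords use defaults, several of which are 'yes'.

# Password-style login paths and sshd's default when the keyword is absent.
# KbdInteractiveAuthentication is the newer name for
# ChallengeResponseAuthentication; either left on keeps PAM prompts alive.
PASSWORD_PATHS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
}


def effective_settings(config_text):
    """{keyword: value} for the global section, first match wins. Settings
    inside a Match block are conditional and are not evaluated here."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings


def open_password_paths(config_text):
    """Password-style paths still open once defaults are applied."""
    settings = effective_settings(config_text)
    return [k for k, d in PASSWORD_PATHS.items() if settings.get(k, d) == "yes"]


def key_only(config_text):
    """True only if public-key auth is on AND every password path is closed."""
    pubkey = effective_settings(config_text).get("pubkeyauthentication", "yes")
    return pubkey == "yes" and not open_password_paths(config_text)


# Constructed: the 'combo card' - a key was added, nothing was removed.
WEAK = "PubkeyAuthentication yes\nAuthorizedKeysFile .ssh/authorized_keys\n"

# Constructed: the weak door is actually taken out.
HARDENED = (
    "PubkeyAuthentication yes\nPasswordAuthentication no\n"
    "KbdInteractiveAuthentication no\nChallengeResponseAuthentication no\n"
    "PermitEmptyPasswords no\n"
)
```

Run `key_only` against the output of `sshd -T` rather than the raw file when you want the daemon's own view of the merged settings.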
One of the internal DOD communiques to employees claims, “Chip and PIN technology strengthens data security, better protecting cardholders’ personally identifiable information (PII) as well as the Government’s sensitive transaction and payment data.”
And then I began to laugh when I read, “Please note, there will be no change to the account number for replacement cards, and the magnetic strip can still be used for merchants without Chip and PIN technology.” Combo cards are like fixing the security of a screen door on your house by building another large steel door secured with deadbolts. The weak little screen door is still there!
I will hold my appreciation for government guided protection until the follow-on order removes magnetic swipe data from all government cards.