[BreachExchange] Avoid bad security practices that caused Postbank's breach

Destry Winant destry at riskbasedsecurity.com
Thu Aug 6 10:36:27 EDT 2020


https://www.itweb.co.za/content/mYZRXv9aoXmvOgA8

The news a couple of months ago that Postbank has to replace 12 million
bank cards due to a major data breach is an excellent case study in the
risks of poor security processes and the reality that the human
element remains a weak link in the security chain.

The breach resulted from Postbank's encrypted master key being printed
in a plain, unencrypted format at its old data centre in Pretoria, and
then being stolen by staff members.

“The breach might appear to be a stroke of hacking genius, but, in
truth, it’s just a case of inadequate security practices and seemingly
rogue and corrupt individuals who stole the 36-digit (encryption)
master key,” says Karl Nimmo, CEO and founder of InTouch.

Manual key management is fraught with difficulties, says IT security
expert Ian Farquhar, a director of the Worldwide Security Architecture
Team at Gigamon in Australia. In Postbank's case, fixing the breach is
going to cost far more than the fraud itself, he adds.

“People routinely underestimate the cost of getting key management
wrong. There’s another risk involved here, too. Not only financial
loss, but poor key management can actually lead to outages that can
cost as much if not more than fraud. Hopefully, this will be a wake-up
call for other regional banks, so that they can improve their
technology and processes around keys.”

According to Farquhar, it’s a credit to the payment card industry that
they have, in the vast majority of cases, properly implemented
controls around the cryptographic keys used to protect electronic
financial transactions (EMV). However, it seems that in the Postbank
case, a key was exposed during a data centre migration, and rather
than being managed properly, it was seriously mishandled by those
involved. “This fraud was the result,” he says.

Farquhar stresses that most organisations don't rely on EMV keys
alone. EMV, which originally stood for Europay, Mastercard, and Visa,
is a payment method based upon a technical standard for smart payment
cards and for payment terminals and ATMs that are able to accept them.

“I was recently speaking to a large international financial
organisation that was managing 170 000 different keys. While an
extreme example, even small financial institutions will be managing
1 000 or 2 000 keys, far more than can be reliably handled with manual
processes.”

Brute force

In the Postbank case, breaking the 36-character key using a brute
force hacking technique would be practically impossible, based on the
current state of modern supercomputers, adds Nimmo.

“The most sophisticated hackers in the world would consider this a
non-trivial task with a very low likelihood of success, which is why
this breach was not the work of sophisticated attackers, but, rather,
the result of bad security practices and dishonest individuals who had
access to the physical systems. This breach is a reminder that hacking
isn’t always done by someone sitting on the other side of the world,
but often employs clever social engineering where the attacker has
access to physical devices. The best way to protect against this is to
strictly adhere to best security practices and processes.”

According to Nimmo, there are several encryption methods that keep
data private to the intended parties, who should be the only ones able
to access it.

“End-to-end encryption is a robust asymmetric encryption technique for
encrypting data where the keys are stored by both the sender and the
recipient with public and private keys. This form of encryption puts
the key in the hands of the end-user. A breach would require the
attacker to breach either the sender’s or the receiver's device.”

One key to rule them all

The concept of a master key to protect all the other cryptographic
keys is another well-known implementation of encryption, adds Nimmo.

“Typically, these master keys are very strong and would be nearly
impossible to break using even the most powerful supercomputers in
existence. Using a master key has the advantage that only one piece of
plaintext material needs to be protected and stored.”

The flip side of the coin and the inherent disadvantage of this single
point of failure is that if this key is breached, then the entire
system is breached, as in the case of Postbank.

The good news, says Farquhar, is that there are solutions in this
space: hardware security modules (HSMs) for securely storing keys and
enterprise key management systems, as well as associated technologies
such as enterprise certificate lifecycle management systems.

“These all help to secure and automate key management, removing the
need for problematic manual processes. I’m seeing a lot of
organisations, inside as well as outside the financial services
industry, implement these. They need to be backed up with strong
operational processes supported by standards published by
organisations like the ISO and NIST,” Farquhar adds.

“The Postbank breach is a reminder that information security has many
idiosyncratic foibles that do not always rely on a technical solution.
It is a collective engagement of technical best practices as well as
real-world physical security. ‘Do not allow your master key to be
printed’ would be a sound security starting point,” Nimmo concludes.

Attempts by ITWeb to get further details from Postbank went unanswered.
