![Gas Stations Have 10 Months to Encrypt Credit Card Transactions. Why Did They Wait This Long? [Encryption Digest 24] - cover graphic](/_next/image/?url=https%3A%2F%2Fcdn.venafi.com%2F994513b8-133f-0003-9fb3-9cbe4b61ffeb%2F78a95c2d-7f1b-408e-9590-dae2ab0ce106%2Faid_field_img__33f19dcc08d0ecc58a9be7b3db6bfe3d.png%3Fw%3D864%26h%3D370%26fm%3Dwebp%26q%3D75%26fit%3Dcrop&w=3840&q=75&dpl=dpl_3EAuLccmwaq4KZ9GcZftJq5NbwLA){kind=small}
The famous German Enigma was strong enough to be theoretically unbreakable. Due to human error, a fatal flaw and some very, very smart people, it was finally cracked. Fast forward to 2020, and our encryption is similarly theoretically unbreakable. It would take current computing power lifetimes, decades or at least a few good years to solve the codes surrounding our vital assets. It’s fantastic. But like the Enigma, the process – not product - is riddled with human error. Are we undermining the best cryptographic minds of our generation by sloppy practice? In an era where cyberwar is the new front for social and political conflict, weak links could have detrimental consequences. Will we learn from our mistakes and tighten up encryption policy enforcement, or will poor practice leave our most valuable assets exposed
Gas stations have 10 months to prepare for encryption—what took so long?
Major security loophole alert. Unencrypted credit-card transactions. What’s the only place (for most of us) that you don’t have to enter a chip and use a pin? Hint: you’ve probably gone there this week. Maybe even today.
The gas station. As of 2018, 50% of general-purpose credit card transactions were still employed via the magnetic – ahem, the unencrypted magnetic strip. Gas stations are a top offender.
Up until now, banks have borne the brunt of the responsibility for lost funds. Several years ago I was the victim of a gas station card skimming attack myself. My bank payed the debt. As of October 2020, gas stations themselves will bear the impact of the blame. It’s about time.
Besides the obvious reasons, it’s industry standard.
The Payment Card Industry Data Security Standard (PCI DSS) states that all magnetic strip credit card information should be encrypted in transit and not be stored. Otherwise acquired credit card numbers need to be encrypted if stored. This double-unsafe method of the magnetic strip info not being encrypted, then sent to a back-end computer (where it should not be stored at all), then stored (unencrypted) is unsafe at best, egregious at worst.
What’s the solution for gas stations over the next ten months? There are two possibilities. One, install chip-and-pin systems at the pumps. It’s a bit of an overhaul, but probably overdue. The second is to just update the software backend so that it encrypts the cache of magnetic strip data, prior to being sent to the banks.
The latter seems a bit more feasible and requires less downtime.
When we think about all that’s riding on that one point of access into our financial lives – home mortgages, college tuitions, car payments, groceries – it seems an unnecessary game of Russian roulette to keep swiping unencrypted cards at unencrypted pumps, where our sensitive card numbers will be stored in unencrypted gas station back room data bases.
It’s good to know that October is coming soon(ish).
Until then, I’m taking a pledge to only pay inside.
Related posts
- How is Diffie-Hellman Key Exchange Different than RSA?
- Budget for Encryption Increasing Over Time, Reveals Survey
- Is the War on Encryption a Fight Between Privacy and Safety?
Worth more dead than alive: Enigma machine sells for 100K
It should have been unbreakable. The Titanic was supposed to be unsinkable. Maybe it’s time to avoid absolutes in our advertising slogans.
For now, what’s left of an original Third Reich Enigma was just put to sale by a World War 2 artifact collector out of Los Angeles and went to an anonymous buyer. The sticker price? $106,250. Given that it’s a key piece of encryption lore, some might say that’s a modest sum.
Apparently, you couldn’t get someone to keep one 70 years ago. The Nazis wanted to get rid of them to keep them out of the hands of the Allies, and the Allies had worries of their own, so they did their best to destroy the rest. Between Churchill and the Nazis, this kingpin of German communication strategy has dwindled down to about 250 units still in existence.
Some interesting facts about the “unbreakable” machine?
The theory: After World War 1, inventors realized that a randomized, unrepeated pattern would make for a theoretically unbreakable code. The three-rotor design of Enigma facilitated long stretches of ciphertext before the pattern would double back.
The weakness: No letter could be enciphered to itself. So, it “could scramble the letters into any of 17,576 combinations except the use of the original letter.” This ruled out some possibilities and plugged some holes.
Thanks for the help: The incessant use of “Heil Hitler” at the end of encrypted messages provided a necessary pattern anchor which helped the Allies eventually crack the Enigma.
Related posts