Introduction
Heartland Payment Systems, a processor of credit and debit card transactions, was breached in 2008. Intruders who gained a foothold through its web-facing systems placed sniffing software on the payment-processing network and captured card data as it crossed that network. Heartland reported that card numbers, expiration dates and, in some cases, cardholder names were exposed; no PINs, Social Security numbers, addresses or telephone numbers were involved. The company processed transactions for Visa, Diners Club, MasterCard, American Express, Discover and JCB cards on behalf of restaurants and retailers. With over 100 million cards affected, the incident was reported at the time as the largest data breach in the history of the payment industry.
E-commerce has large room to grow, but only if the security of customer data is taken seriously. A breach costs a company credibility and reputation, and it can cost customers money through fraudulent charges and withdrawals, so areas of risk must be identified, researched and addressed with fresh solutions. Solutions must also stay current, because attackers adopt recent technology just as readily to extract business information from the network. In an IBM privacy study of 3,000 customers in the USA, Germany and Great Britain, 63% of respondents said they would hesitate to provide personal data to a website that gave no assurance of security (Johnson, 2001). The breach therefore threatens Heartland's business directly, not only its systems.
An overview of the proposed solution
As business transactions over the internet grow in importance, corporations are not the only ones addressing the security risks involved; governments are also adopting policies intended to keep data exchanged over the internet safe. The risk of data breaches on extranets and intranets can be reduced, and in some cases avoided, by adopting the security measures stipulated in such policies and by using software designed for that purpose. For Heartland Payment Systems we therefore present a two-part solution, one that is both technological and policy-driven.
Impact on business process efficiency and efficacy
Larger RSA keys (1024 and 2048 bits) slow a system down and are harder to implement in hardware (Mohammadian, Lotfizad, Mahdi, & Mali, n.d.), but the system proposed here makes the security of operations the priority. Customers pay attention to how their private information is protected; a system seen as insecure loses their trust, and customers who do not trust the system will not transact through it. Weak protection of customer information also slows the business as a whole, because every detected or suspected fraudulent transaction triggers an investigation, and the company loses revenue if customers stop transacting with it. RSA operations become slower as the modulus grows, although a larger modulus gives more security. The private-key operations (decryption and signing) are the expensive ones: their cost grows roughly with the cube of the modulus length, whereas encryption and signature verification with a small public exponent stay comparatively cheap. Increasing the key size of the RSA system discussed here should therefore be expected to increase the time taken by all four operations, most of all by decryption and signing. RSA Laboratories recommended 1024-bit keys as the minimum for corporate use, with 2048 bits for keys of very high value (RSA, 2009).
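The cost claims above are easy to check directly. The following block is an added example, not code from the report or from any of the works it cites: a textbook RSA key generation (Miller-Rabin primes, no OAEP or PSS padding) used to confirm the scheme round-trips, and a timing function that measures one modular exponentiation at 1024, 2048 and 4096 bits. Because the cost of `pow(m, x, n)` depends only on the sizes of `x` and `n`, the timing uses a random odd modulus and a full-length exponent instead of generating 2048-bit primes in pure Python; the key sizes and the public exponent 65537 are the only assumptions.

```python
"""Added example, not from the original report: textbook RSA in pure Python,
used to show (a) that the scheme round-trips and (b) why the private-key
operations (decrypt/sign) slow down much faster than the public-key ones as
the modulus grows. No padding (OAEP/PSS) is applied; this measures cost only."""
import math
import secrets
import time

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test after trial division by a few small primes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                            # definitely composite
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so it has exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int, e: int = 65537) -> tuple:
    """Return (n, e, d) with n of exactly `bits` bits and e*d = 1 mod phi(n)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits - bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)


def _best_of(fn, reps: int = 3) -> float:
    """Minimum wall-clock time of `reps` calls, which filters scheduler noise."""
    best = float("inf")
    for _ in range(reps):
        t0 = time.perf_counter()
        fn()
        best = min(best, time.perf_counter() - t0)
    return best


def op_cost(bits: int, private: bool) -> float:
    """Seconds for one modular exponentiation with a `bits`-bit modulus.

    pow(m, x, n) costs the same whether or not n is a genuine RSA modulus,
    so a random odd n and a full-length exponent stand in for a real key
    (assumption of the example: this avoids generating 2048-bit primes)."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    x = (secrets.randbits(bits - 1) | (1 << (bits - 2))) if private else 65537
    m = secrets.randbelow(n - 2) + 2
    return _best_of(lambda: pow(m, x, n))


if __name__ == "__main__":
    n, e, d = generate_keypair(512)                 # small enough to be quick
    m = secrets.randbelow(n - 2) + 2
    assert pow(pow(m, e, n), d, n) == m
    print("512-bit round trip ok")
    for bits in (1024, 2048, 4096):
        pub, priv = op_cost(bits, False), op_cost(bits, True)
        print(f"{bits}-bit modulus: public {pub * 1e3:7.2f} ms, "
              f"private {priv * 1e3:8.2f} ms, ratio {priv / pub:5.0f}x")
```

Running the block prints one line per modulus size; the private operation should come out roughly eight times slower each time the modulus doubles, while the public operation with e = 65537 stays two orders of magnitude cheaper, which is why a busy payment gateway feels the key-size increase mostly on the signing and decryption side.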
Specifics as to the products, services, policies, and procedures
Observing data security compliance regimes such as the PCI DSS, which requires monitoring and detection of data breaches and suspicious transactions, helps a company avoid such crime. A big step towards curbing external fraud and unauthorized access to business or customer information is making sure that incidents are detectable and known when they happen; only then can the company use technology to prevent the crime from recurring. Suspected intrusions should be confirmed through a computer forensic investigation of the affected systems.
Through sniffing attacks, TCP/IP transmissions can be captured by a malicious user, and because they carry sensitive information such as passwords and customers' card details, that information ends up in the wrong hands. An attacker positioned between the Heartland Payment System and the client cannot be kept off the path, since the internet is an open network, so the strongest defence is to encrypt the communication between the user and the system and to authenticate the server to the client, so that an attacker on the path cannot simply terminate the encrypted channel himself.
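What "encrypting the communication" has to mean on the client side is shown in the following added example, which is not code from the report: a TLS client configuration in the form it is often mistakenly written (encryption on, certificate verification off, which lets an on-path attacker terminate the session and read everything) next to the hardened form, plus a policy check a deployment test can run. The host name is an assumption and no connection is made.

```python
"""Added example, not from the original report: client-side TLS settings.
Encryption alone does not defeat a sniffer sitting on the path; without
certificate and host-name verification the attacker presents his own
certificate and decrypts the traffic himself. Host name is an assumption."""
import ssl

GATEWAY_HOST = "gateway.example.test"   # assumed name, not a Heartland endpoint


def weak_context() -> ssl.SSLContext:
    """Common mistake: the channel is encrypted but the peer is never verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE       # accepts any certificate, including an attacker's
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verify the chain and host name, refuse legacy protocol versions."""
    ctx = ssl.create_default_context()    # system CAs, CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression leaks plaintext length (CRIME)
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Policy check: run it against whatever context the application built."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


# Usage sketch (no network access is made in this example):
#   with socket.create_connection((GATEWAY_HOST, 443)) as sock:
#       with hardened_context().wrap_socket(sock, server_hostname=GATEWAY_HOST) as tls:
#           tls.sendall(request_bytes)
```

The order of the two assignments in `weak_context` matters: Python refuses to set `CERT_NONE` while `check_hostname` is still on, which is a useful reminder that host-name checking and chain verification are separate controls and both must be left enabled.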
Another part of the solution to the Heartland problem is a strong access control policy at the operating system level that enforces file and database permissions. Attackers may target the storage medium holding customers' personal information by brute force (Herzog, 2001; Viega & McGraw, 2002; qtd. in Sawma & Probert, n.d.) and succeed in copying the system file or database that holds the credential information, the user names and passwords (Sawma & Probert, n.d.). Such a copy is dangerous even when the credentials are stored encrypted or hashed: the attacker applies the same algorithm that protected the genuine credentials to candidate passwords from a wordlist, and the attack succeeds whenever a candidate's output matches a stored value.
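The attack on a copied credential table is shown below as an added example (not code from the report or from Sawma & Probert), run against two storage designs: a legacy table of unsalted, fast hashes, and a table of per-user salted, iterated PBKDF2 hashes. The user table and wordlist are constructed for the example, and the functions return the number of hash computations so the work factor can be compared without timing.

```python
"""Added example, not from the original report: offline dictionary attack on a
copied credential store, against an unsalted table and a salted PBKDF2 table.
The user table and the wordlist are constructed for the example."""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "letmein", "heartland", "qwerty", "Summer2008"]  # constructed


# --- legacy store: one unsalted, fast hash per user --------------------------
def legacy_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(table: dict, wordlist) -> tuple:
    """Attacker's loop against an unsalted table. One hash per candidate word
    cracks every user sharing that password, because equal inputs give equal
    hashes. Returns (cracked users, number of hash computations)."""
    lookup = {legacy_hash(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in table.items() if h in lookup}
    return cracked, len(wordlist)


# --- hardened store: per-user random salt and a slow, iterated hash ----------
def make_record(password: str, iterations: int = 20_000) -> dict:
    """20k iterations keeps the demo fast; production should use far more."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])      # constant-time compare


def crack_salted(table: dict, wordlist) -> tuple:
    """Same attacker, same wordlist, salted store. The salt makes every
    (user, word) pair a separate computation and the iteration count makes
    each one expensive, so the work is users * words * iterations."""
    cracked, work = {}, 0
    for user, record in table.items():
        for word in wordlist:
            work += record["iterations"]
            if verify(record, word):
                cracked[user] = word
                break
    return cracked, work


def build_tables(passwords: dict) -> tuple:
    """Both stores built from the same plaintexts, as the attacker would find them."""
    legacy = {u: legacy_hash(p) for u, p in passwords.items()}
    hardened = {u: make_record(p) for u, p in passwords.items()}
    return legacy, hardened


if __name__ == "__main__":
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}  # constructed
    legacy, hardened = build_tables(users)
    print("unsalted:", crack_unsalted(legacy, WORDLIST))
    print("salted:  ", crack_salted(hardened, WORDLIST))
```

Both stores give up the two weak passwords with this tiny wordlist; the difference is that the unsalted table cost six hashes for all users at once and would cost the same for a million users, while the salted table already cost 200,000 PBKDF2 iterations for three, and the only real fix for "password" remains the attempt limit and password policy discussed in the next paragraph.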
The company should use a strong cryptosystem such as RSA with 1024-bit keys to reduce the likelihood of this attack; this is a standard, well-studied system that the company can adopt for the problem described above. One caveat: 1024-bit RSA was at the lower bound of acceptable key sizes in 2009 and has since been deprecated for new deployments, so 2048 bits is the safer choice today. The company must also protect customer accounts by limiting the number of authentication attempts. An attacker who has learned a customer's user name can run an automated tool that tries candidate passwords from a large wordlist, and because most people choose passwords that are easy to remember, such attacks succeed often. This is a dictionary attack, and it begins with the malicious user obtaining the user name. We recommend allowing up to seven failed attempts before the account is locked: this number lets genuine customers recover from input errors such as typing mistakes or typing with CAPS LOCK on, while denying the malicious user the many attempts needed to work through a wordlist. A link sent by email then lets the customer unlock the account; following the URL lets the server check the validity of the stored data (user name and hashed string) (Sawma & Probert, n.d.).
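The lockout policy and the unlock link are implemented below as an added example (not code from the report or from Sawma & Probert). Everything is in memory, sending the email is represented by returning the secret the link would carry, and the seven-attempt limit comes from the report while the fifteen-minute link lifetime and the user names are assumptions.

```python
"""Added example, not from the original report: lock an account after seven
failed logins and let the customer unlock it through a single-use, expiring
token delivered by email. Names and the token lifetime are assumptions."""
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 7               # the report's recommended limit
UNLOCK_TOKEN_TTL = 15 * 60     # seconds an unlock link stays valid (assumed)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class AccountStore:
    def __init__(self):
        self.users = {}             # username -> record
        self.unlock_tokens = {}     # sha256(token) -> (username, expiry)
        self._dummy_salt = os.urandom(16)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _pbkdf2(password, salt),
                                "failures": 0, "locked": False}

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_credentials' or 'locked'. A locked account answers
        'locked' even to the right password, so a guesser learns nothing more."""
        rec = self.users.get(username)
        if rec is None:
            _pbkdf2(password, self._dummy_salt)      # same cost for unknown users (timing)
            return "bad_credentials"
        if rec["locked"]:
            return "locked"
        if hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0                      # success resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True
            return "locked"
        return "bad_credentials"

    def issue_unlock_token(self, username: str, now: float) -> str:
        """Create the secret the emailed URL carries. Only its hash is stored, so
        a copy of this table (the attack of the previous section) yields no
        working links."""
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.unlock_tokens[key] = (username, now + UNLOCK_TOKEN_TTL)
        return token

    def unlock(self, token: str, now: float) -> bool:
        """Called when the customer follows the link. Consumes the token."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.unlock_tokens.pop(key, None)    # single use, valid or not
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry or username not in self.users:
            return False
        self.users[username].update(failures=0, locked=False)
        return True
```

Note the cost the policy introduces: anyone who knows a customer's user name can lock that customer out with seven bad guesses, so in practice the counter is paired with per-source rate limiting and with an alert when lockouts cluster, rather than used alone.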
Encrypting data in transit with a system such as SSL (Secure Sockets Layer), which provides privacy and integrity for data exchanged over the internet, and at the same time attaching time-stamps to all sensitive data exchanged between the customer and Heartland, is necessary because a malicious user who has captured an authentication sequence from the communication may replay it. SSL requires a web browser that supports it (see also SSL, n.d.). Replaying means sending the captured information back to the server so that the malicious user is authenticated as the real user; such attacks are known as replay attacks (Sawma & Probert, n.d.).
To ensure that the company avoids the problems described above that expose customer information, it is important to recognize that dictionary attacks, spoofing, sniffing, weak credential policies and weak cryptography can all be addressed during the design of a countermeasures model (Sawma & Probert, n.d.).
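The time-stamp countermeasure is shown below as an added example (not code from the report or from Sawma & Probert): the client stamps each sensitive request with a time and a fresh nonce and authenticates the whole message with an HMAC under a shared key, and the server rejects anything tampered with, outside the time window, or already seen. The shared key, the 60-second window and the message fields are assumptions; in practice the key would be a per-session or per-customer secret negotiated over the SSL channel.

```python
"""Added example, not from the original report: time-stamped, authenticated
requests with a server-side replay check. Key, window and fields are assumed."""
import hashlib
import hmac
import json
import secrets

WINDOW_SECONDS = 60   # assumed tolerance for clock skew plus transit time


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so client and server MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key: bytes, payload: dict, now: int) -> dict:
    """Client side: add a timestamp and a fresh nonce, then MAC the whole message."""
    msg = dict(payload, ts=int(now), nonce=secrets.token_hex(16))
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class ReplayGuard:
    """Server side: accepts each authentic, fresh nonce exactly once."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}    # nonce -> ts; entries older than the window are dropped

    def accept(self, msg: dict, now: int) -> str:
        mac = msg.get("mac")
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not isinstance(mac, str) or not hmac.compare_digest(mac, expected):
            return "bad_mac"                      # forged, tampered, or wrong key
        ts, nonce = body.get("ts"), body.get("nonce")
        if not isinstance(ts, int) or not isinstance(nonce, str):
            return "malformed"
        if abs(now - ts) > WINDOW_SECONDS:
            return "stale"                        # too old, or from the future
        # Bound the nonce cache: anything outside the window is already "stale".
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if nonce in self.seen:
            return "replay"                       # same message seen inside the window
        self.seen[nonce] = ts
        return "ok"


if __name__ == "__main__":
    key = b"shared-secret-for-the-example"       # constructed
    guard = ReplayGuard(key)
    req = sign_request(key, {"user": "alice", "action": "login"}, now=1000)
    print(guard.accept(req, now=1001))           # ok
    print(guard.accept(req, now=1005))           # replay
    print(guard.accept(dict(req, user="mallory"), now=1005))   # bad_mac
```

The timestamp and the nonce do different jobs: the window keeps the server's nonce memory small, and the nonce catches replays inside the window that a timestamp alone would accept. Neither helps without the MAC, since an attacker could otherwise simply rewrite the timestamp of a captured message.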
Implementation procedures, potential impediments, and cost of the solution
Implementing the system requires a designer, and the related costs include the purchase of SSL certificates and software and of the RSA system required for the process. Design analysis must begin with the current system, since it may need only adjustments rather than an overhaul; if an overhaul is needed, implementation costs rise because more analysis of the requirements becomes necessary. Other costs arise in identifying the actual threats beyond the general risk groups identified above; the more precisely a risk is identified, the less it costs to address. For comparison, factoring a 1024-bit RSA modulus has been estimated to cost an attacker more than $1 million, which indicates the level of protection the recommended key size buys.
Considerations related to system and process integration
Implementing the system requires the company to assess the related costs, the personnel needed, and hardware and software compatibility, which together determine exactly which parts must be replaced. As the cost analysis shows, the company must determine whether it has the financial capacity to implement the system. The complexity of the system calls for specialist advice, and the company may need to hire additional personnel.
Recommended maintenance procedures
In the RSA system, each customer's key can be set to expire after two years, so that a given security level is maintained and keys are changed regularly; fixing a period before each change also allows the key length to be adjusted when keys are renewed (RSA, 2009). Security can be raised further by increasing the encryption key size, say to 2048 bits, as improvements in factorization algorithms and hardware require it (Mohammadian, Lotfizad, Mahdi, & Mali, n.d.).
Assessment of the degree to which the risk has been reduced
A system intended to solve the problem must prove effective against it when analysed. The RSA deployment should be assessed periodically so that upgrades are made when required. A fall in the number of data breach incidents after installation provides evidence of the security level achieved, and scanning systems are available to make sure that breach incidents are identified. Continuous improvement of the system also depends on the availability of alternative models that are cheaper or better in terms of security, reliability, cost or efficiency.
References
Mohammadian, Lotfizad, Mahdi, & Mali. (n.d.). FPGA implementation of 1024-bit modular processor for RSA cryptosystem. Web.
Herzog, P. (2001). The Open Source Security Testing Methodology Manual, version 1.5. Web.
Johnson, A. (2001). Data protection and e-commerce: The case for new law in the information age. Web.
RSA Laboratories. (2009). How large a key should be used in the RSA cryptosystem? Web.
Sawma, V., & Probert, R. (n.d.). E-commerce authentication: An effective countermeasures design model. Web.
SSL. (n.d.). Network Security SSL Certificate FAQ. Web.
Viega, J., & McGraw, G. (2002). Building Secure Software. Addison-Wesley.