We all worry about the safety of our credit cards and debit cards when we use them to shop. When you take a look at any Point of Sale (PoS) device, two things remain extremely sensitive: the magnetic stripes and cardholder data.
Cryptographic solutions are instrumental in securing any area where information that must be shielded and protected exists.
According to welivesecurity.com,
Cryptography is an essential component of PoS terminals, just as in all digital payment methods used today. In addition to the cornerstones of confidentiality and integrity, authentication and non-repudiation come into play too – in other words, a transaction cannot be allowed without the user’s knowledge.
Payment security systems primarily use three groups of cryptographic algorithms. The three groups interact with a variety of technologies and are combined with various types of architecture within PoS devices.
PoS systems that use the three groups of cryptographic algorithms differ mainly in speed, power consumption and ease of implementation. Beyond that, how each group is used depends on how the key is stored, how communication between two endpoints is encrypted, and the level of security required.
Symmetric-key algorithms:
This type of algorithm is very fast but less secure. The same key is used both to encrypt and to decrypt information. Symmetric-key algorithms have a major disadvantage: before communication between two points can begin, the password or key must be exchanged between them. 3DES (Triple Data Encryption Standard) and AES (Advanced Encryption Standard) are examples of symmetric-key algorithms.
Asymmetric-key algorithms:
Unlike symmetric-key algorithms, these use two different keys, a public key and a private key, and only one of them is used at a time, either to encrypt or to decrypt data. The private key is the one used to read (decrypt) the information and for this reason is kept shielded. The public key is the one used to write (encrypt) information and is therefore distributed freely. Asymmetric-key algorithms are otherwise called PKI (Public Key Infrastructure). Examples include PGP/GPG (Pretty Good Privacy) and network traffic encrypted with SSL/TLS (Secure Sockets Layer and Transport Layer Security). SSL and TLS are used extensively by websites that perform transactions or that require credentials to be entered.
One-way hash algorithms:
These algorithms offer a good way to protect passwords. They take input of variable length and produce a fixed-length output, and the hash value is easy to compute. Their advantage lies in how difficult it is to recover the original input from the hash value alone.
With encryption algorithms, bigger is always better. Attacks on encrypted data generally rely on brute force, meaning the attacker tests key combinations until the right one is found. For this reason, a longer key and a more complex encryption algorithm make the data that much harder to break.
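The one-way hash and key-length points above, as an added Python example that is not part of the original article or of welivesecurity.com's material: a card number is protected first with a plain one-way hash and then with a keyed hash (HMAC), and the size of the search space a brute-force attempt faces in each case is computed. The card number is a constructed, well-known test value, not a real account; the function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed example value: a standard test card number, not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: keep the first 6 and last 4 digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: one-way, but anyone can recompute it."""
    return hashlib.sha256(pan.encode()).hexdigest()


def new_key() -> bytes:
    """Fresh 256-bit secret for the keyed hash (keep it in the PoS secure store)."""
    return secrets.token_bytes(32)


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: one-way AND not reproducible without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def verify_keyed(pan: str, key: bytes, expected: str) -> bool:
    """Constant-time comparison, so the check itself leaks no timing information."""
    return hmac.compare_digest(keyed_hash(pan, key), expected)


def unkeyed_search_space(pan_len: int = 16, known_prefix: int = 6) -> int:
    """Candidates to try when inverting an unkeyed PAN hash: the free digits after a
    known 6-digit issuer prefix, minus the single Luhn check digit."""
    return 10 ** (pan_len - known_prefix - 1)


def keyed_search_space(key_bytes: int = 32) -> int:
    """Candidates to try without the key: the whole key space."""
    return 2 ** (8 * key_bytes)
```

Because the card-number space is small, a plain hash of a PAN is only as strong as that small search space; the keyed hash moves the work to the key space instead.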
Welivesecurity.com also said,
We can confirm that within the “Cryptography security for remote dispenser transactions” patent, published in June 2000, DES is believed to provide “the highest degree of security when used according to the invention described”.
With that being said, cryptographic algorithms are not built into the PoS devices at the initial stage of production. This offers cybercriminals a small window of opportunity to corrupt these devices and extract information.