Gas Stations Have 10 Months to Encrypt Credit Card Transactions. Why Did They Wait This Long? [Encryption Digest 24]

January 3, 2020 | Katrina Dobieski


The famous German Enigma machine was, for its day, strong enough that the people who used it treated it as unbreakable. It was broken anyway, through a combination of operator error, a design flaw (no letter could ever encipher to itself) and some very, very smart people. Fast forward to 2020, and our ciphers are far stronger: a brute-force search of a modern 128-bit or 256-bit key is beyond any computing power we can foresee. It’s fantastic. But, like Enigma, the process – not the product – is riddled with human error: key handling, configuration, deployment and enforcement are where things go wrong. Are we undermining the best cryptographic minds of our generation with sloppy practice? In an era where cyberwar is the new front for social and political conflict, weak links can have serious consequences. Will we learn from our mistakes and tighten up enforcement of encryption policy, or will poor practice leave our most valuable assets exposed?

Gas Stations Have 10 Months to Prepare for Encryption—What Took So Long?



Major security loophole alert: unencrypted, replayable credit card transactions. What’s the one place where most of us still swipe a card instead of inserting a chip (and, where the issuer requires it, entering a PIN)? Hint: you’ve probably been there this week. Maybe even today.

The gas station. As of 2018, 50% of general-purpose credit card transactions were still processed from the magnetic stripe, and the stripe carries static data: it is not encrypted on the card, it is identical on every swipe, and whoever captures it once can replay it. Gas stations are a top offender.

Up until now, banks have borne the brunt of the responsibility for lost funds. Several years ago I was the victim of a gas station card skimming attack myself. My bank paid the debt. As of October 2020, the card brands’ EMV liability shift reaches the pumps: a station that still takes swipes at a pump with no chip reader will itself be liable for counterfeit-card fraud committed there. It’s about time.

Besides the obvious reasons, protecting card data is the payment industry’s own standard.

The Payment Card Industry Data Security Standard (PCI DSS) is blunt about stripe data: the full contents of the magnetic stripe (the track data) must never be stored after a transaction has been authorized, not even encrypted, and the card number (PAN) must be rendered unreadable wherever it is stored and protected with strong cryptography whenever it crosses an open, public network. Measure the typical pump against that. The stripe is read in the clear at the dispenser, handed in the clear to a back-office computer, and then the track data, which should not be stored at all, sits there unencrypted. Unsafe at best, egregious at worst.
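
What the standard actually leaves a merchant to keep, as an added example (this is not code from the article or from any payment vendor): a Python parser for the Track 2 data on the stripe, laid out per ISO/IEC 7813, a Luhn check on the PAN, the record a merchant may retain after authorization, and a scan for full track data that has leaked into a log. The PAN is the familiar 4111… test number; the discretionary data and the log lines are constructed for the demonstration.

```python
"""Track 2 handling that stays inside PCI DSS: parse the stripe, keep only what may be
stored, and scan logs for full track data that should never have been written.
Added example; the track string and the log lines are constructed."""
import re

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2 = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?;]*)\?")


def luhn_ok(pan):
    """Luhn checksum: every second digit from the right is doubled (minus 9 when > 9)."""
    total = 0
    for i, digit in enumerate(reversed(pan)):
        n = int(digit)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def parse_track2(track):
    """Split a complete Track 2 string into its fields, rejecting malformed or non-Luhn PANs."""
    m = TRACK2.fullmatch(track)
    if m is None:
        raise ValueError("not a Track 2 string")
    fields = m.groupdict()
    if not luhn_ok(fields["pan"]):
        raise ValueError("PAN fails the Luhn check")
    return fields


def storable_record(track):
    """The post-authorization record PCI DSS permits a merchant to keep.

    The full track and the discretionary data are sensitive authentication data and must
    never be stored; the PAN is masked to first six / last four, which is all receipts and
    reports need. Keeping the full PAN would require strong encryption or tokenization,
    which this example deliberately does not attempt."""
    f = parse_track2(track)
    pan = f["pan"]
    return {
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry": f["exp"],
        "service_code": f["svc"],
    }


def find_track2(text):
    """Scan free text (a log, a crash dump, a database export) for Luhn-valid Track 2 data."""
    return [m.group(0) for m in TRACK2.finditer(text) if luhn_ok(m.group("pan"))]


# Constructed pump-controller log in which a debug line wrote the raw stripe to disk.
SAMPLE_LOG = """\
2020-01-03 07:41:02 pump=4 auth start
2020-01-03 07:41:02 pump=4 reader raw=;4111111111111111=24121011234567890?
2020-01-03 07:41:03 pump=4 host response approved ref=000123
"""

if __name__ == "__main__":
    track = ";4111111111111111=24121011234567890?"
    print("may be stored:", storable_record(track))
    print("leaked track data:", find_track2(SAMPLE_LOG))
```

The scanner is the practical half: a pump controller or POS that logs the raw reader output is exactly how track data ends up stored "by accident", and grepping for the Track 2 shape with a Luhn filter finds it with few false positives.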
 

What’s the solution for gas stations over the next ten months? Two options are on the table. One is to install EMV chip readers at the pumps. It’s a bit of an overhaul, but probably overdue. The other is to encrypt the card data at the moment it is read, so that the reader hands the pump controller and the back office only ciphertext, decrypted by the payment processor and by nothing on the station’s premises (point-to-point encryption, or P2PE).

The latter seems more feasible and needs less downtime, with two caveats. Encrypting at the reader protects the data in transit and takes track data out of the back room, which shrinks a breach, but it does not satisfy the liability shift, which turns on accepting chip transactions rather than on encryption. And it only stops skimmers fitted behind the reader: an overlay skimmer on the card slot reads the stripe before the reader ever encrypts it. Chip cards defeat both, because the chip authenticates each transaction with a fresh cryptogram, so data captured once cannot be swiped again.
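
Why the chip option closes the hole that encrypting after the fact leaves open, as an added example (not the article’s code, and not any card brand’s reference implementation): a Python sketch of a stripe-only host beside an EMV-style host. Real EMV cards compute the ARQC with a card-specific key derived from the issuer master key and the transaction counter; this model stands in HMAC-SHA256 with a fixed per-card key and truncates the MAC to 8 bytes. The track, amount, key and unpredictable numbers are constructed.

```python
"""Static stripe data versus a per-transaction cryptogram.
Added example; HMAC-SHA256 stands in for EMV's ARQC MAC, and every value is constructed."""
import hashlib
import hmac
import secrets

STRIPE_TRACK = ";4111111111111111=24121011234567890?"   # identical on every swipe
CARD_KEY = bytes.fromhex("0f" * 32)                      # per-card MAC key (EMV derives one per card)


def authorize_stripe(track):
    """A stripe-only host sees the same bytes from the card and from a skimmer's copy."""
    return track == STRIPE_TRACK


def _mac(key, amount, un, atc):
    """MAC over amount, terminal nonce and card counter; stand-in for the EMV cryptogram."""
    msg = amount.to_bytes(6, "big") + un + atc.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Signs each transaction with an Application Transaction Counter that only goes up."""

    def __init__(self, key):
        self.key = key
        self.atc = 0

    def generate_cryptogram(self, amount, un):
        self.atc += 1
        return self.atc, _mac(self.key, amount, un, self.atc)


class Issuer:
    """Checks the MAC and that the ATC has advanced past the last one seen for this card."""

    def __init__(self, key):
        self.key = key
        self.last_atc = 0

    def authorize(self, amount, un, atc, cryptogram):
        if not hmac.compare_digest(_mac(self.key, amount, un, atc), cryptogram):
            return False          # wrong key, or amount/nonce/counter not what the card signed
        if atc <= self.last_atc:
            return False          # counter did not advance: an old cryptogram replayed
        self.last_atc = atc
        return True


class Terminal:
    """Contributes a fresh unpredictable number so the card's MAC is bound to this attempt."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.captured = None      # what a skimmer on the pump's internal wiring would see

    def transact(self, card, amount):
        un = secrets.token_bytes(4)
        atc, cryptogram = card.generate_cryptogram(amount, un)
        self.captured = (amount, un, atc, cryptogram)
        return self.issuer.authorize(amount, un, atc, cryptogram)


def _victim_fill_up():
    """A genuine $45.00 chip transaction, observed by a skimmer; returns issuer and capture."""
    issuer = Issuer(CARD_KEY)
    terminal = Terminal(issuer)
    if not terminal.transact(ChipCard(CARD_KEY), 4500):
        raise RuntimeError("genuine transaction should authorize")
    return issuer, terminal.captured


def stripe_replay():
    """Skimmer captured the stripe once; the copy authorizes exactly like the card."""
    return authorize_stripe(STRIPE_TRACK)


def chip_replay_at_new_terminal():
    """Captured cryptogram fed into a new transaction: the new terminal's nonce breaks the MAC."""
    issuer, (amount, old_un, atc, cryptogram) = _victim_fill_up()
    new_un = secrets.token_bytes(4)
    while new_un == old_un:           # a different terminal picks its own nonce
        new_un = secrets.token_bytes(4)
    return issuer.authorize(amount, new_un, atc, cryptogram)


def chip_replay_to_issuer():
    """Whole captured tuple replayed, nonce included: the ATC check rejects it."""
    issuer, captured = _victim_fill_up()
    return issuer.authorize(*captured)


def chip_second_genuine_transaction():
    """The real card keeps working: its ATC advances and the new MAC verifies."""
    issuer = Issuer(CARD_KEY)
    card = ChipCard(CARD_KEY)
    terminal = Terminal(issuer)
    return terminal.transact(card, 4500) and terminal.transact(card, 1250)


if __name__ == "__main__":
    print("stripe replay accepted:        ", stripe_replay())
    print("chip replay via new terminal:  ", chip_replay_at_new_terminal())
    print("chip replay straight to issuer:", chip_replay_to_issuer())
    print("second genuine chip purchase:  ", chip_second_genuine_transaction())
```

Note what the counter check buys: even an attacker who controls the terminal and replays the original nonce is caught, which is why issuer hosts track the ATC per card. The fixed key and the HMAC stand-in are modeling shortcuts; the replay logic is the part that matters.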
 

When we think about all that’s riding on that one point of access into our financial lives (home mortgages, college tuition, car payments, groceries), it seems an unnecessary game of Russian roulette to keep swiping unencrypted cards at unencrypted pumps, where our card numbers end up in unencrypted databases in the gas station back room.

It’s good to know that October is coming soon(ish).

Until then, I’m taking a pledge to only pay inside.


Worth More Dead Than Alive: Enigma Machine Sells for 100K



It should have been unbreakable. The Titanic was supposed to be unsinkable. Maybe it’s time to avoid absolutes in our advertising slogans.

For now, an original Third Reich Enigma was just put up for sale by a World War II artifact collector in Los Angeles and went to an anonymous buyer. The sticker price? $106,250. Given that it’s a key piece of encryption lore, some might say that’s a modest sum.

Apparently, 70 years ago you couldn’t give one away. The Germans destroyed machines to keep them out of Allied hands, and the Allies, with worries of their own about keeping the break secret, destroyed most of what they captured. Between Churchill and the Nazis, the kingpin of German communications has dwindled to about 250 surviving units.

Some interesting facts about the “unbreakable” machine:

The theory: After World War I, cipher designers understood that a key stream that never repeats makes for a theoretically unbreakable cipher; the one-time pad is the limiting case. Enigma approximated that with machinery. Every keypress stepped the rotors, so the substitution changed from letter to letter, and the three-rotor design produced long stretches of ciphertext before the rotor positions came back around.

The weakness: No letter could ever be enciphered to itself, a side effect of the reflector that turned the signal around and sent it back through the rotors. As one description of the machine puts it, it “could scramble the letters into any of 17,576 combinations except the use of the original letter.” (17,576 is 26 × 26 × 26, the number of rotor starting positions; rotor order and the plugboard multiplied the keyspace far beyond that.) For a codebreaker that guaranteed non-match is gold: a guessed piece of plaintext can only sit at positions where none of its letters lines up with an identical ciphertext letter, which rules out many alignments before any real work starts.

Thanks for the help: The stereotyped “Heil Hitler” at the end of messages (along with routine texts such as weather reports) handed the Allies exactly such guessed plaintext, a “crib”, and a reliable place to anchor it. That pattern anchor was one of the footholds that eventually let them crack Enigma.
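
How the non-match and the stereotyped sign-off are used together, as an added example that is not part of the original post: a Python model of a three-rotor Enigma with the historical wirings of rotors I, II and III and reflector B, no plugboard and ring settings at A, followed by the crib check. The message and the starting position MCK are constructed for the demonstration; the well-known check that “AAAAA” at position AAA enciphers to “BDZGO” confirms the model is wired correctly.

```python
"""Three-rotor Enigma model and the crib-alignment check made possible by the reflector.
Added example; rotor and reflector wirings are the historical ones, the message is constructed."""
import string

A = string.ascii_uppercase
ROTORS = {                                   # wiring, turnover notch
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"    # an involution with no fixed point


class Enigma:
    """Rotors listed left to right; ring settings fixed at A; no plugboard."""

    def __init__(self, order=("I", "II", "III"), start="AAA"):
        self.wiring = [ROTORS[r][0] for r in order]
        self.inverse = ["".join(A[w.index(c)] for c in A) for w in self.wiring]
        self.notch = [A.index(ROTORS[r][1]) for r in order]
        self.pos = [A.index(c) for c in start]

    def _step(self):
        # Right rotor steps on every keypress; the middle one when the right is at its
        # notch; the double-step moves middle and left when the middle is at its notch.
        if self.pos[1] == self.notch[1]:
            self.pos[1] = (self.pos[1] + 1) % 26
            self.pos[0] = (self.pos[0] + 1) % 26
        elif self.pos[2] == self.notch[2]:
            self.pos[1] = (self.pos[1] + 1) % 26
        self.pos[2] = (self.pos[2] + 1) % 26

    def _through(self, tables, idx, c):
        shift = self.pos[idx]
        return (A.index(tables[idx][(c + shift) % 26]) - shift) % 26

    def press(self, ch):
        self._step()
        c = A.index(ch)
        for idx in (2, 1, 0):                # right to left into the reflector
            c = self._through(self.wiring, idx, c)
        c = A.index(REFLECTOR_B[c])          # reflector never maps a contact to itself,
        for idx in (0, 1, 2):                # so the whole machine never maps x -> x
            c = self._through(self.inverse, idx, c)
        return A[c]

    def run(self, text):
        return "".join(self.press(ch) for ch in text.upper() if ch in A)


def impossible_offsets(ciphertext, crib):
    """Offsets where the crib cannot sit: some crib letter would have enciphered to itself."""
    return {
        off
        for off in range(len(ciphertext) - len(crib) + 1)
        if any(ciphertext[off + i] == crib[i] for i in range(len(crib)))
    }


PLAINTEXT = "WETTERVORHERSAGEBISKAYAHEILHITLER"   # constructed, with the stereotyped sign-off
CRIB = "HEILHITLER"
START = "MCK"                                    # constructed daily setting


def crib_drag():
    """Encipher the message, then return (ciphertext, offsets where the crib can still sit)."""
    ciphertext = Enigma(start=START).run(PLAINTEXT)
    bad = impossible_offsets(ciphertext, CRIB)
    survivors = [o for o in range(len(ciphertext) - len(CRIB) + 1) if o not in bad]
    return ciphertext, survivors


if __name__ == "__main__":
    ct, survivors = crib_drag()
    print("ciphertext:", ct)
    print("crib can only sit at offsets:", survivors)
    print("true offset:", PLAINTEXT.index(CRIB))
```

The true offset always survives, because the machine can never produce a letter equal to its input; every offset the check throws out is one the codebreakers never had to test. Sliding a crib like this was the first step of the real attack, and the surviving alignments were what the Bombe was then set up to test.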

 

 
