First Equifax: Next, you?
22 Sep 2017

First Equifax: Next, you?

We’re all familiar with the disaster that occurred at Equifax, with millions of Americans identities being leaked. In fact, there’s a good chance that you might be one of the many affected. The security protocols at Equifax were so sloppy, that they actually directed customers to a phishing website to check if they were affected. There are a few points to be taken from this:

  • Any system can be breached.
  • You must offer concrete security protocols, which start with your developers.
  • Nobody wants their business affected by this.

We’ve established some considerations below to keep in mind when you are preparing to develop your software.

Disclaimer: Whereas this information may be useful to you, it is not intended to be professional advice. Always seek professional advice when dealing with matters such as how to secure your system.

1. Convenience is a risk, don’t store payment information.

The best way to not release a clients credit card or bank information is to never store it. Many companies store their client payment information for the convenience of auto-payments, or quicker payments at their next transaction. This makes sense, because consumers today are expecting a quick experience. The issue lies in the fundamental nature of storing payment details, which comes from encryption.

  • Even when “encrypted” on an “SSL” secured system, details must be able to be de-crypted. As most things can be decrypted with relative ease, this presents a major security flaw.
  • Don’t store payment details, unless absolutely necessary.

2. Sensitive information should be one-way encrypted.

When storing something such as a social security number, a bank pin, or some other information that would be damaging in the wrong hands, it’s best to encrypt one-way. The difference in one-way encryption vs. two-way encryption is explained in the name. One-way encryption, by its design, is not meant to be decrypted. This makes it virtually impossible to use any information when it is discovered. Two-way encryption, which is often used to store sensitive information to be displayed later, by its design is meant to be able to be encrypted.

One-way encryption can be utilized by software when the data requested is entered. If you type in your social security number, which was encrypted with MD5, the new encryption hash that was generated would be the same that is stored. This makes verifying information safe and secure.

  • Use MD5 encryption, a powerful one-way encryption method.
  • Two-way encryption is OK for less sensitive information (i.e. first name, last name).

3. Algorithms can save your business.

Let’s say that it is pertinent that you be able to view a clients social security number when you pull up their account. In this case, it is necessary to use multiple levels of two-way encryption, and algorithms that only your software could possibly understand. As a developer, this takes a good amount of time. As a business, this is time well spent – as your clients depend on it.

  • Software should utilize at least one proprietary algorithm to encrypt the data.
  • Multiple levels of two-way encryption should be employed to further encrypt the data.

Whereas there is always a risk that these algorithms could become understood by hackers, it severely reduces the chance that the data will be decrypted.

4. Secure your server.

Sensitive information shouldn’t be stored on a shared server. In theory, that server is already breached by others who were given access. How well are they securing their systems? If that is a factor in your security plan, your plan is flawed. The best intervention is prevention, which starts with your server. Your engineers should employ modern methods to protect the server that hosts your data. As new threats present every day, it is necessary to make daily security updates to the software that you utilize. There are a few things that you can do to secure such information:

  • If the network is local only, the server should only respond to trusted MAC addresses (physical hardware unique identifier)
  • The biggest virus might be your own software, so keep it up to date.

 

At the end of the day, the best intervention is prevention. Make sure that your clients sensitive information is secured by employing multiple modern, powerful security protocols not only with your software, but also your hardware. If you’d like to learn more about how our developers can properly secure your system, send us a message.

Kevin Heasley

Kevin is the Lead Developer at Citadel, overseeing all software development projects. With many years of experience and counting, Kevin has received awards for his works in the field of software development.

Comments are closed.