Thursday, 10 April 2014

Heartbleed made Simple

Heartbleed has suddenly become a very well known security vulnerability, because this simple bug in OpenSSL has turned out to be one of the most critical and potentially devastating of all time, with over half a million trusted websites said to be vulnerable. Over the last couple of days various security advocates and vendors have been lined up by the media, with ominous warnings of grave danger online due to Heartbleed.

However I have generally found the mainstream media have focused far too much on sensationalising instead of explaining the vulnerability properly, and have not explained how organisations should resolve the problem or how users can protect themselves. It is fair to say the media coverage has led to much confusion about Heartbleed among organisations and users alike, which I'll attempt to dispel.

Heartbleed made Simple

Heartbleed, also known as CVE-2014-0160 in techie land, is a Critical Security Vulnerability identified within OpenSSL, a widely used software library which implements SSL/TLS encryption. This encryption software is used on many 'secure' websites (https), VPNs, Email Servers and Mobile Phone Apps. The vulnerability is in OpenSSL's handling of the TLS Heartbeat extension. A Heartbeat request is like a regular 'ping' between a server and client, used to keep a secure connection alive: the sender includes a small payload and states its length, and the other side echoes the payload back. Vulnerable OpenSSL versions trusted the stated length without checking it against the size of the message actually received, so an attacker can send a tiny request which claims a payload of up to 64KB and be sent back that much of the server's memory from beyond the end of the request. That memory (the heap) can hold private encryption keys, user credentials, session cookies and confidential information. It is as simple as that, although each request returns a different slice of memory, so it typically takes thousands of heartbeat requests by an attacker before an attack successfully returns the information desired. Note the flaw is in OpenSSL's code, not in the SSL/TLS protocol itself, and it cuts both ways: a malicious server can read memory from a vulnerable client in the same manner.
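The following Python simulation is an added example, not code from the original post or from OpenSSL. It reproduces the logic of the bug and of the 1.0.1g fix in the heartbeat handler, with a constructed byte string standing in for the server's heap and a made-up credential placed next to the received record.

```python
import struct
from typing import Optional, Tuple

# Message layout from RFC 6520 (TLS Heartbeat extension).
TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of random padding
HEADER_LEN = 1 + 2        # 1-byte type + 2-byte payload_length


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. A malicious client sets claimed_length larger
    than len(payload); an honest client leaves it as None."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", TLS1_HB_REQUEST, claimed_length) + payload + bytes(MIN_PADDING)


def response_payload(response: bytes) -> bytes:
    """Return the bytes a heartbeat response carries, per its own length field."""
    _hbtype, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


def process_heartbeat_vulnerable(heap: bytes, record_length: int) -> Optional[bytes]:
    """Mirror of the pre-1.0.1g logic: trust the payload length from the wire.

    `heap` stands in for server memory; the received record occupies its first
    `record_length` bytes and other allocations follow it."""
    hbtype, payload_len = struct.unpack("!BH", heap[:HEADER_LEN])
    if hbtype != TLS1_HB_REQUEST:
        return None
    # BUG: copies payload_len bytes starting at the payload with no check that the
    # request actually contained that many bytes (the real code does memcpy(bp, pl, payload)).
    echoed = heap[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", TLS1_HB_RESPONSE, payload_len) + echoed + bytes(MIN_PADDING)


def process_heartbeat_fixed(heap: bytes, record_length: int) -> Optional[bytes]:
    """Mirror of the 1.0.1g fix: bounds-check the claimed length against the record."""
    if HEADER_LEN + MIN_PADDING > record_length:
        return None                       # silently discard
    hbtype, payload_len = struct.unpack("!BH", heap[:HEADER_LEN])
    if hbtype != TLS1_HB_REQUEST:
        return None
    if HEADER_LEN + payload_len + MIN_PADDING > record_length:
        return None                       # silently discard, per RFC 6520 section 4
    echoed = heap[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", TLS1_HB_RESPONSE, payload_len) + echoed + bytes(MIN_PADDING)


def demo() -> Tuple[bytes, Optional[bytes]]:
    """Constructed scenario: a lying request sitting next to a credential on the heap."""
    request = build_heartbeat_request(b"hello", claimed_length=64)
    # Constructed heap: the record, then an unrelated allocation holding a secret.
    heap = request + b"user=alice&pass=hunter2" + bytes(64)
    leaked = response_payload(process_heartbeat_vulnerable(heap, len(request)))
    blocked = process_heartbeat_fixed(heap, len(request))
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable server echoed:", leaked)
    print("fixed server replied:", blocked)
```

The real handler is in OpenSSL's ssl/t1_lib.c and copies with memcpy, so in C the over-read reaches into whatever happens to follow the request buffer, which is what the constructed heap imitates. The fixed version silently discards any request whose claimed length does not fit inside the record that was actually received.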

The Register has posted one of the best detailed technical descriptions on how attackers exploit the Heartbleed vulnerability, so there is no need for me to drill into further technical detail here to explain it - http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/ 


There is also a nice video explanation of Heartbleed by Elastica Inc

Now the Heartbleed vulnerability has become so widely known, thanks to mass media, and given how easily anyone can exploit it, immediate action by organisations and individuals is required.

Business & Organisations that Operate Secure Websites, Apps, VPNs, etc

1. Immediately identify all usage of OpenSSL versions 1.0.1 to 1.0.1f in your organisation, and patch it - download here. Patching means upgrading to OpenSSL 1.0.1g or your vendor's backported fix, then restarting every service that links the library (web servers, VPN gateways, mail servers, load balancers), otherwise the old vulnerable code stays loaded in memory. If you cannot patch immediately, OpenSSL can be recompiled with -DOPENSSL_NO_HEARTBEATS to remove the heartbeat code entirely.

2. Where OpenSSL version 1.0.1 to 1.0.1f was found and patching has been confirmed:

  • Issue new encryption key pairs and certificates, and revoke the old certificates; assume all private keys are compromised. Do this before forcing password changes, otherwise new passwords are sent over connections an attacker holding the old private key could still decrypt or impersonate.
  • Invalidate all web session keys and cookies (hopefully done as part of the update), as a leaked session token lets an attacker in without needing a password at all.
  • Enforce user account password changes. The assumption to take is that user account names & passwords have been compromised. It is possible for an attacker to be completely undetectable while performing the Heartbleed exploit, as the requests leave no trace in ordinary server logs, therefore there is no way of assuring whether account credentials have been compromised or not.
  • Review the content which may have been leaked due to the vulnerability in OpenSSL, then action mitigation where required.
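As an added example (not the post's own material), here is a Python check that classifies the text printed by `openssl version` on each host into the affected and unaffected ranges described above. The hostnames and version strings below are constructed. It assumes that a build compiled without heartbeats shows `OPENSSL_NO_HEARTBEATS` in the output of `openssl version -a`; that is an assumption, not something the post states.

```python
import re
from typing import Dict, Tuple

# Affected: 1.0.1 through 1.0.1f, and 1.0.2-beta1.  Fixed: 1.0.1g and 1.0.2-beta2 onward.
# The 1.0.0 and 0.9.8 branches never contained the heartbeat code.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?", re.IGNORECASE)


def classify_openssl_version(version_output: str) -> Tuple[str, str]:
    """Classify `openssl version [-a]` output as VULNERABLE / SAFE / UNKNOWN.

    Returns (verdict, reason). A SAFE verdict by version number alone is not proof:
    distribution packages often backport the fix without changing the version letter,
    so cross-check the package changelog, and restart services after patching."""
    if "OPENSSL_NO_HEARTBEATS" in version_output:          # assumption: flag visible in `-a` output
        return "SAFE", "built without heartbeat support"
    m = _VERSION_RE.search(version_output)
    if not m:
        return "UNKNOWN", "could not parse an OpenSSL version string"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4).lower(), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        if letter <= "f":                                    # "" (bare 1.0.1) sorts before "a"
            return "VULNERABLE", f"1.0.1{letter} is in the affected range 1.0.1 to 1.0.1f"
        return "SAFE", f"1.0.1{letter} includes the fix released in 1.0.1g"
    if (major, minor, patch) == (1, 0, 2):
        if beta and beta.lower() == "beta1":
            return "VULNERABLE", "1.0.2-beta1 is affected"
        return "SAFE", "1.0.2 from beta2 onward includes the fix"
    if (major, minor, patch) < (1, 0, 1):
        return "SAFE", f"{major}.{minor}.{patch} predates the heartbeat extension"
    return "SAFE", f"{major}.{minor}.{patch} postdates the fix"


def audit(version_outputs: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Run the check over a {hostname: `openssl version` output} mapping."""
    return {host: classify_openssl_version(out) for host, out in version_outputs.items()}


if __name__ == "__main__":
    # Constructed inventory: what `openssl version` printed on each box.
    inventory = {
        "www1": "OpenSSL 1.0.1e 11 Feb 2013",
        "vpn1": "OpenSSL 1.0.1g 7 Apr 2014",
        "mail1": "OpenSSL 0.9.8y 5 Feb 2013",
        "lb1": "LibreSSL 2.0",
    }
    for host, (verdict, reason) in audit(inventory).items():
        print(f"{host:8} {verdict:10} {reason}")
```

Run `openssl version -a` rather than plain `openssl version` so the compiler flags are included, and remember that a statically linked application (some VPN appliances and mobile apps bundle their own OpenSSL) will not show up in the system library's version at all; those need the vendor's own advisory.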
Everyone (Users)

If requested to change your password by an organisation, website, application etc, like a Nike 80s commercial, Just do it!

The media is full of advice for users, particularly advocating users should change all their website passwords. However this is a pointless exercise if the service you are using has not yet been patched to protect against Heartbleed, as a new password sent to a still-vulnerable server can be leaked just like the old one, or perhaps the service has not even been affected by the vulnerability, as not all encryption software makes use of OpenSSL, so check with the service first.
Finally, ensure you adhere to good password management practice. Consider using a password management vault such as LastPass, and ensure unique and strong passwords are used for all your website accounts, particularly any banking and email accounts. That way, should one of your weaker website accounts be compromised due to Heartbleed, the attackers don't gain access to your more important accounts. Reusing the same password on multiple websites is a common issue, and attackers understand that some users do this and so check for it.
See my other posts for further advice on password management:

Monday, 24 March 2014

Security Awareness Lesson on Loose Lips by Football Stars

Last week I was left rather concerned about the state of security awareness in the UK, after hearing various people in my train carriage rattle on loudly about information which was clearly meant to be kept confidential; a World War II awareness phrase comes to mind, Loose Lips Sink Ships. However my faith in personal security awareness has been somewhat restored, as over the weekend I noticed many football superstars demonstrating a very simple security control, a control which I believe has been coached to them by their clubs, in other words information security awareness training. This simple tactic is to cover your mouth when speaking, a technique used to mitigate the risk of the media, and perhaps opposition teams, being able to eavesdrop on what you are saying, namely by using lip reading experts to interpret what is being said by watching TV or camera footage.

This practice was very evident in last night’s El Clasico, Real Madrid versus Barcelona, a match which fully lived up to the billing as the biggest club football match in the world. And what a match it was, some of the world’s best footballing talent on the pitch, playing amazing football, in a topsy-turvy match which was packed with controversy with three penalties, which saw Barca eventually run out 4-3 winners. Aside from the quality football, what I found particularly interesting, was an on the pitch conversation between Barca's Messi and Madrid's Pepe that was caught by the TV cameras, both demonstrated good security awareness by covering their mouth as they spoke to each other in conversation, see the pictures below.



 Messi & Pepe keeping their conversation private

On Saturday night I saw the same practice while watching Match of the Day. Wayne Rooney scored a goal from just inside the opponents' half, mimicking David Beckham's spectacular goal from his own half all those years ago.

David Beckham and his family were actually in attendance, and sure enough a TV close up of David Beckham and his son Brooklyn followed Wayne Rooney’s goal celebration. Both David and young Brooklyn had their mouths covered with their hands while discussing Rooney’s goal. No doubt David was telling his son that his goal was better than Rooney’s goal. But the fact his son had his mouth covered with his hand suggests some sort of awareness training has occurred in my view, even if it was delivered by his security aware dad.
The Beckhams are Security Aware

My American friends will point out in US sports like American football, coaches on the sidelines have been hiding their mouth when barking out team instructions with a clipboard for years, but my point is this practice is relatively new to the UK sports, and I have observed it with English cricketers at the recent Ashes series, and with our Curling players at the recent Winter Olympics. But it is in football where it has become most prominent, you can spot the likes of Jose Mourinho using the mouth covering method all the time, especially after his private conversation about Samuel Eto'o and Fernando Torres was leaked to the media.

This makes me wonder what other security awareness training and practices football clubs have adopted in this technical age. These days at many Premier League clubs, players are handed iPads holding information about their gameplay and their opposition's gameplay, especially at half time. This information can be the difference between winning and losing a match, and given the small margins involved in football, and the vast amounts of money which can be gained or lost by success and failure, such information needs to be protected. The Manchester City reaction to their scouting database compromise is an example of the importance of information security within the billion pound UK football industry.

Then there is social media awareness: a footballer's comments on Twitter can land a football club in hot water with the FA and sponsors, resulting in fines and match bans for the player involved, for example Ashley Cole's £90,000 fine for a Twitter post or Jason Puncheon's recent fine for remarks on Twitter about a manager. So I think information security, and the important awareness training that goes with it, is now being taken far more seriously by professional football clubs than it used to be a couple of years ago; the ultimate driver for this change is money.

Friday, 21 March 2014

Information Careless Great Britain: All Aboard the non-Privacy Train

This week I experienced a rather concerning two hour journey from London aboard a Virgin Pendolino train.
Might be the Age of the Train, but it's not the Age of Privacy Awareness

I had just taken my seat on board, and the train had just cleared the tunnel just north of Euston station. As I was settling in to the journey I noticed something through the gap of the two seats in front; like a magpie drawn to a sparkling object, something had caught my eye. I have spent years conducting security assessments, checking system logs and databases for the presence of credit card data. During this time I have unwittingly developed the canny knack of quickly spotting a 16 digit primary account number of a credit card, along with an expiry date and the 3 digit security code. My eyes were drawn to the laptop screen of the passenger in front, which had a webpage fully on show displaying his typed-in credit card details, including the 3 digit security code, which was not obfuscated. In my disbelief I considered taking a picture with my phone, but then thought better of this, as it crosses an ethical boundary in my view. But if a more unscrupulous person than I did take a picture, then they could use the captured credit card details to easily commit credit card fraud, namely use them to buy items online.


The passenger is at fault on so many levels. Obviously having your credit card details on open display within a public environment is not the greatest idea; a cheap laptop privacy filter could help reduce this risk, but not completely, as I think my viewing angle would still have been good enough to observe his laptop screen. Then the website itself didn't look too secure in my view, in that the webpage didn't obscure the credit card information he had typed in, especially the 3 digit security code, which is not a good sign. Then there was the method of internet access: I was pretty certain the laptop was connected to the train's public WiFi. These days (hopefully) most people understand you should never enter credit card details to purchase anything over public WiFi, as there is no way of telling whether you are connected to a fake WiFi hotspot operated by data thieves, whether someone is listening in to (sniffing) all your web traffic, or whether a man-in-the-middle attack is being performed, which can defeat the encryption (https SSL) used by 'secure' websites if the user clicks through a certificate warning or is quietly downgraded to plain http.

I was still shaking my head and tutting to myself when the three ladies sat around the table seats to my left piped up. All three of them worked within the HR department of a UK FTSE 100 company which I won't name; I know this because for most of the journey all they talked about was their work. First they spoke in detail about an individual whom their company had recently fired, stating this individual's full name several times along with the reason for the dismissal. They discussed how they would prepare for his employment tribunal in the following week. Next they started a real bitching session against their boss, again I'm naming no names. One of their boss's emails was read out from a smartphone and then ridiculed, along with further gossip...she said this, he said that, I said this. Their department restructuring is apparently a complete joke and a waste of time. Finally there were further and rather personal remarks about their boss and another individual working within their department; the irony of their HR role and the tribunal case they had been initially talking about was not lost on me.


How many phone calls do you hear on trains?

While still doing my best to mind my own business, an annoying ring tone sounded from the seat behind me, and Mike X announced his presence to the rest of the coach, with a booming “Hello Mike X”.  He wasn't a relation to Malcolm X, I am using X to protect his real surname. We all learnt that Mike was quite the slick salesman, and how he was key to his company winning a £450K contract with a well known construction company. We also heard how he and his colleagues were going to provide the right kind of answers the construction company wanted to hear in their tender documentation, and that his company should not worry too much about details at this stage, unless it was something that was going to be clearly stipulated in the contract. Finally he told us all about his plans for the weekend, dinner with his wife on the Saturday, and golf with his chums on the Sunday.

You couldn't make this stuff up; for a moment I thought it was part of some elaborate prank, but Ant & Dec were nowhere to be seen, so I decided to save myself from further annoyance by the passengers around me, put on my headphones, pulled out my laptop, stuck on my privacy filter and wrote it up for this blog post.

Conclusion – Information Careless
I can't help but wonder whether this train carriage represents an average cross section of the level of security awareness in the UK in 2014. No wonder cyber criminals target the UK; they know its citizens are information careless, and are a cash rich soft touch. Information security awareness by the UK government and companies is either proving not to be very effective, or people already understand it well enough and are choosing not to give a damn.

Sunday, 16 March 2014

Was Flight MH370 Cyber Hijacked?

The disappearance of Flight MH370 is turning into one of the biggest mysteries of the age, the evidence is sketchy, everyone seems to have their theory, and the media are running riot with endless speculation. As a security professional I can’t help but wonder whether there was a cyber element to the incident, especially given the high amount of technology used in modern fly-by-wire jet planes like the Boeing 777-200ER.

Was Flight MH370 Cyber Jacked?

I have managed and consulted on many cyber security incidents over the years, but the following will be my own conjecture. When I deal with cyber incidents, my golden rule is to only deal with the facts and the evidence, and to save any speculation for the Sherlock Holmes fan club. But with this incident I am allowing myself the luxury of exploring potential cyber attack possibilities with the MH370 flight disappearance, as over the week quite a few people have asked me whether the flight could have been hacked, and the 'cyber jacking' speculation will only grow after today's Sunday newspaper headlines.

So let's start with the facts: we now know flight MH370's transponder and the Aircraft Communications Addressing and Reporting System (Acars) were both disabled while the aircraft was over the South China Sea, and after this the Boeing 777 changed direction, heading West.

Could the transponder and Acars have been disabled by a Cyber attack?
It may well be possible to jam a transponder and Acars from within the aircraft cabin, preventing such devices from broadcasting by using fairly basic equipment to swamp these devices' receiving and broadcasting frequencies with noise, a denial of service attack if you will. But I think such an attack could also interfere with other aircraft systems and jeopardise the likely objective of the hijack, which appears to be taking control of the aircraft. I believe it is far more rational that the transponder and Acars were disabled by human hand, as it is far simpler to do than a cyber attack, it guarantees these systems are actually disabled, and they then remain disabled indefinitely. The human disablement is given further credence when you consider that control of the aircraft had been achieved by the attacker or attackers, as control of the aircraft is proven by the radical course change.

Could the aircraft be remote controlled due to a Cyber Attack?
A Boeing 777 cannot be remotely flown from the ground as far as anyone is aware, but we cannot rule out the possibility that someone sat in the cabin could use a laptop or mobile phone to infiltrate the aircraft's computer systems and take control of the aircraft. A sophisticated fly-by-wire Boeing 777 is reliant on its computer systems to fly, and can fly completely unaided through the autopilot. Attacking the aircraft's computer systems and changing the autopilot settings is a possibility; however the problem I have with this theory is that the autopilot can be overridden by the pilot and co-pilot from within the cockpit. It is very unlikely a hack could lock out the pilot controls and prevent the pilot from radioing such a situation to air traffic controllers. The most plausible explanation is usually the simplest, namely that the aircraft is physically controlled by whoever is sat in the cockpit. If you have a technical theory on how such attacks could work, please post in the comments as I would be very interested to learn how it could be done, but please go beyond just mentioning PlaneSploit, and describe how such tools could be used to lock the pilot out from the aircraft controls.

Conclusion
In my view, based on the current evidence, I believe we are looking at a sophisticated plane hijack by a person or persons who have a high degree of expertise in aviation, not cyber security. Although the investigation should not rule out a cyber attack element, I think it is far more plausible to switch off the aircraft tracking and to take control of the aircraft from within the cockpit than from the cabin with a laptop or mobile phone. We'll see if my speculation at this time of posting is correct or not over the coming days and weeks, or perhaps even months or years, but let's not give up hope for a positive outcome for the many involved.

Friday, 28 February 2014

GCHQ Privacy Disregard Touches the Optic Nerve

The latest GCHQ revelation, courtesy of The Guardian and Edward Snowden, is arguably the most privacy damning of them all. A GCHQ surveillance program called 'Optic Nerve' collected more than 1.8 million webcam images from Yahoo chat accounts between 2008 and 2010. The program saved one webcam image every five minutes from unknowing Yahoo users using private webcam chat. One of the stolen GCHQ memos made no bones that the service struggled to keep the large store of sexually explicit imagery collected from the eyes of its staff.

The fact these images were collected en masse and indiscriminately without the knowledge of Yahoo's users, the vast majority of whom are law abiding, is a real privacy invasion. Most worrying is that such an undertaking could be "green lighted" by senior officials; this beggars belief, pointing to a general lack of human morality and to the uncontrolled power our security agencies have. This is what happens when covert security agencies are given a high degree of trust and power, but are held completely unaccountable for their actions.

This has parallels with hackers, credit card fraudsters and even online cyber bullies: when certain people believe they are not accountable for their actions online, namely they feel they can get away with it, they will commit dark acts without the fear of any recourse and do dastardly things they certainly wouldn't repeat in the more accountable real world. Take the example of Curtis Woodhouse, a professional boxer who turned the tables on his cyber abuser by offering a £1,000 reward on Twitter to anyone who could identify his abuser. Duly enough he received a name and an address, and proceeded to travel across England to meet his abuser face to face, tweeting his progress along the way. As he reached the doorstep of his troll he received a full apology from him on Twitter. Just in the nick of time, and to Curtis' great credit, he resisted demonstrating his boxing prowess to his abuser, and has instead used his cyber bully and the whole experience to raise awareness.

Back to the GCHQ privacy abuse: it is high time the UK government got a stronger grip on GCHQ, holding them to account by introducing an independent privacy protection oversight function over all of their covert digital operations, and perhaps even directing GCHQ into helping to protect the UK's national cyber assets and critical infrastructure. The latter is especially important given this week we heard UK energy companies' security is so weak they can't obtain any cyber insurance.

The UK government needs to get its cyber priorities straight and tackle the UK cyber defence problem, which is often talked about, but little is ever done. If the UK lost power or water due to a cyber attack, it would be a national crisis. As with their handling of GCHQ, the UK government are doing a poor job of holding profit hungry energy and utility companies to account for their security, even though their services are crucial to UK citizens and businesses alike.

Friday, 21 February 2014

Has your Website Account been Hacked?

The relentless stream of data breaches by big business continues, with the likes of Vodafone, Tesco, Sony, Adobe and Yahoo all losing their customers' personal data en masse due to their inadequate security. How do you know if your username, email address and password have fallen into the hands of a cyber criminal due to these breaches?

There is one website that seeks to provide some assurance on that question: https://haveibeenpwned.com appears to have acquired the stolen data from the Internet's criminal underworld and allows anyone to freely search it for their own username and email. The website returns a response which states whether the account is known to have been compromised or not, namely whether it is listed within the stolen data. The website says it has over 161 million stolen accounts that are searched, all compiled from several of the high profile data thefts.

Although the hacked businesses are responsible for the poor security leading to these data thefts, we as website users must recognise we have a security responsibility to protect ourselves as well, and be much more savvy in creating and managing our website passwords. Website users should be creating long, complex, randomly formed passwords, including special characters such as !,",£,$,%,^. In addition users should adhere to a policy of using a unique password on every different website, so if one account is compromised, multiple website accounts are not compromised as well. This is not as impossible as it might seem, as a password vault solution such as LastPass can generate and manage unique, highly complicated random passwords for each website, so the user does not have to remember or even think up new complex passwords.

The password problem is nothing new; I posted advice back in January 2009, however the message is still not getting through to many website users, as is evidenced by reviewing the most common passwords found in the Adobe breach's stolen data.

Top 20 Passwords from Adobe Data Breach

123456
123456789
password
adobe123
12345678
qwerty
1234567
111111
photoshop
123123
1234567890
000000
abc123
1234
adobe1
macromedia
azerty
iloveyou
aaaaaa
654321
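An added example, not from the original post: a Python check of a candidate password against the rules above, using the top-20 Adobe list as a deny-list, plus a generator that draws from the operating system's cryptographic random source, and a reuse finder of the kind a password vault runs over its own entries. The sample vault and candidate passwords are constructed.

```python
import secrets
import string
from typing import Dict, List

# The top-20 Adobe breach passwords listed above, used here as a deny-list.
ADOBE_TOP20 = [
    "123456", "123456789", "password", "adobe123", "12345678", "qwerty",
    "1234567", "111111", "photoshop", "123123", "1234567890", "000000",
    "abc123", "1234", "adobe1", "macromedia", "azerty", "iloveyou",
    "aaaaaa", "654321",
]
SPECIALS = "!\"£$%^&*()-_=+[]{};:,.<>?/"   # includes the characters the post suggests
MIN_LENGTH = 16


def password_problems(candidate: str, deny_list: List[str] = ADOBE_TOP20,
                      site_name: str = "") -> List[str]:
    """Return the reasons a password is weak; an empty list means it passes."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in {p.lower() for p in deny_list}:
        problems.append("appears in a published breach list")
    if site_name and site_name.lower() in lowered:
        problems.append("contains the site name (adobe123, adobe1 style)")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in SPECIALS for c in candidate),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three of lower/upper/digit/special")
    if len(set(candidate)) <= 2:
        problems.append("repeats the same one or two characters")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password with the CSPRNG, retrying until it passes the checks."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


def find_reuse(vault: Dict[str, str]) -> List[List[str]]:
    """Given {site: password}, return the groups of sites sharing one password."""
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return [sites for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    for candidate in ["adobe123", "Password", "aaaaaa", "Tr0ub4dor&3-Correct-Horse"]:
        print(f"{candidate!r}: {password_problems(candidate, site_name='Adobe') or 'ok'}")
    print("generated:", generate_password())
    # Constructed vault: the bank and webmail share a password, which is the case the post warns about.
    print("reused across:", find_reuse({"bank": "x", "email": "x", "forum": "y"}))
```

The deny-list here is only the twenty entries from the post; a real check would load a full breach list, and the length threshold is deliberately higher than most sites enforce because a vault, not a human, is expected to remember the result.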


I think business and the security industry need to do much more to tackle the password problem as well. Certainly providing two-factor authentication gives a high level of protection to the user, so even if the bad guys have the username and password, they still can't access the account without possessing the user's hardware token or mobile phone, which are typically used as second factors to authenticate the user along with a username and password. The likes of Google and Twitter offer two-factor authentication, but these are almost provided as hidden options for their users. I have previously posted about the excellent Google two-factor authentication; read it if you wish to know more about it, and I certainly recommend enabling it if you are a Gmail user.

As for the security industry, for years various vendors have been beavering over potential password replacement solutions, and certainly more noises are being made about password solutions at the moment, however nearly every solution proposed involves the trust of a third party to oversee it, even using LastPass requires trust of a third party. But I think trust, especially post Snowden, will be a major barrier in seeing the password problem truly solved.

Wednesday, 12 February 2014

How Microsoft will help Hackers attack Windows XP

Yesterday was Patch Tuesday, as usual Microsoft released a series of monthly security patches for its software.


Most notable in February's patch list are several 'Critical' patches which resolve Remote Code Execution vulnerabilities in all versions of Microsoft Windows. This includes a specific security patch download for Microsoft Windows XP systems, demonstrating Windows XP vulnerabilities still keep on coming, but there is another really interesting point with these monthly Microsoft Security Bulletin announcements, which is that they will aid hackers in attacking the Windows XP operating system.

How Microsoft will help Hackers attack Windows XP
Post 8th April 2014, Microsoft will in effect be advertising to hackers a list of Windows XP vulnerabilities which will remain unpatched. Every time Microsoft announces fixes for newly discovered vulnerabilities within multiple versions of the Windows operating system, as it did yesterday, it will in effect be confirming that these vulnerabilities are also present, and will remain unpatched, on Windows XP indefinitely, and attackers can compare the patched and unpatched binaries of the newer versions to locate the flaw. We can expect new XP vulnerabilities to be targeted given the huge number of XP machines still in circulation worldwide, which are in the hundreds of millions according to many recent surveys.


Why this is a problem for non-XP users

Those of us not running XP should not be too smug about this, as the end of Windows XP security patching is a grave concern for everyone. More compromised Windows XP systems equates to their usage in targeting everyone, regardless of operating system. Compromised systems are often placed into large botnets of devices, allowing the bad guys to systematically direct phishing attacks, send spam and conduct DDoS attacks.

Does Microsoft have a moral duty to carry on patching XP?
So given this, does Microsoft have a moral and security responsibility to keep on patching Windows XP post April? On the one hand I understand their commercial aspect and the advantage of standardising on less versions, however on the other hand given the mass numbers of Windows XP systems still in use, I think Microsoft does have a moral duty to keep on security patching Windows XP after April, and play its part in protecting everyone.

UK Government Windows XP Advice

The UK government recently released its Windows XP advice to UK organisations. This CESG guidance urges the retirement of Windows XP and Office 2003 before 8th April 2014, but provides some short-term mitigation advice for organisations that will struggle to meet the deadline.

CESG Windows XP End of Support: Reducing Risk During Migration

Tuesday, 4 February 2014

Why isn’t the GCHQ & NSA Privacy Invasion Socially Accepted?

Post Snowden it is easy to jump on the media bandwagon and cry foul that GCHQ and the NSA have gone too far, forsaking our Privacy for Security. Yet if you take a walk through any city or town in the UK, your image and actions are recorded by hundreds of CCTV cameras, no permission is ever sought, and you have no idea who is watching you; yet this invasion of privacy is socially accepted.

Millions of people in the UK willingly give up their privacy on social networks, sharing almost every aspect of their private lives. This private information is commercially exploited through targeted advertising, this invasion of privacy is socially accepted. The same is true with smart phones where considerable user privacy is given up, just read Apple’s agreement and your mobile phone contract to see the extent, it goes well beyond personal details, phone calls and text messaging. These companies track the applications you use, the websites you browse and where you physically are in the world with your smart phone, huge aspects of people's personal lives are tracked and recorded. No one ever seems to complain that a US based smart phone manufacturer and German mobile phone companies are able to know exactly who we are, and track a history of our movements over time, so this level of privacy invasion is socially accepted.

Actual Mobile Phone Contract Example
We collect such information as:
your name;
billing address;
installation address;
delivery address;
telephone number;
your use of products and Services including but not limited to phone numbers and/or email addresses of calls, texts, MMS, emails and other communications made and received by you and the date, duration, time and cost of such communications, your searching, browsing history (including web sites you visit) and location data, internet PC location for broadband, address location for billing, delivery, installation or as provided by individual, phone location;

Then there are the UK ISPs, all of which track and record every website we visit and every network connection we make; in fact they have been instructed to do so by our government, the law was passed, and this is socially accepted.

And of course the UK government already keeps track of many elements of our private lives, including our earnings, our medical details, and they even know the type of car we own, all private information which can be easily strung together to form a profile of our private lives.

So we already significantly trust the UK government and foreign based businesses with considerable amounts of our private lives, so is it really correct to conclude GCHQ and the NSA have gone too far in abusing our privacy as well? Their intent is to protect our society, preventing terrorists and criminals from delivering their dastardly acts. This is the role of such agencies in the modern age, and they are usually the first in the firing line of politicians when terrorist actions are successful.

Nevertheless both GCHQ and the NSA are in powerful positions, which in my view requires policing and oversight to ensure such agencies do not abuse their powers, especially behind the closed doors of their operations. Such operations must remain covert for their success, which prevents the sort of public scrutiny we see with other UK government agencies. In the absence of the desired public scrutiny I believe there needs to be an independent body watching over GCHQ and the NSA within their respective countries, a body which has public credibility and trust, and the power to investigate and where necessary hold secret service agencies to account when they are found to have strayed too far from our society's Privacy vs Security balance. The Privacy vs Security balance can never be solidified, and must be subjected to public debate which is open ended, so as a society we can keep pace with the rapid information technology revolution and the inevitable increased storage and exploitation of our private data which comes with it; only then can we as a society come to a general agreement on what is a socially accepted level of privacy invasion.

Finally, the big question I have is who is supposed to be holding the commercial giants to account, many of which have compiled huge amounts of our private information. Yes, we have Information Commissioners for data privacy enforcement, but the truth is these bodies are toothless tigers, shackled by ancient data protection laws which pre-date social networking and cloud computing. They are pretty much useless when it comes to tackling the large tech giants, giants which are motivated by exploiting our private information for profit, a far less noble purpose than the intent of GCHQ and the NSA.


Thursday, 23 January 2014

PCI London: How the Payment Card Industry could kill PCI DSS

Today (23rd Jan 14) I was a panellist at PCI London 2014, and quite a few people were interested in what I had to say about removing the need for PCI DSS compliance completely by securing the payment cards further. What I said was nothing new; I have been bleating on about this since attending the first PCI SSC meeting back in 2007. Still, it is a bold thing to say, especially at a conference where Visa Europe and the PCI Security Standards Council are promoting PCI DSS compliance in the UK, and where event-sponsoring vendors are promoting their PCI DSS compliance services. I'll summarise the views I expressed at PCI London, which I believe could draw an end to PCI DSS compliance.

Introduce Global Chip & Pin (EMV)
Chip & Pin provides two-factor authentication: in order for the cardholder to make a payment, the cardholder requires knowledge of a 4 digit number and possession of the payment card. This is known as a 'cardholder present' transaction; typically these are 'over the counter' or 'check out / till' payments. The UK introduced 'Chip & Pin' in 2006, and since then the payment industry has seen a drastic cut in face-to-face card fraud transactions. However the US has been dragging its heels for years, resulting in breaches like Target, where the bad guys only need to steal the magnetic stripe data to obtain the cardholder data, giving them the ability to commit fraud with thousands of payment cards.

Remove the Magnetic Stripe from the Cards
The magnetic stripe makes it easy for card fraudsters to clone cards: they can simply create usable cloned cards by copying stolen magnetic stripe information onto new fake cards. There is nothing to prevent anyone from reading the details held on a card's magnetic stripe, and writing to a magnetic stripe is a simple and cheap process. The magnetic stripe holds all the cardholder data (track 2 data), but it is a 1970s technology and has not evolved since it was introduced. The chip technology is different: it is far more secure because the details held on the chip are encrypted, chips are very difficult to clone, and it is a technology that is always evolving.
A Magnetic Stripe, A Card Fraudster's Delight

Introduce Two-Factor with cardholder not present payments (Telephone & Ecommerce)
A 'cardholder not present' transaction is one where you cannot be sure the actual owner of the payment card is making the payment, because you can't see him or her. These are typically internet (ecommerce) payments and telephone payments (MOTO). Most card fraud occurs with these types of transactions; certainly nearly all UK card fraud occurs here.

To secure cardholder not present transactions, just as with cardholder present transactions, the solution is simple: introduce a two-factor authentication system. There are several ways this can be achieved, with many examples of concept payment cards which include PIN entry and a number returned on the plastic, just as we find with the remote access tokens supplied by most banks. So the technology is available, yet the payment card industry has no plans to roll it out en masse.

Two-Factor Payment Card

Summary
In taking these steps, cardholder data would no longer require any protection, as possession of the 16 digit number, expiry date and security code (if it is needed any more) would not be enough for a fraudster to commit card fraud. This is due to the second factor requirement, namely the cardholder knowing their 4 digit number. Cardholders already have and know a 4 digit number, as pretty much everyone uses ATMs. So in conclusion, if cardholder data no longer requires protecting, then complying with PCI DSS is no longer required.
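As an added illustration, not part of the original post and not a real EMV or bank scheme, here is a simplified Python model of the issuer-side check such a two-factor card would enable: the card only produces a one-time code after the correct PIN is entered on the card itself, the issuer verifies that code against the card's key, and static data alone (PAN and expiry) is never enough. The card details, key and PIN are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass


def one_time_code(key: bytes, counter: int) -> str:
    """8-digit code from the card key and a monotonic counter (HOTP-style)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


@dataclass
class ChipCard:
    """Hypothetical card with its own PIN pad and display (not a real EMV/CAP card)."""
    pan: str
    expiry: str
    key: bytes      # held only on the chip and at the issuer
    pin: str        # checked on the chip, never sent to the merchant
    counter: int = 0

    def generate_code(self, entered_pin: str):
        if not hmac.compare_digest(entered_pin, self.pin):
            return None                     # wrong PIN: the card stays silent
        self.counter += 1
        return one_time_code(self.key, self.counter)


class Issuer:
    """Issuer-side authorisation of a cardholder-not-present payment."""
    def __init__(self, cards):
        self.records = {c.pan: (c.expiry, c.key) for c in cards}
        self.last_counter = {c.pan: 0 for c in cards}

    def authorise(self, pan: str, expiry: str, code=None, window: int = 5) -> bool:
        record = self.records.get(pan)
        if record is None or record[0] != expiry or code is None:
            return False                    # static card data alone is never enough
        last = self.last_counter[pan]
        for c in range(last + 1, last + 1 + window):   # allow a few unused codes
            if hmac.compare_digest(one_time_code(record[1], c), code):
                self.last_counter[pan] = c  # consumed, so a replayed code fails
                return True
        return False


def demo():
    """Constructed sample card: well-known test PAN, sample key and PIN."""
    card = ChipCard("4111111111111111", "1216", b"\x2a" * 32, "1234")
    issuer = Issuer([card])
    stolen_static = issuer.authorise(card.pan, card.expiry)   # PAN + expiry only
    wrong_pin = card.generate_code("0000")                    # card stolen, PIN unknown
    genuine_code = card.generate_code("1234")
    genuine = issuer.authorise(card.pan, card.expiry, genuine_code)
    replay = issuer.authorise(card.pan, card.expiry, genuine_code)
    return stolen_static, wrong_pin, genuine, replay          # (False, None, True, False)
```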

The reason we do not have more secure payment cards and payment processing systems today is that the card industry is not prepared to invest in improving security. They are standing still on security, and through PCI DSS compliance they are asking someone else to foot their security bill, protecting their outdated card security. The magnetic stripe is testament to this: it is a 1970s technology which has not changed, and it makes every payment card in the world insecure.

PCI DSS is about protecting someone else's data; my view is that the card brands and issuers should not be passing this risk and liability over to their 'customers' to deal with, but should be dealing with the problem themselves. Chip & Pin has been proven to drastically cut payment card fraud. It is about time the payments industry got its finger out, stopped standing still on plastic card security, and finished the job of securing cards to a standard acceptable in the internet age.