Three Indicted In Huge Identity/Data Breach

ScentCone and other readers let us know about an indictment just unsealed in federal court for stealing 130 million credit cards and other data useful in identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and the attackers' methodology.
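
The summary says the indictment cites SQL injection as the entry vector. The following is an added example, not code from the indictment, from Securosis, or from any of the breached processors: it shows the pattern in miniature against an in-memory SQLite table, with a merchant login and a "show my own cards" report built by string formatting, each beside the parameterized version that closes the hole. The tables, merchant names, card numbers and payloads are all constructed for this illustration.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample: a processor-style table of merchant logins
    and the card numbers (PANs) each merchant has submitted. Every value here
    is made up for the illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, merchant_id INTEGER, pan TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)",
                     [(1, "grocer", "hunter2"), (2, "convenience", "letmein")])
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)",
                     [(1, 1, "4111111111111111"), (2, 1, "4012888888881881"),
                      (3, 2, "5555555555554444")])
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting, so a quote character in
    either input rewrites the WHERE clause. Returns the merchant id or None."""
    sql = ("SELECT id FROM merchants WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, name, password):
    """Same query with bound parameters: the driver ships the values separately
    from the statement text, so they can never be parsed as SQL."""
    sql = "SELECT id FROM merchants WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def pans_vulnerable(conn, merchant_name):
    """A 'show my own cards' report. The UNION payload below turns it into a
    dump of every PAN in the table, which is the shape of a bulk card theft."""
    sql = ("SELECT c.pan FROM cards c JOIN merchants m ON c.merchant_id = m.id "
           "WHERE m.name = '%s'" % merchant_name)
    return [r[0] for r in conn.execute(sql).fetchall()]


def pans_fixed(conn, merchant_name):
    """Parameterized version of the same report."""
    sql = ("SELECT c.pan FROM cards c JOIN merchants m ON c.merchant_id = m.id "
           "WHERE m.name = ?")
    return [r[0] for r in conn.execute(sql, (merchant_name,)).fetchall()]


# Two payload shapes such attacks rely on (constructed here, not taken from the
# indictment): an always-true tail that bypasses the password check, and a UNION
# that appends rows from another table. The trailing "--" comments out whatever
# the original statement had after the injection point.
BYPASS_NAME = "' OR 1=1 --"
DUMP_NAME = "x' UNION SELECT pan FROM cards --"

if __name__ == "__main__":
    db = build_db()
    print("bypass against vulnerable login:", login_vulnerable(db, BYPASS_NAME, "wrong"))
    print("bypass against fixed login:     ", login_fixed(db, BYPASS_NAME, "wrong"))
    print("dump against vulnerable report: ", pans_vulnerable(db, DUMP_NAME))
    print("dump against fixed report:      ", pans_fixed(db, DUMP_NAME))
```

The fix is the same with any driver: bound parameters (or a query builder that uses them) rather than string assembly. Input filtering on its own is not the control; it only narrows the payloads that work.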
  • by mcrbids ( 148650 ) on Monday August 17, 2009 @07:48PM (#29099159) Journal

    These credit card processing companies had better get their acts together fast, or they'll be sunk by so many lawsuits that they won't be able to stay in business.

    Yes, but there is still an underlying problem: The credit card payment system is inherently insecure. I'm not talking about the computers, I'm talking about the system at large. Credit card numbers are basically a password that you share with anybody who you buy stuff from. Any of these vendors by definition have all the information necessary to use your credit card.

    What you can't do with the current system:

    1) You can't "lend" your card to a subcontractor so that they can buy supplies, without opening yourself up to a world of hurt.

    2) You can't trust that your identity isn't stolen at every possible transaction.

    3) In the case of a leak, you can't be automatically alerted to attempts to use your credit card.

    It could be some otherwise bored l337 h@x0r in Montana at his mom's house who cracks an online shopping cart, or the Russian Mafia, or the pimply guy who pumped your gas. All of them get the ability to "be you" simply by transacting as you, and so long as this fundamental insecurity remains unchanged, credit cards are and will continue to be problematic.

    Me? I'm imagining something with my cell phone, a PIN like an ATM card, but one that's different for each transaction. In this manner:

    1) I swipe my card.
    2) The credit card gives me a challenge code, asks me for my PIN.
    3) I get a text message on my cell, which has the challenge code on one line, and a one-time-PIN on the next line, and a third line with the amount charged.
    4) I enter the one-time PIN, proving that I have the registered phone in my hand.
    5) Then, I enter in my permanent PIN, just like I do now.

    This protects me:

    1) Anybody at the cell phone company can see the challenge and the response PIN, but it doesn't do them any good since these change with every card swipe.

    2) Anybody at the store can see the whole transaction, but it doesn't matter since they don't have my phone.

    3) Even the credit card processing center can't fudge the transaction because the amount of the charge was submitted prior to generating the one-time PIN, and I've already been made aware of the charge.

    4) If somebody did get your card #, and tried to use it, you would know immediately that it was happening, and the amounts involved because you'd be getting notices of the transactions sent to your phone!

    This would DRAMATICALLY reduce the security footprint of the credit card transactional system, and would easily allow for casual "lend him the credit card" scenarios, since you could give the card to someone, and even let them know your permanent PIN, but keep the phone in your hand. The only person who could effectively compromise this credit card system would be the credit card company itself.

    The only downside that I can see is that you couldn't use this system in areas without cell service. But even in that case, you could "pre-register" a transaction or two with no amount set, keep the one-time PINs handy, and use them when you don't have service.

    The current system is terribly insecure - I've had 3-4 different compromises of my credit card numbers in the last couple years despite my being VERY careful with my data. Then I talk to the fraud department, sign the affidavit, get my credit back, blah blah blah...

    The current system sucks. We need a better system.
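
The five-step flow proposed above, as an added example that is not part of mcrbids's post: the processor records merchant and amount before it derives the one-time PIN, derives that PIN as an HMAC over the challenge, the amount and the merchant, and at authorization recomputes it over whatever the terminal is claiming at that moment. The SMS gateway is simulated as a list, the per-card key and the PBKDF2 storage of the permanent PIN are assumptions about how an issuer might do it, and the card number, phone number and merchant names are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Transaction:
    txn_id: str
    card: str
    merchant: str
    amount_cents: int
    challenge: str
    used: bool = False


class Processor:
    """Issuer/processor side of the scheme. Per-card OTP keys and PIN hashes
    live only here (assumption); the phone number is the out-of-band channel."""

    def __init__(self):
        self.card_keys = {}   # card number -> OTP key
        self.pin_hashes = {}  # card number -> (salt, PBKDF2 of the permanent PIN)
        self.phones = {}      # card number -> registered phone
        self.txns = {}        # txn_id -> Transaction
        self.sent_sms = []    # stand-in for an SMS gateway: (phone, text)

    def enroll(self, card, phone, pin, key=None):
        self.card_keys[card] = key or secrets.token_bytes(32)
        salt = secrets.token_bytes(16)
        self.pin_hashes[card] = (salt, self._pin_hash(pin, salt))
        self.phones[card] = phone

    @staticmethod
    def _pin_hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def _otp(self, card, challenge, amount_cents, merchant):
        # The OTP is a MAC over challenge AND amount AND merchant, so it only
        # verifies for the exact transaction the cardholder saw on the phone.
        msg = f"{challenge}|{amount_cents}|{merchant}".encode()
        digest = hmac.new(self.card_keys[card], msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def swipe(self, card, merchant, amount_cents):
        """Steps 1-3: the terminal submits card, merchant and amount; the
        processor records them, derives the OTP and texts challenge, OTP and
        amount to the registered phone. Returns (txn_id, challenge)."""
        challenge = secrets.token_hex(4)
        txn_id = secrets.token_hex(8)
        self.txns[txn_id] = Transaction(txn_id, card, merchant, amount_cents, challenge)
        otp = self._otp(card, challenge, amount_cents, merchant)
        text = f"{challenge}\n{otp}\n{amount_cents / 100:.2f} at {merchant}"
        self.sent_sms.append((self.phones[card], text))
        return txn_id, challenge

    def authorize(self, txn_id, merchant, amount_cents, entered_otp, entered_pin):
        """Steps 4-5: the terminal forwards what the cardholder typed along with
        the merchant and amount it is now claiming. The OTP is recomputed over
        the claimed values, so a changed amount, a replay or a wrong PIN fails."""
        t = self.txns.get(txn_id)
        if t is None or t.used:
            return False
        salt, stored = self.pin_hashes[t.card]
        pin_ok = hmac.compare_digest(stored, self._pin_hash(entered_pin, salt))
        expected = self._otp(t.card, t.challenge, amount_cents, merchant)
        otp_ok = hmac.compare_digest(expected, entered_otp)
        if not (pin_ok and otp_ok and amount_cents == t.amount_cents
                and merchant == t.merchant):
            return False
        t.used = True
        return True


def otp_from_sms(text):
    """What the cardholder reads off the phone: line 2 of the message."""
    return text.split("\n")[1]


if __name__ == "__main__":
    p = Processor()
    p.enroll("4111111111111111", "+15555550100", "1234")
    txn, _ = p.swipe("4111111111111111", "grocer", 1999)
    otp = otp_from_sms(p.sent_sms[-1][1])
    print("genuine:", p.authorize(txn, "grocer", 1999, otp, "1234"))
    print("replay: ", p.authorize(txn, "grocer", 1999, otp, "1234"))
```

Binding the amount into the OTP is what gives point 3 above its teeth: once the text has gone out, neither the merchant nor the processor's front end can inflate the charge, because the code the cardholder typed will not verify against the new amount. Marking the transaction used handles replay by anyone who read the SMS in transit, which is point 1.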

  • Re:Hate to say it... (Score:5, Interesting)

    by Anonymous Coward on Monday August 17, 2009 @08:02PM (#29099289)

    PCI compliance is the definition of security theater. I used to work for a credit card processing company, and every month we'd get some new "PCI" rule we had to follow, which did virtually nothing to make us more secure.

    Month 1: Can't store credit card numbers in problem tickets. Must use e-mail. (Internal e-mail, obviously.)
    Month 2: Can't e-mail credit card numbers internally. Must put them into problem tickets.
    Month 3: Can't do either one. Now you must provide the credit card numbers verbally (over the phone), or write them down and carry them to the person resolving the ticket.

    Which made resolving card-specific software issues absolutely delightful to deal with - I couldn't even begin to guess how many miles I trudged through the IT floor, distributing sticky notes with credit card numbers written on them, which if you ask me was more of a security risk than having them stored digitally.

    Meanwhile, the things that really mattered were left virtually untouched. I don't even know how many times something was completely and utterly screwed up by someone, somewhere in the company... and we couldn't even figure out who did it because there were no logs of what had happened, or because the logs pointed to a shared account that anybody could have used. My account on the actual card processing front-end system was watched like a hawk, however, nobody would ever have noticed if I'd downloaded a database dump from the FTP server and made off with it.

    PCI has absolutely nothing to do with actually tightening security, and everything to do with making businesses able to say "It's OK! We're PCI COMPLIANT!"

    (Post anonymously? Hmm, I wonder.)

  • by Rival ( 14861 ) on Monday August 17, 2009 @08:52PM (#29099677) Homepage Journal

    How is 130 million cards getting compromised not going to have an impact on the economy?

    The question is, how is this going to impact the economy?

    If these identities are being used for fraudulent transactions, then the initial impact might be an overall increase in sales. Obviously those sales will be challenged, and repercussions will be felt at various points throughout the system, but the impact on the economy is not going to be a simple cause-and-effect, regardless of scale.

    This scenario makes me wonder whether mass-compromise of the credit card system has been modeled yet. And more importantly, whether there are plan(s) in place to minimize both systemic and individual disruptions.

  • by mcrbids ( 148650 ) on Monday August 17, 2009 @09:25PM (#29099867) Journal

    But it doesn't matter if the cell phone company is compromised - or did you miss that bit?

    The only thing that the cell phone company gets is the ability to approve the transaction that I already started. I don't give a shiat who reads the cell message. And if the cell network was hacked so that I get a bogus text message, then the transaction still doesn't work.

    In other words, yes, perhaps it's possible to hack a GSM cell phone tower, but even so, the attack window is very, very small.

    Compare that to today, where the attack window is so huge you could fly a dozen Airbus 380s through it in a parallel formation. Today, literally *EVERYBODY* you do business with has the ability to steal your credit card credentials!

    That's just retarded.

  • by MartinSchou ( 1360093 ) on Monday August 17, 2009 @10:25PM (#29100293)

    I just recently moved to Sweden from Denmark. The changes in online payment processing weren't that big - it just introduced an extra bit of security. It's not a matter of being from Sweden or Denmark, it's a matter of how the shops are set up.

    In Denmark, it's the same way as in the US:
    1) Punch in your card number
    2) Punch in the card's security code
    3) There is no step 3

    The Swedish stores I've bought from add extra steps when I'm using the card from my bank though; it uses authentication that you need to have with you:
    A smart card reader [todos.se] using the chip and pin for my card.

    When I want to pay using that system, the steps are as follows:
    1) Payment processor is my bank, not some random company, and is in a separate SSL session to my bank
    2) Enter SSN on payment page
    3) Enter the one-time control code in my reader
    4) Enter the pin number for my card in the reader
    5) Punch in the return code from the card reader on the payment page

    It's the same system I use for my online banking as well; it has steps for login, signing and buying, each presumably using a separate private key.

    A system like this put into place everywhere would make gleaning my credit card number useless. I don't have any physical identification that has my SSN on it, nor am I required to have such by Swedish Law (unless I'm driving). And even with my SSN, they still need to know my pin code. Can't say for sure if the card and reader are tied to each other though - I haven't tried using someone else's reader.

    Additionally when this system is used on the websites, all processing is done through the bank's own systems, meaning the bank itself is the one that needs to be compromised, and they're probably a bit more worried about a breach than the other guys. I mean - if their systems are broken into, it's not like they can just pass the blame onto some random third party and tell the customers "don't worry, we won't be doing business with them again" - they screw up and it's us telling the banks we won't do business with them again.
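
The reader flow described in the post (control code in, PIN in, return code out, typed back into the bank's page), as an added example that is not the commenter's bank's design and not code from the post: a chip that holds one key per purpose, a reader that computes nothing until the PIN is accepted and locks after three bad tries, and a bank that recomputes the response over the control code it has outstanding. Per-purpose symmetric keys stand in for the separate private keys the commenter presumes; the SSN format, the PIN handling and the key sizes are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets


def compute_response(key, purpose, control_code):
    """MAC over purpose and control code, truncated to 8 digits for typing.
    Binding the purpose means a 'login' response cannot be replayed as 'buy'."""
    mac = hmac.new(key, f"{purpose}:{control_code}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


class CardReader:
    """Unconnected reader plus chip. It answers only after the cardholder's PIN
    is accepted, keeps one key per purpose (login/sign/buy) and locks after
    three bad PINs. Keys and PIN check are assumptions, not the bank's design."""

    MAX_PIN_TRIES = 3

    def __init__(self, purpose_keys, pin):
        self._keys = dict(purpose_keys)  # purpose -> key, never leaves the chip
        self._pin_hash = hashlib.sha256(pin.encode()).digest()  # toy stand-in
        self.bad_tries = 0

    @property
    def locked(self):
        return self.bad_tries >= self.MAX_PIN_TRIES

    def respond(self, purpose, control_code, pin):
        """Steps 3-4 at the reader. Returns the return code, or None (counting a
        bad try) when the PIN is wrong, the purpose is unknown or the reader is
        locked."""
        if self.locked or purpose not in self._keys:
            return None
        if not hmac.compare_digest(self._pin_hash, hashlib.sha256(pin.encode()).digest()):
            self.bad_tries += 1
            return None
        self.bad_tries = 0
        return compute_response(self._keys[purpose], purpose, control_code)


class Bank:
    """Bank side: the only other holder of the per-purpose keys. Steps 1-2 (the
    separate TLS session and the SSN entered on the payment page) collapse to a
    dict keyed by SSN here."""

    def __init__(self):
        self._keys = {}     # ssn -> {purpose: key}
        self._pending = {}  # (ssn, purpose) -> outstanding control code

    def enroll(self, ssn, purpose_keys):
        self._keys[ssn] = dict(purpose_keys)

    def issue_control_code(self, ssn, purpose):
        """Step 3: a fresh 8-digit challenge. Reissuing replaces the old one, so
        a response computed over a superseded code is useless."""
        if ssn not in self._keys:
            return None
        code = f"{secrets.randbelow(100_000_000):08d}"
        self._pending[(ssn, purpose)] = code
        return code

    def verify(self, ssn, purpose, response):
        """Step 5: recompute over the outstanding control code and compare in
        constant time. Success or failure, the code is consumed."""
        code = self._pending.pop((ssn, purpose), None)
        if code is None or response is None:
            return False
        expected = compute_response(self._keys[ssn][purpose], purpose, code)
        return hmac.compare_digest(expected, response)


def enroll_card(bank, ssn, pin):
    """Issuance: bank and chip end up sharing one key per purpose."""
    keys = {p: secrets.token_bytes(32) for p in ("login", "sign", "buy")}
    bank.enroll(ssn, keys)
    return CardReader(keys, pin)


if __name__ == "__main__":
    bank = Bank()
    reader = enroll_card(bank, "850101-1234", "4321")
    code = bank.issue_control_code("850101-1234", "buy")
    print("bank verifies reader's answer:", bank.verify("850101-1234", "buy",
                                                        reader.respond("buy", code, "4321")))
```

What this buys over a card number plus CVV is the commenter's point: the card number and SSN are inputs an attacker can learn from any merchant, but without the chip and the PIN there is no way to turn a fresh control code into a valid response, and a captured response is consumed on first use.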

  • by Anonymous Coward on Monday August 17, 2009 @10:43PM (#29100479)

    When I set up the cart for my employer, I naturally required buyers to put in their billing address info.

    Fully 40% couldn't manage to supply their billing zip code.

    Not even after they called us and we went through the guessing game over the phone.

    I know we are a mobile society - but c'mon - I can remember every zip I've lived in for the last 15 years.

    I finally gave up and now require only card number and expiration - that's it.

    Fortunately, the vast majority of our purchases are under 50 bucks, and we've only had 3 or 4 charge backs in the last three years.

    Most card theft is like gambling - a tax on the stupid.
