
How to Avoid a Target-Style Credit Card Security Breach (Video)

Posted by Roblimo
from the remember-when-cash-was-king? dept.
Wayne Rash has covered IT as a reporter and editor for over 35 years. NPR, Fox Business News, and NBC all call on him as a technology expert. A few weeks ago he had an article on eWeek titled How Target's Credit Card Security Breach Could Have Been Avoided. In this video, Wayne tells how you (or your business) can avoid being targeted by miscreants out to steal credit card data. It turns out that the security measures he advocates for businesses are common in other parts of the world but haven't hit the United States quite yet. But don't despair. There are things you can do right now, as an individual, to limit your potential losses from card number thefts. Still, the long-term fixes to the security vulnerability that bit Target need to be made by merchants and card issuers, some of whom are already transitioning to cards and card readers that use EMV chips, and some of whom aren't quite there yet -- but might speed up their efforts after seeing what happened to Target.

Robin: Wayne, some stores have “target” in their names, such as Target. But what if your business or your online retail operation isn’t a target and doesn’t want to be a target for people stealing your customers’ credit card information. What should we do?

Wayne: Well, I am told that the proper pronunciation for the store’s name according to my daughter is “Tarjay,” I guess, that makes it sound more upscale. The way to avoid being a target for that particular exploit is to not use the magstripe on a person’s credit card. The way to get around that is by using the chip and PIN capabilities, which is available from most credit card companies. They provide a credit card that’s got a little chip in it and they scan that and then you enter a PIN. Sometimes you may end up also signing for it. However, that means that the magstripe information is not available for cloning.

What’s happening with the Target exploit was that people were copying the magstripe as the card was passed through the reader and then using that to build a new cloned credit card, which they then used to go out and buy stuff. With what they call the EMV chip, you can’t clone that. The chip itself is encrypted and even when you get the information off of it, you can’t use it to either make a magstripe or a new card with a chip in it. So that prevents that particular kind of exploit.

Robin: So, really we cardholders have to rely on our card issuer, the bank, the credit union to handle that?

Wayne: Well, you can ask for the chip to be put in your card and if you get one, then you can use that instead of the magstripe in some stores. But you got to have a store that uses that. The readers are available from the credit card clearing companies. Some big retailers, notably Walmart, already have all the readers they need and already have the software in place, and if you present them with a card that’s got the chip in it, they read the chip, not the magstripe.

Robin Miller: How do we know which retailers have that capability and which don’t or can we or do we?

Wayne: You ask. When you go to them say, can you do the chip and PIN or can you read the chip that’s in my card and they can. I went to Walmart the other day to replace some light bulbs and they were able to read the chip that was in my credit card.

Robin: Well on the other side, my wife is a Target fan, I’ll admit and she gets prescriptions there. And she immediately, when she read about this, she went to our credit union. We use a smallish, local, very friendly and low fee credit union. And they told her, don’t worry about it. They said just keep an eye on your account and if you see any weird charges, the charges you or your husband ever made, let us know and we’ll cancel it after the fact. They said that they hadn’t had any of their customers at Grow Federal Financial, none of their customers have been hit yet, and they’ve a lot of Target shoppers, is this the case do you think?

Wayne: Well, obviously, the people who took the credit card numbers took 40 million credit card numbers. There’s a fairly good likelihood they are not going to use all of those magstripe copies that they got. So your chances of getting your number taken and somebody using it to make a cloned credit card are relatively low just because of the sheer numbers involved.

However, there is a couple of things you should remember when you’re using a system like that. One of which is do not use an ATM card to buy things at Target or any other retailer even if you have a good idea that the card reader is not being skimmed because they can take the magstripe information without using the card reader, without changing the card reader, they can do it directly out of the system. So if you are going to use an ATM card, use it in a bank and only at a bank.

Robin: Really, because all we have is a Debit/ATM card.

Wayne: Get a credit card then.

Robin: Okay. I take that back, we have a credit card, we just never use it.

Wayne: Well, a credit card gives you significant legal protection that you don’t have with ATM cards. For example if they find a bogus charge on your ATM card, they will give you the money back eventually. In the meantime, you have no money and you have to wait till they get around to it and it may take them several days to do so. You will get the money back from most banks or credit unions but it may not be right away. So while it’s happening, you’re basically broke.

The credit card on the other hand, those charges ____5:09. There’s federal law that protects you. Even if the bank who issues the credit card won’t protect you, you are still limited by federal law to a loss of no more than $50 and almost every card issuer actually protects you completely. So, even if you only use the card to buy things, well if you pay it off immediately, you’re much safer using a credit card than an ATM card.

Robin: Okay. Our credit union says that they back their ATM/cash cards, same as the credit card that they run through Visa. And they told us not to worry, but this may be just this local out in MacDill Air Force Base in Tampa Credit Union.

Wayne: It may be. And the fact is, is that you are exposing yourself to that kind of a loss. The other thing quite frankly is with an ATM card, you also find yourself subject to periodic brief holds on your money at gas stations.

Robin: Yes.

Wayne: And you don’t have credit cards either.

Robin: Okay. What about from the merchant side? So, assuming I’m a merchant whether online or off, or a combination, aside from getting the newer readers, what can I do to make my customers safe?

Wayne: Well, getting the newer readers is really the most important thing you can do. Nobody is really quite sure at this point how the hackers got into Target. Target’s probably not saying even if they know and right now, they may not know how it happened. So, to some extent, if a big company like Target that presumably has good security, got their credit card readers broken into, it could happen to most anybody.

The biggest thing you can do for your small businesses to feel comfortable is the fact that you’re probably so small that nobody is going to bother with you because they are not going to make enough money off of your 15 customers that day.

Robin: So, being small then is an advantage?

Wayne: Yeah. They’re not going to waste a lot of resources on you because they’re not going to get enough out of you to make it worth the trouble.

Robin: Well, my wife and I have a business that’s our umbrella for writing and she sells some art, but not big. We just process everything – a lot of stuff is checks, we just got one today from one of my writing clients, but we run our credit cards through PayPal, we lay off the risk.

Wayne: You’re not using a card reader. You’re just putting the number directly into PayPal.

Robin: That’s correct.

Wayne: And because of that, there is no way for anybody to infect your card reader because you don’t have one.

Robin: Right. But we might get what are those square card readers.

Wayne: The square card readers don’t work with chips. They currently only work with magstripes.

Robin: So, they are vulnerable?

Wayne: Well, theoretically, but remember, there is the issue of scale. Unless somebody broke into PayPal, which could happen, but it’s unlikely, but it could happen – then again Target was probably unlikely also – they’re not going to be able to infect your card reader. They are either going to have to get it from you or they are going to have to get it from PayPal and you’re probably too small to be worth the trouble.

Robin: I would say we run about 5 charges a month, so.

Wayne: They’re not going to bother with you. However they might decide to bother with PayPal. But that’s one of the situations where if they break into PayPal, they’d get credit card numbers out of that. That’s a different problem. And because of the type of card reader you have, again because of the sheer scale, they’re probably not going to bother getting the magstripe information because it’s just not worth their trouble. However, that doesn’t mean they can’t; it just means they probably won’t.

Robin: So basically, as individuals, a) we want to use credit cards rather than ATM or cash cards whenever possible.

Wayne: Yes.

Robin: As merchants, we rely on a fact that we’re tiny, primarily, and if we do have physical card readers, we get the new ones that can handle the chipped cards.

Wayne: If you can, yeah. You have to talk to whoever is your credit card processor because they may not offer those. Not everybody does. However you may also find out if you are a person who travels outside the United States on a regular basis that you’re going to need the ability to handle a credit card with a chip because once you get outside the United States, you may not be able to use it otherwise, especially for things like cash machines, for unattended things like kiosks and so forth, the chip is getting pretty much ubiquitous and pretty much required. If you’re not somebody who goes outside the United States, then it is a different story. The magstripe is going to be here in the US for a while. But I think after the Target situation, you are going to see a change pretty fast.

  • Re:For consumers (Score:4, Insightful)

    by hawguy (1600213) on Thursday January 02, 2014 @04:51PM (#45849789)

    Here's what consumers can do. Simply use cards you preload money on. Walmart has them for $3 for Visa or Mastercard. Costs $3 each time you load funds onto the card (thus it's the same cost to reuse an existing card, or get a completely new one). Only load a couple hundred on the card each month, and if any issues come up, don't reload it and grab a new one next time. It's totally disconnected from your actual accounts in every way, and you mitigate any potential financial loss by only placing relatively small amounts of funds on the card.

    Plus, it's not a "credit" card, so you don't have to worry about going into debt or interest rates.

    Why use your cash to give the credit card company a free loan (and pay them for the privilege)?

    Just use a regular credit card, by law your liability is only $50 for fraud (and I haven't heard of any bank enforcing the $50 limit for fraud reported in a timely manner). Unless you're willing to walk away from your $100 prepaid card without reporting the fraud and requesting a refund, you're not saving yourself any effort by using a prepaid card.

    Never ever let your bank issue you a debit/ATM card that can be used as a credit card - request a PIN-only ATM card instead, and use it as little as possible, using the bank's own ATMs where possible. Why risk letting a thief empty your bank account if they steal your card number? The bank may tell you that they will reimburse you upon reporting fraud, but if you started bouncing checks before you discovered the fraud, will they reimburse you for merchant returned check fees?

  • Re:For consumers (Score:5, Insightful)

    by PvtVoid (1252388) on Thursday January 02, 2014 @04:54PM (#45849825)
    Fees:

    One-time Walmart fee: $3
    Monthly fee: $2
    ATM withdrawal: $2 plus ATM fees
    International ATM withdrawal: $2 plus ATM fees
    ATM balance inquiry: $1
    Replacement card: $3
    Second card: $3
    Foreign purchases: Two percent of total purchase amount in U.S. dollars

    On top of all that, if the card is stolen or hacked, I lose whatever is spent off the card. If my credit card number is stolen, I am not responsible for charges.

    Debit cards are for suckers.
  • Re:Step One (Score:2, Insightful)

    by Anonymous Coward on Thursday January 02, 2014 @05:01PM (#45849949)

    1 - Whaddaya mean "cash only"?
    2 - Fine, I'll go to the ATM and get cash.
    3 - Fuck it, I'm halfway home already, I'll just order it from Amazon.

  • Re:What do I care? (Score:5, Insightful)

    by hawguy (1600213) on Thursday January 02, 2014 @05:07PM (#45850013)

    in this case Target did it for me

    Did they? I was part of an organization who had a CC breach due to our own utter stupidity, we called both the FBI, Visa, and Mastercard and asked them if they wanted the card numbers that were breached ... they didn't give a flying fuck, didn't want to know anything about it. The FBI eventually cared enough to go to the guy's house ... after WE tracked him down for them.

    It wasn't a real breach, the guy just stumbled across an utterly stupid web app storing a massive list of CC #s in a log file that he happened to stumble on by playing with the URL path and going up a few directories ... turned out the guy really was just trying to get his damn purchase to go through.

    So the FBI investigated, found the guy, who claimed that he didn't have fraudulent intent, and the banks decided not to spend thousands of dollars to replace cards that apparently didn't need to be replaced? It's possible that they treat a 40 million card breach differently since that opens them up to much more exposure from fraudulent purchases (in theory, Visa and Mastercard issuing banks don't pay for fraudulent purchases, they charge it back to the merchants, but it's still more work for their customer service reps and they may not be able to recover from all merchants)

    Point to the story however is, Visa and MasterCard both told us to destroy the list of numbers and they wanted nothing to do with it. We of course moved the list off the server and saved it for the FBI, who of course DID want the evidence.

    You're lucky you didn't get a PCI audit and a fine for non-compliance.

    If your CC gets stolen ... you will have to FIGHT to get charges removed unless you live in peter pan land where the fairy can fix it for you.

    I've had 2 credit card numbers stolen -- one was a Visa card and the bank called me about a suspicious $500 charge attempt thousands of miles away. I told them that I didn't attempt that purchase (which they had declined), and they canceled my card and fedex'ed me a new one.

    The other was an Amex card - this one had a series of small $20 - $50 charges. I called Amex to report the fraud, they canceled and reissued my card, I marked the fraudulent charges online and they credited the charges back to me, then they sent me a letter that I had to sign and return to certify that I did not make those charges.

    It could hardly have been any easier.

  • Re:Use cash (Score:5, Insightful)

    by hawguy (1600213) on Thursday January 02, 2014 @05:09PM (#45850031)

    Nothing else needed, why are we even discussing this?

    Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.

    Ever heard of checks?

    Checks are even worse than credit cards - anyone with your account number (which is printed right there on the check, no "secret" CVV code or anything else needed) can use an electronic check (or print his own) to debit direct from your checking account.
