Forgot your password?
typodupeerror
Security Businesses

How to Avoid a Target-Style Credit Card Security Breach (Video) 146

Posted by Roblimo
from the remember-when-cash-was-king? dept.
Wayne Rash has covered IT as a reporter and editor for over 35 years. NPR, Fox Business News, and NBC all call on him as a technology expert. A few weeks ago he had an article on eWeek titled How Target's Credit Card Security Breach Could Have Been Avoided. In this video, Wayne tells how you (or your business) can avoid being targeted by miscreants out to steal credit card data. It turns out that the security measures he advocates for businesses are common in other parts of the world but haven't hit the United States quite yet. But don't despair. There are things you can do right now, as an individual, to limit your potential losses from card number thefts. Still, the long-term fixes to the security vulnerability that bit Target need to be made by merchants and card issuers, some of whom are already transitioning to cards and card readers that use EMV chips, and some of whom aren't quite there yet -- but might speed up their efforts after seeing what happened to Target.

Robin: Wayne, some stores have “target” in their names, such as Target. But what if your business or your online retail operation isn’t a target and doesn’t want to be a target for people stealing your customers’ credit card information. What should we do?

Wayne : Well, I am told that the proper pronunciation for the store’s name according to my daughter is “Tarjay,” I guess, that makes it sound more upscale. The way to avoid being a target for that particular exploit is to not use the magstripe on a person’s credit card. The way to get around that is by using the chip and PIN capabilities, which is available from most credit card companies. They provide a credit card that’s got a little chip in it and they scan that and then you enter a PIN. Sometimes you may end up also signing for it. However, that means that the magstripe information is not available for cloning.

What’s happening with the Target exploit was that people were copying the magstripe as the card was passed through the reader and then using that to build a new cloned credit card, which they then used to go out and buy stuff. With what they call the EMV chip, you can’t clone that. The chip itself is encrypted and even when you get the information off of it, you can’t use it to either make a magstripe or a new card with a chip in it. So that prevents that particular kind of exploit.

Robin: So, really we cardholders have to rely on our card issuer, the bank, the credit union to handle that?

Wayne : Well, you can ask for the chip to be put in your card and if you get one, then you can use that instead of the magstripe in some stores. But you got to have a store that uses that. The readers are available from the credit card clearing companies. Some big retailers, notably Walmart, already have all the readers they need and already have the software in place, and if you present them with a card that’s got the chip in it, they read the chip, not the magstripe.

Robin Miller : How do we know which retailers have that capability and which don’t or can we or do we?

Wayne : You ask. When you go to them say, can you do the chip and PIN or can you read the chip that’s in my card and they can. I went to Walmart the other day to replace some light bulbs and they were able to read the chip that was in my credit card.

Robin: Well on the other side, my wife is a Target fan, I’ll admit and she gets prescriptions there. And she immediately, when she read about this, she went to our credit union. We use a smallish, local, very friendly and low fee credit union. And they told her, don’t worry about it. They said just keep an eye on your account and if you see any weird charges, the charges you or your husband ever made, let us know and we’ll cancel it after the fact. They said that they hadn’t had any of their customers at Grow Federal Financial, none of their customers have been hit yet, and they’ve a lot of Target shoppers, is this the case do you think?

Wayne: Well, obviously, the people who took the credit card numbers took 40 million credit card numbers. There’s a fairly good likelihood they are not going to use all of those magstripe copies that they got. So your chances of getting your number taken and somebody using it to make a cloned credit card are relatively low just because of the sheer numbers involved.

However, there is a couple of things you should remember when you’re using a system like that. One of which is do not use an ATM card to buy things at Target or any other retailer even if you have a good idea that the card reader is not being skimmed because they can take the magstripe information without using the card reader, without changing the card reader, they can do it directly out of the system. So if you are going to use an ATM card, use it in a bank and only at a bank .

Robin: Really, because all we have is a Debit/ATM card.

Wayne: Get a credit card then.

Robin: Okay. I take that back, we have a credit card, we just never use it.

Wayne: Well, a credit card gives you significant legal protection that you don’t have with ATM cards. For example if they find a bogus charge on your ATM card, they will give you the money back eventually. In the meantime, you have no money and you have to wait till they get around to it and it may take them several days to do so. You will get the money back from most banks or credit unions but it may not be right away. So while it’s happening, you’re basically broke.

The credit card on the other hand, those charges ____5:09. There’s federal law that protects you. Even if the bank who issues the credit card won’t protect you, you are still limited by federal law to a loss of no more than $50 and almost every card issuer actually protects you completely. So, even if you only use the card to buy things, well if you pay it off immediately, you’re much safer using a credit card than an ATM card.

Robin: Okay. Our credit union says that they back their ATM/cash cards, same as the credit card that they run through Visa. And they told us not to worry, but this may be just this local out in MacDill Air Force Base in Tampa Credit Union.

Wayne: It may be. And the fact is, is that you are exposing yourself to that kind of a loss. The other thing quite frankly is with an ATM card, you also find yourself subject to periodic brief holds on your money at gas stations.

Robin: Yes.

Wayne: And you don’t have credit cards either.

Robin: Okay. What about from the merchant side? So, assuming I’m a merchant whether online or off, or a combination, aside from getting the newer readers, what can I do to make my customers safe?

Wayne: Well, getting the newer readers is really the most important thing you can do. Nobody is really quite sure at this point how the hackers got into Target. Target’s probably not saying even if they know and right now, they may not know how it happened. So, to some extent, if a big company like Target that presumably has good security, got their credit card readers broken into, it could happen to most anybody.

The biggest thing you can do for your small businesses to feel comfortable is the fact that you’re probably so small that nobody is going to bother with you because they are not going to make enough money off of your 15 customers that day.

Robin: So, being small then is an advantage?

Wayne: Yeah. They’re not going to waste a lot of resources on you because they’re not going to get enough out of you to make it worth the trouble.

Robin: Well, my wife and I have a business that’s our umbrella for writing and she sells some art, but not big We just process everything – a lot of stuff is checks, we just got one today from one of my writing clients, but we run our credit cards through PayPal, we lay off the risk.

Wayne: You’re not using a card reader. You’re just putting the number directly into PayPal.

Robin: That’s correct.

Wayne: And because of that, there is no way for anybody to infect your card reader because you don’t have one.

Robin: Right. But we might get what are those square card readers.

Wayne: The square card readers don’t work with chips. They currently only work with magstripes.

Robin: So, they are vulnerable?

Wayne: Well, theoretically, but remember, there is the issue of scale. Unless somebody broke into PayPal, which could happen, but it’s unlikely, but it could happen – then again Target was probably unlikely also – they’re not going to be able to infect your card reader. They are either going to have to get it from you or they are going to have to get it from PayPal and you’re probably too small to be worth the trouble.

Robin: I would say we run about 5 charges a month, so.

Wayne: They’re not going to bother with you. However they might decide to bother with PayPal. But that’s one of the situations where if they break into PayPal, they’d get credit card numbers out of that. That’s a different problem. And because of the type of card reader you have, again because of the sheer scale, they’re probably not going to bother getting the magstripe information because it’s just not worth their trouble. However, that doesn’t mean they can’t; it just means they probably won’t.

Robin: So basically, as individuals, a) we want to use credit cards rather than ATM or cash cards whenever possible.

Wayne: Yes.

Robin: As merchants, we rely on a fact that we’re tiny, primarily, and if we do have physical card readers, we get the new ones that can handle the chipped cards.

Wayne: If you can, yeah. You have to talk to whoever is your credit card processor because they may not offer those. Not everybody does. However you may also find out if you are a person who travels outside the United States on a regular basis that you’re going to need the ability to handle a credit card with a chip because once you get outside the United States, you may not be able to use it otherwise, especially for things like cash machines, for unattended things like kiosks and so forth, the chip is getting pretty much ubiquitous and pretty much required. If you’re not somebody who goes outside the United States, then it is a different story. The magstripe is going to be here in the US for a while. But I think after the Target situation, you are going to see a change pretty fast.

This discussion has been archived. No new comments can be posted.

How to Avoid a Target-Style Credit Card Security Breach (Video)

Comments Filter:
  • I find paying cash works remarkably well.

    • by Drethon (1445051)
      With the same security a credit card provides if you get mugged?
      • by jedidiah (1196)

        > With the same security a credit card provides if you get mugged?

        Better even. Theft of cash doesn't leave me open to identity theft. While cash represents a fixed amount of loss that will never be recovered, it is a finite amount. I don't have to worry about ALL of my resources being drained. Nor do I have to worry about fighting with banks or credit card issuers or collections agencies to ensure that "security measures" are properly applied.

        • by JeffAtl (1737988)

          Cash can also be seized by law enforcement. That is why it is dangerous to carry around cash to pay for large purchase.

          • by EdIII (1114411)

            That's a danger the government represents through its corruption.

            The only reason a credit card is different is they have lobbyists and can purchase influence. The government may rob a plebe for their cash, but they're not going to mount a full frontal assault on the privileged corporations.

            It's really no different than the risk of being mugged. Actually, it's exactly like the risk of being mugged.

      • by EdIII (1114411)

        I've gone my whole life without being mugged, and that includes time spent in third world countries and dangerous places.

        I would think you should look at the percentages and assess the risk.

        In my case, I've been the victim of credit card fraud about 5 times I think. In the worst case, against my better judgement, I lost around $150 in a PayPal transaction. That was because they are a criminal organization that encourages fraudulent merchants. PayPal doesn't give two shits about the consumer and the lack of

        • by plopez (54068)

          Not just the government monitoring you. I can see insurance companies data mining you and rejecting your application for car, or health, insurance because you occasionally use a credit card at a liquor store. Or increasing your rates.

          • by EdIII (1114411)

            And doing it while completely denying that they are ever doing anything like that.

            They would be so compelled to do it because of how accurate their risk models would get, that I doubt that they don't. Even in the face of stiff federal laws.

            Those risk models represent billions or perhaps trillions of dollars in premiums for the industry along with competitive advantages.

            It's not just control over people that comes with violating privacy. Huge economic gains as well.

        • I have never understood why anybody would spend more than about 5 seconds mulling it over before coming to the conclusion that PayPal is a huge scam and has been since Day 1.

        • by aaarrrgggh (9205)

          I would suggest you look at it from a broader economic perspective: how much do you spend per year in credit card transactions? Divide by 50. For you, how much do the credit card transaction fees (albeit paid by merchant) compare against the costs associated with cash?

          For me, i spend well over $50k per year on credit cards, and would have to say that cash has about a 50% transaction cost advantage, although the merchant sees 75% of that unless I am able to bargain better.

          With things like airfare though, i

    • If you want to be some sort of 19th century peasant.

      • by jedidiah (1196)

        It also works equally well if you want to be some sort of 19th century merchant or landlord.

        • The peasant wasn't intended as classism but I was looking for a term of summary dismissal that didn't imply stupidity. I felt like there might have been a better choice, but I couldn't come up with one.

    • by DutchSter (150891)

      I can and do pay cash for a lot of things. But I use my credit card whenever it's convenient to me. It's a question of utility. My credit card was among those swept up in the Target breach. My hassle consisted of two days without said credit card and having to sign a form and mail it back.

      No liability, no problems. If I lose cash that's on me baby.

      Other than for some altruistic "for the greater good because merchants just pass down the cost of fraud to their customers" why should I care? I mean, serio

      • by EdIII (1114411)

        So I ask again, if I bust my ass and Initech saves a few units, I don't see another dime, so what's in it for me?

        You get to work with Michael Bolton?

      • A study conducted by the Wall Street Journal six months later found that despite merchants generating substantial savings from the interchange fees being cut virtually none of it made its way back to the consumers

        That seems implausible, publishing results of a study just six months after the fees were capped would be really hard to do with any sort of rigor. First there is an awful lot of inertia in the system, I wouldn't be surprised if the effects were just starting to trickle down six months in. Then I have to wonder about their methodology, which merchants would volunteer this information?

        I did a search on the wsj.com website for "interchange fees" and while there were a lot of articles, I couldn't pick out

  • Here's what consumers can do. Simply use cards you preload money on. Walmart has them for $3 for Visa or Mastercard. Costs $3 each time you load funds onto the card (thus it's the same cost to reuse an existing card, or get a completely new one). Only load a couple hundred on the card each month, and if any issues come up, don't reload it and grab a new one next time. It's totally disconnected from your actual accounts in every way, and you mitigate any potential financial loss by only placing relative

    • Re:For consumers (Score:4, Insightful)

      by hawguy (1600213) on Thursday January 02, 2014 @04:51PM (#45849789)

      Here's what consumers can do. Simply use cards you preload money on. Walmart has them for $3 for Visa or Mastercard. Costs $3 each time you load funds onto the card (thus it's the same cost to reuse an existing card, or get a completely new one). Only load a couple hundred on the card each month, and if any issues come up, don't reload it and grab a new one next time. It's totally disconnected from your actual accounts in every way, and you mitigate any potential financial loss by only placing relatively small amounts of funds on the card.

      Plus, it's not a "credit" card, so you don't have to worry about going into debt or interest rates.

      Why use your cash to give the credit card company a free loan (and pay them for the privilege)?

      Just use a regular credit card, by law your liability is only $50 for fraud (and I haven't heard of any bank enforcing the $50 limit for fraud reported in a timely manner). Unless you're willing to walk away from your $100 prepaid card without reporting the fraud and requesting a refund, you're not saving yourself any effort by using a prepaid card.

      Never ever let your bank issue you a debit/ATM card that can be used as a credit card - request a PIN-only ATM card instead, and use it as little as possible, using the Bank's own ATM's where possible. Why risk letting a thief empty your bank account if they steal your card number? The bank may tell you that they will reimburse you upon reporting fraud, but if you started bouncing checks before you discovered the fraud, will they reimburse you for merchant returned check fees?

      • Re: (Score:3, Interesting)

        Also, always use a backup card when traveling to higher fraud areas. We vacation in Mexico regularly, for a while every time I went I would get hit with fraudulent charges after getting home. I switched to using one of our backup credit cards while on the trip, then calling the bank when I got home. I would tell them that I was traveling and suspect that my number might have been compromised. They have been more than happy to cancel my old number and reissue me a new one. A few days later I had a new card
    • Re:For consumers (Score:5, Insightful)

      by PvtVoid (1252388) on Thursday January 02, 2014 @04:54PM (#45849825)
      Fees [toptenreviews.com]:

      One-time Walmart fee: $3
      Montly fee: $2
      ATM withdrawal: $2 plus ATM fees
      International ATM withdrawal: $2 plus ATM fees
      ATM balance inquiry: $1
      Replacement card: $3
      Second card: $3
      Foreign purchases: Two percent of total purchase amount in U.S. dollars

      On top of all that, if the card is stolen or hacked, I lose whatever is spent off the card. If my credit card number is stolen, I am not responsible for charges.

      Debit cards are for suckers.
      • by Dan East (318230)

        Then don't use it at an ATM. I use my card for online purchases and POS. As I said, it's $3 for a new card, whether that's a replacement or second card or whatever. There is no monthly fee depending on how much you load onto the card each month.

        Oh, and how anonymous are you using your credit card, which is as intimately and personally attached to you as any financial instrument can be? With a preloaded card you slap down cash to load the card, and that's it. Next time you just use a new card for the sam

        • by hawguy (1600213)

          Then don't use it at an ATM. I use my card for online purchases and POS. As I said, it's $3 for a new card, whether that's a replacement or second card or whatever. There is no monthly fee depending on how much you load onto the card each month.

          Oh, and how anonymous are you using your credit card, which is as intimately and personally attached to you as any financial instrument can be? With a preloaded card you slap down cash to load the card, and that's it. Next time you just use a new card for the same price.

          Debit cards are most certainly not for "suckers". It's like any other tool. Use it intelligently based on its strengths and weaknesses.

          There is a decreasing likelyhood of anonymity with any face to face transaction -- with facial recognition cameras (ostensibly to "prevent fraud", but also a valuable marketing tool), merchants will be able to uniquely identify you when you walk in the store (not just when you make a purchase), and can identify you even if you use a different card number every time you shop. That information is very valuable to them, that's why Safeway will "give" you a 10 - 20% discount when you swipe your safeway card.

          • by EdIII (1114411)

            The anonymity attribute only applies to online transactions. Not physical ones, even if you refuse the discount. You have to find a kid or teenager and pay them more to go get it for you.

            For certain categories of online purchases those prepaid are just not working anymore. I have not seen a single purchase go through PayPal lately with a prepaid card. That's even if you "register" information against the prepaid card and lie about the info.

            The government worked damn hard to close that loophole apparently an

      • by Moses48 (1849872)

        My debit card is insured like my credit card. My bank has no ATM fees pays others ATM fees for me (up to a certain amount per month). There are always companies that will screw you, but don't throw the baby out with the bathwater.

        • by hawguy (1600213)

          My debit card is insured like my credit card. My bank has no ATM fees pays others ATM fees for me (up to a certain amount per month). There are always companies that will screw you, but don't throw the baby out with the bathwater.

          Well, it's *almost* the same as a credit card. The difference is that if someone steals your debit card and makes $500 in fraudulent purchases, that $500 comes out of your checking account -- possibly the same $500 that you had left in the account to pay your rent. So your rent check bounces, the landlord charges you a $20 returned check fee, a $50 late fee, and requires you to pay via cashiers check for the next 3 months.

          And read the fine print in your statement every month and keep an eye on the online t

          • Depends on the card issuer. Our credit union (Grow Financial, Tampa FL) issues Visa debit cards under the "Visa Zero Liability" policy, so we are not liable for any theft- or fraud-based charges. They just reiterated this policy in a letter we got today telling us they're replacing my wife's card due to Target charges on it "just in case." My card? I haven't charged anything at Target in many months, so no prob - and my card expires and is due for replacement next month, anyway.

            • by hawguy (1600213)

              Depends on the card issuer. Our credit union (Grow Financial, Tampa FL) issues Visa debit cards under the "Visa Zero Liability" policy, so we are not liable for any theft- or fraud-based charges. They just reiterated this policy in a letter we got today telling us they're replacing my wife's card due to Target charges on it "just in case." My card? I haven't charged anything at Target in many months, so no prob - and my card expires and is due for replacement next month, anyway.

              Make sure you read the fine print. Visa's policy (though your issuer's may) doesn't apply to PIN transactions so if a skimmer captures your card number and PIN, you may find that you're not covered. Also the policy allows up to 5 days to credit the funds to your account, which could be a long time to wait if your checking account was drained and you have bills to pay. And, I couldn't find anything in the policy that says they will cover secondary charges like bounced check fees, etc.

    • Here's what consumers can do. Simply use cards you preload money on. Walmart has them for $3 for Visa or Mastercard. Costs $3 each time you load funds onto the card (thus it's the same cost to reuse an existing card, or get a completely new one). Only load a couple hundred on the card each month, and if any issues come up, don't reload it and grab a new one next time. It's totally disconnected from your actual accounts in every way, and you mitigate any potential financial loss by only placing relatively small amounts of funds on the card.

      Plus, it's not a "credit" card, so you don't have to worry about going into debt or interest rates.

      At three dollars a reload, you're paying quite a premium to load a card with two-hundred bucks at a time. Even in absolute terms, $36/year is a substantial fraction of the $50 worst-case liability limit you might get hit with if your credit card was compromised. Also, using pre-loaded cards (or bank debit cards) for gas purchases can be a hassle (or worse) when they sometimes hold $100 or so until your purchase transaction is finalized -- a process that could take days.

      It may be an effective spending limite

    • by tiberus (258517)
      You only have to worry amount the monthly fees and losing your money. While YMMV, I don't have to worry about losing funds (the pre-paids I've used don't offer refunds of lost/stolen funds) and the monthly fees (pay your CC off monthly and no interest, again YMMV) seem to be high. It's also still connected to you and your connected to your accounts, so it's only disconnected in the sense that it doesn't directly contain you other account information. Seems the costs are borne by the issuer and vendors (w
  • What do I care? (Score:5, Informative)

    by cayenne8 (626475) on Thursday January 02, 2014 @04:41PM (#45849647) Homepage Journal
    It isn't like I'm going to lose any money if I get a CC stolen. I just call it in (in this case Target did it for me)...and they and the banks take the hit, doesn't affect me.

    Why don't they just go back to having to have the physical card, take an imprint of it at the register manually, and help track the usage at the stores that way?

    • by bloodhawk (813939)
      of course you are losing money because of it. Directly through wasted time in checking statements and potentially getting a new card and indirectly through the increased costs of insurance and cleanup costs all which end up added to the costs of the goods they sell.
  • I could have sworn a number of hacks against contactless credit cards have been demonstrated?

    How does it protect against inadvertent charges or someone copying data off the cards in my wallet by waving a reader near my wallet?

    • by icebike (68054)

      It isn't the contact-less cards that are being proposed here.
      Its the cards with smart chips built in, unlike those with mere NFC chips that you see in the US.

      While traveling in the EU, we were advised by our bank to use a chip card, which they provided to us for nothing.
      Image: http://www.mastercard.com/au/personal/en/images/Chip%20Card.jpg [mastercard.com]

      The only difference here is that the chip on the card can validate the reader, and transmits data encrypted, so the entire transaction takes place encrypted from your card

      • My American family spent about a week in Canada and never once had our card merely swiped - every single terminal was a push-click chip-n-pin setup. They looked at us funny when we said nobody in America uses them yet. But it still worked with our non-chip cards. So apparently while all the terminals are chip-n-pin, they don'all have to ACT like it all the time.

        • by icebike (68054)

          Probably in Canada they are still in the change-over period, where they have to be able to handle both types of cards.
          In the EU, we were told most places don't have the ability to take the Mag stipe only cards at all any more.
          Further, almost all restaurant transactions were completed at our table with portable readers, and the card never left our sight.

          Its not like this requires totally new technology. The mag stripe could simply be encrypted, and the terminals reprogrammed to send it encrypted. However,

          • by compro01 (777531)

            Probably in Canada they are still in the change-over period, where they have to be able to handle both types of cards.

            Yes. I think the swipe-only capability is supposed to go away entirely by 2016.

        • by compro01 (777531)

          My American family spent about a week in Canada and never once had our card merely swiped - every single terminal was a push-click chip-n-pin setup. They looked at us funny when we said nobody in America uses them yet. But it still worked with our non-chip cards. So apparently while all the terminals are chip-n-pin, they don'all have to ACT like it all the time.

          Yeah, backwards comparability. The strip will only work if the card doesn't have a chip (e.g. American cards) or the terminal isn't capable of using a chip (usually very new businesses that don't have chip capability set up yet).

          I think I've swipped my card maybe twice in the past year.

        • by xaxa (988988)

          The UK was one of the first countries to change to EMV (Chip+PIN), almost everyone had chip cards by mid 2005.

          Most shops still have terminals that accept swipe cards, although unless it's a place popular with (American) tourists the staff might not be willing to swipe a card. (It depends on the risk, since the shop takes the loss on fraudulent swipe transactions, but the bank covers fraudulent PIN ones.)

          (Most machines etc only accept chip cards.)

    • A number of hacks against non-contactless chip-and-pin cards have been demonstrated, and I would be suspicious of any claim that the contactless ones are more secure. Search for 'chip and pin is broken' for details of the exploits, and also a number of self-serving non-sequiturs supposedly justifying the issuers' inaction over the issue (for example, 'the protocol is sound', as if consumers can choose to use a sound implementation, and 'the exploit is too difficult in practice' despite good evidence that i

  • website security (Score:5, Interesting)

    by gbjbaanb (229885) on Thursday January 02, 2014 @04:47PM (#45849721)

    ... is all about DB security, simply do not allow any access to the DB from the webserver at all. Assume your webserver is already compromised and build from there, is not difficult to do.

    Last place I worked, my boss had a pet website thing written in the usual way - client web code running on the web server that directly read DB tables. When he told the admin guys to put it live they told him they couldn't - there wasn't access to the DB from the webserver, so he told them to "just punch a hole in the firewall"... and they told him there was no firewall. There was no physical cabling between these servers.

    That's the way to do it. you always go through a middle box, and you create an API on that middle tier that your web code can access, and that is tightly locked down. Then you also expose your DB as an API (via stored procedures) that only the middle tier can access.

    Then, if (ha! when) someone hacks your web server, all they can do is call the API methods on the middle tier, and even if they manage to hack the middle tier too, all they can do is call the DB API methods. None of those methods will have a routine that returns more than 1 CC data, at best.

    This stuff isn't hard, but requires a little more discipline than web devs are used to. It also requires that the only code you run on the web server is presentation stuff, no slapping it all on there like most code and frameworks guide you into doing.

    • ... is all about DB security, simply do not allow any access to the DB from the webserver at all. Assume your webserver is already compromised and build from there, is not difficult to do.

      If you assume your webserver is compromised do you think it is a good idea to be entering credit card numbers into it?

      That's the way to do it. you always go through a middle box, and you create an API on that middle tier that your web code can access, and that is tightly locked down. Then you also expose your DB as an API (via stored procedures) that only the middle tier can access.

      Compromise of *any* tier still results in an unacceptable breach. While access might be curtailed your still screwed.

      Then, if (ha! when) someone hacks your web server, all they can do is call the API methods on the middle tier, and even if they manage to hack the middle tier too, all they can do is call the DB API methods. None of those methods will have a routine that returns more than 1 CC data, at best.

      Until someone hacks your web server and configures it to exfils every credit card number it ever dealt with from then on.

      This stuff isn't hard, but requires a little more discipline than web devs are used to. It also requires that the only code you run on the web server is presentation stuff, no slapping it all on there like most code and frameworks guide you into doing.

      My own opinion with regards to non-physical presence is PayPal is the correct model and CC need to be phased out entirely. Security problems mostly evap

    • by guruevi (827432)

      How about not storing CC data AT ALL. You don't need the full number unless you are your own payment processor, you're required to ask for the 3 digit number every time (you're not allowed to store it).

      The only reason you would store full numbers with all the info attached is for batch processing... or if you don't know what you're doing which simply means you're not prepared for peak demand.

      As far as API's - SQL is already an API, Prepared Statements should do everything you require, decent db login manage

      • by gbjbaanb (229885)

        at the last place I worked the middle tier didn't have select access to the DB either - only execute. That way it was easier to control all access to the DB. It had other benefits in terms of being able to restructure the DB if we wanted, and to keep the SQL in 1 place. In a way its exactly like your prepared statements idea, only it adds an additional layers of security by hiding and controlling those SQL statements.

        As for not storing CC data, well this place stored a lot more than that! Sometimes you have

    • Target broke several cardinal rules. Not only was the DB accessible, they were storing PIN numbers in addition to card data.

      The whole point of PCI is to control what and who can access the Database, Encrypt the Database, and separate data into different databases so that if you get a single DB server hacked a hacker does not have everything needed to commit fraud. Target admitted to storing PIN numbers (wholly fuck you have to be kidding me) in addition to having no separation to the DB as well as direct

      • by hibiki_r (649814)

        There are uses for storing credit card numbers longer than the transaction: Plenty of very big online retailers do it. Now, the issue is that if you do store said numbers, you better take it very seriously: What I've seen done is encryption keys that are rotated often, and who are stored encrypted in the database. That 'key to the keys' was never actually stored in the DB: It only existed in memory, and generated using a shared secret scheme, so no single person had access to said key.

        When we tried to penet

        • by s.petry (762400)
          If you are storing passed the duration of the transaction the Database should be off line and inaccessible. That is common sense for anyone that worked in compliance and security.
  • by msobkow (48369)

    Pay cash. Drive them crazy. Make them count instead of swipe.

  • by guanxi (216397) on Thursday January 02, 2014 @04:53PM (#45849813)

    Could someone explain how EMV chips work, especially,

    1) If every consumer and retailer in the world will be able to utilize them to process purchases, how can we stop people from using the same devices fraudulently? If the answer is that they use a PIN, then why not use the old mag-stripes with a PIN?

    2) Is anything stored on them besides payment data, such as other personal data? In addition to a payment mechanism, is it also yet another way to track and collect information about people? Could other data potentially be stored on them?

    3) Is wireless necessary or even a good idea? Why not require contact with the credit card machine?

    • by Enderxeno (1331501) on Thursday January 02, 2014 @05:01PM (#45849941)
      The reason EMV is better is because the chip allows you to sign the transaction datagram before it is sent to the bank. The chip stores the specific cards signing cert and it can't be accessed, every time there is a transaction, the pin pad sends the transaction info to the card which encodes and signs it then it is sent to the processor. NFC and other tap transactions are just as safe because even if you intercept the info you can capture the signing cert and can't duplicate the transaction.
      • by guanxi (216397)

        Thanks, that makes sense.

        The chip stores the specific cards signing cert and it can't be accessed

        Hmmm ... given the amount of money involved, doesn't it seem likely that methods for breaking the security are already known?

    • by ADRA (37398) on Thursday January 02, 2014 @05:25PM (#45850185)

      1. The card readers still have to make it to a compatible merchant services provider, so not usable everywhere. In Canada, its pretty rare for any small to large service providers not providing readers for chip cards. Only really little merch's that accept square or paypal haven't made the switch, or some big box american stores who's unified infrastructure apparently makes this too hard for the effort.

      2. The chip is a digest encryptor to my knowledge. I don't know if anything besides the merch and most likely an account number are on the card unencrypted (or should be anyways), but yes, any and everything usable to track people's unique info can and will be used to track you. That is a 'freedom' long lost.

      3. Wireless can be an issue (my Android phone's NFC pings when its laying on the wallet) but realistically, all companies supporting wireless transactions support VERY LOW payment methods, like $50 and most likely rejecting duplicate purchases. I bought movie tickets yesterday with pay wave and I then went to the popcorn stand and waved again. The second time, it required chip usage, so there's probably logic to cap the potential losses of fraudulent wireless payment charges.

  • by Rich0 (548339) on Thursday January 02, 2014 @05:04PM (#45849967) Homepage

    Anybody with even a minute knowledge of cryptography/security/etc could predict all the problems the payment card industry is having. 95% of the issues are derived from using an account number as a shared secret, and then sharing it with half the planet.

    A secure system would not be that difficult to design or operate. Have the POS terminal generate a CSR containing the vendor name, date, amount of transaction, and a unique transaction ID. That gets transmitted to the customer's payment terminal, which they carry with them. The terminal decodes the CSR and displays the amount, etc on the screen in a standard presentation for the customer's approval. They hit approve and enter their PIN, which is typed onto the terminal itself. The device then generates a certificate including the users's account number, timestamp, and another unique ID. The terminal transmits this to the POS terminal, which then transmits it to the bank. The bank verifies the certificate and performs the transaction, and issues a certificate against the whole thing back to the vendor.

    Such a system could only be spoofed if the terminal and PIN are stolen and used prior to a report of theft, or if the private key embedded in the terminal were extracted. The latter would be extremely difficult - modern TPMs are very difficult to break into. The PIN and key never leave the device, and the user only interacts with a device whose integrity they have control over. The POS can't display one transaction on the screen and apply the user's signature to another, the POS can't store keys/PINs/etc, and so on. The system is also immune to replay attacks - if you authorize one transaction you'll never be billed for two. The protocol could of course be extended to allow for recurring payments. The payment terminal could have a USB port for easy use with online purchases, and could have a modem for phone purchases (just hold the thing up to the earpiece and then microphone - no need for a 2-way handshake for either transmission).

    Sure, that little terminal would cost more than a plastic card, but a single terminal could store credentials for many accounts, and probably would cost less than $100. It doesn't need a fancy color touchscreen - a 1990s LCD display and a 12-key keypad would be plenty.

    • by plover (150551)

      You just (sort of) described the VASCO DIGIPASS readers. They're given away by the banks to their customers, and cost less than $20 apiece. The user inserts their card into their own reader. The reader is nothing more than a battery, LCD and 10-key pad the user can trust. Because the user carries it with him or her, they can trust there's no PIN skimmer they have to worry about. And because it's a sealed device, with no data ports and no USB connections, there is not a way for malware to corrupt it.

      The

      • by Rich0 (548339)

        In an ideal world the user really needs to associate the token with the merchant they're buying from, and that turns out to be very hard. Just posting a sign that says "Here's a 14 digit merchant number you should enter" proves very little. An attacker could place their own sticker on the sign, or display their own 14 digit number on a hacked web site. A barcode is not much good either, because an ordinary human isn't capable of verifying that the stripes actually say "Friendly Store" instead of "Evil Hackers".

        While I agree that it is more complex, these problems at least are solved in my proposed solution. The only thing the user enters is a PIN to confirm the transaction. The device communicates digitally with the POS terminal to get all the transaction details (this could happen in many ways, but would be unidirectional). The POS's merchant identity could be protected by a certificate as well, so if your terminal says that you're paying "Acme Co" then they managed to obtain a certificate for "Acme Co" from

  • How about protection for online purchases (which doesn't involve a credit card terminal hooked up to my computer) since I don't want to deal with drivers or other setup to make it work.

    Maybe something as simple as a time-based rotating 4 or 5 digit code (similar to an RSA token) that I type in when I make a transaction (whether online or at a merchant). Lock the card after the wrong code is entered 5 times in a row to prevent brute forcing.

    • by xaxa (988988)

      In much of Europe online banking transactions can be authenticated with a battery powered reader like this: http://fstop57.com/freshstock/wp-content/uploads/2012/07/stock-photo-online-banking-6526.jpg [fstop57.com] . Most banks, as far as I know, only use them for online banking.

      I'm not sure it's a good idea to use the same device to verify purchases. If they did, then how would you prevent a fraudulent website from collecting the one-time-code generated and using it to authenticate a banking transaction? (Remembering

      • by hawguy (1600213)

        In much of Europe online banking transactions can be authenticated with a battery powered reader like this: http://fstop57.com/freshstock/wp-content/uploads/2012/07/stock-photo-online-banking-6526.jpg [fstop57.com] . Most banks, as far as I know, only use them for online banking.

        I'm not sure it's a good idea to use the same device to verify purchases. If they did, then how would you prevent a fraudulent website from collecting the one-time-code generated and using it to authenticate a banking transaction? (Remembering that users aren't very good at following instructions.)

        Interesting -- once again Europe is way ahead of the USA in credit card fraud protection.

        Seems like it would be a natural extension to allow the user to enter the amount of the transaction for purhchase transactions and use that as a part of the PIN generation. So a token generated for a €25 purchase could only be used to authenticate a €25 purchase transaction and the merchant couldn't use it to authenticate an online banking session or change it into a €250 purchase.

        • by xaxa (988988)

          That's a good idea.

          The three banks I've used all incorporated part of the receiving bank's account number into the token that must be input into the reader, which wouldn't help for online shopping. Wikipedia: http://en.wikipedia.org/wiki/Chip_Authentication_Program [wikipedia.org] suggests what you suggest is implemented. (And also that it's Sweden and the UK that have this, so my generalisation to all of Europe from my personal experience might be wrong -- those are the two countries I have/had accounts in.)

          At the momen

  • The commenters on the eweek article point out that EMV would not have prevented the problem Target had. (I didn't see any video though.)

    The relevant comments:

    GWsaid on January 2, 2014 12:43 pm
    ...The security breach happened most likely because the data was unencrypted as it crossed from the terminal to the register. What is needed is encryption that happens at the terminal.

    Shawn Ackersaid on December 25, 2013 10:16 pm
    Your article makes a number of good points regarding EMV. However, EMV chipped cards don't force the data to be encrypted as it leaves the PIN Pad. In fact much of the data including the PAN(Card #), Expiration date, etc. is by default sent unencrypted and may be captured during transmission over the merchants network. But, it would be next to impossible to reproduce an EMV card unlike magstripe. This would prevent the in person fraud occurring as a result of the Target breach.

  • Yet another simplistic "smart cards would have prevented..." article. Do we really believe these glib summaries from MSM "Experts"? Will we simply accept the premise?

    Time for a reality check. In an earlier thread after the breach, there was an entry from a @girlintraining that was at minimum though-provoking, and arguably much more credible than a lot of the puff pieces on offer. Take a moment and read it:

    http://yro.slashdot.org/comments.pl?sid=4574335&cid=45733709 [slashdot.org]

    A conspiracy theory, for sure.

  • I love how commentators come out of the woodwork after a breach to say how they would have stopped that particular event...after the event has happened, and especially after the full details have come out. The problem, of course, is that the actual defenders don't know how the attack will come, where it will come from, or when it will happen. I think it's particularly noteworthy that even after the fact, it took this guy weeks to come out with his suggestion, as single-minded as it is. Weak.

    The premise t

  • "When thieves broke into the point-of-sale (POS) system at Target, they stole the data from the magnetic stripe on the back of credit and debit cards."

    At the time. there were chipped solutions but the banks chose to go with magnetic stripes as it was the cheaper solution, this made it easy to steal the data and to replicate the cards.
  • The 3 digit security code, expiration date and the account holder name is not on the magstripe. Since those got stolen too, we know it's a database that got ripped from a computer system. A database that should not have existed, since it's illegal for anyone processing card data to store the 3 digit security code. Assuming this is because of a magstripe skimming device in *every* Target store card reading device at the same time is just not logical at all.

There is hardly a thing in the world that some man can not make a little worse and sell a little cheaper.

Working...