Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

How to Avoid a Target-Style Credit Card Security Breach (Video)

Roblimo posted about 7 months ago | from the remember-when-cash-was-king? dept.

Security 146

Wayne Rash has covered IT as a reporter and editor for over 35 years. NPR, Fox Business News, and NBC all call on him as a technology expert. A few weeks ago he had an article on eWeek titled How Target's Credit Card Security Breach Could Have Been Avoided. In this video, Wayne tells how you (or your business) can avoid being targeted by miscreants out to steal credit card data. It turns out that the security measures he advocates for businesses are common in other parts of the world but haven't hit the United States quite yet. But don't despair. There are things you can do right now, as an individual, to limit your potential losses from card number thefts. Still, the long-term fixes to the security vulnerability that bit Target need to be made by merchants and card issuers, some of whom are already transitioning to cards and card readers that use EMV chips, and some of whom aren't quite there yet -- but might speed up their efforts after seeing what happened to Target.

cancel ×

146 comments

BITCOIN (-1)

Anonymous Coward | about 7 months ago | (#45849577)

BITCOIN !!!!

Re:BITCOIN (1)

Drethon (1445051) | about 7 months ago | (#45849673)

Yeah, perfectly safe: http://www.forbes.com/sites/erikamorphy/2013/12/31/with-bitcoin-in-your-pocket-is-your-identity-finally-safe/ [forbes.com]

“Due to the anonymized/cryptographic nature of the currency, it is almost impossible to track whether an individual has experienced a theft or loss due to other reasons–malware, a corrupt “wallet” which is stored on your hard drive, etc–and it’s especially difficult to determine with any accuracy where the stolen currency might have gone once ‘stolen’”

Re:BITCOIN (1)

PPH (736903) | about 7 months ago | (#45849835)

In that case, use Dogecoin [dogecoin.com] . They may still steal your money, but not without Shiba bite-marks on their ass.

Wow. Such money. Much volatile. Very safety.

Re:BITCOIN (1)

Drethon (1445051) | about 7 months ago | (#45849953)

Re:BITCOIN (1)

jandrese (485) | about 7 months ago | (#45850383)

Why do you have a picture of Jamie from Mythbusters?

way to much volatility in that (1)

Joe_Dragon (2206452) | about 7 months ago | (#45849771)

way to much volatility in that

Step One (0)

Anonymous Coward | about 7 months ago | (#45849601)

1 - Only accept cash.
2 - Don't collect names or other contact info.
3 - Remember how well this worded since the beginning of commerce.

Re:Step One (1)

Koby77 (992785) | about 7 months ago | (#45849861)

The basis for accepting plastic is the card companies can demonstrate to the merchants that they generate more profit when used. You are opposing a mighty and powerful force by advocating the use of cash only, my friend.

Re:Step One (2, Insightful)

Anonymous Coward | about 7 months ago | (#45849949)

1 - Whaddaya mean "cash only"?
2 - Fine, I'll go the the ATM and get cash.
3 - Fuck it, I'm halfway home already, I'll just order it from Amazon.

Re:Step One (1)

Soluzar (1957050) | about 7 months ago | (#45850083)

There are only a very limited number of needs for which I will stand the inconvenience of using cash. I'm literally never carrying any, unless I'm on my way to a bar, or some other pre-meditated cash use.

drinkypoo is a fat faggot (-1)

Anonymous Coward | about 7 months ago | (#45849609)

drinkypoo [slashdot.org] is a disgusting, smelly, fat slob. He has never had sex and he still lives with his mother. No woman would ever want him unless they are disgustingly fat too. Anybody, even Justin Bieber, could kick his obese, flabby, gelatin-like ass.

I tracked down this picture of drinkypoo [ytimg.com]

Avoiding credit card breaches? (1)

Chris Mattern (191822) | about 7 months ago | (#45849611)

I find paying cash works remarkably well.

Re:Avoiding credit card breaches? (2)

Drethon (1445051) | about 7 months ago | (#45849697)

With the same security a credit card provides if you get mugged?

Re:Avoiding credit card breaches? (1)

jedidiah (1196) | about 7 months ago | (#45849881)

> With the same security a credit card provides if you get mugged?

Better even. Theft of cash doesn't leave me open to identity theft. While cash represents a fixed amount of loss that will never be recovered, it is a finite amount. I don't have to worry about ALL of my resources being drained. Nor do I have to worry about fighting with banks or credit card issuers or collections agencies to ensure that "security measures" are properly applied.

Re:Avoiding credit card breaches? (1)

RightSaidFred99 (874576) | about 7 months ago | (#45850077)

Yes, because it's 1987 and you'll be personally stuck with the losses incurred by identity theft.

Re:Avoiding credit card breaches? (0)

Anonymous Coward | about 7 months ago | (#45851015)

Yes, because it's 1987 and you'll be personally stuck with the losses incurred by identity theft.

It's really not difficult to get someone to give you their PIN number for the ATM when you have a gun.

Re:Avoiding credit card breaches? (1)

JeffAtl (1737988) | about 7 months ago | (#45850169)

Cash can also be seized by law enforcement. That is why it is dangerous to carry around cash to pay for large purchase.

Re:Avoiding credit card breaches? (2)

EdIII (1114411) | about 7 months ago | (#45850297)

That's a danger the government represents through its corruption.

The only reason a credit card is different is they have lobbyists and can purchase influence. The government may rob a plebe for their cash, but they're not going to mount a full frontal assault on the privileged corporations.

It's really no different than the risk of being mugged. Actually, it's exactly like the risk of being mugged.

Re:Avoiding credit card breaches? (1)

EdIII (1114411) | about 7 months ago | (#45850389)

I've gone my whole life without being mugged, and that includes time spent in third world countries and dangerous places.

I would think you should look at the percentages and assess the risk.

In my case, I've been the victim of credit card fraud about 5 times I think. In the worst case, against my better judgement, I lost around $150 in a PayPal transaction. That was because they are a criminal organization that encourages fraudulent merchants. PayPal doesn't give two shits about the consumer and the lack of regulation allows them to be extra shitty.

In all the other cases, the bank made it quite easy for me to get my money back.

OTOH, I've actually lost a couple hundred dollars over the years simply by dropping money, flying away in the wind, and losing my wallet.

It's really about the same risk for me when I look at all the incidents together.

P.S - All of that being said, I lean towards cash so the government can't review my purchases and further categorize me into their "subversive" categories.

Re:Avoiding credit card breaches? (1)

plopez (54068) | about 7 months ago | (#45850961)

Not just the government monitoring you. I can see insurance companies data mining you and rejecting your application for car, or health, insurance because you occasionally use a credit card at a liquor store. Or increasing your rates.

Re:Avoiding credit card breaches? (1)

Gordon Baldwin (3483065) | about 7 months ago | (#45849723)

I find it doesn't. I have to pre plan what I'm going to need, then make sure I go by a cash machine that doesn't charge me extra. I don't want to carry too much, because I lose my wallet it is gone. I can't order on-line easily. major hassle. If my credit card gets stolen, I call the bank and owe nothing and switch to a backup card until a replacement arrives. minor hassle.

Re:Avoiding credit card breaches? (1)

cusco (717999) | about 7 months ago | (#45850111)

We take X-amount of money out of the cash machine every Friday. If we have money left on Thursday we know we've stayed under budget. If we need more cash we know where we spent it and what on, since it's unusual. Since we belong to a credit union rather than a bank there's no issue with finding no-fee machines.

We tried using mostly credit cards for a while, but neither of us could really tell how much we were spending on a weekly or monthly basis. The last time I lost my wallet was in the 1990s, and it turned up inside the couch a few months later.

We have one credit card which we use mostly to buy airline tickets or things online, and which we pay off in full pretty much every month. Some small portion of my purchases goes to the Planetary Society. It had to be reissued once, when someone stole the stupid "courtesy checks" out of the mailbox and tried to pay a bill with it. Since we had cash it was just an annoyance, not an inconvenience.

Re:Avoiding credit card breaches? (1)

EdIII (1114411) | about 7 months ago | (#45850449)

I never found that credit unions eliminated ATM fees. Sometimes the fee comes from the ATM operator themselves, which means that the credit union would need to compensate you for it.

It's pretty cool that you don't have the fees, but I'm not sure that's universal.

Budget wise, it's a good process that you have.

Re:Avoiding credit card breaches? (1)

cusco (717999) | about 7 months ago | (#45850511)

Almost all credit unions belong to the same network, so I can withdraw money from my Seattle credit union account from some random credit union ATM in Michigan or Hawaii for no charge. As an additional benefit, international withdrawals are cheaper (by half) than any of the bank accounts we've had.

Re:Avoiding credit card breaches? (1)

Jah-Wren Ryel (80510) | about 7 months ago | (#45850849)

Yes, roughly 30,000 fee-free ATMS.

http://co-opatm.org/ [co-opatm.org]

Re:Avoiding credit card breaches? (1)

i kan reed (749298) | about 7 months ago | (#45849775)

If you want to be some sort of 19th century peasant.

Re:Avoiding credit card breaches? (1)

jedidiah (1196) | about 7 months ago | (#45849909)

It also works equally well if you want to be some sort of 19th century merchant or landlord.

Re:Avoiding credit card breaches? (1)

i kan reed (749298) | about 7 months ago | (#45850323)

The peasant wasn't intended as classism but I was looking for a term of summary dismissal that didn't imply stupidity. I felt like there might have been a better choice, but I couldn't come up with one.

Re:Avoiding credit card breaches? (1)

DutchSter (150891) | about 7 months ago | (#45849907)

I can and do pay cash for a lot of things. But I use my credit card whenever it's convenient to me. It's a question of utility. My credit card was among those swept up in the Target breach. My hassle consisted of two days without said credit card and having to sign a form and mail it back.

No liability, no problems. If I lose cash that's on me baby.

Other than for some altruistic "for the greater good because merchants just pass down the cost of fraud to their customers" why should I care? I mean, seriously, why should I care? Debit card interchange fees were statutorily capped a few years ago and all of the merchants stoically supported the idea because it would be great for consumer's bottom lines. A study conducted by the Wall Street Journal six months later found that despite merchants generating substantial savings from the interchange fees being cut virtually none of it made its way back to the consumers. In fact some merchants even boasted in their earnings statements about how the savings went straight to the corporate bottom line. If credit card fraud went "poof" tomorrow, where do you think those savings would go?

So I ask again, if I bust my ass and Initech saves a few units, I don't see another dime, so what's in it for me?

Re:Avoiding credit card breaches? (1)

EdIII (1114411) | about 7 months ago | (#45850463)

So I ask again, if I bust my ass and Initech saves a few units, I don't see another dime, so what's in it for me?

You get to work with Michael Bolton?

Re:Avoiding credit card breaches? (1)

Jah-Wren Ryel (80510) | about 7 months ago | (#45851009)

A study conducted by the Wall Street Journal six months later found that despite merchants generating substantial savings from the interchange fees being cut virtually none of it made its way back to the consumers

That seems implausible, publishing results of a study just six months after the fees were capped would be really hard to do with any sort of rigor. First there is an awful lot of inertia in the system, I wouldn't be surprised if the effects were just starting to trickle down six months in. Then I have to wonder about their methodology, which merchants would volunteer this information?

I did a search on the wsj.com website for "interchange fees" and while there were a lot of articles, I couldn't pick out any that mentioned this study. Perhaps you can provide a link?

Use cash (1)

BitZtream (692029) | about 7 months ago | (#45849621)

Nothing else needed, why are we even discussion this?

Re:Use cash (3, Interesting)

hawguy (1600213) | about 7 months ago | (#45849837)

Nothing else needed, why are we even discussion this?

Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.

Re:Use cash (1)

geek (5680) | about 7 months ago | (#45849913)

Nothing else needed, why are we even discussion this?

Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.

Ever heard of checks?

Re:Use cash (4, Insightful)

hawguy (1600213) | about 7 months ago | (#45850031)

Nothing else needed, why are we even discussion this?

Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.

Ever heard of checks?

Checks are even worse than credit cards - anyone with your account number (which is printed right there on the check, no "secret" CVV code or anything else needed) can use an electronic check (or print his own) to debit direct from your checking account.

Re:Use cash (0)

Anonymous Coward | about 7 months ago | (#45850625)

. . . are you serious?? checks? safer? o.O

Re:Use cash (2)

jedidiah (1196) | about 7 months ago | (#45849933)

Avoiding much of the baggage that comes with credit cards is the most effective way to ensure that you actually have the $1000 around to worry about.

Re:Use cash (1)

hawguy (1600213) | about 7 months ago | (#45850067)

Avoiding much of the baggage that comes with credit cards is the most effective way to ensure that you actually have the $1000 around to worry about.

I thought it was good financial sense that helped make sure you have $1000 in your bank account, not whether or not you use a credit card.

I have 3 credit cards, I haven't paid any interest charges in years. 2 are 'free', but I still carry an Amex card since I've found their international services to be helpful, though perhaps less useful today than it used to be. I still remember losing my card overseas and walking into a local Amex office and walking out with $1000 in travelers checks to tide me over while waiting for a replacement card to be delivered after the holiday weekend.

Re:Use cash (1)

plopez (54068) | about 7 months ago | (#45851019)

I was relocating and I needed a fast short term loan. I walked out of an Amex office with several thousand dollars in travelers checks. I didn't use all of it so I made my first monthly payment. Then I was reimbursed by my employer and paid off the loan in two months.

Re:Use cash (3, Interesting)

zifn4b (1040588) | about 7 months ago | (#45850343)

Nothing else needed, why are we even discussion this?

Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.

Um you didn't even point out the obviously flaw in today's day and age of using cash especially among slashdotters. So, I should stuff $2,000 in an envelope with purchase order and mail it to NewEgg to purchase the parts for my next gaming rig? NOT! "I'm sorry sir, but there was no cash in the envelope you sent us. Can you try re-sending it?" It really drives me nuts when snarky people are like just use cash! Oh yeah let's just drop the e-commerce market that's been built up around the internet and been an economic boon and go back to the dark ages. How about let's make electronic purchases better? Or better yet how about companies hire better people and/or train the people to follow best security practices?

Re:Use cash (1)

JeffAtl (1737988) | about 7 months ago | (#45850123)

Any cash that a person carries can be seized by law enforcement - whether they charge you with a crime or not.

For consumers (1)

Dan East (318230) | about 7 months ago | (#45849643)

Here's what consumers can do. Simply use cards you preload money on. Walmart has them for $3 for Visa or Mastercard. Costs $3 each time you load funds onto the card (thus it's the same cost to reuse an existing card, or get a completely new one). Only load a couple hundred on the card each month, and if any issues come up, don't reload it and grab a new one next time. It's totally disconnected from your actual accounts in every way, and you mitigate any potential financial loss by only placing relatively small amounts of funds on the card.

Plus, it's not a "credit" card, so you don't have to worry about going into debt or interest rates.

Re:For consumers (3, Insightful)

hawguy (1600213) | about 7 months ago | (#45849789)

Here's what consumers can do. Simply use cards you preload money on. Walmart has them for $3 for Visa or Mastercard. Costs $3 each time you load funds onto the card (thus it's the same cost to reuse an existing card, or get a completely new one). Only load a couple hundred on the card each month, and if any issues come up, don't reload it and grab a new one next time. It's totally disconnected from your actual accounts in every way, and you mitigate any potential financial loss by only placing relatively small amounts of funds on the card.

Plus, it's not a "credit" card, so you don't have to worry about going into debt or interest rates.

Why use your cash to give the credit card company a free loan (and pay them for the privilege)?

Just use a regular credit card, by law your liability is only $50 for fraud (and I haven't heard of any bank enforcing the $50 limit for fraud reported in a timely manner). Unless you're willing to walk away from your $100 prepaid card without reporting the fraud and requesting a refund, you're not saving yourself any effort by using a prepaid card.

Never ever let your bank issue you a debit/ATM card that can be used as a credit card - request a PIN-only ATM card instead, and use it as little as possible, using the Bank's own ATM's where possible. Why risk letting a thief empty your bank account if they steal your card number? The bank may tell you that they will reimburse you upon reporting fraud, but if you started bouncing checks before you discovered the fraud, will they reimburse you for merchant returned check fees?

Re:For consumers (3, Interesting)

Gordon Baldwin (3483065) | about 7 months ago | (#45849929)

Also, always use a backup card when traveling to higher fraud areas. We vacation in Mexico regularly, for a while every time I went I would get hit with fraudulent charges after getting home. I switched to using one of our backup credit cards while on the trip, then calling the bank when I got home. I would tell them that I was traveling and suspect that my number might have been compromised. They have been more than happy to cancel my old number and reissue me a new one. A few days later I had a new card and was ready to travel again. No issues with fraud since we started doing that.

Re:For consumers (4, Insightful)

PvtVoid (1252388) | about 7 months ago | (#45849825)

Fees [toptenreviews.com] :

One-time Walmart fee: $3
Montly fee: $2
ATM withdrawal: $2 plus ATM fees
International ATM withdrawal: $2 plus ATM fees
ATM balance inquiry: $1
Replacement card: $3
Second card: $3
Foreign purchases: Two percent of total purchase amount in U.S. dollars

On top of all that, if the card is stolen or hacked, I lose whatever is spent off the card. If my credit card number is stolen, I am not responsible for charges.

Debit cards are for suckers.

Re:For consumers (1)

Dan East (318230) | about 7 months ago | (#45850007)

Then don't use it at an ATM. I use my card for online purchases and POS. As I said, it's $3 for a new card, whether that's a replacement or second card or whatever. There is no monthly fee depending on how much you load onto the card each month.

Oh, and how anonymous are you using your credit card, which is as intimately and personally attached to you as any financial instrument can be? With a preloaded card you slap down cash to load the card, and that's it. Next time you just use a new card for the same price.

Debit cards are most certainly not for "suckers". It's like any other tool. Use it intelligently based on its strengths and weaknesses.

Re:For consumers (1)

hawguy (1600213) | about 7 months ago | (#45850193)

Then don't use it at an ATM. I use my card for online purchases and POS. As I said, it's $3 for a new card, whether that's a replacement or second card or whatever. There is no monthly fee depending on how much you load onto the card each month.

Oh, and how anonymous are you using your credit card, which is as intimately and personally attached to you as any financial instrument can be? With a preloaded card you slap down cash to load the card, and that's it. Next time you just use a new card for the same price.

Debit cards are most certainly not for "suckers". It's like any other tool. Use it intelligently based on its strengths and weaknesses.

There is a decreasing likelyhood of anonymity with any face to face transaction -- with facial recognition cameras (ostensibly to "prevent fraud", but also a valuable marketing tool), merchants will be able to uniquely identify you when you walk in the store (not just when you make a purchase), and can identify you even if you use a different card number every time you shop. That information is very valuable to them, that's why Safeway will "give" you a 10 - 20% discount when you swipe your safeway card.

Re:For consumers (1)

EdIII (1114411) | about 7 months ago | (#45850551)

The anonymity attribute only applies to online transactions. Not physical ones, even if you refuse the discount. You have to find a kid or teenager and pay them more to go get it for you.

For certain categories of online purchases those prepaid are just not working anymore. I have not seen a single purchase go through PayPal lately with a prepaid card. That's even if you "register" information against the prepaid card and lie about the info.

The government worked damn hard to close that loophole apparently and it shows.

You can still get money orders with cash though. It takes a lot of effort to get one anonymously.

Re:For consumers (1)

Moses48 (1849872) | about 7 months ago | (#45850645)

My debit card is insured like my credit card. My bank has no ATM fees pays others ATM fees for me (up to a certain amount per month). There are always companies that will screw you, but don't throw the baby out with the bathwater.

Re:For consumers (1)

hawguy (1600213) | about 7 months ago | (#45851255)

My debit card is insured like my credit card. My bank has no ATM fees pays others ATM fees for me (up to a certain amount per month). There are always companies that will screw you, but don't throw the baby out with the bathwater.

Well, it's *almost* the same as a credit card. The difference is that if someone steals your debit card and makes $500 in fraudulent purchases, that $500 comes out of your checking account -- possibly the same $500 that you had left in the account to pay your rent. So your rent check bounces, the landlord charges you a $20 returned check fee, a $50 late fee, and requires you to pay via cashiers check for the next 3 months.

And read the fine print in your statement every month and keep an eye on the online terms to make sure they don't change the terms of your anti-fraud protection without you knowing about it.

Re:For consumers (1)

Rob the Bold (788862) | about 7 months ago | (#45849927)

Here's what consumers can do. Simply use cards you preload money on. Walmart has them for $3 for Visa or Mastercard. Costs $3 each time you load funds onto the card (thus it's the same cost to reuse an existing card, or get a completely new one). Only load a couple hundred on the card each month, and if any issues come up, don't reload it and grab a new one next time. It's totally disconnected from your actual accounts in every way, and you mitigate any potential financial loss by only placing relatively small amounts of funds on the card.

Plus, it's not a "credit" card, so you don't have to worry about going into debt or interest rates.

At three dollars a reload, you're paying quite a premium to load a card with two-hundred bucks at a time. Even in absolute terms, $36/year is a substantial fraction of the $50 worst-case liability limit you might get hit with if your credit card was compromised. Also, using pre-loaded cards (or bank debit cards) for gas purchases can be a hassle (or worse) when they sometimes hold $100 or so until your purchase transaction is finalized -- a process that could take days.

It may be an effective spending limiter, but that's a different financial story.

Re:For consumers (1)

tiberus (258517) | about 7 months ago | (#45849973)

You only have to worry amount the monthly fees and losing your money. While YMMV, I don't have to worry about losing funds (the pre-paids I've used don't offer refunds of lost/stolen funds) and the monthly fees (pay your CC off monthly and no interest, again YMMV) seem to be high. It's also still connected to you and your connected to your accounts, so it's only disconnected in the sense that it doesn't directly contain you other account information. Seems the costs are borne by the issuer and vendors (which of course are passed on...) so it more a concern for them than me. It's just not that big a hassle from my POV.

What do I care? (4, Informative)

cayenne8 (626475) | about 7 months ago | (#45849647)

It isn't like I'm going to lose any money if I get a CC stolen. I just call it in (in this case Target did it for me)...and they and the banks take the hit, doesn't affect me.

Why don't they just go back to having to have the physical card, take an imprint of it at the register manually, and help track the usage at the stores that way?

Re:What do I care? (1)

BitZtream (692029) | about 7 months ago | (#45849739)

in this case Target did it for me

Did they? I was part of an organization who had a CC breach due to our own utter stupidity, we called both the FBI, Visa, and Mastercard and asked them if they wanted the card numbers that were breached ... they didn't give a flying fuck, didn't want to know anything about it. The FBI eventually cared enough to go to the guys house ... after WE tracked him down for them.

It wasn't a real breach, the guy just stumbled across an utterly stupid web app storing a massive list of CC #s in a log file that he happen to stumble on by playing with the URL path and going up a few directories ... turned out the guy really was just trying to get his damn purchase to go through.

Point to the story however is, Visa and MasterCard both told us to destroy the list of numbers and they wanted nothing to do with it. We of course moved the list off the server and saved it for the FBI, who of course DID want the evidence.

If you CC get stolen ... you will have to FIGHT to get charges removed unless you live in peter pan land where the fairy can fix it for you.

Re:What do I care? (5, Insightful)

hawguy (1600213) | about 7 months ago | (#45850013)

in this case Target did it for me

Did they? I was part of an organization who had a CC breach due to our own utter stupidity, we called both the FBI, Visa, and Mastercard and asked them if they wanted the card numbers that were breached ... they didn't give a flying fuck, didn't want to know anything about it. The FBI eventually cared enough to go to the guys house ... after WE tracked him down for them.

It wasn't a real breach, the guy just stumbled across an utterly stupid web app storing a massive list of CC #s in a log file that he happen to stumble on by playing with the URL path and going up a few directories ... turned out the guy really was just trying to get his damn purchase to go through.

So the FBI investigated, found the guy, who claimed that he didn't have fraudulent intent, and the banks decided not to spend thousands of dollars to replace cards that apparently didn't need to be replaced? It's possible that they treat a 40 million card breach differently since that opens them up to much more exposure from fraudulent purchases (in theory, Visa and Mastercard issuing banks don't pay for fraudulent purchases, they charge it back to the merchants, but it's still more work for their customer service reps and they may not be able to recover from all merchants)

Point to the story however is, Visa and MasterCard both told us to destroy the list of numbers and they wanted nothing to do with it. We of course moved the list off the server and saved it for the FBI, who of course DID want the evidence.

You're lucky you didn't get a PCI audit and a fine for non-compliance.

If you CC get stolen ... you will have to FIGHT to get charges removed unless you live in peter pan land where the fairy can fix it for you.

I've had 2 credit card numbers stolen -- one was a Visa card and the bank called me about a suspicious $500 charge attempt thousands of miles away. I told them that I didn't attempt that purchase (which they had declined), and they canceled my card and fedex'ed me a new one.

The other was an Amex card - this one had a series of small $20 - $50 charges. I called Amex to report the fraud, they canceled and reissued my card, I marked the fradulent charges online and they credited the charges back to me, then they sent me a letter that I had to sign and return to certify that I did not make those charges.

It could hardly have been any easier.

Re:What do I care? (1)

Jim Sadler (3430529) | about 7 months ago | (#45850729)

Some debit cards offer a guarantee of loss prevention. Chase issues such cards. Since I got used to using a debit card I rarely handle any cash at all. Most months I have less than $5. in cash for the entire month. It is rare that I go anywhere that won't accept my Chase Visa debit card.

Re:What do I care? (1)

cayenne8 (626475) | about 7 months ago | (#45850853)

Some debit cards offer a guarantee of loss prevention. Chase issues such cards. Since I got used to using a debit card I rarely handle any cash at all. Most months I have less than $5. in cash for the entire month. It is rare that I go anywhere that won't accept my Chase Visa debit card.

See, now I'm the opposite...I refuse to have a debit card. They've tried sending me ATM/Debit cards, and I sent them back asking for ATM only cards.

Maybe things are getting better, but last year, I heard one of the horror stories. A lady had gotten her Visa debit card compromised and cash was withdrawn (a good bit of it too) from her checking account. In this case, like many others I've heard, it was basically "guilty until proven innocent".

Her funds were gone for over a month...which of course, meant she had trouble paying a couple of bills, etc.

With a credit card, I've lost none of my cash and don't have a risk of losing cash via direct access to my main deposit account.

Again, maybe things are better now..and at different banks, but I'd sure be cautious about using them, or at least verifying the exact terms of that debit card agreement.

I don't mind carrying cash, or periodically stopping by an ATM for some cash if I'm going shopping locally. I prefer the anonymity of shopping with cash too.

Re:What do I care? (2)

hawguy (1600213) | about 7 months ago | (#45850883)

Some debit cards offer a guarantee of loss prevention. Chase issues such cards. Since I got used to using a debit card I rarely handle any cash at all. Most months I have less than $5. in cash for the entire month. It is rare that I go anywhere that won't accept my Chase Visa debit card.

They may have a guarantee that says they will credit the money to your account after you report the fraud to them, but the guarantee probably doesn't cover the secondary effects that could result from someone stealing your debit card number. If you start bouncing checks because someone stole your card and drew your balance down to zero before you realized it, Chase is probably not going to reverse all of the returned check fees and possibly late fees from merchants you've sent bad checks to, and your landlord may even start requiring rent payment by cash or cashier's check after you've bounced a rent check.

Re:What do I care? (1)

140Mandak262Jamuna (970587) | about 7 months ago | (#45850453)

If you CC get stolen ... you will have to FIGHT to get charges removed unless you live in peter pan land where the fairy can fix it for you.

Well, I had two CC and one Debit card breach and one false alarm.

CC 1: @ Chicago, at a Target in fact. Did not use that card anywhere else in Chicago. No hassle to get the charges reversed. Some 5000$ in damage.

CC 2: @ London. Told them we were going out of the country. The fraudsters were charging it even after we returned and charged card in USA. Dim witted CC company did not smell a rat. But no hassles to reverse about 4000$ in damage.

Debit card: @ Aldi. The crooks pretended to be service technicians and installed skimmers at the check out counters. About 5000$ in damage, reversed without issues. But my debit card company will refund third party ATM charges too. So they refunded some 15$ in 3rd party ATM fees, then reversed all charges including the ATM fees. Was planning to call back and let them know they had refunded too much, but the cost of handling that call would exceed 15$ for them, so gave them a break and kept that 15$. :-)

False alarm: Charged a Las Vegas package, couple of watches and some dresses in 15 minute span as an anniversary surprise gift for the missus. Triggered a fraud alert call that let the cat out of the bag and spoiled the surprise. Thanks Obama.

So it is quite easy to get the fraudulent charges reversed. But the credit card companies could send SMS text for every charge and make a big dent in fraud charges. They don't seem to care. In India my brother gets SMS as soon as the merchant charges something. Funny, in India, they put ATM machines inside tiny stores with armed guards.

Re:What do I care? (1)

MozeeToby (1163751) | about 7 months ago | (#45850539)

I've had my CC stolen twice. Plus another 4-5 false alarms. Every time was the exact same thing, got a call, verified/denied a half dozen or so chargers. If there were charges that weren't mine I was told to dispose of my card and that a new one was on the way. Other than being without a card for a few days the hassle level was basically zero. In at least one of those cases the card was denied on the first fraudulent charge, most likely based on it being impossible for me to have physically been in 2 places at once.

They are liable, they know they are liable, they work hard to keep what they are liable for as small as possible.

hacks against contactless? (1)

the_B0fh (208483) | about 7 months ago | (#45849657)

I could have sworn a number of hacks against contactless credit cards have been demonstrated?

How does it protect against inadvertent charges or someone copying data off the cards in my wallet by waving a reader near my wallet?

Re:hacks against contactless? (1)

icebike (68054) | about 7 months ago | (#45849877)

It isn't the contact-less cards that are being proposed here.
Its the cards with smart chips built in, unlike those with mere NFC chips that you see in the US.

While traveling in the EU, we were advised by our bank to use a chip card, which they provided to us for nothing.
Image: http://www.mastercard.com/au/personal/en/images/Chip%20Card.jpg [mastercard.com]

The only difference here is that the chip on the card can validate the reader, and transmits data encrypted, so the entire transaction takes place encrypted from your card, to the bank, and back to the merchant's bank. Even if data is stored in the merchant's terminal, or intercepted along the way, its all encrypted.

And, as we all know that encryption is totally unbreakable, and completely safe. *cough*

This requires a change out of every credit card terminal in the country to be useful, and that will take a while.
Still its no guarantee, because the processing power to break the encryption is becoming more readily available, and the whole scheme is likely to encounter breaches in the future.

Re:hacks against contactless? (2)

Goldenhawk (242867) | about 7 months ago | (#45849995)

My American family spent about a week in Canada and never once had our card merely swiped - every single terminal was a push-click chip-n-pin setup. They looked at us funny when we said nobody in America uses them yet. But it still worked with our non-chip cards. So apparently while all the terminals are chip-n-pin, they don'all have to ACT like it all the time.

Re:hacks against contactless? (1)

icebike (68054) | about 7 months ago | (#45850113)

Probably in Canada they are still in the change-over period, where they have to be able to handle both types of cards.
In the EU, we were told most places don't have the ability to take the Mag stipe only cards at all any more.
Further, almost all restaurant transactions were completed at our table with portable readers, and the card never left our sight.

Its not like this requires totally new technology. The mag stripe could simply be encrypted, and the terminals reprogrammed to send it encrypted. However, the capacity of the magnetic strip is marginal for this, and mag strips are aren't that durable. (I've killed more then one just by wear and tear, never mind that incident when somebody gave me a magnetic money clip as a present).

Its an arms race, and it always will be.

Re:hacks against contactless? (1)

compro01 (777531) | about 7 months ago | (#45850317)

Probably in Canada they are still in the change-over period, where they have to be able to handle both types of cards.

Yes. I think the swipe-only capability is supposed to go away entirely by 2016.

Re:hacks against contactless? (1)

compro01 (777531) | about 7 months ago | (#45850125)

My American family spent about a week in Canada and never once had our card merely swiped - every single terminal was a push-click chip-n-pin setup. They looked at us funny when we said nobody in America uses them yet. But it still worked with our non-chip cards. So apparently while all the terminals are chip-n-pin, they don'all have to ACT like it all the time.

Yeah, backwards comparability. The strip will only work if the card doesn't have a chip (e.g. American cards) or the terminal isn't capable of using a chip (usually very new businesses that don't have chip capability set up yet).

I think I've swipped my card maybe twice in the past year.

Re:hacks against contactless? (0)

Anonymous Coward | about 7 months ago | (#45850157)

The presence of C&P is known to the system. It can be made to require use of it iff present. Often it's useful to be able to fall back to the magstrip, even though this reduces the security of the system. You could probably destroy your own strip if you cared about that and felt that you'd never need that option.

Unfortunately I'm in a constant battle with oxidation on my cards, so it's nice to be able to have the cashier draw the card instead (and maybe check ID or something as they feel necessary).

Re:hacks against contactless? (0)

Anonymous Coward | about 7 months ago | (#45850175)

Canada rolled themout a coupkle of years ago.
Unfortunately, they used the first gen systems which and been broken for about 5 years before they were rolled out. They are essentially worthless.

Chip-and-Pin Still Broken? (1)

Capt.Albatross (1301561) | about 7 months ago | (#45850385)

A number of hacks against non-contactless chip-and-pin cards have been demonstrated, and I would be suspicious of any claim that the contactless ones are more secure. Search for 'chip and pin is broken' for details of the exploits, and also a number of self-serving non-sequiturs supposedly justifying the issuers' inaction over the issue (for example, 'the protocol is sound', as if consumers can choose to use a sound implementation, and 'the exploit is too difficult in practice' despite good evidence that it has been used in the wild.)

Mr. Rash's article gives no indication that he is aware of these issues, and the way he describes how he found out about these cards suggests he doesn't have his finger on the pulse of security matters.

do not cross the beams. (0)

Anonymous Coward | about 7 months ago | (#45849663)

Do not connect the payment system to the shops own computer system. These are separate things and should not be integrated.
In fact, is should be illegal.

Re:do not cross the beams. (1)

icebike (68054) | about 7 months ago | (#45849901)

In the target case, they did not breach targets computer system, the breached the terminals in the stores, by breaching the separate network they use to connect them to the banks.

VPNs are easily breached these days.

website security (4, Interesting)

gbjbaanb (229885) | about 7 months ago | (#45849721)

... is all about DB security, simply do not allow any access to the DB from the webserver at all. Assume your webserver is already compromised and build from there, is not difficult to do.

Last place I worked, my boss had a pet website thing written in the usual way - client web code running on the web server that directly read DB tables. When he told the admin guys to put it live they told him they couldn't - there wasn't access to the DB from the webserver, so he told them to "just punch a hole in the firewall"... and they told him there was no firewall. There was no physical cabling between these servers.

That's the way to do it. you always go through a middle box, and you create an API on that middle tier that your web code can access, and that is tightly locked down. Then you also expose your DB as an API (via stored procedures) that only the middle tier can access.

Then, if (ha! when) someone hacks your web server, all they can do is call the API methods on the middle tier, and even if they manage to hack the middle tier too, all they can do is call the DB API methods. None of those methods will have a routine that returns more than 1 CC data, at best.

This stuff isn't hard, but requires a little more discipline than web devs are used to. It also requires that the only code you run on the web server is presentation stuff, no slapping it all on there like most code and frameworks guide you into doing.

Re:website security (0)

Anonymous Coward | about 7 months ago | (#45849983)

How are your api boxes magically secure in a way that the webservers are not?

For smaller sites credit card security is much easier. Don't store credit card data. That is the job of whatever payment provider you use.

Re:website security (1)

WaffleMonster (969671) | about 7 months ago | (#45850809)

... is all about DB security, simply do not allow any access to the DB from the webserver at all. Assume your webserver is already compromised and build from there, is not difficult to do.

If you assume your webserver is compromised do you think it is a good idea to be entering credit card numbers into it?

That's the way to do it. you always go through a middle box, and you create an API on that middle tier that your web code can access, and that is tightly locked down. Then you also expose your DB as an API (via stored procedures) that only the middle tier can access.

Compromise of *any* tier still results in an unacceptable breach. While access might be curtailed your still screwed.

Then, if (ha! when) someone hacks your web server, all they can do is call the API methods on the middle tier, and even if they manage to hack the middle tier too, all they can do is call the DB API methods. None of those methods will have a routine that returns more than 1 CC data, at best.

Until someone hacks your web server and configures it to exfils every credit card number it ever dealt with from then on.

This stuff isn't hard, but requires a little more discipline than web devs are used to. It also requires that the only code you run on the web server is presentation stuff, no slapping it all on there like most code and frameworks guide you into doing.

My own opinion with regards to non-physical presence is PayPal is the correct model and CC need to be phased out entirely. Security problems mostly evaporate if payment is *given* rather than *taken*. Simple change in philosophy solves most of the payment security issues.

Chip with no CC fallback solves physical problems although physical "what you know" (e.g. pin) entry needs to be integrated on-card rather than entered into POS terminals.

Re:website security (1)

guruevi (827432) | about 7 months ago | (#45851197)

How about not storing CC data AT ALL. You don't need the full number unless you are your own payment processor, you're required to ask for the 3 digit number every time (you're not allowed to store it).

The only reason you would store full numbers with all the info attached is for batch processing... or if you don't know what you're doing which simply means you're not prepared for peak demand.

As far as API's - SQL is already an API, Prepared Statements should do everything you require, decent db login management so your scripts can't just SELECT what they don't need...

Easy (1)

msobkow (48369) | about 7 months ago | (#45849759)

Pay cash. Drive them crazy. Make them count instead of swipe.

Could someone explain EMV chips? (2)

guanxi (216397) | about 7 months ago | (#45849813)

Could someone explain how EMV chips work, especially,

1) If every consumer and retailer in the world will be able to utilize them to process purchases, how can we stop people from using the same devices fraudulently? If the answer is that they use a PIN, then why not use the old mag-stripes with a PIN?

2) Is anything stored on them besides payment data, such as other personal data? In addition to a payment mechanism, is it also yet another way to track and collect information about people? Could other data potentially be stored on them?

3) Is wireless necessary or even a good idea? Why not require contact with the credit card machine?

Re:Could someone explain EMV chips? (5, Informative)

Enderxeno (1331501) | about 7 months ago | (#45849941)

The reason EMV is better is because the chip allows you to sign the transaction datagram before it is sent to the bank. The chip stores the specific cards signing cert and it can't be accessed, every time there is a transaction, the pin pad sends the transaction info to the card which encodes and signs it then it is sent to the processor. NFC and other tap transactions are just as safe because even if you intercept the info you can capture the signing cert and can't duplicate the transaction.

Re:Could someone explain EMV chips? (1)

guanxi (216397) | about 7 months ago | (#45850955)

Thanks, that makes sense.

The chip stores the specific cards signing cert and it can't be accessed

Hmmm ... given the amount of money involved, doesn't it seem likely that methods for breaking the security are already known?

Re:Could someone explain EMV chips? (1)

Anonymous Coward | about 7 months ago | (#45850119)

When you use EMV for transaction (chip read) the card generates a unique authorization request cryptogram (ARQC) that must be answered with a valid authorisation response cryptogram (ARPC) from the issuer (bank). If not, the card invalidates the transaction.

Some issuers only allow chip read (EMV) so even if the card data is stolen (PAN or Track2) the thief cannot generate a valid ARQC for a authorisation request.
Issuer then declines the transaction since the ARQC request var missing/incorrect.

You can store all sorts of data on the chip, including private keys for PKI or other data.

Re:Could someone explain EMV chips? (3, Interesting)

ADRA (37398) | about 7 months ago | (#45850185)

1. The card readers still have to make it to a compatible merchant services provider, so not usable everywhere. In Canada, its pretty rare for any small to large service providers not providing readers for chip cards. Only really little merch's that accept square or paypal haven't made the switch, or some big box american stores who's unified infrastructure apparently makes this too hard for the effort.

2. The chip is a digest encryptor to my knowledge. I don't know if anything besides the merch and most likely an account number are on the card unencrypted (or should be anyways), but yes, any and everything usable to track people's unique info can and will be used to track you. That is a 'freedom' long lost.

3. Wireless can be an issue (my Android phone's NFC pings when its laying on the wallet) but realistically, all companies supporting wireless transactions support VERY LOW payment methods, like $50 and most likely rejecting duplicate purchases. I bought movie tickets yesterday with pay wave and I then went to the popcorn stand and waved again. The second time, it required chip usage, so there's probably logic to cap the potential losses of fraudulent wireless payment charges.

Wait (1)

Nemura (3452793) | about 7 months ago | (#45849851)

People still use magstripes?

Re:Wait (2)

msobkow (48369) | about 7 months ago | (#45849919)

In the US, yes. They've been out of use and restricted in Canada for many years now, but as per usual the US "it's too expensive" lobbyists have kept old, insecure technology online far past it's due date.

How about "avoid emv chips"? (0)

davecb (6526) | about 7 months ago | (#45849865)

Using a 4-digit pin is immensely less secure than using a handwritten signature, For the thief, it's guessing 4 digits instead of practicing for hours and hours to perfect a good-enough forgery (;-))

Re:How about "avoid emv chips"? (0)

Anonymous Coward | about 7 months ago | (#45849979)

Using a 4-digit pin is immensely less secure than using a handwritten signature, For the thief, it's guessing 4 digits instead of practicing for hours and hours to perfect a good-enough forgery (;-))

The signature is not for identify verification. It's your agreement to comply with the credit card rules.

Re:How about "avoid emv chips"? (0)

Anonymous Coward | about 7 months ago | (#45850209)

Most people don't verify the signature, or even have the necessary skill to do signature verification. PINs are easy to verify and are REQUIRED EVERY TIME.

Re:How about "avoid emv chips"? (1)

ADRA (37398) | about 7 months ago | (#45850243)

No, its guessing 4 digit pin soon enough before the CC company freezes the card, which is generally like 4-5 attempts period. Whereas the CC signature route can be forged and the crook is long gone before the fraud is detected. My writing is crap, and I can guarantee that I've signed the VISA receipt in an almost completely diff. sig from the card and have never been stopped on it.

Re:How about "avoid emv chips"? (1)

danlip (737336) | about 7 months ago | (#45850325)

Except no one ever checks the signature, while the 4 digit PIN is checked automatically.

Signatures are not secure (0)

Anonymous Coward | about 7 months ago | (#45850479)

You are assuming that people actually check signatures.

When I bought a laptop several years ago, despite it being a purchase of over $2,000, the person behind the counter did not even watch me sign, or check the signature against the back of the card. That's when I changed my card signature to 'REQUIRE PHOTO ID'.

Signatures are an anachronism - much like the idea of carrying a wax seal around.

Re:Signatures are not secure (0)

Anonymous Coward | about 7 months ago | (#45851239)

You are assuming that people actually check signatures.

When I bought a laptop several years ago, despite it being a purchase of over $2,000, the person behind the counter did not even watch me sign, or check the signature against the back of the card. That's when I changed my card signature to 'REQUIRE PHOTO ID'.

Signatures are an anachronism - much like the idea of carrying a wax seal around.

The signature on the back of the card simply tells the vendor that you have agreed to abide by the terms of the credit card. It is the same with the receipt, only an agreement to pay the charge you just made. Neither ID is intended as a authentication of the person presenting the card. In fact many CC companies specifically prohibit vendors (through their vendor agreements) from verifying any form of ID as a requirement to accepting the card as payment. However if you have not signed the CC (i.e. put "Require Photo ID') then the vendor should not accept the card at all because you have not agreed to pay their bill essentially.

Expecting a clerk at Best Buy to be an expert on signature verification is ridiculous. I have had many conversations with clerks at many retail chains explaining why their manager who told them to check IDs for credit card purchases are idiots and are breaking the stores agreement with their CC processing companies. If you don't believe what I am saying please verify it with your CC company, all but Discover will tell you the same thing. Discover is a bit different as they were started by a retailer and tend to add more protections for the vendors than the card holders.

Simple - talk to a cryptographer (2)

Rich0 (548339) | about 7 months ago | (#45849967)

Anybody with even a minute knowledge of cryptography/security/etc could predict all the problems the payment card industry is having. 95% of the issues are derived from using an account number as a shared secret, and then sharing it with half the planet.

A secure system would not be that difficult to design or operate. Have the POS terminal generate a CSR containing the vendor name, date, amount of transaction, and a unique transaction ID. That gets transmitted to the customer's payment terminal, which they carry with them. The terminal decodes the CSR and displays the amount, etc on the screen in a standard presentation for the customer's approval. They hit approve and enter their PIN, which is typed onto the terminal itself. The device then generates a certificate including the users's account number, timestamp, and another unique ID. The terminal transmits this to the POS terminal, which then transmits it to the bank. The bank verifies the certificate and performs the transaction, and issues a certificate against the whole thing back to the vendor.

Such a system could only be spoofed if the terminal and PIN are stolen and used prior to a report of theft, or if the private key embedded in the terminal were extracted. The latter would be extremely difficult - modern TPMs are very difficult to break into. The PIN and key never leave the device, and the user only interacts with a device whose integrity they have control over. The POS can't display one transaction on the screen and apply the user's signature to another, the POS can't store keys/PINs/etc, and so on. The system is also immune to replay attacks - if you authorize one transaction you'll never be billed for two. The protocol could of course be extended to allow for recurring payments. The payment terminal could have a USB port for easy use with online purchases, and could have a modem for phone purchases (just hold the thing up to the earpiece and then microphone - no need for a 2-way handshake for either transmission).

Sure, that little terminal would cost more than a plastic card, but a single terminal could store credentials for many accounts, and probably would cost less than $100. It doesn't need a fancy color touchscreen - a 1990s LCD display and a 12-key keypad would be plenty.

Re:Simple - talk to a cryptographer (0)

Anonymous Coward | about 7 months ago | (#45850311)

I wonder what theft is going to look like once CC are properly secured. Probably people stealing phones, and forcing victims to hand over their PIN.

Re:Simple - talk to a cryptographer (1)

plover (150551) | about 7 months ago | (#45851253)

You just (sort of) described the VASCO DIGIPASS readers. They're given away by the banks to their customers, and cost less than $20 apiece. The user inserts their card into their own reader. The reader is nothing more than a battery, LCD and 10-key pad the user can trust. Because the user carries it with him or her, they can trust there's no PIN skimmer they have to worry about. And because it's a sealed device, with no data ports and no USB connections, there is not a way for malware to corrupt it.

The user inserts their smart card, enters their PIN, and their card generates a one-time use 8 digit token that authorizes their transaction. The PIN pad does nothing other than display the token. All security and encryption happens on the chip in the card.

I think there's an option to enter the transaction amount as well as the PIN.

The merchant enters the token along with the card number, and the bank knows the user's card plus PIN could have been the only way to generate that token.

The drawbacks are the complexity and the time. Telling a user "put your card in the reader, enter your PIN into the reader, enter the transaction amount in the reader, then type the displayed 8 digit number into the store's PIN pad" is way too confusing for a disturbingly large segment of the population. Even getting people to type 8 digits without making a mistake is also difficult. All these complexities means that using your credit card will take a lot of time, and neither stores nor card brands nor customers want to spend their time on security.

Worse, even this isn't good enough. The token could be stolen by anyone in transit, and used on a different transaction to pay a thief. In an ideal world the user really needs to associate the token with the merchant they're buying from, and that turns out to be very hard. Just posting a sign that says "Here's a 14 digit merchant number you should enter" proves very little. An attacker could place their own sticker on the sign, or display their own 14 digit number on a hacked web site. A barcode is not much good either, because an ordinary human isn't capable of verifying that the stripes actually say "Friendly Store" instead of "Evil Hackers". The user needs a friendly name, plus the ability to spell it. And that's one more piece of complexity that nobody wants to add.

Bottom line: security is too hard for most people to do well.

What about online purchase? (1)

hawguy (1600213) | about 7 months ago | (#45850153)

How about protection for online purchases (which doesn't involve a credit card terminal hooked up to my computer) since I don't want to deal with drivers or other setup to make it work.

Maybe something as simple as a time-based rotating 4 or 5 digit code (similar to an RSA token) that I type in when I make a transaction (whether online or at a merchant). Lock the card after the wrong code is entered 5 times in a row to prevent brute forcing.

Meaningless article (1)

MobyDisk (75490) | about 7 months ago | (#45850167)

The commenters on the eweek article point out that EMV would not have prevented the problem Target had. (I didn't see any video though.)

The relevant comments:

GWsaid on January 2, 2014 12:43 pm
...The security breach happened most likely because the data was unencrypted as it crossed from the terminal to the register. What is needed is encryption that happens at the terminal.

Shawn Ackersaid on December 25, 2013 10:16 pm
Your article makes a number of good points regarding EMV. However, EMV chipped cards don't force the data to be encrypted as it leaves the PIN Pad. In fact much of the data including the PAN(Card #), Expiration date, etc. is by default sent unencrypted and may be captured during transmission over the merchants network. But, it would be next to impossible to reproduce an EMV card unlike magstripe. This would prevent the in person fraud occurring as a result of the Target breach.

Simpler (0)

Anonymous Coward | about 7 months ago | (#45850391)

A simpler and cheaper way is to require credit card holder to create their 6 digit secret code
buyer would have to enter their secret code during check out

Simplistic. Not Credible. (1)

Geste (527302) | about 7 months ago | (#45850469)

Yet another simplistic "smart cards would have prevented..." article. Do we really believe these glib summaries from MSM "Experts"? Will we simply accept the premise?

Time for a reality check. In an earlier thread after the breach, there was an entry from a @girlintraining that was at minimum though-provoking, and arguably much more credible than a lot of the puff pieces on offer. Take a moment and read it:

http://yro.slashdot.org/comments.pl?sid=4574335&cid=45733709 [slashdot.org]

A conspiracy theory, for sure. But more sophisticated than any other Target analysis I have seen.

Technology that is NOT being used is his answer... (0)

Anonymous Coward | about 7 months ago | (#45850631)

He is talking about technology that is not commonly being used yet by most consumers to be used as protection against Target's exploit. You won't be in business long if you only take that type of technology card now, since not enough people use it AND you can exploit it as well.

He's recommending...a time machine? (1)

Shoten (260439) | about 7 months ago | (#45851017)

I love how commentators come out of the woodwork after a breach to say how they would have stopped that particular event...after the event has happened, and especially after the full details have come out. The problem, of course, is that the actual defenders don't know how the attack will come, where it will come from, or when it will happen. I think it's particularly noteworthy that even after the fact, it took this guy weeks to come out with his suggestion, as single-minded as it is. Weak.

The premise that any form of payment will be inured against breach is ridiculous. This has never happened...of course, it's supposed to be a feature of each new system, but it never quite works out that way. I see no reason to think that this will change anytime soon.

Asia-Pacific Markets (1)

WinstonWolfIT (1550079) | about 7 months ago | (#45851215)

I've been working on a very large commercial web account for the past nine months, and have had a fair amount of exposure to merchant transaction security. Australia has been using chip readers for quite a while now, and for transactions under $100, you just tap the card to a glass covered reader -- faster than cash especially with the readers where all such transactions are instantly approved; above that, the chip goes into the reader to accept a pin and the balance is verified over a high-speed network. In Singapore, for web transactions, 3ds-auth is very popular; in addition to your card details, you redirect to a page on a 3ds provider, and enter additional details that no merchant would ever have access to before you redirect to confirm your purchase. Now, MasterCard and many major Australian banks are hosting a very nice implementation of a credit card vault, which you redirect to, answer 2-3 layers of security questions, and the merchant never stores your card details nor ever sees your CVV so there's nothing on the site to steal. (PCI audits ensure the merchant doesn't do something really stupid like store card details in exception logs, etc.). Additionally, CyberSource performs a layer of fraud protection.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...