Slashdot Mirror

← Back to Stories (view on slashdot.org)

Top Five Causes of Data Compromise

Posted by ryuzaki0 on from the it's-the-data-stripe-stupid dept.

Steve writes, "In a key step to help businesses better understand and protect themselves against the risks of fraud, Visa USA and the U.S. Chamber of Commerce announced the five leading causes of data breaches and offered specific prevention strategies. The report states that the most common cause of data compromise is a merchant's or a service provider's encoding of sensitive information on the card's magnetic stripe in violation of the PCI Data Security Standard. The other four are related to IT security, which can be improved simply by following common-sense guidelines." Here is the report on the U.S. Chamber of Commerce site (PDF).

10 of 106 comments (clear)

  1. Wow by 1310nm · · Score: 2, Insightful

    "Use of Vendor Supplied Default Settings and Passwords - In many cases, merchants receive POS hardware or software from outside vendors who install them using default settings and passwords that are often widely known to hackers and easy to guess." Incredible.

    1. Re:Wow by Detritus · · Score: 2, Insightful

      It doesn't surprise me. The vendor sold them a packaged system. They probably kept all of the manufacturer-supplied documentation for the system's components and provided the customer with a user manual that was written for idiots. Part of locking-in the customer for after-sale parts and services is to keep them ignorant.

      --
      Mea navis aericumbens anguillis abundat
  2. Re:top 5 by Anonymous Coward · · Score: 3, Insightful

    Honestly, could my post be any more useful?
    Yes, but a more interesting question is could your karma whoring be any more obvious?

  3. Didn't the waiter do it?! by __aaclcg7560 · · Score: 4, Insightful

    Whatever happened to the old saying that your credit card would more likely be ripped off by a waiter than someone off of the internet? Or are waiters taking hacking jobs these days?

    1. Re:Didn't the waiter do it?! by MrNougat · · Score: 2, Insightful

      Credit cards are most likely to be ripped off where they are used most often. People use credit cards online a lot now, more than they did when that saying was originally said. Also, because the unwashed masses have this idea that The Internets are made of magic fairy dust distilled directly from truth and love, they're prepared to believe whatever The Internets tells them.

      Thieves steal what's easiest to steal and get away with.

      --
      Web 2.0 == Giant Blogspam Circle Jerk
    2. Re:Didn't the waiter do it?! by mennucc1 · · Score: 4, Insightful
      You did not RTFA: waiters are number one in the list. Here it is, in the original form: 1. Storage of Magnetic Stripe Data - The most common cause of data breaches occurs when a merchant or service provider stores sensitive information encoded on the card's magnetic stripe in violation of the PCI Data Security Standard. This can occur because a number of point-of-sale systems improperly store this data, and the merchant may not be aware of it. Then translate from market-speak:
      • service provider -> waiter (indeed, it does serve)
      • merchant -> owner of the restaurant
      • "point-of-sale systems" -> gadget that you stripe your card in
      • to store sensitive info -> pwn
      After proper translation, it reads: 1. Storage of Magnetic Stripe Data - The most common cause of data breaches occurs when a waiter pwns your card's magnetic stripe in violation of law. This can occur because a number of gadgets are available around that will store this data; and the restaurant owner may not be aware of it. See?
  4. Re:Chip & PIN by smoker2 · · Score: 2, Insightful
    Yeah, or they could stand behind you at the ATM and then lift your wallet, or, maybe just beat you over the head right there and get some quick cash. How is a 2 stage authentication worse than a single stage ?

    In Oz and New Zealand, people buy beer in the pub and pay like that (EFTPOS IIRC) and I don't think they are having a huge problem. They started a good while before us too.

    Also, having your PIN doesn't give them your account. They would be limited to whatever your bank has set for the cash limit for the day. Unless they went shopping, and then they would be on all the CCTV cameras in the shops. Lesson 1a: Don't keep all your eggs in one basket.

  5. Re:Chip & PIN by John+Hasler · · Score: 3, Insightful

    > If they had thought to require a photo for the front of the card then it
    > would be a 3 stage process, and pretty hard to circumvent in a store
    > situation.

    Clerks rarely check pictures[1].

    > Even ATMs have CCTV these days, so they could use some image recognition
    > software to match your image against the registered image before giving you
    > cash.

    And the software would screw up about 10% of the time, keeping your card and your money.

    [1] I knew a guy who spent part of his stint in the Navy sneaking on board warships with an ID card bearing the likeness of a gorilla.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  6. Re:Chip & PIN by Monkier · · Score: 2, Insightful

    "skimming" has already happened in the UK, USA and Australia.. where an additional magstripe reader is attached to an ATM, or POS card reader - and some other means is used to capture your PIN (hidden camera or alike). the magstripe data can be used to easily clone a magstripe only card.

    the chip & pin approach in the UK introduces a smartcard chip into the mix. the chip makes the card difficult to clone. the chip is a mini computer that will only give up the account identifier when given the PIN signed with a cert that's only in authorised hardware..

  7. Re:Chip & PIN by oPless · · Score: 2, Insightful

    > the chip & pin approach in the UK introduces a smartcard chip into the mix. the chip makes the card difficult to clone.

    Sorry, that's bollocks - there has already been a student that has been able to 'crack' the encryption (I can't cite any references, and it was a month or two ago) But I did find this http://www.hebdos.net/lsc/edition352006/articles.a sp?article_id=140973

    Despite this, that there is a simple bit flag on the mag stripe that determines "this card is chip and pin" which can be turned off with skimming

    A friend of mine came over from the middle east without a chip and pin card, and all the restaurant did was swipe it, and ask for him to sign ... and often I've been able to say "umm, I can't remember my pin, can I sign?" to cashiers in local supermarkets - to which they've been more than happy to do, not even asking for additional ID.

    Fraud is as easy as ever, now as a consumer I really don't like having to punch my pin in equipment I don't trust, and isn't securely fastened and hardened against abuse. I'm very sure at some point someone will build a device that looks like a normal remote chip+pin terminal, and scam people.

    Liability shifting is a bad thing, and chip and pin is no more secure than the old method of signing. It's all blatent smoke and mirrors.