Slashdot Mirror
How to Avoid a Target-Style Credit Card Security Breach (Video)
Wayne Rash has covered IT as a reporter and editor for over 35 years. NPR, Fox Business News, and NBC all call on him as a technology expert. A few weeks ago he had an article on eWeek titled How Target's Credit Card Security Breach Could Have Been Avoided. In this video, Wayne tells how you (or your business) can avoid being targeted by miscreants out to steal credit card data. It turns out that the security measures he advocates for businesses are common in other parts of the world but haven't hit the United States quite yet. But don't despair. There are things you can do right now, as an individual, to limit your potential losses from card number thefts. Still, the long-term fixes to the security vulnerability that bit Target need to be made by merchants and card issuers, some of whom are already transitioning to cards and card readers that use EMV chips, and some of whom aren't quite there yet -- but might speed up their efforts after seeing what happened to Target.
1 - Only accept cash.
2 - Don't collect names or other contact info.
3 - Remember how well this worded since the beginning of commerce.
I find paying cash works remarkably well.
Here's what consumers can do. Simply use cards you preload money on. Walmart has them for $3 for Visa or Mastercard. Costs $3 each time you load funds onto the card (thus it's the same cost to reuse an existing card, or get a completely new one). Only load a couple hundred on the card each month, and if any issues come up, don't reload it and grab a new one next time. It's totally disconnected from your actual accounts in every way, and you mitigate any potential financial loss by only placing relatively small amounts of funds on the card.
Plus, it's not a "credit" card, so you don't have to worry about going into debt or interest rates.
Better known as 318230.
Why don't they just go back to having to have the physical card, take an imprint of it at the register manually, and help track the usage at the stores that way?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
I could have sworn a number of hacks against contactless credit cards have been demonstrated?
How does it protect against inadvertent charges or someone copying data off the cards in my wallet by waving a reader near my wallet?
Do not connect the payment system to the shops own computer system. These are separate things and should not be integrated.
In fact, is should be illegal.
Yeah, perfectly safe: http://www.forbes.com/sites/erikamorphy/2013/12/31/with-bitcoin-in-your-pocket-is-your-identity-finally-safe/
“Due to the anonymized/cryptographic nature of the currency, it is almost impossible to track whether an individual has experienced a theft or loss due to other reasons–malware, a corrupt “wallet” which is stored on your hard drive, etc–and it’s especially difficult to determine with any accuracy where the stolen currency might have gone once ‘stolen’”
... is all about DB security, simply do not allow any access to the DB from the webserver at all. Assume your webserver is already compromised and build from there, is not difficult to do.
Last place I worked, my boss had a pet website thing written in the usual way - client web code running on the web server that directly read DB tables. When he told the admin guys to put it live they told him they couldn't - there wasn't access to the DB from the webserver, so he told them to "just punch a hole in the firewall"... and they told him there was no firewall. There was no physical cabling between these servers.
That's the way to do it. you always go through a middle box, and you create an API on that middle tier that your web code can access, and that is tightly locked down. Then you also expose your DB as an API (via stored procedures) that only the middle tier can access.
Then, if (ha! when) someone hacks your web server, all they can do is call the API methods on the middle tier, and even if they manage to hack the middle tier too, all they can do is call the DB API methods. None of those methods will have a routine that returns more than 1 CC data, at best.
This stuff isn't hard, but requires a little more discipline than web devs are used to. It also requires that the only code you run on the web server is presentation stuff, no slapping it all on there like most code and frameworks guide you into doing.
Pay cash. Drive them crazy. Make them count instead of swipe.
I do not fail; I succeed at finding out what does not work.
way to much volatility in that
Could someone explain how EMV chips work, especially,
1) If every consumer and retailer in the world will be able to utilize them to process purchases, how can we stop people from using the same devices fraudulently? If the answer is that they use a PIN, then why not use the old mag-stripes with a PIN?
2) Is anything stored on them besides payment data, such as other personal data? In addition to a payment mechanism, is it also yet another way to track and collect information about people? Could other data potentially be stored on them?
3) Is wireless necessary or even a good idea? Why not require contact with the credit card machine?
In that case, use Dogecoin. They may still steal your money, but not without Shiba bite-marks on their ass.
Wow. Such money. Much volatile. Very safety.
Have gnu, will travel.
Nothing else needed, why are we even discussion this?
Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.
People still use magstripes?
Using a 4-digit pin is immensely less secure than using a handwritten signature, For the thief, it's guessing 4 digits instead of practicing for hours and hours to perfect a good-enough forgery (;-))
davecb@spamcop.net
Nothing else needed, why are we even discussion this?
Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.
Ever heard of checks?
Avoiding much of the baggage that comes with credit cards is the most effective way to ensure that you actually have the $1000 around to worry about.
A Pirate and a Puritan look the same on a balance sheet.
http://www.dogtemperament.com/wp-content/uploads/2013/01/dog-money-finance.jpg
Anybody with even a minute knowledge of cryptography/security/etc could predict all the problems the payment card industry is having. 95% of the issues are derived from using an account number as a shared secret, and then sharing it with half the planet.
A secure system would not be that difficult to design or operate. Have the POS terminal generate a CSR containing the vendor name, date, amount of transaction, and a unique transaction ID. That gets transmitted to the customer's payment terminal, which they carry with them. The terminal decodes the CSR and displays the amount, etc on the screen in a standard presentation for the customer's approval. They hit approve and enter their PIN, which is typed onto the terminal itself. The device then generates a certificate including the users's account number, timestamp, and another unique ID. The terminal transmits this to the POS terminal, which then transmits it to the bank. The bank verifies the certificate and performs the transaction, and issues a certificate against the whole thing back to the vendor.
Such a system could only be spoofed if the terminal and PIN are stolen and used prior to a report of theft, or if the private key embedded in the terminal were extracted. The latter would be extremely difficult - modern TPMs are very difficult to break into. The PIN and key never leave the device, and the user only interacts with a device whose integrity they have control over. The POS can't display one transaction on the screen and apply the user's signature to another, the POS can't store keys/PINs/etc, and so on. The system is also immune to replay attacks - if you authorize one transaction you'll never be billed for two. The protocol could of course be extended to allow for recurring payments. The payment terminal could have a USB port for easy use with online purchases, and could have a modem for phone purchases (just hold the thing up to the earpiece and then microphone - no need for a 2-way handshake for either transmission).
Sure, that little terminal would cost more than a plastic card, but a single terminal could store credentials for many accounts, and probably would cost less than $100. It doesn't need a fancy color touchscreen - a 1990s LCD display and a 12-key keypad would be plenty.
Nothing else needed, why are we even discussion this?
Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.
Ever heard of checks?
Checks are even worse than credit cards - anyone with your account number (which is printed right there on the check, no "secret" CVV code or anything else needed) can use an electronic check (or print his own) to debit direct from your checking account.
Avoiding much of the baggage that comes with credit cards is the most effective way to ensure that you actually have the $1000 around to worry about.
I thought it was good financial sense that helped make sure you have $1000 in your bank account, not whether or not you use a credit card.
I have 3 credit cards, I haven't paid any interest charges in years. 2 are 'free', but I still carry an Amex card since I've found their international services to be helpful, though perhaps less useful today than it used to be. I still remember losing my card overseas and walking into a local Amex office and walking out with $1000 in travelers checks to tide me over while waiting for a replacement card to be delivered after the holiday weekend.
Any cash that a person carries can be seized by law enforcement - whether they charge you with a crime or not.
How about protection for online purchases (which doesn't involve a credit card terminal hooked up to my computer) since I don't want to deal with drivers or other setup to make it work.
Maybe something as simple as a time-based rotating 4 or 5 digit code (similar to an RSA token) that I type in when I make a transaction (whether online or at a merchant). Lock the card after the wrong code is entered 5 times in a row to prevent brute forcing.
The commenters on the eweek article point out that EMV would not have prevented the problem Target had. (I didn't see any video though.)
The relevant comments:
GWsaid on January 2, 2014 12:43 pm
...The security breach happened most likely because the data was unencrypted as it crossed from the terminal to the register. What is needed is encryption that happens at the terminal.
Shawn Ackersaid on December 25, 2013 10:16 pm
Your article makes a number of good points regarding EMV. However, EMV chipped cards don't force the data to be encrypted as it leaves the PIN Pad. In fact much of the data including the PAN(Card #), Expiration date, etc. is by default sent unencrypted and may be captured during transmission over the merchants network. But, it would be next to impossible to reproduce an EMV card unlike magstripe. This would prevent the in person fraud occurring as a result of the Target breach.
Nothing else needed, why are we even discussion this?
Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.
Um you didn't even point out the obviously flaw in today's day and age of using cash especially among slashdotters. So, I should stuff $2,000 in an envelope with purchase order and mail it to NewEgg to purchase the parts for my next gaming rig? NOT! "I'm sorry sir, but there was no cash in the envelope you sent us. Can you try re-sending it?" It really drives me nuts when snarky people are like just use cash! Oh yeah let's just drop the e-commerce market that's been built up around the internet and been an economic boon and go back to the dark ages. How about let's make electronic purchases better? Or better yet how about companies hire better people and/or train the people to follow best security practices?
We'll make great pets
Why do you have a picture of Jamie from Mythbusters?
I read the internet for the articles.
A number of hacks against non-contactless chip-and-pin cards have been demonstrated, and I would be suspicious of any claim that the contactless ones are more secure. Search for 'chip and pin is broken' for details of the exploits, and also a number of self-serving non-sequiturs supposedly justifying the issuers' inaction over the issue (for example, 'the protocol is sound', as if consumers can choose to use a sound implementation, and 'the exploit is too difficult in practice' despite good evidence that it has been used in the wild.)
Mr. Rash's article gives no indication that he is aware of these issues, and the way he describes how he found out about these cards suggests he doesn't have his finger on the pulse of security matters.
A simpler and cheaper way is to require credit card holder to create their 6 digit secret code
buyer would have to enter their secret code during check out
Yet another simplistic "smart cards would have prevented..." article. Do we really believe these glib summaries from MSM "Experts"? Will we simply accept the premise?
Time for a reality check. In an earlier thread after the breach, there was an entry from a @girlintraining that was at minimum though-provoking, and arguably much more credible than a lot of the puff pieces on offer. Take a moment and read it:
http://yro.slashdot.org/comments.pl?sid=4574335&cid=45733709
A conspiracy theory, for sure. But more sophisticated than any other Target analysis I have seen.
You are assuming that people actually check signatures.
When I bought a laptop several years ago, despite it being a purchase of over $2,000, the person behind the counter did not even watch me sign, or check the signature against the back of the card. That's when I changed my card signature to 'REQUIRE PHOTO ID'.
Signatures are an anachronism - much like the idea of carrying a wax seal around.
. . . are you serious?? checks? safer? o.O
He is talking about technology that is not commonly being used yet by most consumers to be used as protection against Target's exploit. You won't be in business long if you only take that type of technology card now, since not enough people use it AND you can exploit it as well.
I love how commentators come out of the woodwork after a breach to say how they would have stopped that particular event...after the event has happened, and especially after the full details have come out. The problem, of course, is that the actual defenders don't know how the attack will come, where it will come from, or when it will happen. I think it's particularly noteworthy that even after the fact, it took this guy weeks to come out with his suggestion, as single-minded as it is. Weak.
The premise that any form of payment will be inured against breach is ridiculous. This has never happened...of course, it's supposed to be a feature of each new system, but it never quite works out that way. I see no reason to think that this will change anytime soon.
For your security, this post has been encrypted with ROT-13, twice.
I was relocating and I needed a fast short term loan. I walked out of an Amex office with several thousand dollars in travelers checks. I didn't use all of it so I made my first monthly payment. Then I was reimbursed by my employer and paid off the loan in two months.
putting the 'B' in LGBTQ+
I've been working on a very large commercial web account for the past nine months, and have had a fair amount of exposure to merchant transaction security. Australia has been using chip readers for quite a while now, and for transactions under $100, you just tap the card to a glass covered reader -- faster than cash especially with the readers where all such transactions are instantly approved; above that, the chip goes into the reader to accept a pin and the balance is verified over a high-speed network. In Singapore, for web transactions, 3ds-auth is very popular; in addition to your card details, you redirect to a page on a 3ds provider, and enter additional details that no merchant would ever have access to before you redirect to confirm your purchase. Now, MasterCard and many major Australian banks are hosting a very nice implementation of a credit card vault, which you redirect to, answer 2-3 layers of security questions, and the merchant never stores your card details nor ever sees your CVV so there's nothing on the site to steal. (PCI audits ensure the merchant doesn't do something really stupid like store card details in exception logs, etc.). Additionally, CyberSource performs a layer of fraud protection.
Target broke several cardinal rules. Not only was the DB accessible, they were storing PIN numbers in addition to card data.
The whole point of PCI is to control what and who can access the Database, Encrypt the Database, and separate data into different databases so that if you get a single DB server hacked a hacker does not have everything needed to commit fraud. Target admitted to storing PIN numbers (wholly fuck you have to be kidding me) in addition to having no separation to the DB as well as direct exposure. They broke every PCI rule you can think of, and quite frankly I will never ever shop there again (even with cash).
The Target spin of "It happens to other companies all the time" and that the breech is "unlawful access to customer data" is pathetic. source
Storing whole card data beyond the point where the company receives funds from the bank is asinine. What they are supposed to store is unique identification data. And they are never ever supposed to store a PIN.
I will say that you are close to how I have seen and worked with PCI data. iptables rules locks DB connections to 1 host, which acts as a middle man. Internet -> Load Balancer -> WebApp -> Load Balancer -> DB (HA). Rules lock every connection except for the load balancer accepting internet connections. It takes discipline and money, and those things are supposed to be so much better in massive companies.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
EMV solves some issues but is vulnerable to a MITM attack, documentation etc has been online for about 2 years if I'm not mistaking and no fix or whatever in sight. It's all about the money, if the amount of fraud (covered by insurance) and costs is lower then an EMV rollout (or fix for EMV), banks won't move. It's 'included' in the business model. Same story for retailers, most POS systems are a joke when it comes to security, flat text transactions, old hardware (XP or below) with disabled updates, no antivirus, no password complexity, no effort whatsover to protect whatever. Just disable everything for the sake of a stable POS system. They simply don't care, they only will when there are legal repercussions and there aren't.
Nothing else needed, why are we even discussion this?
Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.
Ever heard of checks?
Checks are far worse than credit cards. They give thieves your name, address, bank, and bank account number.. And of course, they're all scanned and processed electronically now, too.
My CC gets compromised, I get issued a new card, and life goes on. A check gets compromised, and I have to open a new account.
Checks are even worse than credit cards - anyone with your account number (which is printed right there on the check, no "secret" CVV code or anything else needed) can use an electronic check (or print his own) to debit direct from your checking account.
I paid my daughter's creepy landlord with a check. When she moved out (three days after moving in!), he promised to return the money. I didn't believe him and the check hadn't cleared yet, so I cancelled it. He got pissed off and created four electronic checks drawn on my account and cashed them. I did manage to get my money back after sending an affidavit to my bank saying that the check was unauthorized.
I called the police and he's probably going to be arrested for multiple felonies, but it was a huge PITA. Checks suck. If at all possible, stick with credit cards, your risk is limited by law to $50 and in practice it's normally $0.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
"When thieves broke into the point-of-sale (POS) system at Target, they stole the data from the magnetic stripe on the back of credit and debit cards."
At the time. there were chipped solutions but the banks chose to go with magnetic stripes as it was the cheaper solution, this made it easy to steal the data and to replicate the cards.
The "Target Job" was performed by NSA as a proof-of-concept.
Amazon is the "big fish" in NSA sights!
Why? Most of the Target accounts and debit pins indicate that Target customers and drowning in debt of up to 400%.
Getting any cash from Target accounts and debit cards is busted ... broke before even charging $100 per account per account and debit pin.
Amazon is something else!
Amazon's users typically have 1K to 100K in disposable cash! Cracking Amazon will be the "Gold Standard" for NSA to get free cash to fund its efforts to enslave citizens of the USA, its most hated enemy because the citizens of the USA are Obama's most hated enemy.
Ever heard of checks?
Are you referring to those bits of paper that I stopped using around the turn of the century?
Il n'y a pas de Planet B.
The 3 digit security code, expiration date and the account holder name is not on the magstripe. Since those got stolen too, we know it's a database that got ripped from a computer system. A database that should not have existed, since it's illegal for anyone processing card data to store the 3 digit security code. Assuming this is because of a magstripe skimming device in *every* Target store card reading device at the same time is just not logical at all.
I was promised a flying car. Where is my flying car?
Argh. So much bad information here. If you're a merchant and looking to implement a card payment system, you are REQUIRED to follow the PCI-DSS guidelines. If you're even considering holding card details (mag stripe OR EMV), you're probably doing it wrong. Outsource that to a pre-certified PCI-DSS Payment Service Provider.
Business owners should educate themselves on level 2 and level 3 data. They'd greatly increase the security of their business to business transactions and remove a large layer of fees as a result. Double whammy! More explained: http://www.processingb2b.com/blog/targets-data-breach-indicates-level-2-and-level-3-credit-card-processing-can-be-critical-to-your-business