How to Avoid a Target-Style Credit Card Security Breach

Wayne Rash has covered IT as a reporter and editor for over 35 years. NPR, Fox Business News, and NBC all call on him as a technology expert. A few weeks ago he had an article on eWeek titled How Target's Credit Card Security Breach Could Have Been Avoided. In this video, Wayne tells how you (or your business) can avoid being targeted by miscreants out to steal credit card data. It turns out that the security measures he advocates for businesses are common in other parts of the world but haven't hit the United States quite yet. But don't despair. There are things you can do right now, as an individual, to limit your potential losses from card number thefts. Still, the long-term fixes to the security vulnerability that bit Target need to be made by merchants and card issuers, some of whom are already transitioning to cards and card readers that use EMV chips, and some of whom aren't quite there yet -- but might speed up their efforts after seeing what happened to Target.

What do I care?

[cayenne8]

It isn't like I'm going to lose any money if I get a CC stolen. I just call it in (in this case Target did it for me)...and they and the banks take the hit, doesn't affect me.

Why don't they just go back to having to have the physical card, take an imprint of it at the register manually, and help track the usage at the stores that way?

Re:What do I care?

[hawguy]

in this case Target did it for me

Did they? I was part of an organization who had a CC breach due to our own utter stupidity, we called both the FBI, Visa, and Mastercard and asked them if they wanted the card numbers that were breached ... they didn't give a flying fuck, didn't want to know anything about it. The FBI eventually cared enough to go to the guys house ... after WE tracked him down for them.

It wasn't a real breach, the guy just stumbled across an utterly stupid web app storing a massive list of CC #s in a log file that he happen to stumble on by playing with the URL path and going up a few directories ... turned out the guy really was just trying to get his damn purchase to go through.

So the FBI investigated, found the guy, who claimed that he didn't have fraudulent intent, and the banks decided not to spend thousands of dollars to replace cards that apparently didn't need to be replaced? It's possible that they treat a 40 million card breach differently since that opens them up to much more exposure from fraudulent purchases (in theory, Visa and Mastercard issuing banks don't pay for fraudulent purchases, they charge it back to the merchants, but it's still more work for their customer service reps and they may not be able to recover from all merchants)

Point to the story however is, Visa and MasterCard both told us to destroy the list of numbers and they wanted nothing to do with it. We of course moved the list off the server and saved it for the FBI, who of course DID want the evidence.

You're lucky you didn't get a PCI audit and a fine for non-compliance.

If you CC get stolen ... you will have to FIGHT to get charges removed unless you live in peter pan land where the fairy can fix it for you.

I've had 2 credit card numbers stolen -- one was a Visa card and the bank called me about a suspicious $500 charge attempt thousands of miles away. I told them that I didn't attempt that purchase (which they had declined), and they canceled my card and fedex'ed me a new one.

The other was an Amex card - this one had a series of small $20 - $50 charges. I called Amex to report the fraud, they canceled and reissued my card, I marked the fradulent charges online and they credited the charges back to me, then they sent me a letter that I had to sign and return to certify that I did not make those charges.

It could hardly have been any easier.

website security

[gbjbaanb]

... is all about DB security, simply do not allow any access to the DB from the webserver at all. Assume your webserver is already compromised and build from there, is not difficult to do.

Last place I worked, my boss had a pet website thing written in the usual way - client web code running on the web server that directly read DB tables. When he told the admin guys to put it live they told him they couldn't - there wasn't access to the DB from the webserver, so he told them to "just punch a hole in the firewall"... and they told him there was no firewall. There was no physical cabling between these servers.

That's the way to do it. you always go through a middle box, and you create an API on that middle tier that your web code can access, and that is tightly locked down. Then you also expose your DB as an API (via stored procedures) that only the middle tier can access.

Then, if (ha! when) someone hacks your web server, all they can do is call the API methods on the middle tier, and even if they manage to hack the middle tier too, all they can do is call the DB API methods. None of those methods will have a routine that returns more than 1 CC data, at best.

This stuff isn't hard, but requires a little more discipline than web devs are used to. It also requires that the only code you run on the web server is presentation stuff, no slapping it all on there like most code and frameworks guide you into doing.

Re:For consumers

[hawguy]

Here's what consumers can do. Simply use cards you preload money on. Walmart has them for $3 for Visa or Mastercard. Costs $3 each time you load funds onto the card (thus it's the same cost to reuse an existing card, or get a completely new one). Only load a couple hundred on the card each month, and if any issues come up, don't reload it and grab a new one next time. It's totally disconnected from your actual accounts in every way, and you mitigate any potential financial loss by only placing relatively small amounts of funds on the card.

Plus, it's not a "credit" card, so you don't have to worry about going into debt or interest rates.

Why use your cash to give the credit card company a free loan (and pay them for the privilege)?

Just use a regular credit card, by law your liability is only $50 for fraud (and I haven't heard of any bank enforcing the $50 limit for fraud reported in a timely manner). Unless you're willing to walk away from your $100 prepaid card without reporting the fraud and requesting a refund, you're not saving yourself any effort by using a prepaid card.

Never ever let your bank issue you a debit/ATM card that can be used as a credit card - request a PIN-only ATM card instead, and use it as little as possible, using the Bank's own ATM's where possible. Why risk letting a thief empty your bank account if they steal your card number? The bank may tell you that they will reimburse you upon reporting fraud, but if you started bouncing checks before you discovered the fraud, will they reimburse you for merchant returned check fees?

Re:For consumers

[PvtVoid]

Fees:

One-time Walmart fee: $3
Montly fee: $2
ATM withdrawal: $2 plus ATM fees
International ATM withdrawal: $2 plus ATM fees
ATM balance inquiry: $1
Replacement card: $3
Second card: $3
Foreign purchases: Two percent of total purchase amount in U.S. dollars

On top of all that, if the card is stolen or hacked, I lose whatever is spent off the card. If my credit card number is stolen, I am not responsible for charges.

Debit cards are for suckers.

Re:Use cash

[hawguy]

Nothing else needed, why are we even discussion this?

Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.

Re:For consumers

[garumph]

Also, always use a backup card when traveling to higher fraud areas. We vacation in Mexico regularly, for a while every time I went I would get hit with fraudulent charges after getting home. I switched to using one of our backup credit cards while on the trip, then calling the bank when I got home. I would tell them that I was traveling and suspect that my number might have been compromised. They have been more than happy to cancel my old number and reissue me a new one. A few days later I had a new card and was ready to travel again. No issues with fraud since we started doing that.

Re:Could someone explain EMV chips?

[Enderxeno]

The reason EMV is better is because the chip allows you to sign the transaction datagram before it is sent to the bank. The chip stores the specific cards signing cert and it can't be accessed, every time there is a transaction, the pin pad sends the transaction info to the card which encodes and signs it then it is sent to the processor. NFC and other tap transactions are just as safe because even if you intercept the info you can capture the signing cert and can't duplicate the transaction.

Re:Use cash

[hawguy]

Nothing else needed, why are we even discussion this?

Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.

Ever heard of checks?

Checks are even worse than credit cards - anyone with your account number (which is printed right there on the check, no "secret" CVV code or anything else needed) can use an electronic check (or print his own) to debit direct from your checking account.

Re:Could someone explain EMV chips?

[ADRA]

1. The card readers still have to make it to a compatible merchant services provider, so not usable everywhere. In Canada, its pretty rare for any small to large service providers not providing readers for chip cards. Only really little merch's that accept square or paypal haven't made the switch, or some big box american stores who's unified infrastructure apparently makes this too hard for the effort.

2. The chip is a digest encryptor to my knowledge. I don't know if anything besides the merch and most likely an account number are on the card unencrypted (or should be anyways), but yes, any and everything usable to track people's unique info can and will be used to track you. That is a 'freedom' long lost.

3. Wireless can be an issue (my Android phone's NFC pings when its laying on the wallet) but realistically, all companies supporting wireless transactions support VERY LOW payment methods, like $50 and most likely rejecting duplicate purchases. I bought movie tickets yesterday with pay wave and I then went to the popcorn stand and waved again. The second time, it required chip usage, so there's probably logic to cap the potential losses of fraudulent wireless payment charges.

Re:Use cash

[zifn4b]

Nothing else needed, why are we even discussion this?

Not everyone wants to walk around with $1000+ in cash in their pocket so they can make a big purchase. And when you lose cash, it's really lost to you - if someone steals the cash from your pocket, there's little hope of recovery unless they happen to catch the thief, at least if they steal your credit card, you can report the fraud and get your money back.

Um you didn't even point out the obviously flaw in today's day and age of using cash especially among slashdotters. So, I should stuff $2,000 in an envelope with purchase order and mail it to NewEgg to purchase the parts for my next gaming rig? NOT! "I'm sorry sir, but there was no cash in the envelope you sent us. Can you try re-sending it?" It really drives me nuts when snarky people are like just use cash! Oh yeah let's just drop the e-commerce market that's been built up around the internet and been an economic boon and go back to the dark ages. How about let's make electronic purchases better? Or better yet how about companies hire better people and/or train the people to follow best security practices?