Slashdot Mirror
How to Avoid a Target-Style Credit Card Security Breach (Video)
Wayne Rash has covered IT as a reporter and editor for over 35 years. NPR, Fox Business News, and NBC all call on him as a technology expert. A few weeks ago he had an article on eWeek titled How Target's Credit Card Security Breach Could Have Been Avoided. In this video, Wayne tells how you (or your business) can avoid being targeted by miscreants out to steal credit card data. It turns out that the security measures he advocates for businesses are common in other parts of the world but haven't hit the United States quite yet. But don't despair. There are things you can do right now, as an individual, to limit your potential losses from card number thefts. Still, the long-term fixes to the security vulnerability that bit Target need to be made by merchants and card issuers, some of whom are already transitioning to cards and card readers that use EMV chips, and some of whom aren't quite there yet -- but might speed up their efforts after seeing what happened to Target.
The reason EMV is better is because the chip allows you to sign the transaction datagram before it is sent to the bank. The chip stores the specific cards signing cert and it can't be accessed, every time there is a transaction, the pin pad sends the transaction info to the card which encodes and signs it then it is sent to the processor. NFC and other tap transactions are just as safe because even if you intercept the info you can capture the signing cert and can't duplicate the transaction.
in this case Target did it for me
Did they? I was part of an organization who had a CC breach due to our own utter stupidity, we called both the FBI, Visa, and Mastercard and asked them if they wanted the card numbers that were breached ... they didn't give a flying fuck, didn't want to know anything about it. The FBI eventually cared enough to go to the guys house ... after WE tracked him down for them.
It wasn't a real breach, the guy just stumbled across an utterly stupid web app storing a massive list of CC #s in a log file that he happen to stumble on by playing with the URL path and going up a few directories ... turned out the guy really was just trying to get his damn purchase to go through.
So the FBI investigated, found the guy, who claimed that he didn't have fraudulent intent, and the banks decided not to spend thousands of dollars to replace cards that apparently didn't need to be replaced? It's possible that they treat a 40 million card breach differently since that opens them up to much more exposure from fraudulent purchases (in theory, Visa and Mastercard issuing banks don't pay for fraudulent purchases, they charge it back to the merchants, but it's still more work for their customer service reps and they may not be able to recover from all merchants)
Point to the story however is, Visa and MasterCard both told us to destroy the list of numbers and they wanted nothing to do with it. We of course moved the list off the server and saved it for the FBI, who of course DID want the evidence.
You're lucky you didn't get a PCI audit and a fine for non-compliance.
If you CC get stolen ... you will have to FIGHT to get charges removed unless you live in peter pan land where the fairy can fix it for you.
I've had 2 credit card numbers stolen -- one was a Visa card and the bank called me about a suspicious $500 charge attempt thousands of miles away. I told them that I didn't attempt that purchase (which they had declined), and they canceled my card and fedex'ed me a new one.
The other was an Amex card - this one had a series of small $20 - $50 charges. I called Amex to report the fraud, they canceled and reissued my card, I marked the fradulent charges online and they credited the charges back to me, then they sent me a letter that I had to sign and return to certify that I did not make those charges.
It could hardly have been any easier.