Access was reportedly given to help power savings, but network wasn't properly isolated from consumer data

It's said that for every $100 USD spent at retailers via credit card, 5 cents is lost to fraud.  The holiday hack of Target Corp. (TGT) reminded Americans that this problem is far from solved.  And with new details leaking out from the U.S. Secret Service investigation, there's cause for concern that Target's data loss could be just the tip of the iceberg.

I. Wal-Mart, et al. Revealed to be At Risk

The latest twist in the saga surrounding the massive credit card data loss should make other retail/grocery chains, including Whole Foods Market, Inc. (WFM), Trader Joe's Comp., and the nation's #3 warehouse retail chain, BJ's Wholesale Club, more than a bit nervous.

According to sources of Washington Post security researcher Brian Krebs -- the first member of the media to catch wind of the breach -- the hackers had a little help from an insecure third party.  They reportedly struck by first compromising systems at a heating and air conditioning business in Sharpsburg, Penn., which Target used as a contractor.  The firm -- Fazio Mechanical Service -- has a flashy portfolio of high-profile clients that includes not only Target and all of the aforementioned retailers/grocers, but a number of other large firms that Mr. Krebs and other early reports have not mentioned.

This latest news emerged after Reuters and The Wall Street Journal quoted Target executives last week as saying that the breach occurred via a compromised third-party contractor.  Digging around on Fazio's clients page, which remains active following Mr. Krebs' post, I found that the list of high-profile clients doesn't stop with the three other companies Mr. Krebs mentioned.

Fazio clients
Fazio's clients list includes many top chains that may have been exposed.

It turns out that Fazio's blue chip client list is even bigger, including large retail locations belonging to Wal-Mart Stores, Inc. (WMT) (and its subsidiary Sam's Club), Costco Wholesale Corp. (COST), and the ALDI Group; gas stations belonging to Marathon Oil Corp. (MRO) and Exxon Mobil (XOM); and restaurant locations belonging to Denny's Corp. (DENN) and others.

It is unclear why Mr. Krebs did not mention these other, even bigger clients, but their presence on the list makes his warning weightier than the shorter list suggested.

These clients helped Fazio to earn the distinction of being the largest heating, ventilation, and air conditioning (HVAC) commercial sales and repair company in the western Pennsylvania area.  Fazio had service centers in Pennsylvania, as well as outposts in nearby states, including Maryland, Ohio, Virginia, and West Virginia.

It appears increasingly likely that Mr. Krebs' sources are correct -- there was a breach at Fazio that led to a breach at its client (Target).  Fazio President Ross Fazio confirmed that he received a recent visit from the Secret Service in connection to the ongoing Target investigation. 

II. Timeline of the Attack Emerges

Fazio has otherwise refused to answer press questions as to whether its networks were penetrated by the hacker ring last November and then used as a launchpad for the alarming penetration of the nation's third largest retail chain.  But Reuters offers some verification of the report, writing:

A law enforcement source told Reuters that evidence suggests the hackers stole login credentials from Fazio and may have used the credentials to break into Target's network. The source added, however, that investigators were not sure that this was what happened, and it was possible the hackers used other ways to breach Target's network.

According to these various reports, the attackers were using Fazio's access by Nov. 15.  Evidence points to the hackers using Fazio's compromised systems, possibly by capturing employee logins, to harvest credentials for partner networks such as Target's.

Believed to be based in Russia and/or Eastern Europe, the unknown perpetrators used these credentials to reach Target's store networks almost immediately, but they were careful to test their newfound access.  They reportedly installed card-stealing malware on the point-of-sale (POS) registers at a small number of Target stores between Nov. 15 and Nov. 28, a test run of sorts.


A test-run preceded the full-blown attack on Target store registers. [Image Source: ABC News]

Satisfied with the results, on Nov. 27 or Nov. 28 they rolled the malware out to registers at a large number of Target locations at the height of holiday shopping.  For nearly a month the hackers lurked unnoticed, silently harvesting unencrypted card data.  The malware did not need a stored database to raid: it scraped the magnetic-stripe track data (card number, expiration date and the rest of the stripe) from the memory of each register in the brief window between the swipe and the encrypted authorization request, which is the one moment the data is in the clear.  Target finally detected the breach on Dec. 15 and notified federal authorities.

In total, the cyberthieves made off with data on at least 40 million credit and debit cards and the personal data (addresses, home phone numbers, etc.) of 70 million Americans.  The debit card losses are particularly problematic.  While fraudulent credit card transactions can be noticed quickly via online bank portals, reported and reversed, banks tend to be much more resistant to refunding debit transactions.  Furthermore, whereas stolen credit cards leave an identifiable purchase trail, cash withdrawn with a cloned card and a stolen PIN is much harder to trace.

III. Catch Me If You Can

Thus far the hackers have indeed proven hard to catch.

The hackers reportedly routed the data from the compromised Target networks through Fazio and out to a number of compromised servers in the U.S. and Brazil.  This was clever for a number of reasons.  First, Target apparently exchanges a good deal of traffic with Fazio (more on that later), so another stream in that direction would be far less likely to draw attention than store servers phoning directly to the attackers.

Also, by shuffling the data to the so-called "drop sites" or "drop servers", the attackers were able to further cover their tracks.  The attackers reportedly had near-complete control of these systems, versus Fazio where the privileges gained were more limited.  As a result, they could fully cleanse the drop sites of direct records of where they were offloading the data to.

While sources have said this kind of tactic is a calling card of Russia's and Eastern Europe's best black-hat hackers, it sounds like federal authorities at this point have no real idea where the data went after the attackers pulled it off the drop sites by FTP.

According to Mr. Krebs, the drop sites included a small business in Miami, Florida and a business in Brazil.

IV. At-Risk Retailers Could Have Avoided the Breach in Multiple Ways

At this point there is no evidence that the hackers were able to obtain login credentials of other big Fazio clients, such as Marathon or Wal-Mart.  Even if they got the logins, there are a couple of reasons why those efforts could have fallen short of the epic looting of Target.

First, Target was reportedly used to sending a lot of data to Fazio.  Mr. Krebs writes that this is not uncommon, as retailers and restaurant chains often feed data from local sensors to their HVAC contractors to improve energy efficiency.  An unnamed cybersecurity expert, who was not authorized to speak on behalf of the major retailer he worked for, told Mr. Krebs:

To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software.  This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.

While the source indicates this is a widespread practice, it seems likely that at least some of Fazio's corporate clients operated differently and did not share such efficiency data.  For example, it would make little sense to micromanage the heating and cooling of a gas station, given its much lower energy costs.

Second, Target made a critical error: it reportedly kept no separation between its store registers and the network its HVAC contractor could reach.  According to Mr. Krebs, once the hackers had a foothold on that vendor-accessible network, nothing stopped them from moving laterally to the registers, where they had sufficient privileges to install malware silently.  Basic network segmentation (registers in their own zone, with only the payment gateway and a patch server allowed to talk to them) would have turned a compromised vendor login into a dead end.

V. Target Appears to Have Breached Legally-Binding Industry Standard

One would hope that at least some of the other Fazio clients practiced a bit better security.

Most major retailers, including Target, have agreed to a code of conduct for handling credit and debit cards.  Dubbed the PCI Data Security Standard [PDF], it is not a law but a contractual obligation imposed through the card brands and acquiring banks, and it requires two-factor authentication for any remote access into the cardholder data environment, whether by employees, administrators or third parties -- a category that includes advertising partners, repairmen, contractors and other vendors.  Many businesses are believed to skimp on this and on the standard's monitoring requirements, given the cost of implementing them.

PCI requirements
The breach seems to indicate that Target wasn't following many of the above legally binding measures it agreed to. [Image Source: Brian Krebs/PCI Board]

The PCI Standard requires card data to be encrypted when it is transmitted over public networks, and it forbids storing the full magnetic-stripe track after a transaction is authorized.  Neither rule covers the moment the malware exploited: the instant a card is swiped, the track data sits in the register's memory in the clear, before the POS software encrypts it for transmission, and memory-scraping malware reads it there.  Closing that gap requires readers that encrypt the swipe in hardware before any software sees it (what the industry calls point-to-point encryption), which the standard in force at the time did not mandate.

The PCI Standard also requires merchants to monitor network resources and access to cardholder data across all retail sites, and to keep anti-malware software on the systems that commonly handle cards, points of sale included.  Whatever software Target had in place, its monitoring plainly fell short: for nearly three weeks Target's network staff failed to notice a sustained outflow of card data from its retail locations, traffic that a per-host egress baseline, or an alert on internal servers FTPing to unknown external hosts, should have caught.
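The two failures above, a vendor-reachable network with a path to the registers and an outflow nobody noticed, are both things a simple zone policy plus an egress check will surface. The following is an added example written for this page, not Target's or Fazio's configuration: the subnets, the allowed-flow table and the five flow records are constructed, and a real deployment would evaluate NetFlow or firewall logs rather than an in-memory list.

```python
"""Segmentation policy and egress check over constructed flow records.

Added example for this page; not any retailer's real configuration.
Subnets, hosts and flows are invented.  The two things it flags are the
two things the article describes: a vendor landing zone reaching a
register, and one internal host pushing a large volume out by FTP.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical store network plan (assumption): each role in its own subnet.
ZONES = {
    "pos":     ipaddress.ip_network("10.10.0.0/16"),    # registers
    "hvac":    ipaddress.ip_network("10.20.0.0/16"),    # building controls
    "vendor":  ipaddress.ip_network("10.30.0.0/16"),    # third-party VPN landing zone
    "corp":    ipaddress.ip_network("10.40.0.0/16"),    # back-office servers
    "payment": ipaddress.ip_network("203.0.113.0/24"),  # processor (TEST-NET-3 range)
}

# Permitted (src zone, dst zone, dst port) tuples; anything else is denied.
ALLOW = {
    ("pos", "payment", 443),   # authorization traffic only
    ("pos", "corp", 514),      # syslog to the collector
    ("vendor", "hvac", 443),   # contractor maintains HVAC controllers
    ("corp", "pos", 445),      # patch distribution to registers
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    bytes_out: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(flow: Flow) -> list:
    """Policy findings for one flow; an empty list means the flow is clean."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    findings = []
    if (src_zone, dst_zone, flow.dst_port) not in ALLOW:
        findings.append(f"deny {src_zone}->{dst_zone}:{flow.dst_port}")
    if dst_zone == "pos" and src_zone in ("vendor", "hvac"):
        findings.append("vendor/hvac zone reaching registers")
    if flow.dst_port in (20, 21) and dst_zone == "external":
        findings.append("ftp to external host")
    return findings


def scan(flows) -> dict:
    """Map each offending flow to its findings."""
    result = {}
    for f in flows:
        findings = evaluate(f)
        if findings:
            result[f] = findings
    return result


def large_egress(flows, threshold_bytes: int) -> dict:
    """Bytes sent to external hosts, per internal source, at or above a threshold.
    A per-source total is where a weeks-long exfiltration shows up even
    when every individual flow looks small."""
    totals = {}
    for f in flows:
        if zone_of(f.dst) == "external":
            totals[f.src] = totals.get(f.src, 0) + f.bytes_out
    return {src: n for src, n in totals.items() if n >= threshold_bytes}


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.10.5.21", "203.0.113.10", 443, 4_200),         # register authorizes a sale
    Flow("10.30.0.7", "10.20.1.4", 443, 18_000),            # contractor to HVAC controller
    Flow("10.30.0.7", "10.10.5.21", 445, 900_000),          # contractor landing zone to a register
    Flow("10.40.2.9", "198.51.100.44", 21, 95_000_000),     # back-office server FTPs 95 MB out
    Flow("10.10.5.21", "10.40.2.9", 514, 1_200),            # register syslog
]

if __name__ == "__main__":
    for flow, findings in scan(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}  {'; '.join(findings)}")
    print("bulk egress:", large_egress(SAMPLE_FLOWS, 50_000_000))
```

Two of the five constructed flows are flagged: the landing-zone host reaching a register (denied by the allow table and by the zone rule) and the back-office server sending 95 MB to an external host on port 21. The allow table is deliberately short; the point of a default-deny policy is that a vendor login only ever buys access to what the vendor is there to service.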

Avivah Litan, a fraud analyst at Gartner Inc. (IT), suggests the culpability may lie partially with the standards organization for failing to properly ensure its members were implementing the controls they agreed to.

VI. Suits, Scrutiny Pile Up

Target executives were recently grilled in a Senate hearing over the breach. Chief Financial Officer John Mulligan seemed to overstate the sophistication of his company's monitoring efforts.  He testified:

Despite significant investment in multiple layers of detection that we had in our systems, we did not [detect the attacks sooner].

Mr. Mulligan added that his company was "very sorry" about the attacks.  He testified that retailers and financial firms need to work together to adopt so-called "chip-and-PIN" cards, the EMV standard long used in Europe.  These cards carry a small secure microcontroller that holds a secret key and computes a unique cryptogram for every transaction, which the issuing bank verifies; unlike the static data on a magnetic stripe, a captured cryptogram cannot be replayed, and the key itself never leaves the chip.

Target CFO
Target CFO John Mulligan (left) is sworn in during a recent Senate hearing on the breach.
[Image Source: Reuters]

While these cards are more expensive for banks to issue, they make it far harder for hackers to manufacture working counterfeit cards from stolen data, perhaps making the fraud uneconomical in some cases.  The caveat is that the chip protects only in-person transactions; the card number and expiration date remain usable for online purchases unless those are protected separately.
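The property that makes chip cards resistant to the kind of theft described in this article is the per-transaction cryptogram, and it is easier to see in code than in prose. The following is an added example written for this page, a simplified model of the EMV application-cryptogram idea rather than the EMV specification: HMAC-SHA256 stands in for the card's block-cipher MAC, the issuer master key and card number are constructed, and the key derivation is a placeholder.

```python
"""A dynamic per-transaction cryptogram, and why captured data cannot be replayed.

Added example for this page.  Simplified model of the EMV chip's
application cryptogram, not the EMV specification: real cards use
issuer-derived keys and a block-cipher MAC, and HMAC-SHA256 stands in
for that MAC here.  Master key, card number and amounts are constructed.
"""
import hashlib
import hmac
import os

ISSUER_MASTER_KEY = bytes(range(32))      # constructed; a real HSM-held key is random


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Per-card key the issuer can recompute but the terminal never sees (placeholder KDF)."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def _mac(key: bytes, pan: str, amount_cents: int, atc: int, nonce: bytes) -> bytes:
    data = f"{pan}|{amount_cents}|{atc}|".encode() + nonce
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """Models the secure element: the key never leaves it and the counter only rises."""
    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0                          # application transaction counter

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes):
        self.atc += 1
        return self.atc, _mac(self._key, self.pan, amount_cents, self.atc, terminal_nonce)


class Issuer:
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_atc = {}                    # highest counter accepted per card

    def authorize(self, pan, amount_cents, atc, terminal_nonce, cryptogram) -> bool:
        key = derive_card_key(self.master_key, pan)
        expected = _mac(key, pan, amount_cents, atc, terminal_nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False                      # wrong key, amount, counter or nonce
        if atc <= self.last_atc.get(pan, 0):
            return False                      # counter reused: replay, or a clone out of sync
        self.last_atc[pan] = atc
        return True


def demo():
    """Five authorization attempts; returns their outcomes in order."""
    issuer = Issuer(ISSUER_MASTER_KEY)
    pan = "4111111111111111"                  # constructed test card number
    card = ChipCard(pan, derive_card_key(ISSUER_MASTER_KEY, pan))

    # 1. Genuine sale: terminal picks a nonce, card signs, issuer accepts.
    nonce = os.urandom(4)
    atc, crypt = card.generate_cryptogram(2599, nonce)
    genuine = issuer.authorize(pan, 2599, atc, nonce, crypt)

    # 2. Everything a memory scraper could capture from that sale, replayed verbatim.
    replay = issuer.authorize(pan, 2599, atc, nonce, crypt)

    # 3. The captured cryptogram presented at another terminal (fresh nonce, next counter).
    forged = issuer.authorize(pan, 2599, atc + 1, os.urandom(4), crypt)

    # 4. Attacker holding only the card number, as from a stripe dump, guessing a cryptogram.
    guessed = issuer.authorize(pan, 2599, atc + 1, os.urandom(4), os.urandom(8))

    # 5. The real card's next purchase still works because its counter advanced.
    nonce2 = os.urandom(4)
    atc2, crypt2 = card.generate_cryptogram(1000, nonce2)
    genuine_again = issuer.authorize(pan, 1000, atc2, nonce2, crypt2)

    return genuine, replay, forged, guessed, genuine_again


if __name__ == "__main__":
    print(dict(zip(["genuine", "replay", "forged", "guessed", "genuine_again"], demo())))
```

Only the first and last attempts succeed. Everything a register holds in memory during a chip transaction (card number, amount, counter, nonce and cryptogram) is useless a second time, which is the difference between this and a magnetic stripe, where the captured bytes are the credential. Note that the card number itself is still visible to the terminal, which is why card-not-present fraud survives the move to chips.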

But the issue is who will pay for that technology.  Given its apparent negligence and breach of the PCI Standard, Target will likely be forced to pay around $420M USD in damages, according to Avivah Litan, a figure that has grown as the extent of the breach became clear.

As of mid-January, Target faced over 70 lawsuits, including class actions from consumers and banks.  Such suits are often consolidated in the federal court system, but given its apparent breach of contractual obligations, Target's beleaguered legal team may have to consent to expensive settlements.

VII. Target CFO: "Chip-and-PIN" is the Answer

In addition to the $420M USD or more in potential damages, Target IT officials also indicated the cost to implement a chip-and-PIN solution would be around $100M USD.  That puts the total cost at over half a billion dollars, more than a sixth of Target's net income ($2.99B USD) from last year.

And that's not to mention the cost of the apology promotions.  Target CEO Gregg Steinhafel announced in December that shoppers on Dec. 21 and 22 would receive a one-time discount equivalent to the discount that Target gives its own employees -- 10 percent off most items.


Target offered shoppers an apology discount in December.
[Image Source: thewritersguidetopublishing.com]

Target would like to see the banks pay for that upgrade, particularly after they were so aggressive in targeting it with class action lawsuits.  But banks have been resistant to such changes, pointing out that hacks like Target's could have been stopped in other ways had stores not skimped on security spending.

They blame retailers for the breaches -- both in court and behind closed doors -- and say the retailers need to pay for the fix, whether that fix is physical measures like chip-and-PIN readers or simply better site-based monitoring.

Credit Cards
Chip-and-PIN technology could help make credit card fraud prohibitively expensive.  The approach has been used in Europe with modest success. [Image Source: France24]

Federal Trade Commission (FTC) Chairwoman Edith Ramirez alluded to this in comments during the Senate hearing stating:

It is of concern to me that our payment card systems really do need improvement.  Based on latest information available to us ... it's clear that companies need to do a lot more, that they continue to make basic mistakes.

In short don't expect this problem to get fixed anytime soon, given that no one can seem to agree who should pay for the fix.

VIII. ... But No One Wants to Pay For Chip-and-PIN

It's not surprising to hear the leaks from Target and other sources regarding Fazio, given that Fazio will likely be targeted in court by partners to try to recoup costs.  But it remains to be seen how much can be recouped.  Court documents [PDF] from a 2012 case indicate Mr. Fazio had an annual income of $1M USD (as of 1998), and analyst site Find The Company estimates that Fazio Mechanical Service currently has revenues of about $12.5M USD per year. 

That's unlikely to cover the half-billion or more that Target will owe, but it wouldn't be surprising to see the embattled company try to spread the blame on the smaller firm.

Finally, it's important not to assume that the other Fazio clients -- Wal-Mart, Whole Foods, Trader Joe's, Marathon, Costco, Denny's and Sam's Club (among others) -- have also lost credit card data.  While the hackers appear to have had the first level of access necessary to go after these other retailers, there's no evidence that such hacks have occurred.  It's possible the hackers attacked Target alone out of time constraints, or after examining the other retailers' defenses and deciding Target was the softest target.

Likewise, it's equally important to realize that the breach Target has disclosed may be just the tip of the iceberg.

History would suggest that large, sophisticated intrusions seldom affect only one firm, but often victimize several firms via a common security flaw. 

IX. History Repeats

Target itself was among the victims of a hacking campaign that began in 2005.  While Target was among the first to notice that breach, other retailers such as Barnes & Noble Inc. (BKS), 7-Eleven, Inc., and J.C. Penney, Comp. (JCP) would later discover breaches from the same attack.

Where there's a common weakness, there are often multiple victims in the digital world.  In the 2005 hack and subsequent related breaches, ringleader Albert Gonzalez made off with over 160 million credit cards, with damages for just three of the dozens of victims totaling $300M USD.

Mr. Gonzalez -- famous for living large and burying about a million dollars in cash in his parents' backyard -- was arrested by U.S. federal agents in 2008 and sentenced to 20 years in federal prison in 2010.  But the case has yet to wrap up: a July 2013 indictment brought charges against five of his cohorts, three of whom remain at large.

While everyone -- including Target, surely -- is hoping for a speedy resolution, that may not be the case.  If the Target investigation follows a similar cat-and-mouse trajectory as was seen in the 2005 Target hack, it may be at least 2016 before investigators catch even one of the suspects, and 2020 or later before they begin to bring charges against and round up the remaining fugitives.  One potentially promising arrest has been made, but such leads often turn up dead ends, as they may simply be people who received stolen card info from anonymous online marketplaces set up by the main culprits.

While the public waits for justice, we may see more retail chains discover related breaches of customer data.

Wal-Mart and others have been eerily silent on the Target hack, rather than looking to leverage the embarrassment to their advantage.  The question is whether that silence is motivated simply by sympathy, a desire not to push expensive new solutions (like chip-and-PIN), or fears of breaches of their own.

In coming weeks expect that many of the nation's top retailers will be under close scrutiny, even as U.S. Secret Service agents attempt the daunting task of trying to catch the sophisticated thieves.

Sources: Fazio [clients list], Brian Krebs, Reuters



Comments

Infrastructure & POS on Same Computers?
By DaveLessnau on 2/6/2014 1:25:37 AM , Rating: 2
I wonder how common that is (using the same computer system to handle both your infrastructure and your point-of-sale stuff)? To me, that sounds mind-numbingly dumb. But, to a corporation, maybe it's an efficient use of resources. Even so, compromising an HVAC company to infiltrate other companies (even if "only" to get access to infrastructure activities) is scary.




RE: Infrastructure & POS on Same Computers?
By amanojaku on 2/6/2014 2:36:10 AM , Rating: 5
It's a lot more common than you might think, and it's not about efficiency. It's generally the fault of a legacy network that's so overgrown no one wants to risk changing it. Companies with many locations tend to be the worst offenders, but many small businesses are built this way, as well. No one really gets the reasons behind network subnetting until a broadcast storm or a security breach...

I remember consulting for a company that was experiencing 10% packet loss internally. It didn't make sense that 400 servers with 10/100 couldn't be supported by the network - until you learned it was flat. And each machine had multiple IPs, so thousands of IPs were in one broadcast domain. About 20% of the traffic was ARP. Oh boy... They thought they had to buy new hardware. I just popped another switch onto a free port on the router, assigned a new VLAN and subnet, and wowed them with 0% packet loss, plus the ability to assign firewall rules. People don't even know how to work their own stuff sometimes...


RE: Infrastructure & POS on Same Computers?
By Solandri on 2/6/2014 3:54:21 AM , Rating: 1
Another possibility is that the POS and company computers were on separate networks. But most companies only have one Internet connection (if they have another, it's usually a fallback connection as a backup in case the main connection goes down). A router would then split it into a POS subnet and company subnet. But if your network gets pwned, it's easy enough for a hacker to reconfigure or traverse that barrier to access the POS subnet from the company subnet.

The only way to absolutely prevent this would be not only physically separate networks, but physically separate Internet connections.


By Labotomizer on 2/6/2014 9:13:00 AM , Rating: 2
Incorrect. You can separate everything via VLAN and firewall rules on a single internet connection with very little effort. Combination of ACL rules on your routers/switches and properly configured firewall is arguably better than physical separation. Physical separation isn't as good as you might think.

If they compromised routers, firewalls and switches then you've got bigger problems.

IPsec should have been implemented for communication from the POS systems in this case and there shouldn't be any reason for POS systems to talk directly to the internet. Additionally there shouldn't be any reason, ever, that an HVAC system would be able to communicate with the POS network or vice versa. I could build out a PoC for a properly configured network in less than 8 hours with brand new gear. This really isn't that difficult. It can be expensive though, especially when spanning the number of stores Target has.


RE: Infrastructure & POS on Same Computers?
By SAN-Man on 2/6/2014 7:03:52 AM , Rating: 2
Companies are CHEAP. They do this ALL the time. :)


By SAN-Man on 2/6/2014 7:06:42 AM , Rating: 4
I've seen companies that run their card reader system off someone's PC, finance databases are run off someone's PC, web servers, all sitting under people's desks. Even HR. One company I interacted with kept their customer database on their HR manager's laptop and she would burn it to CD once a week.

Companies are cheap cheap cheap and generally incompetent when it comes to technology because this cheapness keeps them from hiring people who know what they are doing (they cost a lot, not all IT people are made alike - most suck and are completely terrible).


By Samus on 2/8/2014 12:05:42 AM , Rating: 2
Typical corporate-America IT infrastructure is often scary. Sometimes I pick up new clients that are in such a disastrous situation (either because they're cheap or the previous IT admin didn't know jack, or both) that I don't even know where to begin.

I'm talking law offices running DSL internet on residential-class modems/firewalls with open-relay Exchange servers, medical offices with unpatched Windows 2003 servers, real estate brokers with no mobile device PINs and password policies that allow your password to be your NAME. Don't even ask about backups, because if they exist, they're often unencrypted and sent home daily on a portable hard disk with the secretary. Anybody who steals her purse would effectively have the whole organization and its customers by the balls.

People simply don't understand technology. Until they do, there will be security threats like this. Often times nobody even understands the gravity of the situation they are/could be in. They're easy pickings.


By CZroe on 2/7/2014 10:54:10 AM , Rating: 2
I think you mean that they were on the same network. Even then, it's possible that sophisticated malware could even break through a physical separation of different networks with methods like those used in Stuxnet, especially if they were targeted specifically (as it sounds like they were).

The author also makes the assumption that the card database wasn't encrypted when it may not have even existed. Other than online sales, I don't see why Target would be storing card numbers. The malware probably intercepted and stored them in real time, possibly grabbing them right out of system RAM. Actually, I'm sure I read something here saying that's exactly what happened.


By Belegost on 2/6/2014 12:07:47 PM , Rating: 2
First, based on what I've read the attack used RAM scraping to locate the magstrip read information, this information was being stored in RAM on the terminal unencrypted. I'm fairly sure the system would encrypt it before transfer. But that's too late.

It's honestly a completely worthless, sh!t design that would ever have the data from the reader in any software accessible location. As a systems engineer who designs mobile hardware every day, I would be embarrassed to have built such a piss poor design.

A proper design here:

-When a card is swiped the data is stored in a HW register that has no software accessible address.

-A HW encryption engine takes the data from the register, encrypts it and dumps the encrypted data to a memory location, and sends an interrupt to SW.

-SW then picks up only encrypted information. At no time is the strip data available to anything but the encryption engine.

With the system designed like this the best the attackers could have gotten was encrypted card data. And if good encryption procedures were used the attackers would either need to expend significant computing resources on cracking each transaction, or also break into the servers for each card issuing institution and steal the keys for that institutions cards. (And while I'm not a cryptography expert, it may be possible that even with that information the system could be designed so that side information about the transaction such as time, location, etc. would be needed.)

So why aren't the card reader/POS makers on the grill? Why are they not being taken to task for making a pathetically bad system to begin with? Target definitely f'ed up on their network security, but that would not have been an issue if the POS devices had been properly designed.




By JRC-BLD on 2/6/2014 1:05:39 PM , Rating: 2
I think you are correct about the method used to extract the card account numbers or card tracks. The article implies that the clear-text card tracks were stored on the terminal hard drive and extracted by the hackers from some file. I have had a PCI audit done of my POS software, and the auditor runs test transactions and then scans the entire hard drive for card account numbers or card tracks. If found, the software is not compliant and would not have been certified. So, I don't think the Target POS was storing any cardholder data in clear text, if at all.

The main problem for POS software vendors is that they are tied to the outdated mag-stripe card format and card readers. My coding would be much easier if I only received an encrypted data block to send to the credit host. Unfortunately, most if not all card readers used by U.S. retailers send the card tracks to the POS software in clear text. For debit cards, I do receive a block of encrypted data for PIN numbers, but I still receive the card's track 2 in clear text. Even if I only hold it for milliseconds before sending it to the credit host over a secure connection, that is enough time for a RAM scraper to get the card tracks.

The secure reader you describe is an effective method to reduce the exposure of card data. However, it would require a change of all card readers, all POS systems, and all host systems. This is an expense that nobody seems to want to accept.

The real culprit here is the format of the credit/debit cards. Until this changes, there is not much manufacturers of card readers or POS software can do. And again, there seems to be resistance by the payment processing industry to bear the costs of such a change.


By Belegost on 2/6/2014 1:36:26 PM , Rating: 2
Interesting to hear from someone in the industry. What I find particularly sad here is that I recall reading that Target had over the past couple years done a replacement of most/all of their POS systems.

It seems like low security readers like that should not be available - I could see 10/20 year old systems being bad, but modern systems should do better. This would at least slowly improve security as old readers/systems are upgraded. But continuing to put out insecure systems just continues propagating it.

quote:
The real culprit here is the format of the credit/debit cards. Until this changes, there is not much manufacturers of card readers or POS software can do. And again, there seems to be resistance by the payment processing industry to bear the costs of such a change.


I agree, if we are going to overhaul the whole system we may as well go to the extra effort of putting in place a more secure protocol at all levels. However, I actually think the industry needs to look at moving past even chip+pin systems as those could definitely be improved on as well.

And I think that some of the blame needs to be placed on the banking industry - they push the burdens of the fraud onto as many other shoulders as possible while taking as much of the benefits as they can, and refusing to pay their share of the costs to upgrade security. It's an overall mess.


By JRC-BLD on 2/6/2014 2:23:06 PM , Rating: 2
The problem for the POS software vendor is that the credit host dictates the format for cardholder data. The ISO 8583 specification has data elements for card tracks, account numbers, and expiration date. These are specified as clear text strings. The credit hosts have used this specification for a long time, and it worked fine when the card terminal was simple mag-stripe reader with a modem that dialed up the credit host - not much place for the hacker to get into. However, as things progressed, we can now submit our authorization requests from a standard computer that can be exposed to hackers.

So, making a more secure reader would make a lot of sense. As a software vendor, I would have much less coding to do. But, getting a block of encrypted data from a secure reader does me no good, as I have no way to get that to the credit host in a manner that they would understand. They are stuck with the ISO 8583 specification. The only way a secure reader would be usable is if the credit hosts adopted that format for card data and then modified the spec to define how that secure data is to be packaged for transmission.

In summary, the change needs to start at the top - with the credit hosts. Once they mandate a secure format for the data, then the manufacturers of cards readers and the POS systems that use them can make the appropriate changes. And this can be phased in. Implement a secure format, and allow a phase-in period of [??] years for merchants to replace existing readers and upgrade POS software.
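The design Belegost sketches and the auditor's disk scan JRC-BLD describes are two sides of the same check: search a buffer for track-2 data and see whether anything turns up. The following is an added example written for this page, not code from any POS or reader vendor, and it also illustrates the encryption point made in section V of the article. The memory images, card number and reader key are constructed, and the HMAC-derived keystream that stands in for the reader's hardware encryption is only there to show the data flow; it is not a recommended cipher.

```python
"""Searching a POS memory image for magnetic-stripe track data, and why an
encrypting reader defeats that search.

Added example for this page, not any vendor's code.  Memory images,
card number and key are constructed.  The HMAC-SHA256 keystream XOR that
stands in for the read head's hardware encryption shows the data flow
only; a real design would use an authenticated cipher under per-device
keys managed by the processor.
"""
import hashlib
import hmac
import re

# Track 2 as a conventional reader hands it to software:
#   ;PAN=YYMM service-code discretionary-data?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to separate real account numbers from digit noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_track2(memory: bytes) -> list:
    """What a RAM scraper finds in a buffer; also what an assessor's scan finds on disk."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((pan, m.group(2).decode()))   # (PAN, expiry YYMM)
    return hits


def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypting_reader(track2: bytes, key: bytes) -> bytes:
    """Models a secure read head: encryption happens before any software sees the swipe."""
    return bytes(a ^ b for a, b in zip(track2, _keystream(key, len(track2))))


def processor_decrypt(blob: bytes, key: bytes) -> bytes:
    """The party holding the reader key (the processor, not the merchant) recovers the track."""
    return encrypting_reader(blob, key)          # XOR keystream is its own inverse


TRACK2 = b";4111111111111111=25121011234567890?"     # constructed test card
READER_KEY = hashlib.sha256(b"constructed reader key").digest()


def conventional_pos_memory() -> bytes:
    """Clear track data sits in the POS process while the auth request is built."""
    return b"POS v7.2 heap\x00" + TRACK2 + b"\x00AUTH pending\x00"


def p2pe_pos_memory() -> bytes:
    """Only ciphertext reaches software; the POS forwards it as an opaque blob."""
    return b"POS v7.2 heap\x00" + encrypting_reader(TRACK2, READER_KEY) + b"\x00AUTH pending\x00"


if __name__ == "__main__":
    print("conventional reader:", scrape_track2(conventional_pos_memory()))
    print("encrypting reader:  ", scrape_track2(p2pe_pos_memory()))
```

Run against the conventional image, the scan returns the constructed card's number and expiry; against the encrypting-reader image it returns nothing, because the only thing the POS process ever held was ciphertext it cannot open. That is also why, as JRC-BLD notes, the change has to start with the credit host: the host, not the merchant, must hold the reader key and accept the opaque blob in place of the clear ISO 8583 track field.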


Misunderstanding of two factor authentication, here
By nafhan on 2/6/2014 10:48:29 AM , Rating: 2
How would two factor authentication have helped in this case?

The connection wasn't made to Target using the contractor's credentials. It was made via the contractor's already established and authenticated connection - what sounds like a permanent B2B connection between Target and the HVAC vendor.

The problem (as others have noted) seems to be that Target put a third party and their PoS terminals on the same network. That's BAD. It would still be bad regardless of authentication practices (which again, appear to be irrelevant here).




By NovoRei on 2/6/2014 12:44:37 PM , Rating: 1
The following is my assumption based on experience, may not be true.

The chip in the card encrypts data and also generates temporary partial keys. Then you have the PIN too.

To clone this card you need to clone the chip. You cannot clone it with just the transaction due to the temporary partial key nature. You need to "program" the chip to spit out the necessary information which standard POS should not have this ability.

The other way to clone this card is by online transactions where you put the card information. Example: Ebay/Paypal, through insiders or malware, extracting card data either from database (yes), infected website, etc.

---------------------

I find it crazy that US citizens use debit cards everywhere. There are so many things that can go wrong.

And even more crazy are VISA/Mastercard not being held responsible for the fraudulent charges, along with the POS manufacturer to some extent. They are the ones who validate/accept charges. The banks and Target have nothing to do with it.


By nafhan on 2/6/2014 1:48:21 PM , Rating: 2
Absolutely true. Two factor would have made the data harder to use. I was looking at it more from a systems security standpoint (i.e. it would not have prevented the intrusion). The way I read the article, it seemed to be implying that it would have, somehow.


By Samus on 2/8/2014 12:16:38 AM , Rating: 2
There are three-step authentication systems (not Multifactor which generally implies biometrics) in testing by banks in Japan that use the magstrip, an ASIC, and a tiny bit of flash memory to store a rotating key that changes every time you use the card. The key is refreshed and updated by the bank. It requires two swipes, one to begin the transaction, and one to authorize/finalize the transaction. It would require three swipes in some cases (such as when paying a tip on an open/suspended transaction) so it can be pretty inconvenient, especially for those who don't know how to use it or with incompatible systems that often just decline the card.

But a rotating code is extremely secure. Hackers would have to penetrate the POS system AND the bank.


Two factor authentication!!!
By tayb on 2/6/2014 9:38:23 AM , Rating: 2
I use two factor authentication on any site that offers it and require it on any project I develop that displays PHI.

Why isn't this a requirement or option with credit cards? Stealing the physical card or the number would be worthless without the authentication codes which change every 15-30 seconds. The chip and pin seems like a good idea but a pain in the ass for online purchases.

Another option I think would be good would be the chip and pin for physical purchases and one-time numbers for online purchases. For an online purchase you log into your bank account, select or type in the site, enter the amount, and generate a one time use number. Fraud would be instantly detected and rejected and the one time number would be absolutely meaningless if stolen.

There are lots of options but one way or another we need to move to a 21st century solution. Magnetic cards are comically outdated. Anyone who has been the victim of fraud would not likely oppose a few bucks a year to reduce the risk of fraud. And honestly if we could reduce fraud even 1% annually it would save so much money that the costs would be completely offset.




RE: Two factor authentication!!!
By Murloc on 2/6/2014 10:17:31 AM , Rating: 2
In Europe there are no credit cards without chips. They have had chips for many years. Vendors with old machines who want your signature are almost extinct.

The system you wrote about is widely available.
Shopping online is not a problem at all, I don't know what you're on. You just have to write in some numbers written on the card or use a user name and password to log in.

Liability shift and the upgrade is happening in the US too, it's just 10-20 years late because businesses are cheap.


By wookie1 on 2/6/2014 11:16:50 AM , Rating: 3
Some discount warehouse stores don't accept credit, only debit or cash. Now I have to bring a big wad of cash to buy things there or endure the lesser protections of a debit card?



