Schneier on Security

March 21, 2008

Fraud Due to a Credit Card Breach

This sort of story is nothing new:

"Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed."

But it's rare that we see statistics about the actual risk of fraud:

"The company is aware of about 1,800 cases of fraud reported so far relating to the breach."

And this is interesting:

"'Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs,' Spitzer said. 'We've been engaged in a dialogue for a couple years now about changing this rule.... Without knowing who the retailer is that caused the breach, it's hard for banks to conduct a good investigation on behalf of their consumers. And it's a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don't shop at that retailer.'"

Posted on March 21, 2008 at 06:39 AM

Comments

I just went through the same hassle with my bank. They won't tell me (can't tell me) who authorized a transaction for $0.00.

Posted by: Jd Bertron at March 21, 2008 07:32 AM

What's really interesting in this case is that Visa and Mastercard have been imposing some quite intense security measures on retailers ( http://en.wikipedia.org/wiki/PCI_DSS ), which Hannaford claim to comply with ( http://www.hannaford.com/Contents/Common/PrivacyStatement.shtml ), but they still got hit. Which means PCI either needs to get even tighter, or else ditched entirely.

Posted by: Jonno Downes at March 21, 2008 08:20 AM

Could this breach affect credit cards outside the US?
Yesterday, I've been a victim of credit card fraud after years of careful behavior, and there was no change in my habits in the last weeks.

Posted by: hito at March 21, 2008 08:23 AM

We're a major retailer. I'm in I/T. We commonly refer to PCI as "pay cash instead".

Posted by: the other Alan at March 21, 2008 08:46 AM

PCI-DSS is actually one of the only sane security standards out there: 12 easy rules explained in 16 pages, all of them commonsense for anyone with a basic notion of computer security.

Posted by: Les at March 21, 2008 09:39 AM

This makes perfect sense. After all, who could be more thoroughly trusted to notify their customers of a security breach than the people who a) will suffer the most penalty in the form of lost sales from it, and who are also b) the organization whose lax procedures caused the event in the first place. I mean, other than the government of course.

Posted by: bob at March 21, 2008 10:07 AM

Bruce: The PCI was tacked onto the credit card system after the system was designed and widely implemented. The spirit behind PCI is that the system will work if only those lazy merchants will finally get around to expending great efforts to protect little secrets (i.e., names, numbers and addresses) that everyone uses over and over again. Further, the spirit of PCI says merchants are bad guys and privacy infringers if they fail to protect those secrets. In reality, it is maddeningly difficult (maybe utterly impractical) for real-world merchants (having in the aggregate millions of retail points of sale) to protect those little secrets, PCI or no PCI. Too much emphasis is placed on merchants protecting data. Loss of that data is not as important as spectacular announcements like Hannaford and TJX suggest. The discussion about credit card security -- and what does and does not constitute a "breach of security" -- needs to shift.
http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html

--Ben

Posted by: Benjamin Wright at March 21, 2008 10:37 AM

Me, I'm not worried about credit card. My card is likely in the list of exposed card numbers. But, thankfully, the cost of a breach is an externality to me, so I don't care. If something bad happens to my credit, I'll just sue the credit reporting agencies to fix it and Hannaford's and my credit card company for my lost time; after all, they told me I was safe, right?

Technology already exists for customers to authenticate electronic transactions without divulging personal information to the merchant. It's the cost of updating those millions of point-of-sale devices, and the additional problem that the retailers WANT to know who you are (your name is on the credit card stripe, you know) so they can do their correlation, that prevent new card technologies from being issued.

I imagine a world where I have a single small PIN-protected credit card with an LCD screen. I swipe my card through once, the amount appears on the LCD screen, I swipe it through again and that transaction gets authorized by the bank without the merchant ever having my personal information in their hands other than in encrypted form (to which only the bank has the key). Blammo, now the encryption problem falls squarely on the shoulders of the bank and the merchants are free to be as insecure as they'd like to be.
Posted by: jmr at March 21, 2008 12:11 PM

I've always wanted to know what fraction of stolen card numbers actually get used illegally. They've reported about 2000 cases of fraud out of about 4 million stolen numbers. I'd assume that they have not discovered (yet) all cases of fraud, perhaps only half of them or less. In this hypothetical case, using really rough numbers, 4000 fraud incidents on 4 million cards is a ratio of about one in a thousand. Interesting.

Posted by: Michael Janke at March 21, 2008 02:20 PM

A bank once contacted me saying my VISA card wasn't good any longer because of such a security breach. They refused to identify the merchant that was responsible. This happened at a very awkward time, as I was about to leave on holiday. With some fuss on my part, the bank did quickly roll over the card to a new one.

Posted by: ekzept at March 21, 2008 06:08 PM

@Michael Janke: I don't think that's the right statistic. It would be more accurate to say that whoever stole this data has been using card numbers at the rate of about 17 per day, and has enough to last a long time. That suggests a relatively small group is currently using the numbers and they have not been widely distributed. Now that they know the breach has been detected, they are more likely to do mass sales of blocks of numbers to carders.

Posted by: Anonymous at March 21, 2008 06:16 PM

While I'm no contracts expert, it would seem that any contractual condition imposed about the identity of the source of a breach is not enforceable on the grounds of violation of public policy/public order, etc. Surely the banks are the victims of a crime as well as the individual cardholders and the retailers where the breach occurred. They should have a right to that information, should they not? I would hazard a guess that if a lawsuit was filed to recover damages as a result of the crime, Visa and Mastercard would be compelled to release this information.
Posted by: Terry at March 22, 2008 06:55 AM

Terry, in effect the card issuer is insuring the merchant against loss from bad press.

Posted by: Dom De Vitto at March 22, 2008 10:10 AM

A week ago today, I did my usual grocery shopping at the local Hannaford, using my usual Discover card, and the card was refused. I went home, called Discover, and was told they had cancelled my card since there had been some suspicious activity on it. Had I done some recent purchases at a Walmart store? My answer was no, since I never use that card at Walmart. My aha moment came when the security breach at Hannaford was reported in the press several days later. In any event, I was pretty impressed by how the credit card company had handled the incident.

Posted by: COS at March 22, 2008 12:10 PM

The problem with PCI (and what got Hannaford into trouble) was the vagueness of PCI as it relates to where the data must be encrypted. Hannaford does not employ terminal-to-processor encryption - some of it travels in plain text through their networks. I work in IT Security for a national quick service restaurant concept, and we made sure that all credit information was encrypted when it was swiped, stays encrypted its entire life to the processor, and we remove any copies of the card information when we receive authorization.
(Depending on your processor, you may not be able to remove the information from the systems until you send the daily batch.)

I can't believe in this day and age that anyone who accepts credit information doesn't ask themselves if they are doing everything they can to protect the data. I hope many people are terminated at Hannaford's. Especially since I -was- a customer...

Posted by: C The Soup at March 23, 2008 11:22 AM

@C Why should a retailer be required to protect a bank's secrets?

Jmr

Posted by: jmr at March 23, 2008 03:38 PM

@ Jmr Because the card holder doesn't see it as the "bank's secrets", they see it as their own secret. If I don't do what I can to safeguard it, I'll lose their confidence (whether I should or not) and their business.

And for those of you who think it's the issuer, the bank, or the processor that takes the financial hit, you're wrong. The consumers pay for it indirectly through interest rates and fees. In addition, the merchant is charged fees as well, that are passed on to the consumer. From a PR standpoint, the merchant takes the heat... that's why I make sure the data is safe, even if it's the "bank's secret".

Posted by: C The Soup at March 23, 2008 10:53 PM

I'm surprised they haven't offered Fraud Alerts or Monitoring to their customers yet. That's rule #2 of data breaches after all: Make it appear that we're taking the initiative and hopefully prevent lawsuits by giving them something that doesn't help them at all, but appears to, and that we probably get so cheap from the credit reporting companies that it's as if it cost us nothing... Yeah, long rule I know. Rule #1 is shorter: Hide the breach if we can...

Posted by: Jeremy Duffy at March 24, 2008 06:17 AM

PCI like other regulations sets the minimum standard that should be met, but that is still far from being enough.

Posted by: Weblover1 at March 24, 2008 04:57 PM

PCI compliancy standard is made to prevent against getting hacked.
At this it is at best a best practices guideline about how to deal with sensitive cardholder data. It is however never intended to prevent fraud. Fraud is something that in the end cannot truly be prevented. You can only be prepared for it and deal with it appropriately. This latter part IS part of PCI compliancy.

I think the guidelines in PCI could be a lot more precise though. Many guidelines state things like:

Niels

Posted by: Niels at March 25, 2008 04:01 AM

I just received a new credit card and account number from Discover in the mail. The letter that was sent with the 'new' card indicated that they were upgrading to a 'new' system and that my existing account would be closed and that my activity was transferred to the new account. I was very suspicious, because changing my account number is a pretty big deal. So I called Discover to find out that there was some security breach by 'some' merchants -- but that is all they would tell me. The letter did not mention any security breach at all. My husband and I have other 'Discover' cards and none of them were impacted. I'd like to know why Discover lied about the reason that they closed my account.

Sue

Posted by: Sue at April 10, 2008 08:10 PM

I travel around the world and am working on making my company's systems PCI compliant. It is maddening to use your CC in another country and see your number in plain text on the receipt. This is not isolated. It is the norm in Russia, Malaysia, and other countries. I wonder when processors will require merchants in other countries to at least mask the CC number?

Posted by: JL at April 22, 2008 12:20 PM

Just received a "your account may have been compromised" letter from my credit card issuer. They will be issuing a new card and number. Fine. HOWEVER, I still wanted to know where the breach occurred so that I don't use my new card and number at the same place that caused the problem. Called my card issuer and was transferred around several times. No dice.
This needs to be fixed, otherwise this problem could occur again. Why are they protecting the guilty party?

Posted by: Frustrated in PA at May 8, 2008 10:28 AM
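Two of the comments above (C The Soup on card data travelling in plain text through a retailer's network, and JL on full card numbers printed on receipts abroad) describe the same defender's problem: finding out where a full PAN is still written out in the clear. The following is an added example, not code from the post or from any commenter, showing a small audit that scans receipt or POS log lines for unmasked card numbers. It uses the Luhn checksum to reject digit runs that merely look like card numbers (order numbers, timestamps), and reports each hit in the truncated last-four form PCI expects on a receipt. The sample lines and card numbers are constructed for the example; they are the standard test numbers, not real accounts.

```python
import re

# Constructed sample receipt/log lines (not real card data): line 1 leaks a
# full PAN, line 2 is properly masked, line 3 holds a 16-digit order number
# that is not a card number and must not be reported.
SAMPLE_LINES = [
    "2008-03-14 10:02:11 POS-07 SALE 42.17 CARD 4111 1111 1111 1111 APPROVED",
    "2008-03-14 10:05:40 POS-07 SALE 18.99 CARD ************4444 APPROVED",
    "2008-03-14 10:07:02 POS-07 ORDER 1234567890123456 SHIPPED",
]

# 13 to 19 digits, optionally separated by spaces or dashes, not adjacent to
# other digits.  Deliberately loose; luhn_valid() does the real filtering.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Replace all but the last four digits, the usual receipt truncation."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number that appears in clear text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_lines(lines) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for each line that leaks a full PAN.

    The PAN is masked before it is returned so the audit report itself does
    not become another copy of the cleartext number.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_unmasked_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LINES):
        print(f"line {n}: unmasked PAN ending {masked[-4:]}")
```

Run against a directory of exported receipts or POS logs, the same two functions locate the spots where cleartext card data is being written; the Luhn filter keeps timestamps and order numbers out of the report, and masking the hit before printing it keeps the audit output itself out of PCI scope.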