Entries Tagged "credit cards"

Page 9 of 9

Wired on Identity Theft

This is a good editorial from Wired on identity theft.

Following are the fixes we think Congress should make:

Require businesses to secure data and levy fines against those who don’t. Congress has mandated tough privacy and security standards for companies that handle health and financial data. But the rules for credit agencies are woefully inadequate. And they don’t cover other businesses and organizations that handle sensitive personal information, such as employers, academic institutions and data brokers. Congress should mandate strict privacy and security standards for anyone who handles sensitive information, and apply tough financial penalties against companies that fail to comply.

Require companies to encrypt all sensitive customer data. Any standard created to protect data should include technical requirements to scramble the data—both in storage and during transit when data is transferred from one place to another. Recent incidents involving unencrypted Bank of America and CitiFinancial data tapes that went missing while being transferred to backup centers make it clear that companies think encryption is necessary only in certain circumstances.

Keep the plan simple and provide authority and funds to the FTC to ensure legislation is enforced. Efforts to secure sensitive data in the health and financial industries led to laws so complicated and confusing that few have been able to follow them faithfully. And efforts to monitor compliance have been inadequate. Congress should develop simpler rules tailored to each specific industry segment, and give the FTC the necessary funding to enforce them.

Keep Social Security numbers for Social Security. Social Security numbers appear on medical and voter-registration forms as well as on public records that are available through a simple internet search. This makes it all too easy for a thief to obtain the single identifying number that can lead to financial ruin for victims. Americans need a different unique identifying number specifically for credit records, with guarantees that it will never be used for authentication purposes.

Force credit agencies to scrutinize credit-card applications and verify the identity of credit-card applicants. Giving Americans easy access to credit has superseded all other considerations in the cutthroat credit-card business, helping thieves open accounts in victims’ names. Congress needs to bring sane safeguards back into the process of approving credit—even if it means adding costs and inconveniencing powerful banking and financial interests.

Extend fraud alerts beyond 90 days. The Fair Credit Reporting Act allows anyone who suspects that their personal information has been stolen to place a fraud alert on their credit record. This currently requires a creditor to take “reasonable” steps to verify the identity of anyone who applies for credit in the individual’s name. It also requires the creditor to contact the individual who placed the fraud alert on the account if they’ve provided their phone number. Both conditions apply for 90 days. Of course, nothing prevents identity thieves from waiting until the short-lived alert period expires before taking advantage of stolen information. Congress should extend the default window for credit alerts to a minimum of one year.

Allow individuals to freeze their credit records so that no one can access the records without the individuals’ approval. The current credit system opens credit reports to almost anyone who requests them. Individuals should be able to “freeze” their records and have them opened to others only when the individual contacts a credit agency and requests that it release a report to a specific entity.

Require opt-in rather than opt-out permission before companies can share or sell data. Many businesses currently allow people to decline inclusion in marketing lists, but only if customers actively request it. This system, known as opt-out, inherently favors companies by making it more difficult for consumers to escape abusive data-sharing practices. In many cases, consumers need to wade through confusing instructions, and send a mail-in form in order to be removed from pre-established marketing lists. The United States should follow an opt-in model, where companies would be forced to collect permission from individuals before they can traffic in personal data.

Require companies to notify consumers of any privacy breaches, without preventing states from enacting even tougher local laws. Some 37 states have enacted or are considering legislation requiring businesses to notify consumers of data breaches that affect them. A similar federal measure has also been introduced in the Senate. These are steps in the right direction. But the federal bill has a major flaw: It gives companies an easy out in the case of massive data breaches, where the number of people affected exceeds 500,000, or the cost of notification would exceeds $250,000. In those cases, companies would not be required to notify individuals, but could comply simply by posting a notice on their websites. Congress should close these loopholes. In addition, any federal law should be written to ensure that it does not pre-empt state notification laws that take a tougher stance.

As I’ve written previously, this won’t solve identity theft. But it will make it harder and protect the privacy of everyone. These are good recommendations.

Posted on June 29, 2005 at 7:18 AMView Comments

Indian Call Center Sells Personal Information

There was yet another incident where call center staffer was selling personal data. The data consisted of banking details of British customers, and was sold by people at an outsourced call center in India.

I predict a spate of essays warning us of the security risks of offshore outsourcing. That’s stupid; this has almost nothing to do with offshoring. It’s no different than the Lembo case, and that happened in the safe and secure United States.

There are security risks to outsourcing, and there are security risks to offshore outsourcing. But the risk illustrated in this story is the risk of malicious insiders, and that is mostly independent of outsourcing. Lousy wages, lack of ownership, a poor work environment, and so on can all increase the risk of malicious insiders, but that’s true regardless of who owns the call center or in what currency the salary is paid in. Yes, it’s harder to prosecute across national boundaries, but the deterrence here is more contractual than criminal.

The problem here is people, not corporate or national boundaries.

Posted on June 24, 2005 at 9:35 AMView Comments

CardSystems Exposes 40 Million Identities

The personal information of over 40 million people has been hacked. The hack occurred at CardSystems Solutions, a company that processes credit card transactions. The details are still unclear. The New York Times reports that “data from roughly 200,000 accounts from MasterCard, Visa and other card issuers are known to have been stolen in the breach,” although 40 million were vulnerable. The theft was an intentional malicious computer hacking activity: the first in all these recent personal-information breaches, I think. The rest were accidental—backup tapes gone walkabout, for example—or social engineering hacks. Someone was after this data, which implies that’s more likely to result in fraud than those peripatetic backup tapes.

CardSystems says that they found the problem, while MasterCard maintains that they did; the New York Times agrees with MasterCard. Microsoft software may be to blame. And in a weird twist, CardSystems admitted they weren’t supposed to keep the data in the first place.

The official, John M. Perry, chief executive of CardSystems Solutions…said the data was in a file being stored for “research purposes” to determine why certain transactions had registered as unauthorized or uncompleted.

Yeah, right. Research = marketing, I’ll bet.

This is exactly the sort of thing that Visa and MasterCard are trying very hard to prevent. They have imposed their own security requirements on companies—merchants, processors, whoever—that deal with credit card data. Visa has instituted a Cardholder Information Security Program (CISP). MasterCard calls its program Site Data Protection (SDP). These have been combined into a single joint security standard, PCI, which also includes Discover, American Express, JCB, and Diners Club. (More on Visa’s PCI program.)

PCI requirements encompass network security, password management, stored-data encryption, access control, monitoring, testing, policies, etc. And the credit-card companies are backing these requirements up with stiff penalties: cash fines of up to $100,000, increased transaction fees, orand termination of the account. For a retailer that does most of its business via credit cards, this is an enormous incentive to comply.

These aren’t laws, they’re contractual business requirements. They’re not imposed by government; the credit card companies are mandating them to protect their brand.

Every credit card company is terrified that people will reduce their credit card usage. They’re worried that all of this press about stolen personal data, as well as actual identity theft and other types of credit card fraud, will scare shoppers off the Internet. They’re worried about how their brands are perceived by the public. And they don’t want some idiot company ruining their reputations by exposing 40 million cardholders to the risk of fraud. (Or, at least, by giving reporters the opportunity to write headlines like “CardSystems Solutions hands over 40M credit cards to hackers.”)

So independent of any laws or government regulations, the credit card companies are forcing companies that process credit card data to increase their security. Companies have to comply with PCI or face serious consequences.

Was CardSystems in compliance? They should have been in compliance with Visa’s CISP by 30 September 2004, and certainly they were in the highest service level. (PCI compliance isn’t required until 30 June 2005—about a week from now.) The reality is more murky.

After the disclosure of the security breach at CardSystems, varying accounts were offered about the company’s compliance with card association standards.

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard’s standards. “They were in violation of our rules,” she said.

It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems “a limited amount of time” to do so.

Asked about compliance with Visa’s standards, a Visa spokeswoman, Rosetta Jones, said, “This particular processor was not following Visa’s security requirements when we found out there was a potential data compromise.”

Earlier, Mr. Perry of CardSystems said his company had been audited in December 2003 by an unspecified independent assessor and had received a seal of approval from the Visa payment associations in June 2004.

All of this demonstrates some limitations of any certification system. One, companies can take advantage of interpersonal and intercompany politics to get themselves special treatment with respect to the policies. And two, all audits rely to a great extent on self-assessment and self-disclosure. If a company is willing to lie to an auditor, it’s unlikely that it will get caught.

Unless they get really caught, like this incident.

Self-reporting only works if the punishment exceeds the crime. The reason people accurately declare what they bring into the country on their customs forms, for example, is because the penalties for lying are far more expensive than paying any duty owed.

If the credit card industry wants their PCI requirements taken seriously, they need to make an example out of CardSystems. They need to revoke whatever credit card processing license CardSystems has, to the maximum extent possible by whatever contracts they have in place. Only by making CardSystems a demonstration of what happens to someone who doesn’t comply will everyone else realize that they had better comply.

(CardSystems should also face criminal prosecution, but that’s unlikely in today’s business-friendly political environment.)

I have great hopes for PCI. I like security solutions that involve contracts between companies more than I like government intervention. Often the latter is required, but the former is more effective. Here’s PCI’s chance to demonstrate their effectiveness.

Posted on June 23, 2005 at 8:55 AMView Comments

Mitigating Identity Theft

Identity theft is the new crime of the information age. A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies, and other financial institutions. Then he racks up debt in the person’s name, collects the cash, and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions—credit card companies in particular—the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.

Unfortunately, the solutions being proposed in Congress won’t help. To see why, we need to start with the basics. The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. Someone’s identity is the one thing about a person that cannot be stolen.

The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. He impersonates a victim to the Post Office and gets the victim’s address changed. He impersonates a victim in order to fool the police into arresting the wrong man. No one’s identity is stolen; identity information is being misused to commit fraud.

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what’s been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don’t want made public. The posting of Paris Hilton’s phone book on the Internet is a celebrity example of this.

The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn’t take much personal information to apply for a credit card in someone else’s name. It doesn’t take much to submit fraudulent bank transactions in someone else’s name. It’s surprisingly easy to get an identification card in someone else’s name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.

Proposed fixes tend to concentrate on the first issue—making personal data harder to steal—whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial intuitions. That means that any solution can’t involve the account holders. That leaves only one reasonable answer: financial intuitions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.

They can’t claim that the user must keep his password secure or his machine virus free. They can’t require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren’t reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.

If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They’ve pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.

That’s an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it’s two-factor authentication, ID cards, biometrics, or whatever, there’s a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn’t the way to proceed.

Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone, or Internet, where no one verifies the signature or even that you have possession of the card. Even worse, no credit card company mandates secure storage requirements for credit cards. They don’t demand that cardholders secure their wallets in any particular way. Credit card companies simply don’t worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction.

This same sort of thinking needs to be applied to other areas where criminals use impersonation to commit fraud. I don’t know what the final solutions will look like, but I do know that once financial institutions are liable for losses due to these types of fraud, they will find solutions. Maybe there’ll be a daily withdrawal limit, like there is on ATMs. Maybe large transactions will be delayed for a period of time, or will require a call-back from the bank or brokerage company. Maybe people will no longer be able to open a credit card account by simply filling out a bunch of information on a form. Likely the solution will be a combination of solutions that reduces fraudulent transactions to a manageable level, but we’ll never know until the financial institutions have the financial incentive to put them in place.

Right now, the economic incentives result in financial institutions that are so eager to allow transactions—new credit cards, cash transfers, whatever—that they’re not paying enough attention to fraudulent transactions. They’ve pushed the costs for fraud onto the merchants. But if they’re liable for losses and damages to legitimate users, they’ll pay more attention. And they’ll mitigate the risks. Security can do all sorts of things, once the economic incentives to apply them are there.

By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by third-party data and violations of privacy. I believe that the U.S. would be well-served by a comprehensive Data Protection Act like the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions liable for fraudulent transactions.

Doing anything less simply won’t work.

Posted on April 15, 2005 at 9:17 AMView Comments

More on Two-Factor Authentication

Recently I published an essay arguing that two-factor authentication is an ineffective defense against identity theft. For example, issuing tokens to online banking customers won’t reduce fraud, because new attack techniques simply ignore the countermeasure. Unfortunately, some took my essay as a condemnation of two-factor authentication in general. This is not true. It’s simply a matter of understanding the threats and the attacks.

Passwords just don’t work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there’s an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can’t be guessed. For anything that requires reasonable security, the era of passwords is over.

Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea.

What two-factor authentication won’t do is prevent identity theft and fraud. It’ll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We’re already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.

Security is always an arms race, and you could argue that this situation is simply the cost of treading water. The problem with this reasoning is it ignores countermeasures that permanently reduce fraud. By concentrating on authenticating the individual rather than authenticating the transaction, banks are forced to defend against criminal tactics rather than the crime itself.

Credit cards are a perfect example. Notice how little attention is paid to cardholder authentication. Clerks barely check signatures. People use their cards over the phone and on the Internet, where the card’s existence isn’t even verified. The credit card companies spend their security dollar authenticating the transaction, not the cardholder.

Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they’ll stop advocating stronger authentication measures and the sooner security will actually improve.

This essay previously appeared in Network World as a “Face Off.” Joe Uniejewski of RSA Security wrote an opposing position. Another article on the subject was published at SearchSecurity.com.

One way to think about this—a phrasing I didn’t think about until after writing the above essay—is that two-factor authentication solves security problems involving authentication. The current wave of attacks against financial systems are not exploiting vulnerabilities in the authentication system, so two-factor authentication doesn’t help.

Posted on April 12, 2005 at 11:02 AMView Comments

Easy-to-Remember PINs

The UK is switching to a “chip and pin” system for credit card transactions. It’s been happening slowly, but by January (I’m not sure if it is the beginning of January or the end), every UK credit card will be a smart card.

This kind of system already exists in France and elsewhere. The cards have embedded chips. When you want to make a purchase, you stick your card in a slot and type your four-digit PIN on a keypad. (Presumably they will never turn off the magnetic stripe and signature system required for U.S. cards.)

One consumer fear over this process is about what happens if you forget your PIN. To allay fears, credit card companies have been placing newspaper advertisements suggesting that people change their PINs to an easy-to-remember number:

Keep forgetting your PIN?
It’s easy to change with chip and PIN.
To something more memorable like a birthday or your lucky numbers.

Don’t the credit card companies have anyone working on security?

The ad also goes on to say that you can change your PIN by phone, which has its own set of problems.

(I know that the cite I give doesn’t quote a primary source, but I also received the information from at least two readers, and one of them said that the advertisement was printed in the London Times.)

Posted on January 3, 2005 at 10:36 AMView Comments

Phishing by Cell Phone

From an alert reader:

I don’t know whether to tell you, or RISKS, or the cops, but I just received an automated call on my cellphone that asked for the last four digits of my Social Security number. The script went:

Hello! This is not a solicitation! We have an important message for J-O-H-N DOE (my first name was spelled out, but the last name was pronounced). If this is J-O-H-N Doe, Press 1 now!

(after pressing 1:)

For your security, please enter the last four digits of your Social Security Number!

I have no idea who it was, because I’ll be—damned—if I’d give out ANY digits of my SSN to an unidentified party. My cell’s display is broken so I’m not sure whether there was any caller ID information on it, but I also know that can be forged. What company expects its customers to give up critical data like that during an unidentified, unsolicited call?

Sadly, there probably are well-meaning people writing automatic telephone scripts that ask this sort of question. But this could very well be a phishing scheme: someone trying to trick the listener into divulging personal information.

In general, my advice is to not divulge this sort of information when you are called. There’s simply no way to verify who the caller is. Far safer is for you to make the call.

For example, I regularly receive calls from the anti-fraud division of my credit card company checking up on particular charges. I always hang up on them and call them back, using the phone number on the back of my card. That gives me more confidence that I’m speaking to a legitimate representative of my credit card company.

Posted on December 7, 2004 at 1:58 PMView Comments

New Security Vulnerability: Clueless Users

I can’t make heads or tails of this story:

A security loophole at a bank allowed easy access to sensitive credit card information, the BBC has found.

The Morgan Stanley website allowed users to access account details after entering just the first digit of a credit card number.

The shortcut would only work if the account holder had set up the computer to automatically save passwords.

It seems to me that if you set up your computer to automatically save passwords and autofill them onto webpages, you shouldn’t be surprised when your computer does exactly that.

Posted on November 22, 2004 at 10:24 AMView Comments

1 7 8 9

Sidebar photo of Bruce Schneier by Joe MacInnis.