Coffeehouse Thread

19 posts

Target Data Breach

Back to Forum: Coffeehouse
  • User profile image
    svelasquez1​23

    I was reading about the possible methods used in the Target data breach on arstechnica.com:

    http://arstechnica.com/security/2014/01/point-of-sale-malware-infecting-target-found-hiding-in-plain-sight/

    and was wondering why stores should even be recording credit/debit card numbers.  How is that different really to storing passwords in a database as plain text which we have all been told is just crazy?  Can we apply the methods for secure password storage to credit card storage. 

    1.  Credit Card is authorized by vendor with CC processor once which returns a vendor specific key for future purchases. 

    2.  The credit card number is never stored in the database but instead the key is used for future purchases.  Any time the key is used, because it is vendor specific, it will only allow payment to that specific vendor.

    My wife has had the bank shut down her card twice in the last month as a result of the Target fiasco.  As a developer constantly worrying about threats to the security of my own work I think that storing credit card info at the vendor level is just ridiculous and unnecessary.

  • User profile image
    bondsbw

    Not bad but I say we go further.  The "card" becomes a device that generates one-time codes similar to Google Authenticator (but much longer, since it doesn't need to be read directly by humans).  It generates a completely new code every 30 seconds and this generation is synchronized with the card company.

    That code is used like a credit card number is today.  The seller connects to the card company to verify the transaction, and it's done (assuming it is approved)... much more securely.

    Further, being a smart device, this new card could do much more.  It could store digitally-signed receipts.  If connected to the internet, it could communicate with the card vendor to provide a more firm authorization by requesting a password from the user.  That mechanism could be required for large purchases or purchases with a card that is used out-of-area or is otherwise used suspiciously.

  • User profile image
    dahat

    While I do not disagree with what either of you are saying... take a step back and consider what exists in between the current magnetic card reader tech we see in the US today and what you are proposing (all of which already exist in some limited forms from different vendors)... what is needed is a more secure standard that is widely adopted.. something like EVM... something that remains slow to come to the US, and while not perfect, would help mitigate a lot of the issues we saw from the Target breach.

  • User profile image
    TexasToast

    I have had my CC stolen before and even put 1 of the offenders who was caught into prison for 2-5 years (he would not give up names for the gang stealing numbers and making phoney cards).   I found out that the Banks and Credit card companies have many ways at their disposal to make this more secure with smart cards etc.   The choose NOT to in the USA.   They are afraid of making it too difficult to use.   Sounds dumb but they have no problem with dealing with fraud as it comes.   All you can do as a user is not to worry about it.   When it is stolen, point out the fraudulent charges, get a new card.  You are not liable.   Also, never use a debit card.   It would be nice for some other smarter card company to exist in this country where more secure measures are taken.   I know Europe is better in this regard.

  • User profile image
    DeathBy​VisualStudio

    Many years ago I worked on a credit card system for taking payments. In order to be certified by the payment processor you had to prove you were not storing the actual credit card number. The client app had to make a call to a web service exposed by the payment processor with the credit card and it would return a token that the app would use from that point forward for all holds, charges, refunds, etc. I thought the requirements of not storing the credit card number was industry standard but apparently not. Sounds like an opportunity for some government regulation...

    If we all believed in unicorns and fairies the world would be a better place.
    Last modified
  • User profile image
    TexasToast

    , DeathBy​VisualStudio wrote

     I thought the requirements of not storing the credit card number was industry standard but apparently not. Sounds like an opportunity for some government regulation...

    Are you kidding me?   Have you ever shopped at Amazon or used Paypal?    This has been always allowed but you had to meet certain standards that MC or Visa etc required.   We don't need any more govt regulations.   Never helps and never works.

  • User profile image
    ScanIAm

    My fully cooked and rat-meat-free hotdog disagrees.

  • User profile image
    davewill

    I've often wondered if the storing of the credit card information was a result of having to tamp down on the product returns to the merchant (i.e. Target).  When you return something to Target they require that the refund be applied to the same credit card that was used to purchase the product.  How do they match purchasing credit card to returning credit card?

  • User profile image
    TheJoe

    Did an intergration with a CC processor once.  We would send CC info to them via webservice and they would give us a token.  That when the CC number would never be in our db and we would have less liablity.

  • User profile image
    dahat

    , ScanIAm wrote

    My fully cooked and rat-meat-free hotdog disagrees.

    And thanks to those very same regulations, not a single instance of undercooked or contaminated food has ever reached the public... because those evil companies are too stupid & greedy to know that selling their customers rat meat will be A-OK if they ever find out.

    , davewill wrote

    How do they match purchasing credit card to returning credit card?

    You assume they ask to see your credit card for the return... last few I did (both at Target & Cabela's) they simply inform me that $X.YY has been credited back to my card after scanning my receipt... granted these are bigger retailers with more IT behind them to store that info... but then is that much different than an online retailer that stores CC info for future purchases?

    , TheJoe wrote

    Did an intergration with a CC processor once.  We would send CC info to them via webservice and they would give us a token.  That when the CC number would never be in our db and we would have less liablity.

    That comes back to a question that all takers of credit cards must ask themselves... how much liability are they willing to accept... and based on that answer it will determine which degree of industry compliance they will adhere to.

  • User profile image
    svelasquez1​23

    Not all government regulation is bad.  In this case though, I think V/MC/Amex should consider a new/updated standard for the groups using their cards beyond what is currently enforced.  They are picking up a huge chuck of the tab when unauthorized purchases are made on stolen info.

    I know it's easier said than done with large systems so dependent on legacy code, but you'd think that fractions of what are lost every year would be enough to fund some change.

  • User profile image
    dahat

    , svelasquez1​23 wrote

    Not all government regulation is bad.

    I don't think anyone here said that.

    In this case though, I think V/MC/Amex should consider a new/updated standard for the groups using their cards beyond what is currently enforced.  They are picking up a huge chuck of the tab when unauthorized purchases are made on stolen info.

    I know it's easier said than done with large systems so dependent on legacy code, but you'd think that fractions of what are lost every year would be enough to fund some change.

    That is already in the works... see my link above to EVM... the big three have already laid out plans for the rollout of it in the US... including a future liability shift where they push the liability for fraud onto retailers who do not support the new scheme.

    Of course, that's just on the payment & processing side, when the banks who actually send out your credit card adds the smartcard contacts is anyone's guess though... and I was kind of surprised when I had a couple of cards re-issued late last year that they were still of the 'old' style.

  • User profile image
    TheJoe

    That comes back to a question that all takers of credit cards must ask themselves... how much liability are they willing to accept... and based on that answer it will determine which degree of industry compliance they will adhere to.

    My understanding is that this is already regulated by the FDIC and they license the processors.  I not sure what legal hoops are in place for this though.

  • User profile image
    figuerres

    what I do not get is that the cc processing guidelines and rules are that the merchant *should not store* card holder data in the first place.  so why are large companies storing the data at all?

    http://www.pcicomplianceguide.org/pcifaqs.php

    http://www.pcicomplianceguide.org/pcifaqs.php#myth16

    Myth: PCI makes us store cardholder data.
    Fact: Both PCI DSS and the payment card brands strongly discourage storage of cardholder data by merchants and processors. There is no need, nor is it allowed, to store data from the magnetic stripe on the back of a payment card. If merchants or processors have a business reason to store front-card information, such as name and account number, PCI DSS requires this data to be encrypted or made otherwise unreadable.

    so two problems: one what part of the data are they holding, two why are they not properly securing what they have ?

    and the account number should only be holding part of the number so that you can back track for one customer - example first 4 or 6 digits plus the last 4.

    and then only for a case where one sale needs to be checked for one customer.

     

  • User profile image
    dahat

    , TheJoe wrote

    *snip*

    My understanding is that this is already regulated by the FDIC and they license the processors.  I not sure what legal hoops are in place for this though.

    I cannot speak to the FDIC regulation side of things, but the CC industry (via processors) generally have tiers that a merchant can choose, each with it's own degree of required validation at transaction time & associated liability.

    Don't mind an increased level of fraud and a higher liability? Choose the 'don't bother checking the CCV value or address, all you need is a CC # and a date well into the future' tier (see Obama campaign in 2008 & 2012).

    Don't mind verifying the CCV, billing address & IP address of submitter? A lower liability risk for you!

    , figuerres wrote

    what I do not get is that the cc processing guidelines and rules are that the merchant *should not store* card holder data in the first place.  so why are large companies storing the data at all?

    Do you like pulling out your wallet & typing in a credit card number every time you purchase a book from Amazon or a song off of iTunes?

    No? There's your answer.

    Especially in the e-retailer arena, I assume the retailers have found that those who already have a credit card on file are more likely to complete a purchase than those who do not.

    For brick & mortar retailers, aside from making returns easy (ie you don't need your wife's credit card to return something on her behalf), after putting the CC# into a more secure DB, a hash of that # or other associated value can quickly become a foreign key for your purchase table, allowing you to data-mine... the value of which I'm sure makes up for the costs in securing the data.

    so two problems: one what part of the data are they holding, two why are they not properly securing what they have ?

    I'm still waiting to hear not just how they secured it, but the details of the attack. For all we know they did secure what they had... however were faced with a bad guy who was better.

    As the Snowden espionage & the Manning leaks demonstrated... even secured information can be compromised.

    Granted... I'd wager your average big bank is even more diligent about network & systems security than your average governmental agency... which would reduce the likelihood of a rouge employee disclosing this level of information.

  • User profile image
    figuerres

    , dahat wrote

    *snip*

    I'm still waiting to hear not just how they secured it, but the details of the attack. For all we know they did secure what they had... however were faced with a bad guy who was better.

    As the Snowden espionage & the Manning leaks demonstrated... even secured information can be compromised.

    Granted... I'd wager your average big bank is even more diligent about network & systems security than your average governmental agency... which would reduce the likelihood of a rouge employee disclosing this level of information.

    I just know that it's way to common to find systems that store a password as plain text or secure access to a database but not use crypto on the actual data ... and a dozen other simple dumb things....

    as for what happened here I would not expect to hear much detail; mostly just that they plugged a hole in the system.

     

  • User profile image
    DeathBy​VisualStudio

    , TexasToast wrote

    *snip*

    We don't need any more govt regulations.   Never helps and never works.

    Well business self-regulation has proven time and time again to fail as in this case. I don't know about you but I'm glad there is at least some safety nets in our system. I can't imagine what the food we eat, the homes we live in, and the working conditions we have would be like if we didn't have government regulations. "Never" is a pretty strong word...

    If we all believed in unicorns and fairies the world would be a better place.
    Last modified
  • User profile image
    ScanIAm

    , dahat wrote

    *snip*

    And thanks to those very same regulations, not a single instance of undercooked or contaminated food has ever reached the public... because those evil companies are too stupid & greedy to know that selling their customers rat meat will be A-OK if they ever find out.

    If you choose to live in a world where you find out about tainted food products during the autopsy, that's your prerogative.  The rest of us choose otherwise. 

    Further, without laws and regulation, the bad actors simply move on to another company and repeat the process...they weren't doing anything illegal, right?

     

Comments closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.