Data security breach
March 17, 2008 10:16 PM   Subscribe

Nothing so far, but that'll teach me for going home for the holidays.
posted by jeblis at 11:40 PM on March 17, 2008

There are five key players in most fraudulent credit card transactions. They are the cardholder, the credit card company, two merchants, and a thief. Here's what happens:

The cardholder uses their credit card at an incompetent merchant. A transaction fee of 1-2% is collected by the credit card company. However, the incompetent merchant allows the credit card data to fall into the hands of a thief. The thief uses the card to make a purchase at a second merchant. The credit card company gets a percentage of that transaction too.

If the cardholder doesn't notice the fraudulent charge from the second merchant, then no one's in a position to complain. The merchants and the credit card company certainly have no problem with this arrangement—they're all got paid.

But if the cardholder does notice the fraud, the credit card company will simply reverse the charges and give them their money back. The second merchant is left holding the bag, but what are they going to do, stop taking Visa? Oh, and the credit card company also hits the losing merchant with a chargeback fee of about $20.

The only entity in a position to improve credit card security is the credit card company. But they make their money either way, so why should they care? In fact, the chargeback fee is almost certainly higher than their usual 1% transaction fee. For the credit card company, fraudulent transactions are even more lucrative than honest ones. And that's why your credit card has zero security.
posted by ryanrs at 1:18 AM on March 18, 2008 [15 favorites]

ATM cards on the other hand, are very different. When a thief pulls money out of a cash machine, there's no merchant around to eat the losses. The bank has to reach into its own pocket to reimburse the cardholder. That's why ATM cards have passwords and $300 daily limits.
posted by ryanrs at 1:26 AM on March 18, 2008 [1 favorite]

That's why ATM cards have passwords and $300 daily limits.

This is also the reason it is enormously dangerous to give a company untethered access to your bank account, like, say... PayPal. Notice how they really push to get you to sign up with your banking info instead of your credit card? Because there's less of an ice cube's chance in hell that you'll ever get a bank to reverse its charges, where as with a credit card company, the process is practically automated. If you ever have a dispute with PayPal, they can (and do) hold funds and ask questions later (if ever).
posted by Civil_Disobedient at 1:32 AM on March 18, 2008 [1 favorite]

One last detail: debit cards. Ever wonder why your daily cash limit is so much lower than your daily point-of-sale limit? It's not because ATMs are less secure than cash registers card readers. The addition of a low wage, high turnover employee doesn't do wonders for security either. But bank can unclench because it knows it can stick any losses on the merchant. Merchants are like indentured insurance for card issuers.
posted by ryanrs at 2:10 AM on March 18, 2008

Yeah, once you give PayPal your checking account info (and agree to the small print), the transactions are sent through the ACH network, which is a two-way street. At that point, PayPal is the credit card company, the other guy is the card holder, and you're merchant.
posted by ryanrs at 2:26 AM on March 18, 2008 [1 favorite]

[checks credit card statement]
posted by MtDewd at 2:45 AM on March 18, 2008

I'll be interested to hear about the technical details of this. I sincerely hope it's not another TJ Maxx.
posted by Skorgu at 3:12 AM on March 18, 2008

And just to be clear, I don't really care if the merchants get shafted on fraudulent transactions. But the when the credit card companies avoid getting the shaft, that's a real problem. It removes any incentive to improve security.

And since transaction fees proportional total transaction volume, credit card companies really, really want people to use credit cards. You see it in their ad campaigns—Visa's main competitor is cash. So if some new, more secure system is even slightly less convenient, forget it. Instead they're working on contactless payment using RFID.

[Wow, I've been really sloppy wrt credit card companies (Providian, Capital One) vs. card processing networks (Visa, MC) vs. Banks vs. ATM networks. Feel free to just blame it all on Visa. They're behind for most of this stuff.]
posted by ryanrs at 3:13 AM on March 18, 2008 [1 favorite]

I'm trying to figure out how this might work. The article says "thieves accessed card numbers and expiration dates as they were being transmitted for authorization in checkout lines." Makes it sound like a breach of their internal network. Hannaford uses the small swipe-it-yourself terminals at the registers. I wonder if the data then travels unencrypted over their internal network to the credit card processor, or if it's unencrypted between the store and headquarters where it gets encrypted. Either way. that sounds pretty insecure.

Oh yeah, and since we shop there we now have to worry about the sanctity of our cc data, which, if other stores have the same types of weaknesses is null anyway.
posted by SteveInMaine at 3:16 AM on March 18, 2008

By the way, this won't work for in-store purchases, but some credit card issuers provide a service where you can generate one-time use credit card numbers for internet purchases. I use this regularly, though was surprised to find out that AMEX discontinued this service a few years back.
posted by SteveInMaine at 3:19 AM on March 18, 2008

In case anyone was wondering, the current security scheme is to have every store, restaurant, and website figure it out for themselves. Visa assists by verifying zip codes and handing out stickers.
posted by ryanrs at 3:35 AM on March 18, 2008

"thieves accessed card numbers and expiration dates as they were being transmitted for authorization in checkout lines."

I should explain my link: TJ Maxx used trivially-broken WEP encryption to (basically) do this authorization step. Evil hax0rz in a van across the street with a pringles can managed to snoop the traffic and keep pulling cards. That vague a description makes me worry that it'll be the same thing all over again.
posted by Skorgu at 3:59 AM on March 18, 2008

How much do customers really want security though? When I was a cashier, many customers would get frustrated if I checked their signature (which in itself isn't very effective). A PIN would be the most reasonable requirement, but too many people won't be able to remember theirs.
posted by drezdn at 6:40 AM on March 18, 2008

When I was a cashier, many customers would get frustrated if I checked their signature (which in itself isn't very effective).

That's exactly why I get frustrated by it: it's a bit of a sham security action, so I see it as a waste of time. I often use a business card signed by our finance director (not me). I scribble a vague initial on the receipts, and even when clerks check, they are utterly unbothered by the complete mismatch between the signatures. I'm not sure they feel interested, empowered, or sure enough to do anything about it even if they noticed it.
posted by Miko at 7:04 AM on March 18, 2008

I'm not sure they feel interested, empowered, or sure enough to do anything about it even if they noticed it.

At $7/hr, in a part-time job, and under management pressure to move as many customers/hr through the checkout as possible...all of the above.
posted by Thorzdad at 7:25 AM on March 18, 2008

Hannaford claims that only card numbers and expiration dates were stolen, and that names and addresses were not. That's very mildly reassuring.

My card company says they're watching this closely, and even though they notice I have no credit protection plan on my account, I'm probably OK if I pay attention to the statements. Also, I can get email alerts to any changes or suspicious activity on my account for only $7.95 a month. I think ryanrs has their number.
posted by Kirth Gerson at 7:45 AM on March 18, 2008 [1 favorite]

I'm confused, ryanrs. If the credit card companies are the only ones who can do anything about security, how does that make the merchant incompetent? It sounds from the TJ Maxx thing, at least, like merchants have some power over security.
posted by adamdschneider at 8:11 AM on March 18, 2008

The merchants have both power and responsibility over security. The payment card industry publishes a data security standard, which they creatively title PCI DSS. It specifies a number of requirements and holds merchants to them at different levels based on their size.

While PCI DSS compliance isn't that big a deal for merchants because few customers will be able to demand it, it's a bigger deal as you go up the chain; some companies will require their vendors to be complaint, and many companies will require that their payment gateways and processors comply (and some payment gateways and processors will require that their customers comply!).

PCI DSS compliance has even built its own little industry of auditors and consultants, much like the ISO and ITIL standards have.
posted by mendel at 9:18 AM on March 18, 2008

For the credit card company, fraudulent transactions are even more lucrative than honest ones.

Agreed. I am a small merchant and several years ago I had what was clearly someone trying to buy goods on a stolen card. I tried to alert Visa and the bank (Wells Fargo), but neither were interested in my concerns nor would contact the real cardholder. That was an epiphany for me and highlighted the message that banks really do not care about security beyond exploiting it to sell more services.
posted by mr. creosote at 9:20 AM on March 18, 2008 [2 favorites]

If the credit card companies are the only ones who can do anything about security, how does that make the merchant incompetent?

TJ Maxx is incompetent because they used WEP encryption for their network, which is trivially broken. Visa is incompetent because they built a global financial network that is fundamentally reliant on TJ Maxx's IT security.


It sounds from the TJ Maxx thing, at least, like merchants have some power over security.

Yeah, and that's a problem. I mean, you wouldn't really expect a clothing retailer to be at the forefront of fraud detection and information security, would you?
posted by ryanrs at 1:58 PM on March 18, 2008

Clarification: the card processing network (i.e. Visa) is the only one who can fix the systemic brokenness of the current system. But under the current system, the merchants are responsible for day-to-day operational security.
posted by ryanrs at 2:07 PM on March 18, 2008

Gotcha. Man, I think I'm paying cash everywhere from now on. Seriously.
posted by adamdschneider at 2:40 PM on March 18, 2008

The payment card industry publishes a data security standard, which they creatively title PCI DSS.

Well, I think the payment card industry needs to do more than write standards and train consultants.

American Express has its own processing network, so they've been able to try out some more innovative techniques. They experimented with stuff like smart cards and one-time-use card numbers. But at the end of the day, they just don't have the market share to force merchants to buy new equipment. Visa does, but they'd rather make commercials.

If we moved to two-factor authentication based on smart cards for point-of-sale and SecurID tokens online, credit card fraud would basically disappear. Yes, it will cost money. Yes, it will be less convenient. But rampant fraud and consumer distrust ain't exactly cheap or convenient either.
posted by ryanrs at 2:51 PM on March 18, 2008

Credit Card companies will change the merchants a higher processing percentage per transaction if the merchant cannot prove they are compliant with the PCI standards. Those standards are focused on network security.
posted by gminks at 4:08 PM on March 18, 2008

I don't doubt it. I imagine there are huge binders full of procedures, processes, and rules. They probably have security workshops, consultancy services, audits, reviews, awards, and sanctions. But so what? Obviously none of that stuff is working.

The entire credit card processing system is based on the premise that merchant systems are perfectly secure. That's just stupid.

Here's how a less stupid system might work:

When you open an account, your bank issues you a smart card, a security token, a PIN, and an alternate PIN for recurring transactions.

For in-store transactions, you swipe you smart card and enter your PIN. The PIN might be optional for small transactions. Skip the signature, it's completely useless.

For a thief to make a fraudulent transaction, they would need to get both your smart card and your PIN. Hacking into the merchant's computer system doesn't do them much good because the codes read from the card are only good for a single transaction (the card has a chip to generate a new code for every transaction). The PIN is to protect you if you lose your card.

For online transactions, you have to use a security token since you probably don't have a smart card reader. The token generates a new code every 60 seconds and displays it on a little LCD screen. To make a purchase, you enter your account number, your PIN, and the code currently displayed on the token. Like an in-store transaction, this process requires (1) something you know (your PIN), and (2) something you hold (the token). This is known as two-factor authentication.

Recurring transactions would work the same way, but use you'd use your alternate PIN instead. When your bank authorizes the transaction, it notes the use of the alternate PIN and adds a special recurring-authorization record to your account. This record stores the merchant's name and account number, plus the security codes from the initial transaction. A list of currently authorized merchants would be included on your statement.

Next month, when the merchant wants to charge your card again, they resend the security codes from the initial transaction. The stale codes will fail verification, but they'll match the recurring-authorization record, so the bank will accept the transaction.

Note that this scheme doesn't actually need a PIN to verify subsequent transactions, so there's no need for the merchant to resend it. In fact, merchants should be prohibited from storing the PIN at all.

Using this scheme, recurring payments are not as secure as normal one-time transactions. That's probably unavoidable since the whole point is to allow automated transactions. But since your bank recorded the merchant's own account number at the time of the initial transaction, subsequent transactions can be limited to the same destination account. So if a thief hacks the server at Joe's Gym and gets ahold of your security codes, all they can do is move money from your account to Joe's. If they try to send money to a different destination account, your bank can refuse the transaction.

Anyway, I just made that up off the top of my head. Of course, building a highly secure system is very, very hard. So I'd want to sleep on it before vouching for its security. :)
posted by ryanrs at 8:15 PM on March 18, 2008 [2 favorites]

Credit Card companies will change the merchants a higher processing percentage per transaction if the merchant cannot prove they are compliant with the PCI standards.

In other words, a merchant can pay a little extra and say fuck the rulescardholders.
posted by ryanrs at 8:28 PM on March 18, 2008