Will online retailers be the next major breach target?

In the past year we have seen several high-profile breaches of brick and mortar retailers. Estimates range in the tens of millions of credit cards stolen in each case. For the most part, these retailers have weathered the storm with virtually no ill effects. In fact, it seems the same increase in stock price that TJ Maxx saw after their breach still rings true today. A sad fact indeed.

Regardless, the recent slew of breaches has finally prompted the credit card industry to act. They have declared that 2015 will be the year that chip and pin becomes the standard for all card-present transactions. And while chip and pin isn’t a silver bullet, and attackers will eventually find new and innovative ways to circumvent it, it has proven to be quite effective in Europe where it has been the standard for years.

Chip and pin changes how the credit card information is transmitted to the processor. Instead of the credit card number being read, in plain text, off of the magnetic strip, the card reader initiates an encrypted communication between the chip on the card and the card reader. The card details are encrypted and sent, along with the user’s PIN, to the card processor for verification. It is this encrypted communication between the card and, ultimately, the card processor that results in increased security. In short, the attack vectors used in recent breaches is difficult, if not impossible to pull off with these new readers. Since the information is not decrypted until it hits the card processor, attackers can’t simply skim the information at the card reader. There are, of course, other attacks, though these have not yet proven widespread.

At it’s heart, though, chip and pin only “fixes” one type of credit card transaction, card-present transactions. That is, transactions in which the card holder physically scans their card via a card reader. The other type of transaction, card-not-present transactions, are unaffected by chip and pin. In fact, the move to chip and pin may result in putting online transactions at greater risk. With brick and mortar attacks gone, attackers will move to online retailers. Despite the standard SSL encryption used between shoppers and online retailers, there are plenty of ways to steal credit card data. In fact, one might argue that a single attack could net more card numbers in a shorter time since online retailers often store credit card data as a convenience for the user.

It seems that online fraud, though expected, is being largely ignored for the moment. After all, how are we going to protect that data without supplying card readers to every online shopper? Online solutions such as PayPal, Amazon Payments, and others mitigate this problem slightly, but we still have to rely on the security they’ve put in place to protect cardholder data. Other solutions such as Apple Pay and Google Wallet seemingly combine on and offline protections, but the central data warehouse remains. The problem seems to be the security of the card number itself. And losing this data can be a huge burden for many users as they have to systematically update payment information as the result of a possible breach. This can often lead to late payments, penalties, and more.

One possible alternative is to reduce the impact a single breach can cause. What if the data that retailers stored was of little or no value to an attacker while still allowing the retailer a way to simplify payments for the shopper? What if a breach at a retailer only affected that retailer and resulted in virtually no impact on the user? A solution like this may be just what we need.

Instead of providing a retailer your credit card number and CVV, the retailer is provided a simple token. That token, coupled with a private retailer-specific token should be all that is needed to verify a transaction. Tokens can and should be different for each retailer. If a retailer is compromised, new tokens can be generated, reducing the impact on the user significantly. Attackers who successfully breach a retailer can only submit transactions if they can obtain both the private retailer token as well as the user token. And if processors put simple access-control lists in place, it increases the difficulty an attacker encounters when trying to push through a fraudulent transaction.

Obtaining tokens can be handled by redirecting a user to a payment gateway for their initial transaction. The payment gateway verifies the user and their credit card data, and then passes the generated token back to the retailer. This is similar to how retailers using existing online payment processors such as Paypal and Amazon Payments already handle payments. The credit card data never passes through the retailer network. The number of locations credit card data is stored reduces significantly as well. This, in turn, means that attackers have fewer targets and while this increases the risk a payment processor network incurs, one can argue that these networks should already have significant defenses in place.

This is only one possible solution for online payments. There are many other solutions out there being presented by both security and non-security folks. But there seems to be no significant movement on an online solution. Will it take several high-profile online breaches to convince credit card companies that a solution is needed? Or will credit card companies move to protect retailers and card holders ahead of attackers redirecting their efforts? If history is any indication, get used to having your card re-issued several times a year for the foreseeable future.

Slaves to Technology?

Over the past few years I have slowly moved from carrying cash to using my debit card for purchases. It’s pretty convenient for me, and reduces, somewhat, any loss I suffer from a lost wallet or something similar. I’m sure I’m not the only one doing this. However, this means I rely on technology a bit more. And when that technology fails, life becomes difficult. This bit me again this week.

I received a new debit card a few months ago and found that after just a few months, the magnetic strip on the back of the card started to rub off. I guess they’re using something different to fabricate these newer cards as my previous card lasted several years, and was still good, when it expired and I needed a new one. So, I went about ordering a new one and life went on.

Now, a mere month or so later, the strip has yet again rubbed off. Again, I’ve ordered one and I’m expecting it any day now. In the meantime, I had to run to the market the other day. I run around, gather the stuff I need, and proceed to checkout. I normally use the self-checkout, if only to avoid the usually long lines elsewhere. I go through the ritual of scanning everything, placing them into bags, etc. When I ran my card through, it failed, pretty much as I expected. I tried running it through a few times, and even tried the “bag” trick which also failed.

So what do you do in this situation? I thought there was a pretty simple solution to this, so I asked the girl at the counter to run it through by hand. This, apparently, was a big mistake. What resulted was a 20 minute ordeal as they ran to get a manual card machine, screwed it up three times and had to keep running to get new carbon sheets. Once they finally figured out how to use the manual machine, they had to enter the data into the computer. Of course, they screwed this up innumerable times. All said and done, they were finally able to get the transaction to go through.

Seriously? Come on… I do this on the Internet all the time! Enter the card number, name, expiration, and CVV. Done! I even mentioned this and was told that it was “far more complicated than that.” …. Ummm…. ok … ?

So in the end, they have a physical copy of the card (albeit a fairly crappy one… they had to hold on to my card to read the numbers because it didn’t copy well), and they have the computer transaction receipt as well. The computer receipt has the exact same information on it that a normal transaction has… So what was the problem again?

And it’s not just this particular store, I’ve had problems elsewhere. Burger King has no alternate plan if their credit card processing fails. At most, I was offered the option of running to get cash to pay with or wait for their computer to reboot… In hindsight, I should have gone to get cash.. Apparently they’re running the slowest computers on earth.

Lowes? The girl at the counter got frantic when the card wouldn’t read. She called for help, and the help got frantic too. Luckily it scanned after the umpteenth time, otherwise I may have been witness to a nervous breakdown.

Dunkin Donuts! Well, apparently they’re fairly competent there. My card failed to scan so the girl at the counter asked for it back, typed in the numbers, and ran it through manually. Took an extra few seconds. Done.

So let this be a lesson. Technology is great when it works, but you may be in trouble when it fails… At the very least, it can be incredibly inconvenient. And to think… Only a few years ago, credit cards had to be manually handled, with the carbon paper and all. And it only took a few minutes back then… How times change…