Target Breach Spells End For Magnetic Stripe Cards Next Year

After years spent fighting pushes for more secure standards, the payment card industry and retailers are moving quickly to abandon magnetic stripe cards and embrace so-called "chip and pin" technology.

Credit card firms MasterCard and Visa plan to have most customers on the more secure chip and pin cards by October, 2015, according to a report in the Wall Street Journal. The move comes in the wake of a massive heist of account information for tens of millions of credit card holders from the systems of U.S. retailers including Target, Neiman Marcus and Michaels Stores.

In an interview with MasterCard's Carolyn Balfany, the Journal notes that company has set October, 2015 as the date for a "liability shift": a change in policy that will hold the party in a fraudulent transaction liable for losses due to that transaction. The goal, said Balfany, is to try to encourage merchants and card issuers (banks) to move to the more secure chip and pin technology in concert.

Visa said that it also will institute a liability shift in October 2015. However, the shift to more secure cards will likely start much earlier. Visa is requiring all ATMs that accept its cards to be EMV compliant by April of next year.


According to the article in the Wall Street Journal, the liability shift means that the party that uses the less-advanced technology in the transaction will be held liable if the transaction turns out to be fraudulent. So, if the merchant is still using the old system and processes a transaction with a swipe and signature, the merchant would be liable. If the merchant has a new terminal to accept the chip and PIN cards, but the bank hasn't issued a chip and PIN card to the customer, the bank would be liable.

And that means the banks are going to be pretty firm about replacing magnetic stripe cards with chip and PIN cards.

Reply to
Moe DeLoughan

The rest of the advanced technology countries have had this new system in place for several years, we are just catching up to the rest of the world. So right on!!!

Reply to
hrhofmann

In advance of our European vacation a little more than a year ago a major US bank replaced our original card by one with a chip. Perhaps many (all?) US banks already have the ability to issue such cards if they are requested.

Perce

Reply to
Percival P. Cassidy

They do. They haven't wanted to, because it costs money. Now that the Target data breach is costing them piles of money and making them look incompetent or stupid as well (by choosing not to implement more secure cards), they're willing to make the transition to the new cards.

The reason I posted this is because of last week's thread on RFID chips in credit cards, with the paranoid saying they were gonna refuse those cards. Well, it looks like by 2016 your choice will be a chipped card, or no card at all.

Reply to
Moe DeLoughan

Which has absolutely nothing to do with the Target breach as the liability shift deadline was established long before the Target incident. Furthermore, EMV (Chip & Pin) would have NOT prevented the Target breach as it was caused by penetrating the card readers and installing unauthorized software. Nothing to do with the mag stripe.

Reply to
Arthur Conan Doyle

You need to confirm that your card is Chip & Pin and not Chip & Signature. Europe uses Chip & Pin, although mag stripe cards will work at most registers but not kiosks or petrol pumps.

Chip & Signature was a half-arsed implementation done by a few card issuers in the US and doesn't work at very many locations.

Reply to
Arthur Conan Doyle

The card readers are just another keyboard. Most of them load your information in clear text into known locations in memory. The bad guys used a simple memory scrubber to access it.

I love to show my customer just how easy it is. I open a text editor (Notepad will do), then swipe my AAA club card through their card reader. What shows up in the text editor will amaze and astound. Scared the hell out of them. It is that easy.

Target had non point of sale computers on the same network leg as their point of sale computers (their HVAC [temperature] monitoring computers got infected and it spread to their point of sale computers.) Big mistake. Never ever, never ever put anything unrelated on the point of sale leg.

They also used the cheaper clear text card swipers, instead of encrypted card swipers.

No matter how you store the information on the card, if it does not get loaded into the computer in an encrypted format before it enters the computer, the bad guys can scrub it from memory and/or copy it with a keystroke logger.

Think of it this way: data at rest needs to be encrypted; data in motion also needs to be encrypted. The Target breach was data in motion.

As long as someone else has to pay the bill, the state of credit card security will remain very, very lax. Be interesting to see what happens if Target has to pick up the bill. Maybe then they will get serious.

Reply to
Todd

Chips are a problem. They can be scanned. Strips cannot be externally scanned. The card is not the problem with the Target episode.

Greg

Reply to
gregz

Per gregz:

Is that to say that somebody's card in their wallet in a pocket could be scanned surreptitiously as they walk past a hidden device - like some corporate ID cards are to keep track of who goes where?

Reply to
(PeteCresswell)

I've been confused about that very issue. My financial institution issued a Pin and Chip credit card to me early this year that I've used in 5 different countries on 2 continents. I've experienced 3 different scenarios using the card. (1) I put the card into the reader, verified the transaction and amount on the reader's screen, the merchant did his thing on his keyboard, and the transaction was completed without a request for a PIN OR a signature; (2) as above, except a receipt was printed out which required my signature without any inquiry from the merchant about a PIN or a signature; or (3) the merchant or the card reader requested a PIN but gave the alternative to allow me to complete the purchase by signing the receipt rather than entering the PIN. My financial institution said that in general, I should not need to enter the PIN unless I'm using the card at an ATM (which I would never do on account of the punitive interest rates and fees that type of transaction incurs.) Any insights why I've encountered these 3 different scenarios?

Reply to
Peter

We have had chipped cards in Europe for the past ten years. Problem for USAians when they come here.

Not foolproof though. The crooks have found ways round them. Mostly involving micro-cameras and fake fronts to cash machines. But a lot more difficult for them.

Reply to
harryagain

Using our "chipped" card in France, I think we almost always had to sign, but neither of us remembers whether we ever had to enter the PIN as well.

Perce

Reply to
Percival P. Cassidy

I'd guess you were issued a Chip and Signature card, not a Chip & Pin card.

Sounds like a low value transaction. Same thing happens in the US with mag stripe cards.

Classic Chip & Signature operation.

Not seen that, but I don't have a Chip & Signature card.

Do you use this card as a Debit or ATM card in the US? Maybe it's some strange hybrid card. I'd call your bank and ask if you have a true Chip & Pin card.

Reply to
Arthur Conan Doyle

The data at a Target POS is read and immediately encrypted before sent. The malware read the data at the POS terminals as it came off the cards.

(The second breach was data stored on Target computers.)

After Oct 1, 2015 any merchant that uses mag-strip swipe will be responsible for cost of credit card fraud.

Target installed some of the card readers used in the European system and hoped other merchants would also install them. Other merchants didn't, and the transaction presumably takes longer, which was a disadvantage to Target.

Reply to
bud--

That is my point. That is why you want to use an encrypted card swiper. That way the data is already encrypted before it hits the computer. Not after plain text hits the computer, gets read by a POS program, and then gets encrypted. It is very easy to intercept or scrub from memory before that point. But encrypted card readers cost more.

To get merchants' attention, I like to open a text editor (Notepad will do fine), then swipe my AAA card through it. What shows up will amaze and astound. And it is that easy.

What idiot(s) uses Windows on their POS systems anyway: okay Target did. And a lot of others too. They just don't take security seriously.

I wonder ...

Merchants better be careful, with this new PCI stuff, they are going to be held responsible regardless. PCI is about shifting liability back to the merchant. You pencil whip it and you are dead meat. I only have one customer that actually takes it seriously. The rest, one look at the questionnaire, and "Hand me that, whip, whip, whip. Problem solved."

Telling them PCI is about shifting liability back to them is the only way I can get their attention. They don't care about some lofty principle about security for something they think will never happen to them, but when I tell them they are in the cross hairs (liable), then suddenly they pay attention.

I am surprised 10 times as many merchants are not breached. And, I really, really hate turning my credit card over to anyone these days. Occasionally, I ask if they are PCI compliant and I get a blank stare, then a halting "yes". Liars.

Reply to
Todd

TRANSLATION: Instead of the credit card company passing on the cost to the consumer, the merchant will.

Reply to
Ed Pawlowski

Ultimately, that is who always pays for it anyway. Same with taxes placed on business.

Reply to
Todd

Per Todd:

That begs a question that I have never heard addressed - even by the lunatic fringe: Why should there be any taxes at all on businesses beyond those necessary to support local infrastructure?

Since the taxes get passed on down the chain to the consumer anyhow, it's almost a wash between increasing income tax and not taxing businesses and what we have now.

"Almost" because the diff is that some of those tax dollars get passed on to offshore consumers and essentially we are receiving foreign aid.

But the flip side of that is that our products are more expensive offshore and the competitive position of our manufacturers is diminished to the extent of that "aid".

Seems logical. So why isn't anybody raising it as an issue? What's the flaw?

Reply to
(PeteCresswell)

The constituency that likes government support and the politicos that represent them like indirect taxes because it hides the fact that people's pockets are being picked.

It also plays to the people who like to use taxes to punish behaviors or businesses they don't like instead of raising funds to support the necessary functions of government.

I would far rather see one federal government bill presented to citizens once a year and get rid of withholding taxes, fuel taxes, social security taxes, etc. You see an amazing rush to reduce the size of government. Like that will ever happen.

Reply to
Arthur Conan Doyle

1+++++++++++++++++

Reply to
Todd
