Another database: CRACKED A recent security breach of a local online merchant prompted me to write this post. As a shopping cart software author and former security analyst at Symantec I know the nuts and bolts of security from several perspectives. Credit card fraud is a huge and growing problem. See my article about credit card security online for a detailed discussion on how credit card security works and what the vulnerabilities are. There is a solution, but it will not be implemented until pressure is brought to bear on the key players.
Convenience vs. Security: In the first place, SHAME on that merchant for storing those account numbers. Online merchants do not need to store account numbers. They collect the number, immediately forward it to their financial gateway, and receive approval to process the sale (or not.) Why do they store the numbers if it’s not necessary? Because it helps their bottom line by providing convenience for the customer. No one likes to type a 16 digit number. If the merchant recognizes a returning customer they can retrieve and prefill the number. A proven metric is the less people have to type the more likely they are to close the sale. Convenience carries a price.
Ripe for the picking: Meanwhile, your number sits in a database waiting to be cracked. Don’t kid yourself. Everyone gets cracked eventually. If numbers are not stored, the only way to steal them is to snag them on the fly–a lot less cost-effective for the cracker. Crackers, like anyone, chase the low-hanging fruit. As long as there are juicy databases full of credit card numbers, crackers will not bother cracking data streams.
The solution is out there: Security professionals know that the solution to the problem is disposable credit card numbers. A disposable card number only works ONCE, so even snagging it on the fly is useless. It resolves to the real number only at the financial institution. If disposables were widely used, merchants would have no incentive to store them. and crackers would lose interest. However, widespread implementation of this solution requires unified buy-in from credit card companies / financial networks. These guys so far have shown no interest in true security — only in PR “appearance of security.” They pass all the financial responsibility and most of the technical responsibility for security off onto merchants. PCI standards were created to help/force merchants to be more secure, but from what I can see, most merchants are totally baffled by them. Notice that it’s the merchants who have to do all the security — the banks and credit card companies sit on the inside and happily process the fraud complaints. Merchants end up paying for fraud. The cost ultimately gets passed to the consumer. Credit card companies don’t care. Money is money, whether it’s fraud or merchandise charges. They make obscene profits either way.
Centralized solution: The trick is generating the disposable numbers and making them either transparent or manifest to the consumer as the situation demands. Technology exists to do it, but it requires that the financial system invest in a centralized and standard solution — not likely unless they have to eat some of the cost of fraud.
What can you as a consumer do?
- Refuse to do business online with any merchant that prefills your credit card number. Contact them and ask them to remove it from their database. Look for a statement on their website that states that they do not capture primary account numbers.
- When making Point of Sale purchases watch your card like a hawk. A common scam is to distract the customer with pleasant chat and swipe the card through a cracked swiper under the counter, or worse yet, tap the legitimate swiper at the source. Check the visible swiping machine for an extra line leading out of it or any signs of tampering.
- Contact your credit card company and demand that they address the issue of security.
- Contact your legislators and urge them to author and pass legislation requiring that credit card companies pay for fraud.
Bottom line: nothing will change until savvy consumers demand it.
Listen to this post ![[Post to Twitter]](http://dorkage.net/wp-content/plugins/tweet-this/tweet-this-small.png)
Tweet This
[...] The Big Picture wrote an interesting post today onHere’s a quick excerptAnother database: CRACKED A recent security breach of a local online merchant prompted me to write this post. I am a shopping cart software author and former security analyst at Symantec. Credit card fraud is a huge and growing problem. See my article about credit card security online for a detailed […] [...]
Just who can one trust these days? Even though we all know these things happen we somehow think it will never happen to us personally, thanks for the reminder.
Just as a matter of interest, over the last few months in South Africa there have been a number of scams involving Internet banking. In all the cases the banks compensated the people who had been ripped off. I do not know if this is because the law enforced this or if it was just ‘nice’ bankers.
One has to have eyes in the back of your head these days.
sailors last blog post..Self-induced inaccessibility
Maybe South Africa is different than USA. And also I think it depends on the bank. I had a recent financial mess (not involving fraud) and my bank was infinitely nice. When my identity was stolen (physically) in 2004 the bank refused to honor the stolen checks and undid the fraudulent charges on my cards, yet clearly the perps had walked away from Walgreens with a nice haul of pseudofed or whatever. The cost for it was ultimately borne by Walgreens, who just had to eat it, and pay for not checking photo id.
credit card is a big thing that is going on right now. Another way people can prevent credit card fraud is to pay attention to what you are doing. If you are shopping online make sure you do some research on the company you are buying from. Also make sure they are secured.
CreditCardBalanceTransfers last blog post..Do your Best to have a High Credit Score
[...] Take Action to prevent Credit Card Theft [...]