Another database: CRACKED A recent security breach of a local online merchant prompted me to write this post. As a shopping cart software author and former security analyst at Symantec I know the nuts and bolts of security from several perspectives. Credit card fraud is a huge and growing problem. See my article about credit card security online for a detailed discussion on how credit card security works and what the vulnerabilities are. There is a solution, but it will not be implemented until pressure is brought to bear on the key players.
Convenience vs. Security: In the first place, SHAME on that merchant for storing those account numbers. Online merchants do not need to store account numbers. They collect the number, immediately forward it to their financial gateway, and receive approval to process the sale (or not.) Why do they store the numbers if it’s not necessary? Because it helps their bottom line by providing convenience for the customer. No one likes to type a 16 digit number. If the merchant recognizes a returning customer they can retrieve and prefill the number. A proven metric is the less people have to type the more likely they are to close the sale. Convenience carries a price.
Ripe for the picking: Meanwhile, your number sits in a database waiting to be cracked. Don’t kid yourself. Everyone gets cracked eventually. If numbers are not stored, the only way to steal them is to snag them on the fly–a lot less cost-effective for the cracker. Crackers, like anyone, chase the low-hanging fruit. As long as there are juicy databases full of credit card numbers, crackers will not bother cracking data streams.
The solution is out there: Security professionals know that the solution to the problem is disposable credit card numbers. A disposable card number only works ONCE, so even snagging it on the fly is useless. It resolves to the real number only at the financial institution. If disposables were widely used, merchants would have no incentive to store them. and crackers would lose interest. However, widespread implementation of this solution requires unified buy-in from credit card companies / financial networks. These guys so far have shown no interest in true security — only in PR “appearance of security.” They pass all the financial responsibility and most of the technical responsibility for security off onto merchants. PCI standards were created to help/force merchants to be more secure, but from what I can see, most merchants are totally baffled by them. Notice that it’s the merchants who have to do all the security — the banks and credit card companies sit on the inside and happily process the fraud complaints. Merchants end up paying for fraud. The cost ultimately gets passed to the consumer. Credit card companies don’t care. Money is money, whether it’s fraud or merchandise charges. They make obscene profits either way.
Centralized solution: The trick is generating the disposable numbers and making them either transparent or manifest to the consumer as the situation demands. Technology exists to do it, but it requires that the financial system invest in a centralized and standard solution — not likely unless they have to eat some of the cost of fraud.
What can you as a consumer do?
- Refuse to do business online with any merchant that prefills your credit card number. Contact them and ask them to remove it from their database. Look for a statement on their website that states that they do not capture primary account numbers.
- When making Point of Sale purchases watch your card like a hawk. A common scam is to distract the customer with pleasant chat and swipe the card through a cracked swiper under the counter, or worse yet, tap the legitimate swiper at the source. Check the visible swiping machine for an extra line leading out of it or any signs of tampering.
- Contact your credit card company and demand that they address the issue of security.
- Contact your legislators and urge them to author and pass legislation requiring that credit card companies pay for fraud.
Bottom line: nothing will change until savvy consumers demand it.