23 November 2014

Steve Liles - Sheffield Computer Systems PL

Information Security

The risks from cyber crime - hacking, loss of data privacy, identity theft and other topical threats - can be greatly reduced by implementing robust IT security controls ...

130 million stolen card details - are you kidding?

17 August 2009  |  4283 views  |  7

So I read today that a guy, a known hacker in fact, has been charged in the US with rifling 130 million card details from various agencies and stores, and he is about to go to jail for a long time. Story here. This is the pits, don't you think? How long have we got to put up with business and governments telling Joe Public that it's OK, we have it covered, trust us and you won't have any problems when you make a payment via our payment services?

Well, it's not alright! It's time for a new way of conducting payment transactions, and it needs to involve a technical disconnect so that whoever has the card details cannot use them without a guaranteed way of authentication.

If we can spend billions, yes billions of dollars on anti fraud systems and get this kind of return then we can spend billions replacing it so that it works...don't you think?

The vested interests in today's so called solutions should pack their bags and go home in shame.

Tags: Cards, Security

Comments: (8)

Dean Procter - Transinteract - Sydney | 19 August, 2009, 07:37

I don't suppose those numbers are on disk somewhere 'just in case' the hackers get caught and need to raise cash while in prison? Simply selling them. There is little excitement in hearing this stuff.

Are we left to wonder why [the system which makes us vulnerable to] this isn't considered a matter of national security?

I can envisage plenty of 'what-if?' scenarios.

Peter Bove - Aviso - London | 19 August, 2009, 08:31

It's a question of risk vs reward. Typically, the card issuers pick up the loss as a cost of business - and they have invested huge sums in fraud prevention tools. Why the outrage - we know cards are prone to fraud and we live with that fact. 3500 people each year are killed in road accidents in the UK annually - but I don't hear you wanting to replace the car!

A Finextra member | 19 August, 2009, 12:15

I think it's also about consumer education and choice. There are alternatives out there but many people are unaware of them as yet.

Then consumers can make a genuine decision about how they want to shop on and offline based on variables including risk-appetite, convenience, cost and availability.

Steve Liles - Sheffield Computer Systems PL - Sydney | 19 August, 2009, 22:15

Ah Peter, I see you do have 'a vested interest in today's solutions', so I would expect that response.

Thank you for your analogy of the car, and for giving me a chance to demonstrate how appropriate it really is.

We've spent billions of dollars to reduce the accident rate with cars and to reduce the injury toll to drivers, passengers and pedestrians...designs that effectively destroy the car to absorb the impact...now this took a rebuild of the car from scratch...the public determined, over many years and too many lost lives, that it was totally inadequate just to put a louder horn on the front of the car...which is what the 'vested interests' in those days were advocating. This is my point. What your company and other hangers-on are doing is making money out of building louder air horns instead of dumping the current design and starting again.

I mention the other analogy to do with monitoring and regulation. There are standards in place that prohibit cars not so designed from reaching the showrooms. Moreover, there are policemen who ask drivers to be of sound mind, who have passed a competency test and can breathe into a bag without sending the crystals blue. This is continued monitoring of the regime. The current PCI payments regime is farcical to say the least...how many card details have been lost this year so far...200, 300 million or more?

I'm afraid our existing payments system is still in the year of the Model T Ford.

Mary Freeman - Simplify IT Limited - London | 20 August, 2009, 12:07

As the article "Hacker charges also an indictment on PCI" from SearchSecurity points out, the recent problems at Hannaford show that the PCI Data Security Standard is still not fit for purpose. In particular:

  • It needs to move from a "castles and moats" to a "protected strongbox" design. Systems can no longer be deemed secure until proved otherwise, so the data should be protected, not the system
  • Data needs to be encrypted from the card and remain encrypted until it reaches the acquirer; for this a one-time password, updated for each transaction, is required, and Chip & PIN cards are still not capable of this
  • Developers of any system which has access to a network on which card data is transmitted need to be security trained
  • Any system that holds card data should be regularly tested by different external companies, not just one

Anyone need a Senior Business Analyst with experience of PCI DSS?

A Finextra member | 20 August, 2009, 15:13

I would propose another analogy: can we imagine that knowing the postal address (from the yellow pages) is enough to enter a house? No, for sure! Unfortunately, knowing only the card's identity (i.e. card number, expiry date and the security code engraved on the back) is enough to pay on the Internet. And to go further with the analogy, these mega card-details databases are a kind of "bank card yellow pages"!

An efficient way to progress is to render these data useless for payment. This can be done by requiring a dynamic password at the payment stage. Banks that have deployed EMV bank cards can use the chip to generate a dynamic one-time password, thanks to a personal card reader (known as a Home Chip and PIN card reader in the UK). 21M users in Europe are already equipped with such a solution to secure online banking operations. Banks should soon require it to be used in e-commerce payments too.

In this case, the dynamic password generated by the card's chip after PIN validation will act as the key you use to lock your door.

A Finextra member | 21 August, 2009, 10:29

"An efficient way to progress is to render these data useless for payment. This can be done by requiring a dynamic password at the payment stage. Banks that have deployed EMV bank cards can use the chip to generate a dynamic one-time password, thanks to a personal card reader (known as a Home Chip and PIN card reader in the UK). 21M users in Europe are already equipped with such a solution to secure online banking operations. Banks should soon require it to be used in e-commerce payments too."

We're all selling something, aren't we? "Banks should soon require it to be used in e-commerce payments too." I suppose "require" means "mandate", much like VBV or UCAF/SPA, because the only way your company's product (combo card reader/OTP generator) would work effectively is if all the online merchants in the world change their systems to facilitate and accept these OTPs. In fact, in Le Parisien (in French), 1 June 2009, Eric Flour of Societe Generale states this weakness as well.

I agree with Paul's comment about consumer education and awareness. Indeed, there are many alternatives out there, but consumers are not aware of them. These other consumer-centric solutions do not have to be mandated and can work without requiring changes on the merchants' side. For example (and since we are all selling something), wouldn't it be ideal to just enable a cardholder to turn off his card account when he is not using it to make an online payment, and enable him to turn it on before he makes an online payment? The same can be done for ATM transactions and cross-border transactions. All these types of transactions (online, ATM and cross-border) are prone to fraud. With such a system, a cloned card or compromised card details will not work, thereby rendering this cloning, hacking and phishing quite useless.

While we are blogging about our systems and solutions, there will be more Hacker Harrys and Cloner Conners out there.

Perhaps someone should start a site, much like Wikipedia, maybe 'finapedia' or 'secupedia' (whatever), in which all the different systems and solutions can be listed. This should make consumers, banks and merchants aware of what solutions are available. Consumers and technologists can also comment on their strengths and weaknesses. I'm certain that making the market aware will result in the take-up of efficient solutions.

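The two comments above describe two issuer-side controls: a chip-generated one-time code tied to the payment (20 August comment) and a cardholder switch that turns a channel on or off (21 August comment). The following is an added example written for this page, not code from Finextra, the post's author or any commenter, and not the EMV/CAP algorithm itself. The chip-side code is simulated with an HMAC-SHA256 over a counter, the amount and the merchant id (an assumption, CAP-style); the card key, the PAN, the merchant names and the channel defaults are constructed for illustration. It shows why a dump of static details (PAN, expiry, CVV2) cannot pay on its own, and why a captured code cannot be replayed or moved to a different amount.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: the static details an attacker gets from a stolen card database.
STOLEN_DETAILS = {"pan": "4111111111111111", "expiry": "12/11", "cvv2": "123"}

# Constructed per-card secret shared by the chip and the issuer. It is never
# printed on the card and never stored by a merchant, so it is not in the dump.
CARD_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

APPROVE = "APPROVE"
DECLINE_CHANNEL = "DECLINE: channel switched off by cardholder"
DECLINE_NO_CODE = "DECLINE: dynamic code required for card-not-present"
DECLINE_REPLAY = "DECLINE: code already used (replay)"
DECLINE_WINDOW = "DECLINE: counter outside accepted window"
DECLINE_BAD_CODE = "DECLINE: code does not match transaction"


def chip_otp(key: bytes, counter: int, amount_cents: int, merchant_id: str,
             pin_ok: bool = True) -> Optional[int]:
    """Simulate the 8-digit code a home card reader shows after the PIN is verified.

    Assumption: a CAP-style HMAC-SHA256 over (counter, amount, merchant), truncated
    to 8 decimal digits. The real EMV/CAP cryptogram differs; the binding to the
    transaction and to a counter is the property being illustrated.
    """
    if not pin_ok:
        return None  # a wrong PIN means the chip emits nothing
    message = struct.pack(">QQ", counter, amount_cents) + merchant_id.encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % 10**8


@dataclass
class IssuerCardRecord:
    key: bytes
    last_counter: int = 0
    # Cardholder-controlled switches; card-not-present channels default to off.
    channels: Dict[str, bool] = field(default_factory=lambda: {
        "pos": True, "ecommerce": False, "atm": False, "cross_border": False})


@dataclass
class Transaction:
    pan: str
    channel: str
    amount_cents: int
    merchant_id: str
    counter: Optional[int] = None
    otp: Optional[int] = None


def authorize(record: IssuerCardRecord, tx: Transaction, window: int = 10) -> str:
    """Issuer decision. The static details (PAN, expiry, CVV2) never carry the decision."""
    if not record.channels.get(tx.channel, False):
        return DECLINE_CHANNEL
    if tx.channel == "ecommerce":
        if tx.counter is None or tx.otp is None:
            return DECLINE_NO_CODE
        if tx.counter <= record.last_counter:
            return DECLINE_REPLAY
        if tx.counter > record.last_counter + window:
            return DECLINE_WINDOW
        expected = chip_otp(record.key, tx.counter, tx.amount_cents, tx.merchant_id)
        if not hmac.compare_digest(f"{expected:08d}", f"{tx.otp:08d}"):
            return DECLINE_BAD_CODE
        record.last_counter = tx.counter  # consume the counter so this code is single-use
    return APPROVE


def demo() -> Dict[str, str]:
    """Walk the stolen details through the issuer's checks; returns outcome per scenario."""
    record = IssuerCardRecord(key=CARD_KEY)
    pan = STOLEN_DETAILS["pan"]
    results: Dict[str, str] = {}
    # 1. Attacker has the dump; the cardholder has left e-commerce switched off.
    results["dump_only"] = authorize(record, Transaction(pan, "ecommerce", 4999, "shop-1"))
    # 2. Cardholder switches e-commerce on to shop; the dump still carries no code.
    record.channels["ecommerce"] = True
    results["dump_channel_on"] = authorize(record, Transaction(pan, "ecommerce", 4999, "shop-1"))
    # 3. Genuine purchase: the reader produces a code for this amount and merchant.
    code = chip_otp(CARD_KEY, 1, 4999, "shop-1")
    results["genuine"] = authorize(record, Transaction(pan, "ecommerce", 4999, "shop-1", 1, code))
    # 4. Attacker captured that code at the merchant and submits it again.
    results["replay"] = authorize(record, Transaction(pan, "ecommerce", 4999, "shop-1", 1, code))
    # 5. Attacker bumps the counter and changes the amount; the code no longer matches.
    results["tampered"] = authorize(record, Transaction(pan, "ecommerce", 99900, "shop-1", 2, code))
    # 6. Cardholder switches the channel off again; even a fresh valid code is refused.
    record.channels["ecommerce"] = False
    code2 = chip_otp(CARD_KEY, 2, 1500, "shop-2")
    results["valid_code_channel_off"] = authorize(record, Transaction(pan, "ecommerce", 1500, "shop-2", 2, code2))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>24}: {outcome}")
```

The counter window (`window=10`) is what lets the issuer tolerate codes the cardholder generated but never submitted, while still rejecting anything at or below the last accepted counter; in a real deployment that window, the PIN-retry limit on the chip and the per-channel defaults are policy decisions for the issuer, not properties of the algorithm.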
Gerhard Schwartz - Hewlett-Packard | 23 August, 2009, 14:51

So is one hacker stealing 130 million credit card details an alarming sign? Sure it is, and anyone being rather relaxed about it will probably change his mind very quickly after finding a few grand missing from his own account.

Now, there is the danger of throwing out the baby with the bathwater. Not all payment systems are alike, and not all of them are insecure ...

Especially older systems that have been around for decades have proven to be very secure, and many responsible institutions still trust and do invest in proven and secure technology that is extremely hard or almost impossible to hack. None of the 130 million credit card details have been stolen from such secure systems.

The drawback: Those secure systems have a higher price tag than commodity systems based on cheaper and more widely spread vulnerable technology.

However, using open systems for critical payments processing increases fraud risks very significantly, and it requires additional security efforts that in the end cost far more than can ever be saved by buying cheaper technology. And the security cost skyrockets once your system has been hacked and you have to deal with all the consequences. This is a lesson that still has to be learned by many ...
