Monday, November 20, 2006

Is it a Lack of Security at Retailers Causing the Debit/Credit Card Breaches?

Whether by hacking databases or placing skimming devices on point-of-sale systems, debit/credit card fraud is rearing its ugly head worldwide.

After finishing my most recent post about skimming devices placed on BP point-of-sale systems in the UK, I read an article in Computer World about what might be the latest large data breach.

Jaikumar Vijayan writes:

Several financial institutions last week canceled thousands of credit and debit cards in Michigan because of fraud concerns related to an apparent data compromise at a convenience store chain, highlighting the wide effect that retail security breaches can have.

Jaikumar's story, here.

Jaikumar's story states that Wesco, a retailer, is suspected of being the point of compromise. Of course, Wesco isn't admitting this and merely states that the matter is under investigation.

Office Max was the suspected point of compromise in another case last fall and, to the best of my knowledge, it never admitted to being involved. Dollar Tree and Sam's Club have also recently been suspected of being points of compromise in breaches where large amounts of credit/debit card information were compromised.

Why are hackers targeting retailers? The answer might be that large amounts of account information, including PINs (personal identification numbers), are being maintained in databases that are poorly protected and therefore easily compromised (hacked).

In his story, Jaikumar interviewed an expert from Gartner (Avivah Litan):

It also wasn’t clear how the data might have been breached. But four out of five data compromises involve security breaches at point-of-sale systems, said Avivah Litan, an analyst at Gartner Inc. The POS systems at convenience and grocery stores, as well as gas stations, can be especially vulnerable because of a lack of IT security awareness and resources, Litan said.

Much of the exposure results from merchants connecting their POS terminals to IP-based networks, Litan said. Often, such systems store magnetic stripe data from cards and have default passwords that can be easily hacked, she added.

The Payment Card Industry security standard explicitly prohibits the storing of magnetic stripe data on POS systems. But retailers continue to do so, and many POS applications store the data by default, Litan said.
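The storage Litan describes is something a merchant can check for on its own systems. The Python below is an added example, not code from the article, the blog, or any Gartner or vendor tool: it scans a constructed POS log for stored track 1 and track 2 records (the magnetic stripe data PCI prohibits keeping), uses the Luhn mod-10 check to drop digit runs that only resemble a card number, and reports masked PANs so the report does not itself become a second copy of the prohibited data. The log format and transaction fields are invented for the example, and the card numbers are the widely used 4111... and 5500... test numbers, not real accounts.

```python
import re
from typing import Dict, List

# Constructed sample of what a POS application might leave on disk. The
# card numbers are standard test numbers, not real accounts, and the log
# format itself is invented for this example.
SAMPLE_POS_LOG = """\
2006-11-14 09:12:03 lane=03 txn=48811 auth=OK amount=34.50
2006-11-14 09:12:04 lane=03 txn=48811 track2=;4111111111111111=0912101123400000?
2006-11-14 09:15:40 lane=01 txn=48812 auth=OK amount=12.99 last4=0004
2006-11-14 09:15:41 lane=01 txn=48812 track1=%B5500000000000004^DOE/JANE^0912101123450000?
2006-11-14 09:20:17 lane=02 txn=48813 debug=;1234567890123456=0912101?
"""

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?"
)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the form PCI permits to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_stored_track_data(text: str) -> List[Dict[str, str]]:
    """Return one finding per Luhn-valid track 1 or track 2 record in `text`.

    Each finding records the line number, the track type, the masked PAN and
    the expiry, enough for a reviewer to locate the record without the
    report reproducing the full stripe data.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for track, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in pattern.finditer(line):
                if not luhn_valid(m.group("pan")):
                    continue  # shaped like a track, but the PAN fails Luhn
                findings.append({
                    "line": str(lineno),
                    "track": track,
                    "pan": mask_pan(m.group("pan")),
                    "expiry": m.group("exp"),
                })
    return findings


if __name__ == "__main__":
    for f in find_stored_track_data(SAMPLE_POS_LOG):
        print(f"line {f['line']}: {f['track']} data for PAN {f['pan']} (exp {f['expiry']})")
```

Run against the sample, the scanner reports two findings (lines 2 and 4) and ignores the debug line whose digits fail the Luhn check. In practice the same patterns would be run over the POS application's database files, transaction logs and crash dumps, since "stores the data by default" usually means it lands in more than one place.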

The problem is that the retailers never admit to being breached, the banks give out limited information when asked about it, and it appears that there are too many companies not following the Payment Card Industry Data Security Standard.

Perhaps the problem is that the Payment Card Industry Data Security Standard isn't being enforced and the consequences are lacking for those in violation of it. At a minimum, shouldn't these companies be prevented from doing electronic payments by the industry?

Even if a lot of the losses are being written off, they are normally passed on to everyone in the form of increased fees, interest rates, or, in the case of retailers, higher prices. Despite this, there are also people who are denied compensation, especially if they fail to file a claim in time, or if a PIN was used and they can't tie it to a known breach.

With the number of data breaches, it's often difficult to figure out where any particular person's information was stolen from.

If the Payment Card Industry can't clean up their own backyard, perhaps it's time for some government inquiries into why so much information is being compromised?

Even without government intervention, there is the matter of consumer confidence to be considered. Consumer confidence is what makes businesses thrive, and a lack of it can be a disaster for all of those involved.

I'm sure there are retailers protecting their information properly, and the ones who aren't give everyone a bad name.


Brian said...

How about the payment processor who profits from the crime and has the ability to prevent it?
Know the facts-visit and find out who is behind the crime.
Become better informed people, please. The only way to stop this type of crime is to become aware of who is pulling it off. It is the payment processors who don't verify their transactions who are causing the problems and yes, they profit every time a stolen card is used and nobody is doing anything about it.

Anonymous said...

Good info to be aware of.
I am beginning to question more the integrity of such systems.
Recently I took my brother out for his B-day, using my ATM card to pay for drinks. I check my bank activity on a regular basis. And I find that the establishment charged my card 38.44; my purchases along with my tip amounted to 34.50. There is some kind of discrepancy here. Did the establishment overcharge me? Will it be corrected in time?
If not I will call up my bank and the establishment.
Why would there be such a difference?

On another note, ed; the SSDI phishing scam was reported in our local paper here...way after I heard about it from you!
Thanks for your info and site!

Anonymous said...

FYI - more discussion on PCI topics at pciFile.ORG. The discussion group primarily serves Visa-certified auditors but we welcome posts from anyone impacted by PCI

alien8401 said...

There has been a major catch in India of a few people working in a major departmental store. These people used to work as cashiers at the counters. People who purchased the goods and paid by credit card were targeted. These cashiers used to memorise the CVV number of the card while swiping and, once the customer left, used to re-print the charge slip and write down the CVV and expiry date in their records.
This data was sold to fraudsters who used it as they liked.

Yet another innovative way of fraud