Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Target Breach: Why Smartcards Won’t Stop Hackers
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Mathew
Mathew,
 User Rank: Apprentice
1/31/2014 | 4:44:47 AM
Re: Smartcards are unnecessary. This is the Solution

Mark, that sounds like a very innovative approach. In fact, a version of that system is in use in Europe for online purchases. For every given card, the cardholder registers a password. As part of the payment process, they're then asked to provide the 1st, 3rd, and 6th (or some other combo randomly chosen by the card provider's system) letters of their password, to verify the purchase.

But can you imagine if this was introduced at POS terminals? I'd expect to see waiting times multiply. It also wouldn't work for anyone with vision problems. Related customer-service calls to card issuers would skyrocket. Unfortunately, I don't see the approach you outline being simple enough to succeed.

Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
1/30/2014 | 11:48:25 PM
Re: Smartcards are unnecessary. This is the Solution
This is why I try to pay with cash whenever possible.  So much easier, so much more secure.  (Indeed, the one time I went shopping at a Target during the affected period, I paid with cash; I'm now VERY glad that I did.)
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
1/30/2014 | 11:45:56 PM
EMV
Another problem with the security of EMV chips is that banks/credit card companies are so delusionally convinced that EMV is imperviously secure that when theft and fraud have occurred, they have given customers who have suffered from ID theft very difficult times, refusing to accept that the fraud occurred without exceptional evidence.
Lorna Garey
Lorna Garey,
 User Rank: Ninja
1/28/2014 | 12:04:20 PM
Re: Smartcards are unnecessary. This is the Solution
One problem is that the share of purchases made in person with the card in hand is shrinking, or at least coming even with ecommerce. Maybe one answer will incorporate smartphones -- a two-factor method, something you have (the chipped card) and something you know (a one-time-use code sent to your phone to verify the purchase).

However, let's remember that the card issuers really, really want to end fraud because they're the ones on the hook. Meanwhile, as a customer, what's the worst that happens if someone in Russia buys an Olympic tee shirt with my card? I call the issuer to have it removed. So, customers won't tolerate inconvenience; there's no percentage in it.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
1/28/2014 | 11:36:56 AM
Re: Smartcards are unnecessary. This is the Solution
Not prepared to conceded that smart cards are unncessary. In fact I was gratified to read in a Dallas business news story that Wal-Mart and Kroger already have checkout systems that work with smart cards that are widely used internationally. Too bad Target customers didn't have that option. I don't suspect too many Wal-Mart or Kroger shoppers do either. 
MarkS229
MarkS229,
 User Rank: Apprentice
1/27/2014 | 9:21:36 PM
Smartcards are unnecessary. This is the Solution
Since this is the only solution guaranteed to solve the credit card/retailer problem, without causing major system redesigns and disruptions, I'll explain it in detail.

First, the credit card companies give everyone a UserID, which gets put on the credit card, instead of the number.

Next, everyone chooses a keyword, like 'NeimanMarcus' or 'Target' (too soon?).

The POS system connects to the credit card company, as usual but, instead of prompting for a password, it displays a matrix of upper/lowercase alphabets, with a random pattern of 1's and 0's underneath.

The user types the 1's and 0's corresponding to his keyword, which goes to the credit card company for approval. After limit checks, expiry checks etc, the user is approved.

The next time the user makes a purchase, the pattern of 1's and 0's is completely different, so the previously typed code is useless to an attacker. Doesn't matter whether it's malware, network snoopers, or spy cameras, the information is always useless.

For obvious reasons, anything in the retailer's logs is also totally useless.

Now, isn't that easier than redesigning the whole system, adding encryption and buying EMV cards?
jagibbons
jagibbons,
 User Rank: Strategist
1/27/2014 | 9:10:05 PM
Re: Smart cards won't stop hackers - but they remove the incentive
The disposable card numbers are really only for online use. You are correct, though, that the retail industry needs better POS security and protection.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
1/27/2014 | 3:50:26 PM
Re: Smart cards won't stop hackers - but they remove the incentive
Thanks, @jagibbons. Sounds like a reasonable option, though I think a better solution would be for the retail industry needs to be pushed to make more of an investment in smart cards and smart POS terminals.
jagibbons
jagibbons,
 User Rank: Strategist
1/27/2014 | 10:33:33 AM
Re: Smart cards won't stop hackers - but they remove the incentive
Our bank, Huntington, provides them. They are actually debit cards connected to a checking account. We can use it once or multiple times. It is possible to get new ones. Some of card brands also offer this service.

It's not a big issue if the card number is invalidated after the transaction when it is skimmed.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
1/27/2014 | 10:24:17 AM
Re: Smart cards won't stop hackers - but they remove the incentive
@jagibbons. I don't think I'm familiar with the one-time use credit cards you refer to. How prevalent are they and who issues them? Banks, retailers or both. 
Page 1 / 3   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-25012
PUBLISHED: 2023-02-02
The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove in drivers/hid/hid-bigbenff.c via a crafted USB device because the LED controllers remain registered for too long.
CVE-2022-37034
PUBLISHED: 2023-02-01
In dotCMS 5.x-22.06, it is possible to call the TempResource multiple times, each time requesting the dotCMS server to download a large file. If done repeatedly, this will result in Tomcat request-thread exhaustion and ultimately a denial of any other requests.
CVE-2023-0599
PUBLISHED: 2023-02-01
Rapid7 Metasploit Pro versions 4.21.2 and lower suffer from a stored cross site scripting vulnerability, due to a lack of JavaScript request string sanitization. Using this vulnerability, an authenticated attacker can execute arbitrary HTML and script code in the target browser against another Metas...
CVE-2023-23750
PUBLISHED: 2023-02-01
An issue was discovered in Joomla! 4.0.0 through 4.2.6. A missing token check causes a CSRF vulnerability in the handling of post-installation messages.
CVE-2023-23751
PUBLISHED: 2023-02-01
An issue was discovered in Joomla! 4.0.0 through 4.2.4. A missing ACL check allows non super-admin users to access com_actionlogs.