Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Target Breach: Why Smartcards Wont Stop Hackers
Oldest First  |  Newest First  |  Threaded View
Page 1 / 3   >   >>
David F. Carr
50%
50%
David F. Carr,
User Rank: Strategist
1/24/2014 | 10:40:33 AM
Exempted from PCI Compliance?
I was thrown by the reference to some rule that allows merchants not to have to demonstrate PCI Compliance if they do enough transactions with PIN and chip cards. Why does that make sense?
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
1/24/2014 | 11:19:01 AM
Transactions without the card?
These chipped cards do nothing for online or phone purchases either, right?

In terms of PCI, seems like the carrot part of the carrot/stick duo. PCI audits are costly and of questionable value. So, let retailers spend that money to upgrade their devices.
mdelince
50%
50%
mdelince,
User Rank: Apprentice
1/24/2014 | 12:36:00 PM
When can we expect better online use of chipped cards?
There are many banks in Europe (all the one I deal with) who provide a device which can be used to login to the online banking web site and also to confirm any online transaction on these sites.

So it seems to me that if "the world" adopted such simple technology we could get way better security around online financial transaction (and possibly even for non-financial ones).

The main problem is that there does not seem to be an agreed upon standard for such device and my experience with the banks I refer to above is that each has got its own device and apparently they are not fully compatible.

Another problem is price: someone will have to pay for the device and even if they are not very expensive (I pay a fee of about 50$ to obtain such device and they last 5 years) this cost may be difficult to justify for infrequent use. If "the world" was adopting a standard for such a device, I am sure 3rd party would be building and selling such devices and pricce would drop to a more acceptable 2-5$.
rvanderhoof085
50%
50%
rvanderhoof085,
User Rank: Apprentice
1/24/2014 | 1:08:40 PM
Smart cards won't stop hackers - but they remove the incentive
Stopping the hackers is not the purpose of EMV chip cards.  PCI security compliance is supposed to do that, and everyone knows that applying network security only against hackers is an arms race that merchants can't win.  EMV chip card data behind the firewalls erected by merchants to prevent hackers from getting in makes those merchants less of a target.  Remove the magnetic stripe data and replace it with chip data, which can't be counterfeited and lacks all the elements neccesary for online fraud, and you eliminate the incentive to break in.  EMV chip cards is the best defense merchants have to avoid being the next target.
psengupta411
50%
50%
psengupta411,
User Rank: Apprentice
1/24/2014 | 6:21:52 PM
Target Breach: Smartcards
If the perpetratrors had hacked the Target servers, then of course, EMV cards could not have saved the situation. However, a PCI compliant POS terminal with an EPP, would have helped to avoid PIN compromise for EMV cards even if the card numbers were illegally captured. It seems that the obduracy of the US retailers has been the prime cause for the perpetratrors to succeed in this massive onslaught. No wonder, we keep reading about the impending 'death' of retail
pabbott782
50%
50%
pabbott782,
User Rank: Apprentice
1/24/2014 | 7:45:35 PM
The cynical perspective
This is America, and as I understand it, everything is driven by money. This technology reduces fraud/theft, and thereby saves money. Sounds to me like this could justify reduced charges to retailers which should be all it takes to convince them to get on board. Of course I'm ignoring one detail, the bannks will consider the better security to be a benefit and therefore charges will be increased since, as banks have demonstrated on many occasions, the only thing that interests them is more profits. No wonder it's not been adopted yet.
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
1/25/2014 | 8:16:46 AM
It all comes down to money
As soon as a breach of the Target scale will be generating so many damage claims and fines that it would even put a big retailer out of business the EMV systems are in place within months. Both the card industry and retailers consider it cheaper to pay the damages and some petty fines in these cases, but otherwise not care if it ruined the lives of thousands of families.

The discussion is a bit misguided if the EMV systems are not as secure as they seem. The card industry and retailers should seek cases like Target as the opportunity for a positiive campaign and design and implement the most secure payment system ever. But I guess Target will be flip flopping on that as well, Target just sucks.
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
1/25/2014 | 8:24:11 AM
Re: Smart cards won't stop hackers - but they remove the incentive
Actually, the chip data can be counterfeited, but at a tremendously larger effort than coding a 1 cent mag stripe card. That might just be sufficient to make it not worth while the effort at least for in person purchases. Online fraud would be the preferred option as the numbers clearly show. The alternative approval process as some advertise now would be one option, but even that could be compromised as long as hackers accummulate enough intel on a person. And it puts the burden on the consumer who not only has to do more without getting any more protection (with or without the consumer is only liable for 50$ of a fraudulent transaction) and it requires expensive smartphones with as expensive data plans.
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
1/25/2014 | 8:34:07 AM
Re: When can we expect better online use of chipped cards?
As with many things, it is a matter of price but even more so the US typical "not invented here" syndrome. Something that works great in Europe and Asia can by no chance work in the US. For that reason we still endure Never The Same Color TV broadcasts, wall outlets that by design are an electrocution hazard, expensive consumer satellite TV service (no extra charge for Europe on the Astra and Eutelsat systems), slow broadband at twice the price, frequent power outages, new roads that need fixing one year later....the list is long and for every issue there is already an established and proven solution that may cost a bit more upfront, but saves everyone tons of money in the long run. But since it is not invented here or no longer hip with the conservative crowd (e.g. high speed rail and favroing rail freight over trucks) it will never get introduced in the US unless there are constantly high price failures. Another example? Sure, rail cars for oil transport! Since decades much safer rail cars are available and proven to be effective protection in derailments. But I guess for the US it is cheaper to have the few dozen people die and half a town get burned down than spend the money on safety. And in regards to payment security, just look how great TJX is doing. They survived the biggest credit card data breach in history and it was nothing more than a footnote in an annual report. It seems as if one is looking for common sense they need to move away from the US.
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
1/25/2014 | 8:38:14 AM
Re: Exempted from PCI Compliance?
It doesn't, but that was the outcome of a court case with a settlement approved by a judge. Judges are experts in law, but understandably lack the knowledge of many areas they have to decide on. My guess it was the same in this case. Just look at the many tech patent cases, the verdicts often lack any common sense and typically do not take long term impact into account. It is difficult for a court to find the fine line between acting upon law versus making new laws and political policy decisions.
Page 1 / 3   >   >>


Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2228
PUBLISHED: 2020-02-19
The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.
CVE-2014-2727
PUBLISHED: 2020-02-19
The STARTTLS implementation in MailMarshal before 7.2 allows plaintext command injection.
CVE-2015-2104
PUBLISHED: 2020-02-19
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2014-3622
PUBLISHED: 2020-02-19
Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.
CVE-2016-10000
PUBLISHED: 2020-02-19
Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).