Over the weekend my local metropolitan newspaper ran an article that caught my eye: "Out-of-state criminals bring cloned credit card schemes to Twin Cities." The article's main focus is how criminals are getting people's data, making credit cards in their names and using them so easily. The primary source of the identity data is major breaches such as Home Depot, where the data was made available online; for $20 or so someone can buy your info, make a credit card, use it, then toss it and move on, with you stuck with the problems. Same story, same problems, but no solutions presented. Unfortunately everyone is at the mercy of retailers' and businesses' ability or willingness to protect your data properly.
One part of the article caught my eye and touched on what I feel is the primary problem and main contributor to the success rate of stolen or cloned credit cards being used in the first place: the retailers and the minimum-wage teenagers with no proper training on how to be a transaction specialist. Here's the section of the article that I am referring to:
Lakeville Police Lt. Jason Polinski said a suspect recently told Lakeville investigators that Minnesota is a target because many stores don’t check IDs.
“It starts with the retailers,” Polinski said. “That’s where it occurs.”
Bruce Nustad, president of the Minnesota Retailers Association, believes an ongoing transition to embedding credit cards with microchips and requiring PIN numbers will be more effective.
Anyone can use any credit card they want because the retailers don't bother to do any type of 'multi-factor' verification of the card holder to ensure they are who they claim to be. This is also a major flaw in the credit card industry's design of the cards themselves, which allows them to be so simplistic. Your credit card carries the three pieces of information you need to make a transaction: the account number, the expiration date and the security code on the back. Why bother when everything you need is on the card? It's so stupid. When you drop your card anyone can hop online and make a purchase with it and there is nothing you can do to stop it.
All you need to get a new credit card is your name, birthdate and social security number. The credit card companies are more than happy to issue you more credit; they print and ship the card as fast as they can. Then the thief gets the new card, runs over to the big box stores, takes a full cart load of merchandise and uses the new credit card to 'buy' everything with nothing more than a smile. The retailers swipe, the colorful point-of-sale computer tells them it's authorized, they ask for a signature and you walk out with a 'Have a nice day.' It is a joke and the criminals know this.
The system is broken and no one is taking steps to fix it.
Chip and PIN cards, or EMV (Europay, MasterCard, Visa), have been used around the world since the early 2000s. Not in the U.S. though. In October of 2015 that will begin to change, as new regulations are finally forcing retailers to adopt the new technology. But Chip and PIN cards won't stop anything; they make it a little harder for the thieves, but they're not a solution. One major flaw with Chip and PIN is that it addresses physical, in-person transactions, but online purchases are not impacted by this technology, and it does nothing to prevent theft or breaches. You will still lose your identity and financial info if a Chip and PIN card's info is breached: same account number, same security code and expiration printed right on the card.
Here’s what needs to happen with credit cards if the industry and government policy makers are truly serious about tackling this problem:
- Integrate smartphones with the purchase. Embrace multi-factor authentication: when you swipe your credit card you will be prompted for a PIN. That PIN can only be retrieved from a smartphone registered with the credit card company, with the app installed with a certificate from the credit card company. You generate a one-time-use PIN that is requested at the point-of-sale system to let the transaction go through. The application cannot be used by any other phone and cannot be used by anyone unless they know the account login to get into the app and have the phone, the app password and the card to make the transaction.
- Photos on the credit cards. Tap into the DMV so that whenever a new credit card is issued, the photo on the card is the same as the DMV photo: a government source for the photo that will match the ID. It forces the retailers to check the ID (driver's license or state ID) against the picture on the card.
- ApplePay and Google Wallet type transactions. Make the method of payment a key, not the actual account. Don't store account information at the retailers, only transaction data. If there are breaches your account information is safe because all the retailer has is a record of the transaction, not your name or account information.
- Penalize retailers that take stolen credit cards. If they cannot be responsible and train properly, put 100% of the blame on the retailer for not being more diligent in their transactions. The PCI regulations are strict on the storage and transmission of credit card data once retailers have it, but don't really address the initial ingestion and validation of the data before they take it.
There is no one solution, and the retailers are the key to making it work. Everything that will fix this problem properly costs money: new POS systems, training new employees, re-issuing cards, etc. I think once you start putting the accountability on the retailers for being lazy and incompetent in allowing stolen cards to be used, the dollars to upgrade will make more sense. A $5 million fine or $2 million to upgrade? Now it doesn't seem that expensive when put into perspective against the alternative.
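The smartphone one-time PIN flow proposed in the first bullet, as an added example that is not from the original post: a device-bound key enrolled with the issuer, a PIN the registered phone derives from it for the current time step, and issuer-side verification that rejects a cloned card presented without the phone as well as a PIN that is captured and reused. The function names, the test card number and the fixed clock are constructed for the walk-through.

```python
import hashlib, hmac, secrets, struct, time

# Constructed issuer-side state (hypothetical, not any real issuer's system):
# the key provisioned into each cardholder's registered phone app, plus the
# PINs already redeemed so a PIN captured at one register cannot be replayed.
ISSUER_DEVICE_KEYS = {}   # pan -> device key
USED_PINS = set()         # (pan, time step) pairs already accepted
PIN_DIGITS, STEP_SECONDS = 6, 60

def register_device(pan, key=None):
    """Issuer enrolls the cardholder's phone by provisioning a random key."""
    key = secrets.token_bytes(32) if key is None else key
    ISSUER_DEVICE_KEYS[pan] = key
    return key

def time_step(now=None):
    return int((time.time() if now is None else now) // STEP_SECONDS)

def one_time_pin(device_key, pan, step):
    """Phone side: HMAC(device key, card number || time step), truncated to a
    decimal PIN as in RFC 4226. Without the enrolled phone's key the PIN cannot
    be produced, so the card data alone is useless at the register."""
    digest = hmac.new(device_key, pan.encode() + struct.pack(">Q", step),
                      hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** PIN_DIGITS).zfill(PIN_DIGITS)

def authorize(pan, pin, now=None):
    """Issuer side, called by the POS with the swiped card and the typed PIN.
    Only the current time step is accepted; a deployment would also allow one
    step of clock skew."""
    key = ISSUER_DEVICE_KEYS.get(pan)
    if key is None:
        return False                  # no phone enrolled for this card
    step = time_step(now)
    if (pan, step) in USED_PINS:
        return False                  # replay of an already-used PIN
    if not hmac.compare_digest(one_time_pin(key, pan, step), pin):
        return False                  # wrong or guessed PIN
    USED_PINS.add((pan, step))
    return True

def demo():
    """Constructed walk-through: genuine purchase, replayed PIN, cloned card."""
    pan, now = "4111111111111111", 1_700_000_000      # test PAN, fixed clock
    phone_key = register_device(pan, key=bytes(32))   # fixed key for the demo
    real_pin = one_time_pin(phone_key, pan, time_step(now))
    genuine = authorize(pan, real_pin, now)           # cardholder has the phone
    replay = authorize(pan, real_pin, now)            # PIN skimmed and reused
    guess = "000000" if real_pin != "000000" else "999999"
    cloned = authorize(pan, guess, now)               # cloned card, no phone
    return genuine, replay, cloned
```

Running `demo()` returns `(True, False, False)`: only the holder of the enrolled phone gets an authorization, and the same PIN cannot be spent twice.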
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.