Security fail



  • Article for reference: http://www.usatoday.com/story/news/nation/2013/12/18/secret-service-target-data-breach/4119337/

    The gist of the article is that Target, a US super store retailer, lost who knows how many credit card numbers. They have about 1800 stores in the US, and another 120+ in Canada. The losses appear to involve all of their stores from around Thanksgiving through December 15th.

    My company processes credit cards. As a matter of course we don't store any of that information. Instead we just store the transaction ID, which, quite frankly, is ALL that is necessary to deal with any type of refunds or accounting audits. There is simply zero reason to keep the card number.

    What I'm absolutely mystified about is why in the hell anyone, other than the card issuers themselves keeps the numbers at all? What could they possibly use them for? I'm sure I'm going to get a couple letters from a few banks I do business with letting me know that yet AGAIN they are cancelling my current cards and are reissuing. I also got bit by Adobe's loss of card numbers earlier this year. Actually, this will likely be the 4th time in 2013 I've had to replace a card..lovely.

    At what point will Visa/MC and the banks start suing the crap out of these companies for losing those details? The banking costs alone for reissuing thousands (potentially millions) of cards has got to be enormous.

    So, here's a question for the people here: Do systems you work with/on store credit card details? If so, why? I have yet to see anyone with a valid reason for it.


  • Winner of the 2016 Presidential Election

    Don't forget the cost of reimbursing for fraud (by identity thieves and opportunists claiming identity theft). I had my credit card leaked by PlayStation Network and I think Steam at one point. Someone soon after started racking up hosting charges. I wasn't liable for a cent of it.



  • It kind of seems that all of their card readers were compromised. A detailed explanation of the breach would be fascinating!


  • SockDev

    @clively said:

    What I'm absolutely mystified about is why in the hell anyone, other than the card issuers themselves keeps the numbers at all? What could they possibly use them for?

    Subscription payments.

    Yes, I know about Direct Debit. No, not everyone uses them.

     



  • One reason they keep them is for refunds. Or at least, that's something they do with the stored numbers. I know I've returned things there and had the amount credited back to my card.



  • @RaceProUK said:

    Subscription payments.

    Yes, I know about Direct Debit. No, not everyone uses them.

     


    Where I work, that's exactly the case - some customers refuse to go on Direct Debit, or later decide they don't want us doing it (but are happy to give their debit card details which takes money from the same damn account!)



    Visa/MC/Banks do sue companies for breaches as all card merchants have to be PCI Compliant, which means certain standards have to be followed (I'm not saying the standards are good or infallible by any means, it's just that's the standards we have to follow), and if card details are lost, and it turns out any one of those standards isn't met, it's time to pray you've got enough money to pay the fine...



  • @clively said:

    At what point will Visa/MC and the banks start suing the crap out of these companies for losing those details?
     

    Fuck that. At what point will Visa/MC start issuing one time use credit cards-- or at least for offline transactions, credit cards that generate a one time use number when inserted?  I still don't understand why the number I use to make a payment can, in itself, be used to make purchases.  Why, in 2013, we're still basically handing over our private key each time we do a transaction.

    @clively said:

    So, here's a question for the people here: Do systems you work with/on store credit card details? If so, why? I have yet to see anyone with a valid reason for it.

    As others will point out, recurring transactions. But again, I see absolutely no reason why this is still the case. If I authorize a recurring transaction, how about Visa/MC issue a transaction number to that merchant. The only thing that number is good for is for recurring charges. No other merchant can use that number to take money from my account. It will be tied to my account, so if the credit card itself expires or is replaced with a new CC number, the recurring transactions don't fail.

    Still, from what I understand about PCI compliance, if you were to store a CC number-- it's supposed to be encrypted. It's supposed to be kept in a database completely separate from both the customer information, and the expiry date & CVV number.  The idea is that if the CC is leaked, there's still missing information and it can't be tied to a person. That's the idea.



  • Imagine if email security worked the same way as credit cards? There would be no passwords, you'd just need your address to access your account. This would mean you'd have to be extremely careful who you give your email to, despite the fact that you need to do that in order to let other people message you, which is the main point of email.

    Eventually providers like GMail would start implementing harsher (pseudo-)security measures like asking for your personal data every time you sign in, or forcing other companies to sign agreements to implement security measures to make sure the addresses they have are stored securely. In practice it would probably still work well 80% of the time, but every now and then a server would be hacked and you'd find out that all your accounts which depended on that email had been compromised, forcing you to change your email address again, which would be a pain in the ass. Maybe someone would propose some system where a code gets sent to your phone whenever you want to read your email, but due to backwards compatibility this could not be made mandatory so it would still be useless.



  • @Lorne Kates said:

    Still, from what I understand about PCI compliance, if you were to store a CC number-- it's supposed to be encrypted. It's supposed to be kept in a database completely separate from both the customer information, and the expiry date & CVV number.  The idea is that if the CC is leaked, there's still missing information and it can't be tied to a person. That's the idea.

    Actually, you're not supposed to store the CVV once payment is authorized, ever.  PCI DSS is very clear about that...



  • @RaceProUK said:

    Subscription payments.

    Yes, I know about Direct Debit. No, not everyone uses them.

     

    Design flaw.

    Vendors should be certified to do recurring or stored payments, and then on initial request, be assigned a new, unique and entirely private token for that customer. If a vendor's database is ever compromised, it doesn't matter, the CC clearinghouses would simply void the tokens, which don't affect the end CC at all.



  • @anonymous234 said:

    Imagine if email security worked the same way as credit cards? There would be no passwords, you'd just need your address to access your account. This would mean you'd have to be extremely careful who you give your email to, despite the fact that you need to do that in order to let other people message you, which is the main point of email.

    Eventually providers like GMail would start implementing harsher (pseudo-)security measures like asking for your personal data every time you sign in, or forcing other companies to sign agreements to implement security measures to make sure the addresses they have are stored securely. In practice it would probably still work well 80% of the time, but every now and then a server would be hacked and you'd find out that all your accounts which depended on that email had been compromised, forcing you to change your email address again, which would be a pain in the ass. Maybe someone would propose some system where a code gets sent to your phone whenever you want to read your email, but due to backwards compatibility this could not be made mandatory so it would still be useless.



    You know, that's actually a pretty interesting solution to the problem and I wonder why nobody thought of it before. Just have the credit card company require a password to validate the transaction. The password wouldn't be saved by the vendor, so you don't have to worry about security breaches on that side, and if we have a security breach at the credit card company, stealing your password is the least of your trouble.

    It would mess with real world transactions a bit (I'm thinking restaurants here), but these days, I don't see why the credit card company couldn't issue a portable password reader for a reasonable cost.

    You'd still have an issue with man-in-the-middle attacks on the password reader, or just outright fraud and theft, but the consumer would be much less vulnerable.

     

     



  • @Snooder said:

    You know, that's actually a pretty interesting solution to the problem and I wonder why nobody thought of it before. Just have the credit card company require a password to validate the transaction. The password wouldn't be saved by the vendor, so you don't have to worry about security breaches on that side, and if we have a security breach at the credit card company, stealing your password is the least of your trouble.
    This actually is implemented, in two different ways. My previous bank gave me a calculator, and after certain on-line transactions I was redirected to bank's page, which required me to authorize the transaction (I had to insert the card into that calculator, type PIN, type the number displayed on the webpage, then enter the number the calculator returned). Meant that without the calculator, I couldn't be sure I would be able to finish a transaction. My current bank instead uses MasterCard SecureCode, which similarly redirects me to a page controlled by the bank, where I just have to enter a password. Since I never remember which password I set (there are stupid restrictions - alphanumeric only, limited number of characters, so none of my usual password algorithms work), I simply always click "Forgot password", and enter my birthdate and tax ID number to reset.



  •  @spamcourt said:

    It kind of seems that all of their card readers were compromised. A detailed explanation of the breach would be fascinating!

     

    Since this was apparently done at the card reader level in hundreds of locations, it has to be an inside job, either at Target or at their merchant service. It simply cannot be anything else. They will never admit that, of course.



  •  The US credit card industry is currently strongarming merchants (and rightly so) into upgrading their equipment to handle chip cards, using the EMV system. The benefits to the consumer are minimal, since the consumer isn't responsible for most of the cost of a breach. The benefits to the merchant services are enough to make it worth their time to make concessions to merchants as a carrot.

     The carrot is that once 80% of your transactions (I think, it might be equipment) is EMV capable, you don't have to worry about being PCI compliant any more. The reason is that with the EMV system, the account information is encrypted on the credit card terminal, and the merchant never sees it at all. Break into TJ Maxx's computers, and steal whatever you want, and you won't get a single credit card number.

     That will not, of course, prevent this kind of inside job.

     



  • @taustin said:

     @spamcourt said:

    It kind of seems that all of their card readers were compromised. A detailed explanation of the breach would be fascinating!

     

    Since this was apparently done at the card reader level in hundreds of locations, it has to be an inside job, either at Target or at their merchant service. It simply cannot be anything else. They will never admit that, of course.
    No it doesn't.

    It could simply have been as easy as breaking into Target's network and discovering that all the card readers were connected to same network and had no security. And as a potential attack vector, have you ever noticed all those Target staff wandering around with portable bar code readers, checking stock levels etc. Those things are connected by WiFi, and it is plausible that the WiFi is susceptible to some sort of known exploit.



  • It seems to me (and I may be mistaken) that the fake CC spam levels are up on the forum today. Maybe they're trying to sell the booty before the banks get wise? About a month ago, one of my CCs was replaced due to having purchased from some vendor (they didn't tell me who) that had been breached. It was before the date reported in the story, and I'm sure that card's been used at Target, so I may have yet another card coming...



  • I noticed that about that time the stores got new card terminals (with very clunky PIN buttons, by the way). I wonder if those were all compromised from the beginning.



  • @clively said:

    So, here's a question for the people here: Do systems you work with/on store credit card details? If so, why? I have yet to see anyone with a valid reason for it.

     

    i do work with payment processing systems for several clients, one of them cashes in > 5 million € every year.

    we never ever store credit card numbers, it's useless, and retarded.

    yes we do things like giving people their money back, or recurring payments (you're given a unique combo of references for future uses, depending on your banking partners), you just don't need to keep the card numbers, no fucking point.

     

     

     



  • @boomzilla said:

    One reason they keep them is for refunds. Or at least, that's something they do with the stored numbers. I know I've returned things there and had the amount credited back to my card.

    You need the transaction id to do this, not the card number.

    Target, like several others, stores the card number right alongside the transaction id in their systems so they can look it up. Of course, the @#$% Receipt # is good enough to look up a trans id as well.

    After wracking my brain, the ONLY reason I can think of that these morons would store a card number is to facilitate matching multiple transactions up with a single "customer" in order to establish a profile. However, even then hashing the number (one way encryption) would be the ideal way of handling this which would mitigate any data loss.


  • Winner of the 2016 Presidential Election

    @clively said:

    @boomzilla said:
    One reason they keep them is for refunds. Or at least, that's something they do with the stored numbers. I know I've returned things there and had the amount credited back to my card.

    You need the transaction id to do this, not the card number.

    Target, like several others, stores the card number right alongside the transaction id in their systems so they can look it up. Of course, the @#$% Receipt # is good enough to look up a trans id as well.

    After wracking my brain, the ONLY reason I can think of that these morons would store a card number is to facilitate matching multiple transactions up with a single "customer" in order to establish a profile. However, even then hashing the number (one way encryption) would be the ideal way of handling this which would mitigate any data loss.


    Maybe:

    Rep: Welcome to Target®, how may I help you?
    Customer: I'd like a refund for these 42 purple dildos.
    Rep: Do you have your receipt?
    Customer: I lost it in an erm, incident with this defective merchandise.
    Rep: I'm sorry, due to the nature of this product we cannot accept used returns.
    Customer: Oh they haven't been used per se.
    Rep: Oh! Well, in that case, we can look it up by your address.
    Customer: The uh. Purchase may have been made by my, ahem, business associate Carlos Danger. I'm not sure of his address.
    Rep: Hm. Well, do you have the credit or debit card used to make the purchase?
    Customer: As a matter of fact, I do!
    Rep: Well, then I can look up your transaction with your card number, credit you for the full amount of your purchase, and restock these personal massagers immediately!
    Customer: Thank you so much.
    Rep: Have a wonderful day.
    Everybody wins!


  • Hashing still works for that.

    Or storing only part of the number.



  • @clively said:

    So, here's a question for the people here: Do systems you work with/on store credit card details? If so, why? I have yet to see anyone with a valid reason for it.

     

     I don't even get the card number.  I simply package up the transaction details, forward the user to my gateway with an encrypted message containing the necessary details, then I get back the first 4 numbers and the last 2 of the card number (enough to assist with looking up the transaction with the customer's assistance and indicate to them what card they used to pay me) and a pass or fail response.  If it's a recurring payment, I also get back a token that I can submit to charge the card for future transactions in place of the card number, and the gateway provider stores the card number instead.  As a clearinghouse, I expect they have top notch security.

    @Snooder said:


    You know, that's actually a pretty
    interesting solution to the problem and I wonder why nobody thought of
    it before. Just have the credit card company require a password to
    validate the transaction. The password wouldn't be saved by the vendor,
    so you don't have to worry about security breaches on that side, and if
    we have a security breach at the credit card company, stealing your
    password is the least of your trouble.

    It would mess with real
    world transactions a bit (I'm thinking restaurants here), but these
    days, I don't see why the credit card company couldn't issue a portable
    password reader for a reasonable cost.

    You'd still have an issue
    with man-in-the-middle attacks on the password reader, or just outright
    fraud and theft, but the consumer would be much less vulnerable.

     

     You realise you just described 3DSecure (Mastercard SecureCode
    and Verified by Visa) right?  That's exactly how it works - though the
    password is stored and presented by the card issuer (bank), not the card network (Visa/Mastercard).
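
Added example, not part of any post in this thread: a Python version of the storage model the posts above argue for (transaction ID, the gateway's recurring token, first 4 and last 2 digits, and a one-way fingerprint for matching repeat cards). `HypotheticalGateway` and its method names are assumptions standing in for a real gateway API, the card numbers are constructed test values, and a keyed HMAC is swapped in for the plain hash suggested earlier because card numbers are few enough to enumerate.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: widely published test card numbers, not real accounts.
TEST_PAN_A = "4111111111111111"
TEST_PAN_B = "5555555555554444"


def luhn_valid(pan: str) -> bool:
    """Check the Luhn checksum carried by payment card numbers."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 4 and last 2 digits, as the gateway in the post returns."""
    return pan[:4] + "*" * (len(pan) - 6) + pan[-2:]


def fingerprint(pan: str, key: bytes) -> str:
    """Keyed one-way fingerprint used only to match repeat cards.

    Card numbers are short, decimal and checksum-constrained, so an unkeyed
    hash can be enumerated. The HMAC key must be kept outside the database
    that holds the rows (secret store or HSM).
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class HypotheticalGateway:
    """Stand-in for the payment gateway; only this side ever stores a card number."""

    def __init__(self) -> None:
        self._vault = {}                    # token -> card number, gateway side only

    def charge(self, pan: str, amount_cents: int, recurring: bool = False) -> dict:
        if not luhn_valid(pan) or amount_cents <= 0:
            return {"approved": False}
        reply = {"approved": True, "transaction_id": "txn_" + secrets.token_hex(8)}
        if recurring:
            token = "tok_" + secrets.token_hex(16)
            self._vault[token] = pan
            reply["token"] = token
        return reply

    def charge_token(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault or amount_cents <= 0:
            return {"approved": False}
        return {"approved": True, "transaction_id": "txn_" + secrets.token_hex(8)}

    def void_token(self, token: str) -> None:
        """Void a token after a merchant breach; the card itself is untouched."""
        self._vault.pop(token, None)


@dataclass(frozen=True)
class SaleRecord:
    """Everything the merchant database keeps for one sale: no card number, no CVV."""
    transaction_id: str
    masked_pan: str
    card_fingerprint: str
    recurring_token: Optional[str]


def record_sale(gateway: HypotheticalGateway, pan: str, amount_cents: int,
                key: bytes, recurring: bool = False) -> Optional[SaleRecord]:
    """Charge through the gateway and build the row to persist.

    The card number exists only in memory for the duration of this call.
    """
    reply = gateway.charge(pan, amount_cents, recurring)
    if not reply["approved"]:
        return None
    return SaleRecord(reply["transaction_id"], mask_pan(pan),
                      fingerprint(pan, key), reply.get("token"))


if __name__ == "__main__":
    gw = HypotheticalGateway()
    key = secrets.token_bytes(32)
    first = record_sale(gw, TEST_PAN_A, 1999, key, recurring=True)
    second = record_sale(gw, TEST_PAN_A, 500, key)
    print(first)
    print("same card:", first.card_fingerprint == second.card_fingerprint)
    print("renewal approved:", gw.charge_token(first.recurring_token, 1999)["approved"])
    gw.void_token(first.recurring_token)
    print("after void:", gw.charge_token(first.recurring_token, 1999)["approved"])
```

A breach of the merchant table built this way yields transaction IDs, masked digits and tokens that the gateway can void, which is the outcome several posters describe.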

     

     



  • @OzPeter said:

    it is plausible that the WiFi is susceptible to some sort of known exploit
    The old WPA2 password = "pa55w0rd" trick!



  • @Snooder said:

    You know, that's actually a pretty interesting solution to the problem and I wonder why nobody thought of it before. Just have the credit card company require a password to validate the transaction.

    Like a PIN? That's how all cards work here in Brazil, my cards require a PIN even when I'm using them in the US (well, ok, not on all transactions, obviously, as I can still use them online). There are plenty of portable readers with keyboards too - that also solves the problem of restaurant people cloning the card, they never take the card away, just bring the machine to your table.

    Anyway, just using a PIN is still too weak. There is no reason for not putting the PIN-reader (with an LCD panel for showing price, store, etc) on the card itself, and issuing an authenticated transaction with it, the reader machine only gets the transaction. Incredibly secure from the consumer POV, and you don't trust the store anymore - so any computer can receive cards, and you can even use the protocol through the internet, reading the card with your computer. For an added bonus, make it work through bluetooth.



  • @clively said:

    from around Thanksgiving through December 15th

    Canadian thanksgiving is celebrated a month earlier than the US thanksgiving, which one is it? Using holidays as a reference point on the internet can lead to a lot of confusion.



  • @ender said:

    @Snooder said:
    You know, that's actually a pretty interesting solution to the problem and I wonder why nobody thought of it before. Just have the credit card company require a password to validate the transaction. The password wouldn't be saved by the vendor, so you don't have to worry about security breaches on that side, and if we have a security breach at the credit card company, stealing your password is the least of your trouble.
    This actually is implemented, in two different ways. My previous bank gave me a calculator, and after certain on-line transactions I was redirected to bank's page, which required me to authorize the transaction (I had to insert the card into that calculator, type PIN, type the number displayed on the webpage, then enter the number the calculator returned). Meant that without the calculator, I couldn't be sure I would be able to finish a transaction. My current bank instead uses MasterCard SecureCode, which similarly redirects me to a page controlled by the bank, where I just have to enter a password. Since I never remember which password I set (there are stupid restrictions - alphanumeric only, limited number of characters, so none of my usual password algorithms work), I simply always click "Forgot password", and enter my birthdate and tax ID number to reset.

    Actually, this is implemented in three different ways, since that's also basically what the CVV2 is.

     

    (Nobody expects the Spanish Inquisition.  Our two main weapons are two-factor authentication tokens, MasterCard SecureCode, and CVV2 numbers.  Our three different weapons are ...) 

     



  • @DaveK said:

    Actually, this is implemented in three different ways, since that's also basically what the CVV2 is.
    CVV2 is just another number you give to the retailer - the passwords I described are never sent to them, but are instead checked by my bank, which just tells the retailer whether the authorization was successful or not.



  • @OzPeter said:

    No it doesn't.

    It could simply have been as easy as breaking into Target's network and discovering that all the card readers were connected to same network and had no security. And as a potential attack vector, have you ever noticed all those Target staff wandering around with portable bar code readers, checking stock levels etc. Those things are connected by WiFi, and it is plausible that the WiFi is susceptible to some sort of known exploit.

     

    You are apparently unfamiliar with the security measures built into the pads. Reprogramming the pads in any way at all, other than updating the images, requires encryption keys. If you open the pad up, you brick it, and require special equipment (and encryption keys)  to unbrick it. This is non-trivial security. In theory, it could be done as you describe, but in reality, it'd be easier to coerce one of their IT security people into doing it for them.

    Most likely yet, it wasn't actually the pads that were compromised, but some piece of software they connected to, and the article is just wrong.

     






  • @joe.edwards said:

    Maybe:

    Rep: Welcome to Target®, how may I help you?
    Customer: I'd like a refund for these 42 purple dildos.
    Rep: Do you have your receipt?
    Customer: I lost it in an erm, incident with this defective merchandise.
    Rep: I'm sorry, due to the nature of this product we cannot accept used returns.
    Customer: Oh they haven't been used per se.
    Rep: Oh! Well, in that case, we can look it up by your address.
    Customer: The uh. Purchase may have been made by my, ahem, business associate Carlos Danger. I'm not sure of his address.
    Rep: Hm. Well, do you have the credit or debit card used to make the purchase?
    Customer: As a matter of fact, I do!
    Rep: Well, then I can look up your transaction with your card number, credit you for the full amount of your purchase, and restock these personal massagers immediately!
    Customer: Thank you so much.
    Rep: Have a wonderful day.

    Everybody wins!

     

     At a big chain store like Target, even store managers do not have access to credit card numbers. This is a PCI compliance issue. The requirements to allow an employee access to mag strip data are . . . onerous.

    (Not to say this scenario doesn't happen. Just that the business who allows cashiers, or even customer service desk people, access to credit card numbers is 100% fully responsible for all costs related to a breach, investigative and remediation, both, because they are not PCI compliant. That would put Target out of business.)

     



  • @taustin said:

    You are apparently unfamiliar with the security measures built into the pads. Reprogramming the pads in any way at all, other than updating the images, requires encryption keys.
    I was talking about the WiFi AP's as being the attack vector, not the hand held devices.



  • @OzPeter said:

    I was talking about the WiFi AP's as being the attack vector, not the hand held devices.
     

    One of the few intelligent Slashdot regulars (http://yro.slashdot.org/comments.pl?sid=4574335&cid=45733709) with some inside knowledge agrees with you. It's a fairly in-depth reveal. A bit of it:

    @girlintraining said:

    Now, all that said -- here's the more likely scenario, which is based
    on my short employment with this corporation: They hacked their wifi.
    Unfortunately, Target has repeatedly opted to silence, or even fire,
    people who object to their security policy, so I do not feel bad about
    making this public. Target is run by morons -- big surprise, it's a
    large corporation. Anyone who's worked in IT will have similar
    experiences -- it's hardly just Target. In this case, they allow full
    access to any server within their corporate network at each retail
    location, isolated only by primitive subnet routing to delineate what is
    and isn't allowed through the choke router. And that's it. Once you're
    logged into the network anywhere, it's a flat network topology and you
    can easily make contact with any other node on the network. Every store
    has multiple wifi routers, and while they do change the keys on a
    regular basis, it's not all the keys, and not on all the routers --
    specifically, they use an inventory-management system within the stores
    (Those bulky "guns" you see the red shirts carrying) which depends on
    wifi.

    There have been breaches to the network in the past through
    its wireless access points. These are not generally known to the public,
    but they have happened, and it has resulted in a number of security
    problems. Besides the customer's credit card data being stored on POS
    systems which are booted off DHCP to embedded windows, there's also the
    IP-based cameras. There are an average of 20 or so at each store, and
    they use an embedded webserver in each of them, which stream to a
    central source. The password for the approximately 42,000 devices is the
    same on each, and is not changed often, if ever, because the firmware
    lacks the ability to change the password programmatically; there's no
    admin console. Besides the fact that many of these cameras have zoom and
    rotate features, and some have been known to be installed in positions
    where rotating the view can show the customers in the changing rooms...
    they're of sufficiently high quality that you can see the PINs people
    enter at the POS systems. The cash room, where the money is counted down
    at the end of every shift, is secured, but also has a camera in it.
    It's not hard to imagine someone with access to the cameras spying on
    the managers to acquire their passwords.




  • @OzPeter said:

    @taustin said:
    You are apparently unfamiliar with the security measures built into the pads. Reprogramming the pads in any way at all, other than updating the images, requires encryption keys.
    I was talking about the WiFi AP's as being the attack vector, not the hand held devices.
     

     The report was that the pads themselves had been compromised. I have doubts about the accuracy of that detail, but if it's true, it doesn't matter what the attack vector is, the attack target is the pad, which has non-trivial security against such attacks, including some kind of encrypted hashing to check file integrity.

    If it were one store, or a few stores in the same region, it'd be plausible that somebody broke in and replaced the pads with fake ones. But this apparently involved all Target stores, nearly 2000. There's no way in hell that could be done without it being an inside job of some kind. Either their vendor for the pads sent out replacements that had been compromised, the IT department at Target did so, or someone very high up engineered a malware attack against the pads. There's no other possibility.

     If the compromise was the pads themselves, which I have increasing doubts about. (The news stories say the thieves got security codes, too. Which would be a real accomplishment, since that isn't on the mag strip, nor used in a brick & mortar setting. There's a good deal of bullshit in the news coverage.)



  • @Lorne Kates said:

    One of the few intelligent Slashdot regulars with some inside knowledge agrees with you. It's a fairly in-depth reveal. A bit of it:

     

    He seems to be under the impression that PCI compliance is government regulation. That's such a basic error in understanding that I am, shall we say, a bit skeptical as to just how knowledgeable this individual is about the IT end of things. (Plus, the wireless setup doesn't really sound all that PCI compliant to me, though it's possible it is, technically.)

     



  • @clively said:

    At what point will Visa/MC and the banks start suing the crap out of these companies for losing those details? The banking costs alone for reissuing thousands (potentially millions) of cards has got to be enormous.

    At which point will Visa / MC stop accepting transactions that do not require the physical presence of the credit card? In Europe, it has become nearly impossible to issue a Visa transaction without a hold of the card. In store you need the PIN and the physical presence of the card in the reader (which I "suppose" acts as a smartcard). On internet, it needs me to plug my card in a small independent device to sign the transaction, device which is not connected to the PC in any way.

    Actually, the only way to fraud with my european card is .... By something in a US online store :/ ....



  • @tchize said:

    On internet, it needs me to plug my card in a small independent device to sign the transaction, device which is not connected to the PC in any way.

    Actually, the only way to fraud with my european card is .... By something in a US online store :/ ....

     

    European here, can confirm that I have never ever seen such a device (except in Ender's photo a few posts up).



  • @tchize said:

    On internet, it needs me to plug my card in a small independent device to sign the transaction, device which is not connected to the PC in any way.
    This depends entirely on who your bank works with - as I said, my previous bank required such a calculator (with a Visa card), but I know for certain that other local banks that issue Visa cards do not require that. Also, it doesn't matter whether the online store is US or European - it just depends on which payment processor they use - some support this additional security, others don't. But don't for a moment delude yourself that using this calculator is of any benefit to you - it's actually there to make it much harder for you to dispute any charges against your card, and the implementation is known to contain flaws, and there are ways around the authenticator.



  • @ender said:

    and the implementation is known to contain flaws, and there are ways around the authenticator.

    Actually, the malware you refer to is using camming techniques, not stealing information. It still needs user interaction for each fraudulent transfer. With a stolen card number, it doesn't require user interaction. If users are too stupid to check the amount of what they pay before encoding it, that "thing" on the chair is still a problem. But at least, if my card gets stolen, it's useless with this system. I can still put a gun on somebody and ask him for his card + PIN, you don't blame the bank for that :)



  • @anonymous234 said:

    European here, can confirm that I have never ever seen such a device (except in Ender's photo a few posts up).

    European here, can confirm that I have seen such a device — I've known about them for several years.



  •  There's an indie coffee shop I go to that, if it wasn't for the fact the employees were generally good and honest, could make a killing in debit and credit theft.

    They have a chip-and-pin machine, like most places do. The customer check out process includes a "give a tip?" screen, like most places do. But most places flow like this:

    1) "You will be charged $x.xx. Y/N?" [Y]
    2) "Add a tip? Y/N?" [Y]
    3) "How much? $" [x.xx]
    4) "Final amount is: [amt + tip].  Y/N?" [Y]
    5) "Enter your pin:" [xxxx]
    6) "Done!"

    This coffee shop eliminated #2.  If you aren't paying 100% attention (such as, say, when you're caffeine deprived), you would hit YES to the initial transaction amount, then you would see a text input and assume it's time to enter your PIN. You enter it, and push OK.  And then the conversation goes like this:

    Customer: Huh?  I thought the coffee was $2, but it says "Final amount is"  $14.34
    Barista: Oh, you put your PIN into the tip field. Here, I'll set up the transaction again.

    14.34 - 2.00 = 1234, the customer's PIN.  Combine it with a skimmer on the card reader-- or for that matter just a well placed camera by the cash to record the credit card's digits as it comes out of the wallet-- or even a good pickpocket-- and bam, stolen card + PIN.

    It's an interesting unintended side-effect of fucking around with expected UX/UI.  I haven't seen anyone else's setup that eliminates the "Tip Y/N" step. I don't know if that's a merchant option or a bank option.
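The two prompt sequences from the post above, replayed in Python as an added example (not part of the original post and not any terminal vendor's code). The flow names, the distracted-customer model and the `MAX_TIP_RATIO` cap are assumptions made for illustration; the last case shows that a tip cap only catches PINs that read as a large amount.

```python
from decimal import Decimal

# Constructed models of the two prompt sequences described in the post.
STANDARD_FLOW = ["confirm_amount", "ask_tip", "tip_amount", "confirm_total", "pin"]
NO_ASK_FLOW = ["confirm_amount", "tip_amount", "confirm_total", "pin"]  # step 2 removed
MAX_TIP_RATIO = Decimal("1.0")  # assumed policy: re-prompt any tip above 100% of the bill


def run_checkout(flow, base, pin, guard=False):
    """Replay a distracted customer through `flow`.

    Assumed customer model: answers Y/N questions (declining the tip) but
    types the PIN into the first numeric field without reading its label.
    Returns (status, amount shown on screen or None).
    """
    base, tip, tip_field_shown = Decimal(base), Decimal("0"), True
    for step in flow:
        if step == "ask_tip":
            tip_field_shown = False          # customer presses N, tip entry is skipped
        elif step == "tip_amount" and tip_field_shown:
            tip = Decimal(int(pin)) / 100    # keypad digits are read as cents
            if guard and tip > base * MAX_TIP_RATIO:
                return "tip_rejected", None  # re-prompt without echoing the value
        elif step == "confirm_total" and tip:
            return "unexpected_total", base + tip  # customer stops; digits are on screen
        elif step == "pin":
            return "approved", base + tip
    return "incomplete", None


def digits_disclosed(base, shown):
    """What the total screen gives away: (shown - base) expressed in cents."""
    return f"{int((shown - Decimal(base)) * 100):04d}"


if __name__ == "__main__":
    for name, flow in (("standard", STANDARD_FLOW), ("no-ask", NO_ASK_FLOW)):
        print(name, run_checkout(flow, "2.00", "1234"))
    print("guarded:", run_checkout(NO_ASK_FLOW, "2.00", "1234", guard=True))
    # A PIN that reads as a small tip passes the cap, so the cap alone is not a fix.
    status, shown = run_checkout(NO_ASK_FLOW, "2.00", "0050", guard=True)
    print("guarded, PIN 0050:", status, digits_disclosed("2.00", shown))
```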





  • Discourse touched me in a no-no place

    @RaceProUK said:

    @clively said:

    What I'm absolutely mystified about is why in the hell anyone, other than the card issuers themselves keeps the numbers at all? What could they possibly use them for?

    Subscription payments.

    Yes, I know about Direct Debit. No, not everyone uses them.

     

    Continuous payment authority is the nearest equivalent that's used on credit cards.


  • Discourse touched me in a no-no place

    @ender said:

    MasterCard SecureCode

    That's a fail in, and of, itself. I have a second cardholder on one of my (MC) credit cards. Guess how many passwords can be used on the credit card account when SecureCode gets involved and there is more than one card-holder on it? If your answer involves a number greater than one, it's wrong.



  • @Lorne Kates said:

    The customer check out process includes a "give a tip?" screen, like most places do.

    American here. I was recently in Canada, and I can confirm that most places have this sort of thing. I thought it was interesting and kinda convenient (though really weird to get handed this stuff instead of a receipt to sign as is our custom) until I noticed that if you use the handy percent buttons (e.g., 10%, 15%...) to calculate the tip amount, it included the tax, which was pretty fucking high. So I started tipping a smaller percentage. I didn't bother to work out if the server was still getting about what I'd normally tip or less (for dinner, typically 20-25%).



  • @PJH said:

    That's a fail in, and of, itself.

    I know - like I said, I don't even bother remembering the password I set, and instead just reset it every time (why the hell doesn't it simply ask for my birthdate and tax ID I will never know).



  • The Target thieves went for low value, high volume. The Neiman Marcus thieves went the other way.



  • @clively said:

    Article for reference: http://www.usatoday.com/story/news/nation/2013/12/18/secret-service-target-data-breach/4119337/

    The gist of the article is that Target, a US super store retailer, lost who knows how many credit card numbers. They have about 1800 stores in the US, and another 120+ in Canada. The losses appear to involve all of their stores from around Thanksgiving through December 15th.

    This just in:

    According to Target Chairman and CEO Gregg Steinhafel, point-of-sale (POS) malware was used in the recent attack that compromised millions of credit and debit card account numbers of customers across the country.  Steinhafel told CNBC in an interview that malware was used in attacks that compromised the company’s point of sale registers.

    "Smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target," Reuters reported, citing sources familiar with the attacks. "Those breaches have yet to come to light. Also, similar breaches may have occurred earlier last year."

    According to sources who spoke to Reuters, attackers used RAM scraper or Memory parser malware to steal sensitive data from Target and other retail victims.

    After gaining access to a merchant’s network, attackers can install memory-parsing malware on register systems or backend processing servers to extract magnetic-stripe data as it moves through the payment process.  Memory parser malware targets payment card data being processed “in the clear” (unencrypted) in a system’s RAM.

    “The malware is configured to hook into a payment application binary responsible for processing payment transactions and extracts the systems memory for full track data,” Visa explained in a security advisory.

    “These binaries are responsible for processing authorization data, which includes full magnetic-stripe data. When authorization data is processed, the payment application decrypts the transaction on the cash register system or BOH server and stores the authorization data in RAM. The data must be decrypted for the authorization to be completed, so hackers are accessing full track data when it is stored in RAM and using malware such as memory-parsers to steal it.”

    Why is it whenever I see "POS" I always think of something other than "Point of Sale"?

     

     



  • @El_Heffe said:

    Why is it whenever I see "POS" I always think of something other than "Point of Sale"?

    Most POS software is a POS. A few jobs back I had to work with HIS and hoo boy was that turd a stinker.



  • @boomzilla said:

    The Target thieves went for low value, high volume. The Neiman Marcus thieves went the other way.


    Thanks for that link btw. My stepmom apparently had 4 credit cards compromised in the past few weeks and when I told her about the Neiman Marcus break, she's pretty sure that was the vector.



  • @Snooder said:

    @boomzilla said:

    The Target thieves went for low value, high volume. The Neiman Marcus thieves went the other way.


    Thanks for that link btw. My stepmom apparently had 4 credit cards compromised in the past few weeks and when I told her about the Neiman Marcus break, she's pretty sure that was the vector.

    I think you forgot the humblebrag tag here.

