
Credit card data and computer system security

Options
  • 03-04-2007 6:56pm
    #1
    Closed Accounts Posts: 2,055 ✭✭✭


    The transfer of the fraud risk from the bank to the retailer by the EU following the introduction of EMV (tm) credit cards has left the cardholder open to increasing fraud and denial of credit risks. The current regulations are not effective in forcing banks and retailers to keep cardholder details safe.

    Banks no longer carry the can for fraudulent card use. In cardholder present EMV transactions, where the customer enters a PIN, the bank can be 99.99999% sure that it is a properly authorized transaction. In customer not present transactions where no PIN verification is available, the internet / mail / telephone order retailer is accepting the risk of credit card fraud.

    Over the past six months, I have had two organizations to whom I gave my credit card details (over a secure internet connection) e-mail me back to confirm the transaction, in clear text, sending back to me needlessly and negligently my card details including CVV and everything else including my postcode. One of these was a large Irish hotel group who required my card number for a reservation. The other e-mailed me back my card details, asking me to sign their form and fax it back to them. A totally useless act, given that they have no copy of my signature in the first case, and will never get to see my card, in a customer not present deal. In this case, their proof is my signature given at the point of delivery of the goods - the same address as the card company authorized the transaction for.

    I also notice that large chain stores (e.g. Marks & Spencer in Ireland) appear to be skimming people's card magnetic stripes and collecting the card details for their own database from customers presenting EMV cards - even after the 17.03.2007 deadline. One of the main requirements for cardholder security with EMV card security is that the cardholder remains in control of their card - retail staff don't get an opportunity to skim the details - either into the retailer's system or their own little machine under the counter or wherever. The card should only be inserted into the EMV reader by the customer, and these readers should be engineered not to be able to read the magnetic stripe when such an operation takes place (as seems to have happened in the large Shell card fraud in GB). The communication between the customer's card and the banking system should be encrypted end to end, with the retailer storing a transaction reference with the approval to provide their audit trail - without access to card details. Instead we see chain stores keeping cardholder data on their computer systems - presumably for marketing purposes - which is not the purpose for which the customer provided their card to the store, i.e. a clear breach of Irish and European data protection laws. Furthermore, many retailers seem to be holding on to the details they stole from the customers' credit card for far longer than it takes to collect the payment. Yet another breach.

    Retailers that are building up customer transaction data warehouses involving card numbers for analysis are probably not encrypting the card numbers on all copies of the data they hold on their systems - because the card number is going to be indexed and encrypted indexes really slow things down. Companies such as TJX (45.7 million cardholders data released in the wild) and many British companies are exporting customer data outside of Ireland and the rest of the EU - where there are few if any data protection laws - to poor countries where a few thousand Euros is a fortune and can buy lots of card details from customer service centre employees. In any event, EU data protection laws seem to be treated as a joke in Ireland - particularly by the dataprivacy.ie people.

    Aside from this, the British and Irish banks have decided to use non-DDA (dynamic data authentication) EMV cards (50c cheaper each to produce!) - which deliver static signatures each time they are used - making them much easier to clone and use fraudulently.

    Retailers don't care - if they dump a printout of cardholder details in a skip and they are used fraudulently it doesn't cost them a cent. And the banks don't care either because they aren't liable for anything anymore.

    The risks are all now left with the sucker cardholder - who might be on a vacation or business trip when his card gets "switched off" because of the sudden discovery of irregular transactions due to card fraud via the internet or wherever. And the sucker cardholders who don't regularly check their card bills and bank statements for fraudulent card transactions end up paying for the banks' and retailers' negligence.

    They might as well shut down dataprivacy.ie - this office has been ineffective on credit card fraud (e.g. they did nothing to stop TJX exporting Irish credit card details needlessly to their US operation), telephone data retention breaches, and virtually everything else. They did nothing to ensure the proper rollout of smart credit cards in Ireland. The same in GB. Britain as a result still has the highest credit card fraud in Europe - they have seen only a small reduction in card fraud with EMV cards. Ditto in IRL because the basic data IT security issues have been ignored. A total waste of public money.

    The credit card information processing cycle is much tighter from a security perspective in France compared with Anglo-Saxon countries (a term which I would include Ireland in from a business administration point of view) - French card fraud is minuscule as a result.

    There is no point in wasting money on EMV cards if you don't do the job properly. There is no point having a data protection agency in your country if they don't do their job properly.

    .probe


    http://scmagazine.com/us/news/article/647277/457-million-victim-tjx-companies-breach-lead-federal-notification-law/
    http://www.cardtechnology.com/article.html?id=2006070569TSQ1WX
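The point about non-DDA cards returning the same static signature every time, and so being easier to clone, can be shown with a small model of the two terminal checks. This is an added illustration, not code from the thread or from any EMV implementation: it uses textbook RSA with tiny constructed primes, SHA-256 in place of the EMV hash, no certificate chain, and a constructed card record; the class and function names are the example's own.

```python
# Toy model of EMV static (SDA) vs dynamic (DDA) data authentication. Constructed
# illustration, not EMV kernel code: tiny textbook RSA, SHA-256, no cert chain.
import hashlib
import secrets

def make_key(p, q, e=65537):
    """Toy RSA key; p and q are far too small for real use."""
    n = p * q
    return n, e, pow(e, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(data, n, d):
    return pow(digest(data, n), d, n)
def verify(data, sig, n, e):
    return pow(sig, e, n) == digest(data, n)

ISSUER_N, ISSUER_E, ISSUER_D = make_key(1000003, 1000033)

class GenuineCard:
    def __init__(self, pan):
        self.static_data = f"PAN={pan};EXP=1209".encode()  # constructed record
        # SDA: one signature over the static data, computed by the issuer at
        # personalisation and returned unchanged on every transaction
        self.sda_sig = sign(self.static_data, ISSUER_N, ISSUER_D)
        # DDA: per-card key pair; only the private part stays on the chip
        self.icc_n, self.icc_e, self._icc_d = make_key(999983, 999979)
    def internal_authenticate(self, unpredictable_number):
        return sign(self.static_data + unpredictable_number, self.icc_n, self._icc_d)

class ClonedCard:
    # What a reader can copy: static data, static signature, public key and
    # one DDA response observed during an earlier transaction
    def __init__(self, original, observed_un):
        self.static_data, self.sda_sig = original.static_data, original.sda_sig
        self.icc_n, self.icc_e = original.icc_n, original.icc_e
        self._replay = original.internal_authenticate(observed_un)
    def internal_authenticate(self, unpredictable_number):
        return self._replay  # no private key: can only replay the recording

def sda_check(card):
    """Terminal SDA: a copied signature verifies as well as the original."""
    return verify(card.static_data, card.sda_sig, ISSUER_N, ISSUER_E)

def dda_check(card, un=None):
    """Terminal DDA: fresh challenge, so a replayed response fails."""
    un = secrets.token_bytes(4) if un is None else un
    sig = card.internal_authenticate(un)
    return verify(card.static_data + un, sig, card.icc_n, card.icc_e)
```

A copy of the card passes sda_check exactly like the original, but fails dda_check for every challenge except the one it was recorded against.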


Comments

  • Closed Accounts Posts: 104 ✭✭H3LLg0d


    Just thought I would add a new law from the UK

    Report card fraud to the banks, not police

    Hundreds of thousands of people who fall victim to card, cheque or online-banking fraud every year will now have to go straight to their bank rather than the police, writes Philip Scott.

    New procedures which come into effect today in England, Wales and Northern Ireland, mean that the majority of such fraud cases will no longer be a police matter. It will be up to the bank, not the account holder, whether to pass details of the relevant crime on to the police.

    The move, approved by the Home Office, has been branded by security experts as “good news for plastic cheats” because it will make it easier for them to escape detection. It has also raised fears that it will become easier for banks to wriggle out of covering claims.

    Andrew Goodwill, a card-fraud expert at the security firm Early Warning UK, said: “This is good news for plastic cheats. This new reporting procedure is just a way of pushing what is for the Home Office and the banks an embarrassing problem under the carpet. The banking industry is likely to become the judge and jury of card fraud. The banks could easily take advantage of this situation and refuse to pay out.”

    Apacs, the trade body for the card operations of banks, building societies and credit-card firms, argues that the new system will reduce the level of bureaucracy in fraud recording.

    It said: “One of the advantages for consumers unfortunate enough to be a victim of these types of fraud is that, from April 1 onwards, they will only have to report the details to their bank or the financial organisation involved. Previously they would have reported the matter first to their bank, then to the police, and then back to their bank to pass on relevant details given to them by the police.”

    Apacs statistics show there were more than 700,000 cases of card fraud in 2006, with the average loss amounting to £608.

    Banks confirmed last week that shoppers caught up in the TK Maxx card fraud would not be left out of pocket. Last week the discount-clothing chain warned that anyone who had paid with credit or debit cards at any of its stores between January 2003 and June 2004 could be at risk of fraud after hackers stole the details of more than 45m cards.


  • Closed Accounts Posts: 6,151 ✭✭✭Thomas_S_Hunterson


    H3LLg0d wrote:
    Just thought I would add a new law from the UK

    Report card fraud to the banks, not police

    That's an interesting take on criminal law coming from the UK, are companies the new keepers of the peace?

    Chilling stuff.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Thomas_S_Hunterson wrote:
    That's an interesting take on criminal law coming from the UK, are companies the new keepers of the peace?

    Chilling stuff.

    The law are under-resourced to deal with all crime reported to them... that's probably why it takes a response of 6-8 months for the GBFI to investigate a fraudulent crime reported to them...

    Banks have a reputation; if they want any customers, IMO they would investigate a fraudulent crime immediately.


  • Closed Accounts Posts: 59 ✭✭crashedmind


    For Card Present transactions in the UK, plaintext PIN is used, i.e. when you enter your PIN on the terminal keypad it is sent in plaintext to your EMV card for validation.
    The information on your card's magnetic stripe, e.g. your card number (PAN), is also available in plaintext from your EMV card.
    No further comment.


    PCI DSS is a standard set up by the Payment Card Industry (Visa, Mastercard, and other card issuers) to protect cardholder information.
    It mandates financial and other penalties for retailers and transaction processors in general. However, as it stands it lacks teeth.

    So while retailers may not care so much about disclosing customer card details they are certainly concerned about accepting fraudulent transactions from cardholders because this has an immediate financial impact on them i.e. they get charged a penalty fee (chargeback) for accepting a fraudulent transaction.

    One of the purported reasons why SET failed (apart from its complexity) was that retailers didn't like it because they could not keep track of customers (via their card details) whereas they can with SSL.



    Overall, cardholders are at the bottom of the food chain.
    The card issuers are at the top and exist to make profit. Therefore, their goal is the promotion of their brand. In general, if something like cost or security gets in the way of the promotion of their brand, then it will be avoided. And sure why not? Fraud can be considered an externality by the card issuers if they don't have to pay for it and it is at a low enough level that people are not put off using their cards.
    And sure why not externalise it a bit more by removing those bothersome police from the loop?

    If however, people stopped using their cards then you would see the card issuers do something to secure the underlying payment system as a whole...

    So for now you end up with cheaper but less secure EMV cards and systems that must still accept magnetic stripe cards for international/backward compatibility reasons, and woefully insecure Card Not Present (e.g. internet) transactions.


    www.chipandspin.co.uk is worth a look for more on EMV security issues.

