SANS ISC: Target US - Credit Card Data Breach - SANS Internet Storm Center SANS ISC InfoSec Forums


Target US - Credit Card Data Breach

Brian Krebs has a nice write-up on the Credit Card data breach at Target US ( http://krebsonsecurity.com/ )

The interesting thing for me in this story is that it affects US locations only. The reason that this is interesting is that the data that was stolen was all mag-stripe data. This mag-stripe data is much less useful on a CHIP+PIN card, which is used in pretty much every other country on the planet. We'll continue to see credit card attacks focus on countries that make it easy - while of course you can steal / duplicate a chip+pin card, for a criminal it's so much easier to simply skim a mag stripe and take the win.

===============
Rob VandenBrink
Metafore

 

Rob VandenBrink

458 Posts
ISC Handler
Rob hits the mark about the US not using chip-based credit cards. What will it take to get US card issuers to change over?

And the other useful change would be for US restaurants to issue portable card scanners to their servers. Then we would not have our cards whisked away to be swiped out of our sight. Again, the rest of the world is way ahead of us here.
Anonymous

Posts
Quoting Anonymous: Rob hits the mark about the US not using chip-based credit cards. What will it take to get US card issuers to change over?

And the other useful change would be for US restaurants to issue portable card scanners to their servers. Then we would not have our cards whisked away to be swiped out of our sight. Again, the rest of the world is way ahead of us here.


Actually, unless the chip is RFID and embedded, there are issues with static and mechanical abrasion, and with an ISO 7816 programmer it becomes fun.

Working with and around WMS for 13 years, programming etc. An easy, secure way is 3D bar-code scanning, which fits nicely into their infrastructure since most use Motorola/Symbol. The card can handle a lot of abuse and even get wet and still work; most important, cost is minimal.

You will also notice most newer IDs have them. I still think there were people on the inside and out in various areas of the US, using camouflage code to be assembled. Guess we will have to wait to see if I am correct or not.
ICI2I

62 Posts
Actually, the change is coming. In the US, Visa will be shifting liability for counterfeit transactions to the merchants if they fail to support "Chip and PIN" terminals by October 15, 2015. This was announced by Visa in August of 2011. See for example:

http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf

One of the best write-ups on this is from Chase PaymenTech:

http://www.chasepaymentech.com/documents/emv_chip_technology.pdf

MasterCard shares their EMV roadmap in the current issue of "Security Matters" (pp.13-14)

http://www.mastercard.com/us/wce/PDF/PSI_Magazine_SecurityMatters_US_2013.pdf

Both Visa and MasterCard have the October 15, 2015 "liability forgiveness" for vendors that are fully "chip and pin" and "contactless" (tap to pay).

By 2017, similar programs are in place for fuel pumps.
GarWarner

5 Posts