Target US - Credit Card Data Breach - SANS Internet Storm Center

Target US - Credit Card Data Breach
Brian Krebs has a nice write-up on the Credit Card data breach at Target US ( http://krebsonsecurity.com/ ) The interesting thing for me in this story is that it affects US locations only. The reason that this is interesting is that the data that was stolen was all mag-stripe data. This mag-stripe data is much less useful on a CHIP+PIN card, which is used in pretty much every other country on the planet. We'll continue to see credit card attacks focus on countries that make it easy - while of course you can steal / duplicate a chip+pin card, for a criminal it's so much easier to simply skim a mag stripe and take the win. =============== Rob VandenBrink Metafore	Rob VandenBrink 578 Posts ISC Handler Dec 19th 2013
Thread locked Subscribe	Dec 19th 2013 8 years ago
Rob hits the mark about the US not using chip-based credit cards. What will it take to get US card issuers to change over? And the other useful change would be for US restaurants to issue portable card scanners to their servers. Then we would not have our cards whisked away to be swiped out of our sight. Again, the rest of the world is way ahead of us here.	Steve Campbell 7 Posts
Quote	Dec 19th 2013 8 years ago
Quoting Steve Campbell:Rob hits the mark about the US not using chip-based credit cards. What will it take to get US card issuers to change over? And the other useful change would be for US restaurants to issue portable card scanners to their servers. Then we would not have our cards whisked away to be swiped out of our sight. Again, the rest of the world is way ahead of us here. Actually unless the chip is RFID and imbedded there are issues with static, mechanical abrasion and with ISO 7816 programmer it becomes fun. Working with and around WMS for 13 years, programming ect. A easy secure way is 3D bar-code scanning fits nicely into their infrastructure since most use Motorola/Symbol. The card can handle a lot of abuse and even get wet and still work, most important cost is minimal. You will also notice most newer ID's have them. I still think there were people on the inside and out in various areas of the US, using camouflage code to be assembled. Guess we will have to wait to see if I am correct or not.	ICI2I 63 Posts
Quote	Dec 24th 2013 8 years ago
Actually, the change is coming. In the US, Visa will be shifting liability for counterfeit transactions to the merchants if they fail to support "Chip and PIN" terminals by October 15, 2015. This was announced by Visa in August of 2011. See for example: http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf One of the best write-ups on this is from Chase PaymenTech: http://www.chasepaymentech.com/documents/emv_chip_technology.pdf MasterCard shares their EMV roadmap in the current issue of "Security Matters" (pp.13-14) http://www.mastercard.com/us/wce/PDF/PSI_Magazine_SecurityMatters_US_2013.pdf Both Visa and MasterCard have the October 15, 2015 "liability forgiveness" for vendors that are fully "chip and pin" and "contactless" (tap to pay). By 2017, similar programs are in place for fuel pumps.	GarWarner 5 Posts
Quote	Dec 27th 2013 8 years ago

Brian Krebs has a nice write-up on the Credit Card data breach at Target US ( http://krebsonsecurity.com/ )

The interesting thing for me in this story is that it affects US locations only. The reason that this is interesting is that the data that was stolen was all mag-stripe data. This mag-stripe data is much less useful on a CHIP+PIN card, which is used in pretty much every other country on the planet. We'll continue to see credit card attacks focus on countries that make it easy - while of course you can steal / duplicate a chip+pin card, for a criminal it's so much easier to simply skim a mag stripe and take the win.

===============
Rob VandenBrink
Metafore

Rob VandenBrink

578 Posts
ISC Handler

Dec 19th 2013

Rob hits the mark about the US not using chip-based credit cards. What will it take to get US card issuers to change over?

And the other useful change would be for US restaurants to issue portable card scanners to their servers. Then we would not have our cards whisked away to be swiped out of our sight. Again, the rest of the world is way ahead of us here.

Steve Campbell

7 Posts

Quoting Steve Campbell:Rob hits the mark about the US not using chip-based credit cards. What will it take to get US card issuers to change over?

And the other useful change would be for US restaurants to issue portable card scanners to their servers. Then we would not have our cards whisked away to be swiped out of our sight. Again, the rest of the world is way ahead of us here.

Actually unless the chip is RFID and imbedded there are issues with static, mechanical abrasion and with ISO 7816 programmer it becomes fun.

Working with and around WMS for 13 years, programming ect. A easy secure way is 3D bar-code scanning fits nicely into their infrastructure since most use Motorola/Symbol. The card can handle a lot of abuse and even get wet and still work, most important cost is minimal.

You will also notice most newer ID's have them. I still think there were people on the inside and out in various areas of the US, using camouflage code to be assembled. Guess we will have to wait to see if I am correct or not.

ICI2I

63 Posts

Actually, the change is coming. In the US, Visa will be shifting liability for counterfeit transactions to the merchants if they fail to support "Chip and PIN" terminals by October 15, 2015. This was announced by Visa in August of 2011. See for example:

http://usa.visa.com/download/merchants/bulletin-us-participation-liability-shift-080911.pdf

One of the best write-ups on this is from Chase PaymenTech:

http://www.chasepaymentech.com/documents/emv_chip_technology.pdf

MasterCard shares their EMV roadmap in the current issue of "Security Matters" (pp.13-14)

http://www.mastercard.com/us/wce/PDF/PSI_Magazine_SecurityMatters_US_2013.pdf

Both Visa and MasterCard have the October 15, 2015 "liability forgiveness" for vendors that are fully "chip and pin" and "contactless" (tap to pay).

By 2017, similar programs are in place for fuel pumps.

GarWarner

5 Posts