http://www.bbc.co.uk/news/technology-25447077
40 million at risk after Target card heist
Payment details from up to 40 million credit cards could have been stolen after they were used in the stores of US retail giant Target.
The retailer said it was investigating after discovering that thieves had gained access to its payment systems.
The data breach began around 29 November, known as Black Friday, one of the busiest shopping days of the year.
The attackers are believed to have been scooping up credit card details for almost three weeks.
"We take this matter very seriously and are working with law enforcement to bring those responsible to justice," said Target boss Gregg Steinhafel in a statement.
In addition, he said, the company was working with a data forensics firm to work out how the theft occurred.
(continued)
- cronus
- Black Market Analyst
- Posts: 18122
- Joined: Thu Oct 11, 2012 7:09 pm
- About me: Illis quos amo deserviam
- Location: United Kingdom
- Contact:
40 million at risk after Target card heist
What will the world be like after its ruler is removed?
Re: 40 million at risk after Target card heist
Talked my girl out of going to Target on Tuesday. Not that I'm against Target, but we were in town to pick up a friend arriving at the airport, and were up against the clock. We might have gone Sunday, but it was a powder day.
She showed me this story this morning. If she knew what was best, she'd defer to my wisdom whenever I offer it.
Re: 40 million at risk after Target card heist
A possible solution: Don't store credit card information at all. Instead, each time a card is used, immediately contact the issuing institution and between the corporation and credit/bank institution create a unique transaction ID that is only valid for one transaction. No card information would need to be stored, and if thieves gained access to the transaction information, they would not be able to use them to produce another transaction or access the money or credit of the person. Just a poorly thought out idea.
- Tyrannical
- Posts: 6468
- Joined: Thu Dec 30, 2010 4:59 am
- Contact:
Re: 40 million at risk after Target card heist
pcCoder wrote:
A possible solution: Don't store credit card information at all. Instead, each time a card is used, immediately contact the issuing institution and between the corporation and credit/bank institution create a unique transaction ID that is only valid for one transaction. No card information would need to be stored, and if thieves gained access to the transaction information, they would not be able to use them to produce another transaction or access the money or credit of the person. Just a poorly thought out idea.
It even exists too.
http://thefinancebuff.com/one-time-cred ... urity.html
If you have the right card, you can make your credit card number more secure by using one-time card numbers.
You need a card by Citibank, Bank of America (including its subsidiary FIA Card Services), or Discover. These banks offer software that generates a one-time card number, officially known as a “controlled payment number.”
You can configure the expiration date and the maximum amount allowed for the one-time card. Once used, the card is tied to the merchant where it was used. If you gave the card number to XYZ.com online or your dentist’s office over the phone, only XYZ.com or your dentist’s office can use it. If you put the maximum at $50, they can only charge up to $50. If the card number is stolen, the thief can’t use it elsewhere. They don’t have your real card number.
A rational skeptic should be able to discuss and debate anything, no matter how much they may personally disagree with that point of view. Discussing a subject is not agreeing with it, but understanding it.
- JimC
- The sentimental bloke
- Posts: 74306
- Joined: Thu Feb 26, 2009 7:58 am
- About me: To be serious about gin requires years of dedicated research.
- Location: Melbourne, Australia
- Contact:
Re: 40 million at risk after Target card heist
Tyrannical wrote:
pcCoder wrote:
A possible solution: Don't store credit card information at all. Instead, each time a card is used, immediately contact the issuing institution and between the corporation and credit/bank institution create a unique transaction ID that is only valid for one transaction. No card information would need to be stored, and if thieves gained access to the transaction information, they would not be able to use them to produce another transaction or access the money or credit of the person. Just a poorly thought out idea.
It even exists too.
http://thefinancebuff.com/one-time-cred ... urity.html
If you have the right card, you can make your credit card number more secure by using one-time card numbers.
You need a card by Citibank, Bank of America (including its subsidiary FIA Card Services), or Discover. These banks offer software that generates a one-time card number, officially known as a “controlled payment number.”
You can configure the expiration date and the maximum amount allowed for the one-time card. Once used, the card is tied to the merchant where it was used. If you gave the card number to XYZ.com online or your dentist’s office over the phone, only XYZ.com or your dentist’s office can use it. If you put the maximum at $50, they can only charge up to $50. If the card number is stolen, the thief can’t use it elsewhere. They don’t have your real card number.
Interesting. I imagine the downside would be what they charge for each "one-time card number".
Nurse, where the fuck's my cardigan?
And my gin!
Re: 40 million at risk after Target card heist
That is very interesting. It still requires the consumer to take the steps each and every time. I already do something kinda like that. I have two separate checking accounts with my bank, only one with a card. I can then transfer funds from one to the other with the card. If anything happens, it can only happen to the funds in the account with the card, as I don't set up any kind of rollover where funds get used from savings if there are insufficient funds in checking. I also don't do the overdraft protection. (I'd rather be told "Insufficient Funds" at checkout than a $30 charge).
But my idea was to make it where even using a normal credit card, a hacked store database would not be usable to criminals. A stolen card would still be of course:
* When a transaction is first made, the user swipes their card or it gets entered by the teller or whatever.
* The store's system would immediately contact the credit institution or bank and set up some unique identifier for that transaction.
* The store's system would immediately drop the card number. It would never be stored.
* As a caveat, it may be stored if a link is down and unable to contact the credit/bank institution, but as soon as the link is back online, a unique transaction number is associated and the credit card number dropped.
* The institution would have a very small window in which a company can add additions to that transaction for removing money from the account. (Debit/credit?? I've heard that it is all based on point of view. That to a bank's view, it is a debit because it is a decrease in their liability to you, but to your view it is a credit because it is a decrease in assets.)
* In order to facilitate returns, there is no window in which that transaction number can be used to put money back into an account.
The same thing can be used with online retailers. It would inconvenience the user insomuch as they would have to enter their card number each time. I already do that. I don't like the stores keeping my card numbers if possible, and though it probably doesn't do anything, for places where I have to "add card" in order to pay, I always "delete card" a couple days later.
So what about recurring bill payments and other systems? I'm thinking perhaps the unique number feature can still be used, with the exception that you as a user must authorize a unique number that does not have a window of time for withdrawals from your bank. Once authorized, each company uses a different unique transaction number. If any one company detects a breach, in order to prevent that transaction number from being misused they can issue a retraction to the bank, where the bank would then disable use of that number. (I doubt many companies are ethical enough to do that; it might make it harder for them to get paid when they do, as all the affected users would have to set up their automatic payment again after the breach is solved.) This will make it so a hacked account doesn't affect every other automatic pay account because they all would use different identifiers, never the real card number stored. No need to report the card as stolen or compromised, just deactivate that one number.
In order to increase security during automatic payment arrangements, the company could sync with the bank a time range in which the transactions are conducted. For instance, if a bill is paid monthly, the company can during the synchronization of the unique number tell the bank that a transaction is only valid between the first and third of the month. If that transaction number is used outside of that period, the bank would automatically disable that transaction number.
This doesn't protect the card number from illegitimate use. If a person gets a hold of a card, it can still be used. If someone gets your card number, it can be used at places like online stores. But what it does do is protect against all the stolen card numbers from these hacks, as the hackers would only get those unique transaction numbers, most of which have expired due to the very short window.
Some more complicated ideas:
A card can have a small computer built in with a biometric mechanism. The card can keep a record of fingerprints authorized to use the card. One should use multiple fingers so if one finger is injured another can be used. Upon use, a card can first make sure the correct user is using the card before releasing the information to the sales location. (Edit: this would work only with RFID-like cards as I don't think a card can change the information on its magnetic strip in response to the correct finger, but can probably change the signal sent back to an RFID reader. I normally would discourage RFID cards due to the way they can be "read" without a person knowing, but a feature like this would make it where it can only be read when the finger is on the card. It would also need to absorb enough power from the RFID reader to operate the circuits inside).
For online purposes, what about public key cryptography? A unique public/private key pair can be created for each card user, with the user having their private key. An API can be built into web browsers such that when a user enters credit card information online, they must digitally sign the information. Such a signature would include transaction id, amount of the purchase, time, etc. Once the company receives the signed data, it can then send it to the bank. The bank can verify that it was indeed signed by the card owner's private key, so a person just getting the card number can't do anything. They must have the private key file and the password used to encrypt the private key.
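The per-transaction identifier pcCoder sketches above (issued at swipe time, single use, bound to one merchant, capped, valid only inside a short window) and the signed-charge idea in the last paragraph, worked into one runnable sketch; the "controlled payment number" quoted from thefinancebuff earlier in the thread is the same shape of control. This is an added example, not code from the forum or from any poster. Ed25519 is used for the cardholder signature because the post names no scheme, the issuer is an in-memory map standing in for the bank, and the account id, merchant names, amounts and clock are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// token is the per-transaction identifier the issuer (bank) hands back to the
// merchant at swipe time. The merchant stores only this; the card number is
// sent once over the live link and never kept.
type token struct {
	merchant  string    // merchant the token is bound to
	maxAmount int64     // cap in cents; larger captures are refused
	notBefore time.Time // start of the capture window
	notAfter  time.Time // end of the capture window
	used      bool      // single use
	account   string    // the real account; known only to the issuer
}

// Issuer stands in for the bank (in-memory maps, an assumption for the demo).
type Issuer struct {
	tokens  map[string]*token
	pubKeys map[string]ed25519.PublicKey // account -> cardholder's enrolled public key
}

// IssueToken is called by the merchant the moment the card is presented. It returns
// a random, single-use identifier valid only for this merchant, up to maxAmount,
// inside the capture window; nothing the merchant keeps can be reused elsewhere.
func (is *Issuer) IssueToken(account, merchant string, maxAmount int64, now time.Time, window time.Duration) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := fmt.Sprintf("%x", raw)
	is.tokens[id] = &token{merchant: merchant, maxAmount: maxAmount, notBefore: now, notAfter: now.Add(window), account: account}
	return id, nil
}

// ChargeMessage is the canonical string the cardholder signs and the issuer verifies.
// Token, merchant, amount and time are all covered, so a captured signature cannot
// be reused for a different charge.
func ChargeMessage(tokenID, merchant string, amount int64, at time.Time) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%d", tokenID, merchant, amount, at.Unix()))
}

// Capture is the merchant's request to pull funds. Every check lives on the
// issuer side, so a leaked merchant database yields tokens, not charges.
func (is *Issuer) Capture(tokenID, merchant string, amount int64, at time.Time, sig []byte) error {
	t, ok := is.tokens[tokenID]
	switch {
	case !ok:
		return errors.New("unknown token")
	case t.used:
		return errors.New("token already used")
	case t.merchant != merchant:
		return errors.New("token bound to a different merchant")
	case amount <= 0 || amount > t.maxAmount:
		return errors.New("amount outside the cap")
	case at.Before(t.notBefore) || at.After(t.notAfter):
		return errors.New("outside the capture window")
	}
	pub, ok := is.pubKeys[t.account]
	if !ok || !ed25519.Verify(pub, ChargeMessage(tokenID, merchant, amount, at), sig) {
		return errors.New("signature does not verify for the card owner")
	}
	t.used = true
	return nil
}

// Demo runs the flow on constructed data (account id, merchant names, amounts
// and clock are made up) and returns the issuer's verdict for each attempt.
func Demo() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)    // the cardholder's key pair
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // someone who is not the cardholder
	bank := &Issuer{tokens: map[string]*token{}, pubKeys: map[string]ed25519.PublicKey{"acct-0001": pub}}
	now := time.Date(2013, 12, 19, 12, 0, 0, 0, time.UTC)
	at := now.Add(time.Minute)           // capture shortly after the swipe
	late := now.Add(30 * 24 * time.Hour) // token read from a database dump weeks later
	out := map[string]error{}
	t1, _ := bank.IssueToken("acct-0001", "store-42", 5000, now, 10*time.Minute)
	out["legit"] = bank.Capture(t1, "store-42", 4299, at, ed25519.Sign(priv, ChargeMessage(t1, "store-42", 4299, at)))
	out["replay"] = bank.Capture(t1, "store-42", 4299, at, ed25519.Sign(priv, ChargeMessage(t1, "store-42", 4299, at)))
	t2, _ := bank.IssueToken("acct-0001", "store-42", 5000, now, 10*time.Minute)
	out["stale"] = bank.Capture(t2, "store-42", 4299, late, ed25519.Sign(priv, ChargeMessage(t2, "store-42", 4299, late)))
	t3, _ := bank.IssueToken("acct-0001", "store-42", 5000, now, 10*time.Minute)
	out["other-merchant"] = bank.Capture(t3, "other-shop", 4299, at, ed25519.Sign(priv, ChargeMessage(t3, "other-shop", 4299, at)))
	t4, _ := bank.IssueToken("acct-0001", "store-42", 5000, now, 10*time.Minute)
	out["forged"] = bank.Capture(t4, "store-42", 4299, at, ed25519.Sign(otherPriv, ChargeMessage(t4, "store-42", 4299, at)))
	return out
}

func main() {
	for name, verdict := range Demo() {
		fmt.Printf("%-15s %v\n", name, verdict)
	}
}
```

Only the "legit" capture succeeds; the replay, the stale token, the token presented by a different merchant and the charge signed with the wrong key are each refused by the issuer, which is the property the post is after: what a breached store database holds is useless on its own.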
- mistermack
- Posts: 15093
- Joined: Sat Apr 10, 2010 10:57 am
- About me: Never rong.
- Contact:
Re: 40 million at risk after Target card heist
As far as spending money online goes, you could have a system where you log in to your online bank account and send an authentication email to match the code number that you were given when you made your purchase. So the seller is only authorised to send the goods once he has that authentication number from your bank account.
As online shopping is growing fast, that could be more and more useful as time goes by.
While there is a market for shit, there will be assholes to supply it.