Hard News: A bigger breach?
-
God help us if the problem is someone getting into their database. I would hope it's some sort of skimming issue instead.
Daniel Ayers, who's very smart, was on the radio today saying his card was compromised, and he was pretty certain it wasn't skimming, because he watches for that kind of thing.
Computer security experts being professional paranoids and all ...
-
Isn't it just assumed that John Key is personally responsible for everything even slightly crappy that has ever happened in the whole wide 'verse since just before the extinction of the dinosaurs?
You stop too soon, Craig. There's no evidence he wasn't involved with the Permian extinctions, after all, and I personally find that deeply suspicious.
-
You stop too soon, Craig. There's no evidence he wasn't involved with the Permian extinctions, after all, and I personally find that deeply suspicious.
To quote Peggy Noonan, it would be irresponsible not to speculate.
-
The beauty of using DPS is that you don't record the Credit Card number in your system/database.
You submit the transaction to them and they return you a "token", basically a unique number that is useless without their database.
And they hold the translation between the "token" and the credit card number at their end.
There's a bit more to it than that, but that's it in a nutshell I think.
So to get the credit card number you'd have to skim it either physically via some device or via software on the pass thru to DPS somehow.
Or... get access to their database.
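The token flow described in this post, as an added example that is not DPS's code or the poster's; it assumes a hypothetical in-memory gateway vault and merchant table, and shows that a dump of the merchant side carries no card number while a token is meaningless to any other vault.

```python
import json
import secrets

# Added example (not DPS's or the post author's code): a hypothetical
# tokenisation flow as the post describes it. The gateway keeps the
# token -> card-number map; the merchant keeps only the token.


def luhn_ok(pan: str) -> bool:
    """Basic card-number sanity check (Luhn checksum)."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 12 and total % 10 == 0


class GatewayVault:
    """Hypothetical gateway side: the only place the card number is stored."""

    def __init__(self):
        self._vault = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Random token: nothing about the card number can be derived from it.
        token = secrets.token_hex(16)
        self._vault[token] = pan
        return token

    def charge(self, token: str, cents: int) -> bool:
        # Only this vault can map the token back to a card.
        return cents > 0 and token in self._vault


class MerchantDB:
    """Merchant side: stores the token and a masked display value only."""

    def __init__(self):
        self.rows = []

    def save_card(self, gateway: GatewayVault, customer: str, pan: str) -> str:
        token = gateway.tokenise(pan)
        self.rows.append({"customer": customer, "token": token,
                          "masked": "**** " + pan[-4:]})
        return token

    def leaks(self, pan: str) -> bool:
        """Would a dump of this database reveal the full card number?"""
        return pan in json.dumps(self.rows)
```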
-
Yeah, DPS won't certify you or let you use their system if you store card numbers. I guess it would be possible to modify your system to do so after they audited it, but my goodness, that would incur all sorts of liabilities I would think. What Glen said.
-
he was pretty certain it wasn't skimming, because he watches for that kind of thing.
Check this out and play spot the difference.
http://grab.orsm.net/update20090402/atm_skimming_devices.pdf
-
All devices connected to the EFT network must comply with PCI DSS...
And there is a very good explanation of how that works Here
</geek>
IIRC the first story about this was a spokesman for the owners, Auckland City Council, said they became aware of it when a "skimmer" (fake card reader) or 2 were found attached to machines in the Downtown car park, Auckland, they may have been there for years. They later added that it was possible that the security had been compromised somewhere outside of their area of control, thus absolving them of any responsibility.
Story here -
I can see the need for legislation that forces any device that stores credit card details to encrypt the data to prevent this kind of theft in the future.
While not legislation as such, credit card companies (kinda, see below) will not deal with you unless you are PCI-DSS compliant (Payment Card Industry - Data Security Standards). This standard covers all sorts of stuff from physical security of servers through to the management of visitor logs and surveillance camera footage. It's a big document, and caused all sorts of sucking of breath and tut-tutting when I showed it to our data centre guys.
The interesting thing is the way compliance is implemented. If a bank allows a non PCI compliant merchant to process payments, then the bank, not Visa or Mastercard, becomes liable for fraudulent transactions. Hence this becomes quite self-policing.
I have no idea what happened in this particular case, but it sounds like a shitload more than a little bit of skimming.
The way the banks are scrambling, I suspect some liability has been indicated at some level lower than the card provider.
-
Among other things I do crypto for a living - not financial transactions though - I have a real problem with how non-transparent our online financial system is - I want a system without secrets (well except maybe for large primes) that black and white hat hackers have banged their heads against for a while.
SSL is a great example - SSL man-in-the-middle attacks are becoming doable .... and of course my bank's online presence uses it .... that's useful information I probably wouldn't have if it were a secret, it tells me I should be visiting tellers
However - it's not just the online world - I was visiting my teller about a year ago and watched with horror as she picked up a cordless phone and phoned in my international transaction to head office - DECT's crypto is secret - I DO work with DECT day to day, doing completely legit work, but the crypto is on a need to know basis - you just poke bits at silicon you're expected to trust - and the crypto has been reverse engineered and is widely supposed to be compromised for many phones if not officially completely cracked yet - lots of phones don't actually do the crypto correctly anyway and end up just being in the clear without you knowing.
One can buy sniffer cards off the shelf, we use them for debug - the people who sell them are very suspicious (of us) so it's obviously an issue
Anyway if she can make that call and I can break the base station crypto (or it's just off and the bank doesn't know) I can listen in and then later make the same call using the same account number and appearing to have the same phone number etc etc to move money into my offshore account ....
-
This topic also calls for some Bruce Schneier facts, like:
One-time pads are impervious to man-in-the-middle attacks, unless that man is Bruce Schneier.
-
Just heard an Auckland City spokesman on RadioNZ saying that they need to prove to Westpac, Visa and Mastercard that the payment machines are appropriate, or how to "make them appropriate".
-
This topic also calls for some Bruce Schneier facts,
I don't know who that is (although can guess) but even still those are ace. Kinda like xkcd in text form for me...
-
Check this out and play spot the difference.
Those are awesome. Whoever came up with them deserves my money :-)
-
I'm a Bruce Schneier fan .... not quite as fanatic as that previous link though
-
SSL is a great example - SSL man-in-the-middle attacks are becoming doable
The holes have been there for a decade or so, the knowledge has just become public more recently. The real problem is people ignoring certificate errors, and your average non-techy person will usually pick convenience over caution. Like most security issues, the one thing you can't fix reliably is the user.
-
I have been travelling in the USA for the last three weeks. I used the BART train system in SF and the Amtrak routes in and out of SF too. To buy tickets just insert your credit card in this handy machine. No authentication required. None. I think I remember doing this in Europe too.
When I visited New York in January I found the whole CC thing very uncomfortable, maybe because of how I've been conditioned. I handed over my credit card at Toys R Us in Times Square, and they were confused about what I was trying to do when I picked up the keypad thingee to start entering a PIN. I'm not sure they even knew what it was for, and I doubt it worked for authorisation, at least. They just got me to sign for approval, which I'm never very comfortable with. Then there's the whole pre-approval sequence in restaurants where you might sign off paying for the meal, but a tip gets extracted after you've left. The whole thing just feels wrong... but perhaps it's just me.
But I was also surprised just how much that whole system still relies on cash-in-hand. In NZ I've walked around for 2 months with a $20 note in my wallet that I've never touched, because EFTPOS is accepted nearly everywhere with few exceptions, and I'm just so used to seeing the amount being charged, keying in a PIN to authorise it, then insisting that I get my EFTPOS receipt back from the retailer. In New York, that idea of electronic smaller transactions seemed inconceivable and credit cards appear to be treated as a big special thing for spending larger amounts, where it's just acceptable to have a flimsy authorisation system because nobody's ever known anything better.
-
PINs for credit cards are AFAIK unknown in the US - even ubiquitous use of debit cards apart from ATMs and supermarkets is relatively recent - some places still even run cards manually (or a small hotel will just take an imprint) though they get charged more these days.
BTW if you buy petrol and ever get asked by the machine for your zipcode on your foreign card '00000' often works. When you use a credit card in a petrol pump it won't ask for a PIN or signature - but may sometimes ask for a zipcode - only some places will take debit cards and will of course ask for a PIN.
In some states and some times (California keeps changing the law) you may be asked for a picture ID - they expect a driver's license, some people have never seen a passport and may be confused.
The 'pre-approval' thing in restaurants is largely part of the dance involving tips - it's almost a mating ritual and embedded in the culture, it's normal and doesn't (necessarily) mean they're ripping you off.
Many Americans are confused by our abandoning of our 1/2/5c coins - but we could do it easily (or more easily than them) because we have ubiquitous EFTPOS (and because we include GST in quoted prices rather than adding sales tax in after).
-
Paul, you're giving them too much credit.
They won't even accept the metric system.
-
PINs for credit cards are a very new concept in Canada - only introduced in the last 12 months, and only for Visa as far as I know. Most retailers - including many large ones - still don't have their swipe machines set up for entering PINs, so you still sign most of the time (even when using a PIN-equipped card).
Some stores will ask for picture ID (yes, a driver licence) to go with your signature - but this is rather random, and doesn't seem to relate in any obvious way to the amount being spent. e.g., you might "get ID'd" for a $20 purchase at one store, but not for a $200 purchase at another.
The driver licence thing reminds me of going to a bar in Arizona and trying to order a beer.
"Do you have ID?" -- "Sure," shows NZ driver licence.
"Ummm, do you have local ID?" -- "No I'm a tourist".
"Are you sure you don't have local ID?" -- "Yes, if it's a problem I'll just have a coke"
"Ummmmm.......... I guess it's OK"
-
But I was also surprised just how much that whole system still relies on cash-in-hand.
Worse than that, "paycheck" is often a literal, not a metaphorical statement in the US, meaning that companies can dick people around by ensuring they get their pay too late on Friday to bank it, leaving the money in the company's accounts for an extra couple of interest-bearing days. It's almost unbelievably antiquated.
-
The driver licence thing reminds me of going to a bar in Arizona and trying to order a beer.
My partner has an exchange student friend with whom she was trying to get into a Wellington pub a few years ago, using a passport as a photo ID. The bouncer told them that if they were going to forge a passport, they should choose a country that actually exists. Apparently the Republic of Estonia doesn't.
I think she felt very insulted about that, but they went to another entrance without further problems.
-
Worse than that, "paycheck" is often a literal, not a metaphorical statement in the US, meaning that companies can dick people around by ensuring they get their pay too late on Friday to bank it, leaving the money in the company's accounts for an extra couple of interest-bearing days. It's almost unbelievably antiquated.
The number one "guaranteed to start a flamewar" topic on many American-majority forums is tipping for waiters. "Minimum wage" laws, such as they are (or aren't as the case may be) usually have special allowances for tips received in service industries in many states, such as allowing an employer to count "predicted average tips" as part of a waitperson's wage, so if you are required by law to pay someone (say) eight USD p/h, but you claim they'll get on average 6.5 USD per hour in tips, you only have to pay them 1.5 USD an hour, and they need to work their asses off for the tips that will ensure they get paid what they should (sometimes the employer will have to make up the difference, but this process usually gets dragged out to the point where it's not reliable when you need to pay your rent).
It's one of the main reasons tipping is such a huge emotional trigger for many in the US: it's effectively a voluntary subsidy to prop up someone's salary.
-
Paul, you're giving them too much credit. They won't even accept the metric system.
But they use the metric inch .... (exactly 2.54cm) ....
-
It's almost unbelievably antiquated.
Our best friend in the USA was paid with an actual 'check', had no bank account, and cashed his pay at the liquor store for a fee and some real greenbacks (cheque cashing places are EVERYWHERE in working-class neighbourhoods). He was admittedly an extreme case, but their whole system is just bizarre.
ID: I always had to present a passport because I didn't drive (yes, I did not drive. In Texas. Because I am nuts), and I occasionally got some odd looks and questions, but it was mostly OK.
Tipping: I always tipped 20%, because it was easy to work out and waiting tables sucks. People who broke out their calculators at the table totally freaked me out.
-
This just in from Mr A. Source:
Auckland City's PCI certification is under serious review which will compromise their ability to carry out any credit card transactions. This will also potentially impact the new Auckland Council. Basically, internal systems at Auckland City have been compromised.
Holy shit.