

Credit Card Breach at California DMV - ssclafani
http://krebsonsecurity.com/2014/03/sources-credit-card-breach-at-california-dmv/

======
lvs
I think we're going to have to face the music soon: credit cards are a broken
transaction mechanism. They have a basic security model that's decades old,
with only a few patches over time. The truth is that a credit card has no
inherent security once you know a few essentially public things about it.

Insert cryptocurrency endorsement here -- or at least something else, because
the current tech has hit a wall.

~~~
ljd
Chip & Pin [0] as well as online authentication challenges such as 3-D Secure [1]
have already solved these issues but the United States has been slow to
pick them up.

[0]
[http://en.wikipedia.org/wiki/Chip_and_PIN](http://en.wikipedia.org/wiki/Chip_and_PIN)
[1]
[http://en.wikipedia.org/wiki/3-D_Secure](http://en.wikipedia.org/wiki/3-D_Secure)

~~~
jpollock
Chip and Pin has already been attacked successfully.

[https://www.cl.cam.ac.uk/research/security/banking/relay/](https://www.cl.cam.ac.uk/research/security/banking/relay/)

~~~
kalleboo
With that attack, it's super-easy to catch the criminals (both the merchants
should know who they hired). With mag-strip hacks, you can anonymously attach
a skimmer anywhere that broadcasts the information to wherever you are at a
safe distance. Huge difference in security.

edit: for the record, I believe EMV should be upgraded to put a display and
PIN pad on the card itself

------
yukichan
I'm going to start paying cash everywhere. I already use cash at point of sale
at regular stores, and I've limited my online exposure to Amazon, Netflix,
Google and PayPal. Insecurity is sending me back into the 70's with financial
technology.

I don't even want to use checks. I went to H&R Block, tried to pay with a
check to avoid giving my credit card details and they scanned the check's
routing and bank number and stored that! Losing your bank info is more severe
than credit card data because you have to close your account. Seriously
bringing like a wad of cash next time I go to H&R Block.

~~~
lawnchair_larry
Why? The customer has no exposure from credit card theft. You're making your
life difficult over a non-issue.

~~~
Varcht
Somehow somebody got enough information to attempt to open a line of credit in
my name. Thankfully it was declined for some reason even though I have a good
credit score but I am left with a refusal on my report. Still working on
getting that cleaned up. Not sure how it was done but having a credit card in
my name could be a good step in phishing.

~~~
lawnchair_larry
I believe credit reports don't show refusals, only inquiries. If it's just a
single inquiry, it likely isn't worth your time. They have a negligible impact
on score, unless you have a lot of them. I believe they drop off after 2 years
as well.

------
kevinpet
Not surprising considering the geniuses at the CA DMV think that "Who did you
vote for in the last presidential election?" is a good security question.

I write about six checks a year. Two of them are auto registration because
their site is so horribly broken when it could be so amazingly easy. These
people are able to send me a piece of paper in the mail with an access code.
It should take 30 seconds to pay my registration online.

~~~
existencebox
Not that I have any particularly related thoughts, but my most recent
interaction with a DMV was them refusing my birth certificate as a valid form
of ID because "It's printed on paper" and "what's a notary." (It was a
formally notarized copy, which AFAIK is the only way to get a copy from
records, you can no longer get an original if you've lost it; and this was the
DMV MANAGER I was speaking to.)

The entire DMV system has been so backwards I don't even know where I would
start addressing it.

------
eliteraspberrie
This is the new model for non-petty theft. Rather than target individual
credit card holders, just target the watering holes -- which, like credit
cards themselves (in the US) have near zero security.

~~~
sigkill
To be fair, technology makes it easy to firehose-vacuum data for both the
government _and_ civilians if you know how to wield that power. The government
needs to supply a letter stating that they're 'quartering troops' in your
datacenters in an abstract manner (bureaucratic exploit) while the normal user
learns the intricacies of the system and uses that (technological exploit). It
so happens that fixing bureaucratic 0days is harder than fixing tech. 0days.

------
Varcht
I heard a commercial for Lifelock the other day. The hook was something like
"Big news in identity theft! There hasn't been a major breach in a couple
weeks..."

Something needs to be done to prevent this. I wonder if it would be feasible
for the Credit card companies to do all the storage of card data as a service
for retailers. Retailers would just store a reference token.

Until then my credit is frozen[1]

1\. [http://www.clarkhoward.com/news/clark-howard/personal-financ...](http://www.clarkhoward.com/news/clark-howard/personal-finance-credit/credit-freeze-and-thaw-guide/nFbL/)

~~~
Cherian_Abraham
What you are talking about is essentially the tokenization concept which
should become real in 2014. All retailers such as Amazon would become Token
requestors in this concept. Advantages would be to essentially make these
breaches irrelevant as tokens could be invalidated quickly by the card issuers
easily. Further, for merchants - the advantage would be reduced fraud and
hopefully better interchange economics.

~~~
jimktrains2
A lot of processors have offered that service for years.

Amazon, being their own processor, probably stores their own numbers, but if
Visa themselves would start tokenizing, that would be huge and awesome.

------
DocG
After I have seen how irresponsibly companies handle these situations, I wonder
if it is possible to sue them if there is damage done. Same if someone has
identity theft. Can the information "leaker" be held accountable for such a
thing? Is there a precedent on this?

~~~
ljd
I used to work on a credit card processing system for a large ecommerce
company where my code and I were audited on an annual basis.

The fear was always, if there were a breach on our several hundred thousand
credit card database it would be trivial to find out that it came from us and
it would be VISA that would start litigation against us.

I'm lucky enough to never have had a credit card system that I wrote broken
into so I couldn't tell you first hand.

If anyone wants to know how to make a secure credit card system, it's pretty
simple:

1\. Don't be creative - there are plenty of rock solid boring implementations
that will encrypt your cards.

2\. Don't get fancy with encryption or key storage and use strong encryption
and a salt and you'll be fine.

3\. Limit physical and administrative access to the servers to as few humans
as possible.

4\. Let the only code that decrypts the cards be the code that is literally
right before your call to the gateway.

5\. Tokenize your cards, even if it's for an internal project where you think
everyone can be trusted.

EDIT: As a note, just follow PCI[0] to the letter and you'll end up pretty
safe.

[0][https://www.pcisecuritystandards.org/documents/pci_dss_v2.pd...](https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf)

~~~
jimktrains2
The better option, for most places, is to use some form of tokenization where
your CC processor stores the CC numbers and hands you an opaque token to
store.

Much less to worry about on your end as the tokens have no meaning outside the
tokenization service.

Also, just to reïterate the point: When it comes to security, and you're not a
crypto or security person, don't be creative and don't be fancy. Use what
works.
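
Added example, not part of the thread or any commenter's code: a minimal Python sketch of the processor-side tokenization discussed in the comments above, with the card number looked up only immediately before the gateway call. `TokenVault`, `_gateway_authorize`, the merchant IDs and the per-merchant token binding are assumptions for illustration; a real vault would also encrypt stored numbers at rest.

```python
import secrets

class TokenVault:
    """Stands in for the processor-side tokenization service (hypothetical API)."""

    def __init__(self):
        self._pans = {}  # token -> (merchant_id, PAN); exists only at the processor

    def tokenize(self, merchant_id, pan):
        # The token is random, so it cannot be reversed into the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pans[token] = (merchant_id, pan)
        return token

    def revoke(self, token):
        # After a merchant breach, tokens are invalidated without reissuing cards.
        return self._pans.pop(token, None) is not None

    def charge(self, merchant_id, token, amount_cents):
        # The only place the PAN is looked up: right before the gateway call.
        entry = self._pans.get(token)
        if entry is None:
            return "declined: unknown or revoked token"
        owner, pan = entry
        if owner != merchant_id:  # assumed binding of tokens to one merchant
            return "declined: token not issued to this merchant"
        return _gateway_authorize(pan, amount_cents)

def _gateway_authorize(pan, amount_cents):
    # Placeholder for the card-network call; returns only a masked receipt.
    return f"approved: {amount_cents} cents on card ending {pan[-4:]}"

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    token = vault.tokenize("merchant-a", pan)
    # What the merchant stores: an opaque token and the last four digits.
    record = {"card_token": token, "last4": pan[-4:]}
    results = {
        "pan_in_merchant_db": pan in record.values(),
        "legit": vault.charge("merchant-a", token, 1999),
        "token_used_elsewhere": vault.charge("merchant-b", record["card_token"], 1999),
    }
    vault.revoke(token)  # issuer/processor response to a breach at the merchant
    results["after_revoke"] = vault.charge("merchant-a", token, 1999)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```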

------
reustle
Ever since I started using Simple, I haven't worried too much about my card
info getting stolen and used without me realizing. I instantly get a push
notification whenever my card is charged, so I am mentally confirming every
time I spend.

~~~
ketralnis
Knowing that it happened isn't the same as having a system that's resistant to
it happening

~~~
stcredzero
In some cases, it's the only viable option.

