
Breach at Sonic Drive-In May Have Impacted Millions of Credit, Debit Cards - frgtpsswrdlame
https://krebsonsecurity.com/2017/09/breach-at-sonic-drive-in-may-have-impacted-millions-of-credit-debit-cards/
======
TheGRS
Maybe I'm a little ignorant on how/why companies store this sort of info.
Someone at work informed me that Target storing CC numbers at least made sense
when you needed to make a return. But at a Sonic Drive-In? I'm not returning
my burger+shake combo.

What is possessing Sonic to keep the number any longer than the period it
takes to receive money from the CC company? And why is this period any longer
than the 20 or so seconds it takes to process the card at a machine? Are all
of these magnetic-only or do they store CC numbers with chip cards as well?

~~~
rb808
It is a good way to track customers' buying habits, e.g. how many people go
weekly, or to different stores, or buy the same products, etc. E.g. HomeDepot tracks
credit card back to userid [https://consumerist.com/2013/01/16/home-depot-sort-of-explains-how-an-in-store-purchase-can-result-in-e-mails-from-its-website/](https://consumerist.com/2013/01/16/home-depot-sort-of-explains-how-an-in-store-purchase-can-result-in-e-mails-from-its-website/)

~~~
tzs
For that it should be good enough to just store the first 6 digits and the
last 4 digits of the card number. You might occasionally get two different
customers whose first 6/last 4 are the same but it should not happen often
enough to be a significant issue.

If even that small risk of conflating two different customers is too high, you
could go with a hash of the credit card number.

If you go with the hash, then don't ALSO store first 6/last 4. A typical
credit card number is 16 digits, and one of those is a check digit. If someone
gets a hold of the hash, and first 6/last 4, then there are only 100 000
possible values for the missing 6 digits (10^5, not 10^6, because for any
guess for 5 of the digits there is only one possible 6th digit that will make
the checksum work). Unless you use a very very slow hash function, brute
forcing 100 000 possibilities will be quick.

~~~
KGIII
The first four digits are pretty generic. They tell you who issued the card.
Many people will have the same first four digits. Maybe the second set of four
and the last set of four would be better?

Usually the first four is the issuer and whatever numbers signify the specific
type of card. The next set is the bank, I think. The third set is, as I
recall, the account number, and the last numbers equate to your routing
number.

Actually, just the last eight digits should be adequate. Hash them with a salt
based on the last name and collisions are very, very unlikely. Don't store
them at all, just store the hashes.

~~~
lloydde
I can’t tell if you are playing, but by storing the most unique part of the
credit card with last name you are not reducing the desirability of the target
much.

~~~
KGIII
You don't store the name. You use the name to generate the salt and hash the
results. You only store the hashes.

~~~
lloydde
You are still doing a near lossless transformation of the unique part of the
credit card and name as one of your goals is zero (minimized) hash collisions.
The character set and length of the input plus reasonable assumptions about
the salt and hash make it very likely "reversible" using rainbow tables or
other brute force techniques.

Choose metadata that doesn't have such high financial value. Additionally,
it's been years since I've been involved in e-commerce and the details are now
foggy, but if I recall storing those additional credit card digits, even
transformed, will prevent you from achieving the industrial certifications.
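
The two points argued above (tzs: a known first 6/last 4 plus a Luhn check digit leaves only 10^5 candidates behind an unkeyed hash; lloydde: a "salt" derived from the customer's name does not change that, because the salt is not secret) can be checked concretely. The following is an added example, not code from any of the commenters. It computes the Luhn check digit, verifies that exactly one check digit is valid for any 15-digit prefix, counts the candidate space for a given truncation, and contrasts an unkeyed hash token with an HMAC token whose key is held outside the card-data store. The PAN used is the well-known test number 4111 1111 1111 1111, and the key is a constructed placeholder. The example covers only the cryptographic side; it says nothing about whether storing such values is acceptable under the card-industry rules the thread also raises.

```python
import hashlib
import hmac

# Constructed sample PAN: the widely used Visa test number (passes Luhn, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit pass the Luhn check.

    Luhn doubles every second digit counting from the right, starting with the
    digit next to the check digit; so in the partial number the rightmost digit
    is the first one doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # positions adjacent to the (future) check digit are doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit of pan is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def valid_check_digits(partial: str) -> int:
    """Count how many of the ten possible check digits make partial pass Luhn.

    This is tzs's observation: the answer is always exactly 1, so the check digit
    contributes no entropy once the other digits are fixed.
    """
    return sum(1 for d in "0123456789" if luhn_valid(partial + d))


def candidate_space(pan_length: int, kept_leading: int, kept_trailing: int) -> int:
    """Number of PANs consistent with a known first-N/last-M and a valid Luhn digit.

    One hidden digit is always fixed by the Luhn constraint (either the check digit
    itself, or one hidden digit that must make the known check digit work), so the
    space is 10 ** (hidden - 1). For 16 digits with first 6/last 4 that is 100000.
    """
    hidden = pan_length - kept_leading - kept_trailing
    if hidden < 1:
        raise ValueError("nothing is hidden")
    return 10 ** (hidden - 1)


def mask_pan(pan: str, keep_leading: int = 6, keep_trailing: int = 4) -> str:
    """The common first-6/last-4 display form."""
    hidden = len(pan) - keep_leading - keep_trailing
    return pan[:keep_leading] + "*" * hidden + pan[-keep_trailing:]


def plain_hash_token(pan: str, salt: str = "") -> str:
    """Unkeyed hash. Anyone holding the token and the masked PAN can check each of
    the candidate_space() guesses offline; a salt that is public or derivable
    (e.g. built from the customer's last name) does not change that."""
    return hashlib.sha256((salt + pan).encode()).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """HMAC token. The key lives outside the data store (an HSM/KMS is the usual
    choice); without it, a stolen token cannot be tested against guesses, so the
    small candidate space no longer matters to whoever steals the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    key = b"constructed-placeholder-key-kept-outside-the-db"
    print("valid:", luhn_valid(SAMPLE_PAN))
    print("check digits that work for the 15-digit prefix:", valid_check_digits(SAMPLE_PAN[:-1]))
    print("candidates behind first6/last4:", candidate_space(16, 6, 4))
    print("masked:", mask_pan(SAMPLE_PAN))
    print("unkeyed token:", plain_hash_token(SAMPLE_PAN, salt="smith"))
    print("keyed token:  ", keyed_token(SAMPLE_PAN, key))
```

The design point is the one lloydde makes in different words: the strength of the stored token has to come from a secret the database does not hold, not from the input, because the input space after truncation is tiny. An HMAC key kept in a separate system gives that; a salt built from customer data does not.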

------
DarkTree
So I'm pretty ignorant to the history of personal identity/credit breaches,
but for those who aren't, is this only going to get worse? More and more
companies are holding more and more data, to the point that these breaches
seem to affect so many people. I entered the credit card game pretty recently,
and almost immediately I'm affected by the Equifax breach. As a young person,
this doesn't make the future of privacy/security seem so promising.

~~~
losteric
The news looks bad, but reality is worse. Remember that huge trove of NSA
hacking tools and exploits that dumped last year? And the numerous follow-up
dumps? There are LOTS of new weapons in the hands of everyone from everyday
script kiddies to organized crime to enemy nations.

It's possible Equifax was the only credit agency with enough information to
require public disclosure... if Transunion doesn't have the right logs or
monitors, they may never find out they've been breached, and neither will we.

At this point, I assume everything on a computer can become public.

~~~
adjkant
This talk seems to always be relevant:

[https://vimeo.com/135347162](https://vimeo.com/135347162)

Abstract: In this bleak, relentlessly morbid talk, James Mickens will describe
why making computers secure is an intrinsically impossible task. He will
explain why no programming language makes it easy to write secure code. He
will then discuss why cloud computing is a black hole for privacy, and only
useful for people who want to fill your machine with ads, viruses, or viruses
that masquerade as ads. At this point in the talk, an audience member may
suggest that Bitcoins can make things better. Mickens will laugh at this
audience member and then explain why trusting the Bitcoin infrastructure is
like asking Dracula to become a vegan. Mickens will conclude by describing why
true love is a joke and why we are all destined to die alone and tormented.
The first ten attendees will get balloon animals, and/or an unconvincing
explanation about why Mickens intended to (but did not) bring balloon animals.
Mickens will then flee on horseback while shouting “The Prince of Lies escapes
again!”

~~~
randycupertino
That is the most hilarious abstract I have ever read in my life.

~~~
adjkant
The talk itself is just as funny too, please do watch it fully. It's not chock
full of evidence, but it has some good points and some great entertainment.

------
abalone
I'm surprised Krebs ended up plugging chip-and-PIN instead of the current
leapfrog technology exemplified by Apple Pay. I feel there is not enough
awareness of just how much more secure this is.

A huge advantage of Apple Pay is that you get the security of a PIN without
the hassle of entering a PIN -- or the risk of it being stolen during PIN
entry. You just authenticate with your fingerprint or, soon, your face.
(Please no comments speculating that this is less secure than a fingerprint.
It's premature to say and unless you know something Apple doesn't, you're
probably wrong.)

Another less understood advantage is that Apple Pay takes the strongest
approach to tokenization, which makes it effectively immune to merchant
hardware compromises. Even chip cards rely on the card readers at points of
sale to handle tokenization, so a hacked reader could in theory leak PANs. On
top of that, lots of merchants/processors don't even bother with tokenization,
so it's a crap shoot with every merchant.

Apple Pay tokenizes when you enroll your card, so the PAN (primary account
number) never passes through any merchant systems anywhere ever. This means
the tokenized numbers that hackers could steal from merchants are useless
outside of two-factor-secured Apple Pay.

~~~
knz
> A huge advantage of Apply Pay is ... without the hassle of entering a PIN

You are forgetting that tools like Apple Pay are not hassle free for most
people, especially those outside of IT circles. Millions of people struggle to
use anything beyond basic technology (American banks have even decided that
PINs are too confusing! A four digit number that has been common in the rest
of the world for decades!). Combine that with other factors like fears of
being caught with a flat battery or businesses that are reluctant to spend
money on new POS devices - it's unlikely that plastic cards are going away
anytime soon.

Also, I'm not sure entering a PIN is really any more hassle than using a phone
as a payment device (I use Android Pay whenever I can due to the added
security features but the POS readers are often incredibly slow).

~~~
abalone
Not sure what you're talking about. Apple Pay is so much easier and more
pleasant to use than chip-and-PIN. It is designed to be easier for the average
consumer.

And in terms of speed, are we living on the same planet? Chip-and-PIN is
_notoriously_ slow in the U.S. Apple Pay takes a second.

Also I'm not saying plastic will go away anytime soon. There will be legacy
terminals. I'm saying Apple Pay and its ilk are superior to chip-and-PIN, a
two decade old technology.

~~~
knz
> are we living on the same planet?

Are we? I assume you have never experienced the requests for support from tech
illiterate relatives since childhood for assistance with VCRs, PCs, basic
cell phones, printers, anything USB related in the 90's, scanners, cable
boxes, modems, endless websites/web applications, and of course, smartphones.
Demographic changes are shifting the definition of "average consumer" but
boomers still dominate and many of them struggle with technology.

Chip and PIN is indeed slow in the US (I grew up elsewhere and travel
regularly so it drives me insane) but the experience with Android Pay isn't
necessarily faster or more convenient. Like I said, I use Android Pay whenever
I can but I don't recall ever seeing another person using their smartphone to
pay in a store.

A quick search seems to suggest this is more than just anecdotal:

[http://fortune.com/2017/08/04/apple-pay-samsung-mobile-payments/](http://fortune.com/2017/08/04/apple-pay-samsung-mobile-payments/)

"Despite much publicity upon launch, Apple Pay, Samsung Pay, and Android Pay
have struggled to gain traction," the analysts concluded. "Mobile wallet
adoption has been underwhelming to date by nearly every objective standard,
including initial penetration of smartphone users and repeat usage rate. While
up to one-third of U.S. phone owners have enrolled in the payment plans,
frequent usage is uncommon," the analysts said. "Only 8%, 6%, and 3% of people
use Apple Pay, Samsung Pay, and Android Pay at least once per week."

~~~
BHSPitMonkey
I've switched to Android Pay pretty much everywhere because it's nearly
instantaneous, whereas chip transactions require 10-20 seconds of awkward
waiting around. Before I had a phone with a fingerprint reader it took more
effort to wake and unlock the device, but now that part is frictionless.

~~~
knz
Android Pay is almost always as slow as chip transactions here in Minnesota.
The app seems to work quickly but the POS machine is always slow to complete
its part of the transaction. It seems to vary depending upon the POS machine
- for example Trader Joe's is always quick but those in the larger grocery
chains or local sandwich shop are painfully slow.

From the downvotes I assume it's a regional thing!

------
nsxwolf
Millions of people eat at Sonic?!

------
perseusprime11
Can we all now move to Bitcoin? We have enough evidence with all the breaches
so far. This is not going to stop anytime soon.

~~~
stordoff
Does that actually help all that much? I doubt most people know how to, or
want to, keep their keys secure enough, so you'd likely end up with them being
managed by central services anyway.

~~~
perseusprime11
I sense an opportunity here for someone to figure out better UX when it comes
to managing keys. A lot of folks do dabble and use 1password or lastpass, etc.

------
mrb
Edit: it is sad that my comment that is relevant and contains nothing but
facts is downvoted... What has HN become?

Say what you want about Bitcoin, but it _does_ solve credit card theft for
good. If I could use my Bitcoin hardware wallet¹ to pay Sonic, I wouldn't be
affected by this security breach.

¹ No Bitcoin theft has ever occurred on a hardware wallet thanks to their
tamper proof isolation of private keys.

~~~
QAPereo
If someone else uses my cc, I’m not paying it. If someone steals my bitcoins,
they’re fucking GONE.

~~~
mrb
Wrong. In the US you may be liable for the full amount stolen if you fail to
notice the theft in 30 days. Even if you report the theft promptly, the law
allows your issuer to make you liable for the first $50.

Also you completely ignored my point about hardware wallets making theft a
non-problem.

~~~
castis
> the law allows your issuer to make you liable for the first $50

This has never happened to me, and I've had a CC compromised a few times.

If someone steals your hardware wallet, what do you consider that?

~~~
mrb
Physically stealing a hardware wallet is typically not useful because they
are PIN-protected. And you can back them up by writing the 12/24-word seed in
a safe/hidden spot.

