Maybe I'm a little ignorant on how/why companies store this sort of info. Someone at work informed me that Target storing CC numbers at least made sense when you needed to make a return. But at a Sonic Drive-In? I'm not returning my burger+shake combo.
What is possessing Sonic to keep the number any longer than the period it takes to receive money from the CC company? And why is this period any longer than the 20 or so seconds it takes to process the card at a machine? Are all of these magnetic-only or do they store CC numbers with chip cards as well?
I don't believe in this case the hack targeted any cards held on file, as the article suggests it may have been a hack of the POS software system that would allow the thieves to copy the info from the magnetic strip as it was captured in real-time and then clone the card.
They don't. From the article:
"Malicious hackers typically steal credit card data from organizations that accept cards by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic stripe. Thieves can use that data to clone the cards and then use the counterfeits to buy high-priced merchandise from electronics stores and big box retailers."
"The last known major card breach involving a large nationwide fast-food chain impacted more than a thousand Wendy’s locations and persisted for almost nine months after it was first disclosed here. The Wendy’s breach was extremely costly for card-issuing banks and credit unions, which were forced to continuously re-issue customer cards that kept getting re-compromised every time their customers went back to eat at another Wendy’s."
That provides an interesting lesson for vendors doing CC transactions: card compromise does not impact repeat business, so don't worry about breaches.
Target wasn't storing credit cards. They installed spyware onto the POS systems, and the CC numbers were not stored in memory on the actual register. So there was a point in time that they could be pulled from system memory. There was an in-depth analysis I'm struggling to find at the moment. But Krebs shines a bit more light on it.
https://krebsonsecurity.com/2014/02/target-hackers-broke-in-...
While Target does store transaction information, they don't store the actual credit card info. That's why you need to provide the physical credit card to do a return, or they give you store credit.
> ... Target storing CC numbers at least made sense when you needed to make a return.
This is why I think the merchant processors should instead be doing this by some kind of transaction ID. I.e. send the refund amount to the processor with the transaction ID instead of sending a new transaction to the card. It's more secure, and less error prone since you could build in checks for the amount returned and other such bits.
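The refund-by-transaction-ID design described above, as an added example that is not code from the thread or from any real processor: the merchant keeps only the processor's transaction ID, a processor-issued token and the last four digits, refunds reference the original transaction, and the merchant enforces that cumulative refunds never exceed the sale. The `Processor` class and its `capture`/`refund` API are assumptions standing in for a real acquirer.

```python
from dataclasses import dataclass
import secrets

# Constructed example: the PAN is handed to the (simulated) processor once
# and never persisted on the merchant side; refunds use the transaction ID.

@dataclass
class Sale:
    txn_id: str          # processor's reference for the original capture
    token: str           # processor-issued token standing in for the PAN
    last4: str           # receipt display only; not enough to clone a card
    amount_cents: int
    refunded_cents: int = 0

class Processor:
    """Stand-in for the acquirer (hypothetical token + transaction-ID API)."""
    def __init__(self):
        self._vault = {}   # token -> PAN is kept only on the processor side
    def capture(self, pan, cvv, amount_cents):
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan      # CVV is used for authorization and dropped
        return token, "txn_" + secrets.token_hex(8)
    def refund(self, txn_id, amount_cents):
        return True                   # a real processor would settle against txn_id

class Merchant:
    def __init__(self, processor):
        self.processor = processor
        self.sales = {}               # txn_id -> Sale; no PAN, no CVV anywhere here
    def sell(self, pan, cvv, amount_cents):
        token, txn_id = self.processor.capture(pan, cvv, amount_cents)
        self.sales[txn_id] = Sale(txn_id, token, pan[-4:], amount_cents)
        return txn_id
    def refund(self, txn_id, amount_cents):
        """Refund against the original sale; returns the remaining refundable amount."""
        sale = self.sales.get(txn_id)
        if sale is None:
            raise ValueError("unknown transaction")
        if amount_cents <= 0 or sale.refunded_cents + amount_cents > sale.amount_cents:
            raise ValueError("refund exceeds original sale")
        if not self.processor.refund(txn_id, amount_cents):
            raise RuntimeError("processor declined refund")
        sale.refunded_cents += amount_cents
        return sale.amount_cents - sale.refunded_cents
    def stores_pan(self, pan):
        # Audit helper: confirm the full PAN appears in no stored record.
        return any(pan in str(s) for s in self.sales.values())
```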
If there is a fingernail in my milkshake you can bet I will get a refund. That's still no excuse to be storing this information because as pointed out they should only need the transaction ID to issue refunds.
Ignoring batch processing, they're also keeping this information in case of fraud issues, refunds, customer tracking for marketing purposes, etc. Even with PCI compliance you can store card information. You only can't store the CVV number. If your storage methods use easy-to-circumvent encryption, then, ta-da, the hackers get all the credit cards.
So I'm pretty ignorant of the history of personal identity/credit breaches, but for those who aren't, is this only going to get worse? More and more companies are holding more and more data, to the point that these breaches seem to affect so many people. I entered the credit card game pretty recently, and almost immediately I'm affected by the Equifax breach. As a young person, this doesn't make the future of privacy/security seem so promising.
The news looks bad, but reality is worse. Remember that huge trove of NSA hacking tools and exploits that was dumped last year? And the numerous follow-up dumps? There are LOTS of new weapons in the hands of everyone from everyday script kiddies to organized crime to enemy nations.
It's possible Equifax was the only credit agency with enough information to require public disclosure... if Transunion doesn't have the right logs or monitors, they may never find out they've been breached, nor will we.
At this point, I assume everything on a computer can become public.
As it says in the article, this should get better once chips become standard. At that point, the chip will be doing something like an encrypted transaction with the bank, so listening in on any stage of the transaction shouldn't matter (not that I have any details on the process).
Someone should plot them to get an idea of how much worse things are getting, but it feels like we've had one major data breach nearly every week for about 3 years now.
I'm surprised Krebs ends up plugging chip-and-PIN instead of the current leapfrog technology exemplified by Apple Pay. I feel there is not enough awareness of just how much more secure this is.
A huge advantage of Apple Pay is that you get the security of a PIN without the hassle of entering a PIN -- or the risk of it being stolen during PIN entry. You just authenticate with your fingerprint or, soon, your face. (Please no comments speculating that this is less secure than a fingerprint. It's premature to say and unless you know something Apple doesn't, you're probably wrong.)
Another less understood advantage is that Apple Pay takes the strongest approach to tokenization, which makes it effectively immune to merchant hardware compromises. Even chip cards rely on the card readers at points of sale to handle tokenization, so a hacked reader could in theory leak PANs. On top of that, lots of merchants/processors don't even bother with tokenization, so it's a crap shoot with every merchant.
Apple Pay tokenizes when you enroll your card, so the PAN (primary account number) never passes through any merchant systems anywhere ever. This means the tokenized numbers that hackers could steal from merchants are useless outside of two-factor-secured Apple Pay.
You're right except when your bank is a bunch of consumer hostile idiots that still make you enter the PIN.
> A huge advantage of Apple Pay is ... without the hassle of entering a PIN
You are forgetting that tools like Apple Pay are not hassle free for most people, especially those outside of IT circles. Millions of people struggle to use anything beyond basic technology (American banks have even decided that PINs are too confusing! A four digit number that has been common in the rest of the world for decades!). Combine that with other factors like fears of being caught with a flat battery or businesses that are reluctant to spend money on new POS devices - it's unlikely that plastic cards are going away anytime soon.
Also, I'm not sure entering a PIN is really any more hassle than using a phone as a payment device (I use Android Pay whenever I can due to the added security features but the POS readers are often incredibly slow).
Does that actually help all that much? I doubt most people know how to, or want to, keep their keys secure enough, so you'd likely end up with them being managed by central services anyway.
Edit: it is sad that my comment that is relevant and contains nothing but facts is downvoted... What has HN become?
Say what you want about Bitcoin, but it does solve credit card theft for good. If I could use my Bitcoin hardware wallet¹ to pay Sonic, I wouldn't be affected by this security breach.
¹ No Bitcoin theft has ever occurred on a hardware wallet thanks to their tamper proof isolation of private keys.
Your digital wallet gives up consumer protections such as chargebacks which is a regression in consumer benefits. It is also accepted approximately nowhere, with very little incentive for merchants to add support.
Apple Pay and related solutions offer "tamper proof isolation of private keys" while still offering all of the consumer protections of cards, plus broad and growing acceptance via compatibility with standard contactless card terminals and POS systems.
So does using a chip reader. Assuming it's up to current standards, the card's information is cryptographically locked to Sonic's vendor ID and any stolen stored CC info could only be used at other Sonics.
Chip + PIN solves it even better by forcing the attacker to learn the PIN for the card. We're not there yet in the US but once everyone has modern chip readers, adding PINs will be trivial.
Also as a customer I'm not liable for these issues. The vendor is. With cryptocurrency, if there's a hack against me and my coins are gone, well, they're gone forever.
Sure beats giving up on CCs entirely for cryptocurrency, which comes with its own headaches and problems, especially Bitcoin, which as a network wouldn't be able to cover 1 hour of credit transactions in the States.
Bitcoin is more analogous to gold bricks or cash, not credit cards.
Credit cards are built on underlying currencies, offering easy short-term debt and a simpler payment process (compared to check/cash)... I expect that bitcoin credit cards are another prerequisite for consumer adoption.
Yeah, if I keep my credit card in a safe and never use it, no fraud is going to happen. If I use it to pay for things multiple times a day, this happens. It's not like there haven't been bitcoins stolen in the past.
> Say what you want about Bitcoin, but it does solve credit card theft for good
Bitcoin is very similar to cash in many respects, especially when compared to credit cards.
I doubt anyone would say this:
> Say what you want about cash, but it does solve credit card theft for good. If I could use my cash wallet to pay Sonic, I wouldn't be affected by this security breach
It's obviously true, but it's also trivial and pointless. Saying Bitcoin instead of cash doesn't change any of that.