Part of me wonders if security will ever be something people actually care about, and value.
Home Depot had a huge, huge security breach. Their stock price? Up 12 points from last year.
I'm not sure what it would take for people to really value a major security breach. The tech guy inside me is screaming, "why wouldn't you care about this?", but the regular guy inside me thinks, "who cares? the banks will handle any stolen credit card info."
I don't really know much about this sort of thing. I assume that to the retailer that gets pwned, they get a few weeks or months of bad press then pass the cost of that breach on to future customers.
The "regular guy" in me thinks, "Meh, I'll probably end up paying 5 cents more for light bulbs because of this. Oh well."
I feel bad for the sysadmin/security guys at these companies, probably screaming for budget and not getting it. What do you think they're doing now? Helping some high-paid IR consultant restore logs from backups. Good times!
Well, we should find out as NFC and biometric authenticated payments (Apple Pay and TouchID) are about to hit the mainstream US consumer market in a big way. I'll certainly think twice about shopping at any big box retailer (i.e. the bigger targets, no pun intended) that doesn't let me pay that way.
That's the whole point of the liability shift. It will matter a lot more when the store is wholly liable, instead of this conditional liability depending on "indications of shortcomings in their security".
(In a year or so, stores that don't use EMV assume liability for fraud)
Could someone please explain to me why Home Depot and Target would even have the information of 56M cards?
Is this a result of not using chip and PIN, relying on offline transaction processing or some weird subscription plan?
I understand that there would be a cost involved in implementing chip and PIN across the entire US and it may not solve the issue if they insist on having the card on file. Online credit card processing has been pretty much standard for the last ten years here in Denmark. Terminals are connecting to the credit card processor, either via an ISDN/ADSL/phone/GSM connection, everything is encrypted and the store never has anything except the cardmask.
So why do companies like Target have the card information of their customers?
"The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation."
So it's not that Home Depot (I'm not sure this applies to Target) had the credit card info stolen from their servers. It's more that it was skimmed from their self-checkout machines, though by software rather than hardware.
Credit cards are based on a broken "pull money without permission" model.
The only way to get good security is to start with a system that doesn't suck; specifically, one that involves "pushing" money to an account rather than "pulling" it from an account.
Bitcoin got this right. So did the various non-CC services like PayPal and Venmo.
It will, because Apple Pay uses an EMV-based protocol (also known as chip-and-PIN) over NFC. The actual card secrets that can be used to authorise payments never leave the iPhone's secure element.
Additionally, because you authorise the exact amount on the iPhone, hacking the terminal to have it charge a higher amount than shown on its display is impossible.
This stuff goes on while my picture is taken at least three times if I want to buy a nut at that ridiculous store.
By the way, HD does not necessarily have the lowest price anymore--shop around.
Oh yeah, your employees hate your company more than your customers do. If there's a shortage--it's probably internal?
Hey Chantel--a manager asked if I wanted to have you written up. I figured working there was punishment enough. (bad customer service experience--really bad.)
bronbron|11 years ago
tacoman|11 years ago
saturdaysaint|11 years ago
sliverstorm|11 years ago
smackfu|11 years ago
If the breach doesn't hurt earnings, why should the stock price move?
mrweasel|11 years ago
opium_tea|11 years ago
coldcode|11 years ago
Sami_Lehtinen|11 years ago
wyager|11 years ago
You can't checklist your way to good security.
mrfusion|11 years ago
smackfu|11 years ago
programminggeek|11 years ago
wyager|11 years ago
Convenience.
praseodym|11 years ago
breakall|11 years ago
As someone who has to cancel his cards once or twice a year due to unauthorized purchases, this sounds great! (I could go back to cash, hmmm......)
pyre|11 years ago
Funneling more cash to Apple?
post_break|11 years ago
eli|11 years ago
IvyMike|11 years ago
I'm a cynic so I'm going with B.
(Actually, I may go with "C" which is "there are probably breaches that we just haven't heard of yet")
JDDunn9|11 years ago
phaemon|11 years ago
clubhi|11 years ago
sliverstorm|11 years ago
cordite|11 years ago
marincounty|11 years ago