Toys R US' Communications

A skimming device that collects Magstripe data and PINs is a crims dream.  Got the stripe, got the PIN, go get the cash - easy!  Write a white card and off you go ...

A chip and PIN terminal would have provided the crims with nothing more than the PIN and track 2 image from the chip, which (as I have said many times before) would be useless to the crims if the issuers had taken notice of the iCVV advice provided by MasterCard and Visa.  Ultimately, it is all very simple: if the cards are personalised properly, there are no "cherry trees".

Even so, Toys R Us haven't suffered, except for looking a bit stupid; and it's not like TK Max where the database was hacked and the clever crims got away with loads of data that TK Max should not have been storing.

Concerning TJMAX :

"A wireless network that employed less protection than many people use on their home systems appears to be the weak link that led TJX Companies, the US-based retailing empire, to preside over the world's biggest known theft of credit-card numbers.

Despite a market capitalization of almost $13bn, it appears the company couldn't afford to secure its Wi-Fi network with anything more robust than the woefully inadequate Wired Equivalent Privacy protocol. (The much more secure Wi-Fi Protected Access has come standard on most routers for four years now.) It also failed to use firewalls or install software patches and disregarded requirements imposed by Visa and MasterCard concerning how card information is stored and transmitted.

"According to a front-page article in today's Wall Street Journal, the nonfeasance allowed hackers to use a simple telescope-shaped antenna and a laptop to intercept data flowing through a Wi-Fi network used at a Marshalls discount clothing store near St. Paul, Minnesota."

David, you are correct. As long as non-DDA cards are issued, proliferation of standalone terminals will compromise cards. As it is, standalone terminals even in countries where only DDA cards are issued will still have to accept non-DDA cards. Also, Fallback will have to be prohibited to make DDA (ICVV) work.

I know ... :o)

but you also have to consider the following:

DDA prevents the creation of cloned (chip) cards, as unlike SDA cards, they have their own public/private key pair, which protects them from being copied.  However, a crim can still harvest the track 2 from the chip and create a magstripe card using the data, and assuming the crim is also able to capture the PIN, whoopee!  

So ... only issuing DDA cards does not prevent data harvesting from POS terminals.  It only prevents the cards from being copied.

And ... iCVV has nothing to do with DDA, or SDA for that matter.  The iCVV allows the card issuer to spot where a magstripe-originated transaction has been initiated (in a foreign ATM, or maybe, a POS fallback) using a magstripe that has been constructed using data originating from a chip.  The problem is that the card issuers never bothered with iCVV, and so when a magstripe transaction comes in from a non-chip ATM, they can't tell if it's a duffer.  And, no amount of SDA, DDA rhetorical security claptrap will alter that fact.

If you can read the card, you can extract the magstripe data.  If you can then write it to a magstripe and use it in a non-chip ATM, job done!

The problem, as is often the case, is in the implementation.  There is no point in trying to solve these issues with technology, as the cause (certainly in this case) can be tracked down to stupidity.

I know ... :o)

but you also have to consider the following:

DDA prevents the creation of cloned (chip) cards, as unlike SDA cards, they have their own public/private key pair, which protects them from being copied.  However, a crim can still harvest the track 2 from the chip (which is what they are doing now) and create a magstripe card using the data, and assuming the crim has also been able to capture the PIN, whoopee!  

So ... only issuing DDA cards does not prevent data harvesting from POS terminals.  It only prevents the chips from being copied.

And ... iCVV has nothing to do with DDA, or SDA for that matter.  The iCVV allows the card issuer to spot where a magstripe-originated transaction has been initiated (in a foreign ATM, or maybe, a POS fallback) using a magstripe that has been constructed using data originating from a chip.  The problem is that the card issuers never bothered with iCVV, and so when a magstripe transaction comes in from a non-chip ATM, they can't tell if it's a duffer.  And, no amount of SDA, DDA rhetorical security claptrap will alter that fact.

If you can read the card, you can extract the magstripe data.  If you can then write it to a magstripe and use it in a non-chip ATM, job done!

The problem, as is often the case, is in the implementation.  There is no point in trying to solve these issues with technology, as the cause (certainly in this case) can be tracked down to stupidity.