130 million stolen card details - are you kidding?

I don't suppose those numbers are on disk somewhere 'just in case' the hackers get caught and need to raise cash while in prison? Simply selling them. There is little excitement in hearing this stuff.

Are we left to wonder why [the system which makes us vulnerable to] this isn't considered a matter of national security?

I can envisage plenty of 'what-if?' scenariois.

It's a question of risk vs reward. Typically, the card issuers pick up the loss as a cost of business - and they have invested huge sums in fraud prevention tools. Why the outrage - we know cards are prone to fraud and we live with that fact. 3500 people each year are killed in road accidents in the UK annually - but I don't hear you wanting to replace the car!

I think it's also about consumer education and choice. There are alternatives out there but many people are unaware of them as yet.

Then consumers can make a genuine decision about how they want to shop on and offline based on variables including risk-appetite, convenience, cost and availability.

Ah Peter I see you do have 'a vested interest in today's solutions' so I would expect that response.  

Thank you your analogy of the car and giving me a chance to demonstrate how appropriate it really is.

We've spent billions of dollars to reduce the accident rate with cars to reduce the injury toll to drivers, passengers and pedestrians...designs that effectively destroy the car to absorb the impact...now this took a rebuild of the car from scratch...the public determined, over many years and too many lost lives, that it was totally inadequate just to put a louder horn on the front of the car...which is what the 'vested interests' in those days were advocating.  This is my point.  What your company and other hangers on are doing is making money out of building louder air horns instead of dumping the current design and starting again.

I mention the other analogy to do with monitoring and regulation.  There are standards in place that prohibit cars not so designed from reaching the showrooms.  Morerover there are policemen who ask drivers to be of sound mind, who have passed a competency test and can breath into a bag without sending the crystals blue.  This is continued monitoring of the regime.  The current PCI payments regime is farcical to say the least...how many card details have been lost this year so far...200, 300 million or more?

I'm afraid our existing payments system is still in the year of the Model T Ford.

As this article "Hacker charges also an indictment on PCI" from Search Security points out, the recent problems at Hanniford show that the PCI Data security Standard is still not fit for purpose. In particular:

• It needs to move from a "castles and moats" to "protected strongbox" design. Systems can no longer be deemed secure until proved otherwise, so the data should be protected not the system
• Data needs to be encrypted from the card and remain encrypted until it reaches the acquirer - for this a one time password, updated for each transaction is required and Chip & PIN cards still not capable of this
• Developers of any system which has access to a network on which card data is transmitted need to be security trained
• Any system that holds card data should be regularly tested by different external companies, not just one

Anyone need a Senior Business Analyst with experience of PCI DSS?

I would propose another analogy: Can we imagine that knowing the postal address (from yellow pages) is enough to enter a house? No, for sure! Unfortunatelly, knowing only the card's identity (ie. card number, exp date and security code engraved on the back) is enough to pay on the Internet. And to go further on on the analogy, these mega card details databases are a kind of "Bank card yellow pages"!

An efficient way to progress is to render these data useless to pay. This can be done by requiring a dynamic password at the payment stage. Banks having deployed EMV bank card can use the chip to generate a dynamic one-time password, thanks to a personal card reader (know as Home Chip and PIN card reader in the UK). 21M users in Europe are already equipped with such a solution to secure online banking operations. Banks should soon require it to be used in e-commerce payments too.

In this case, the dynamic password generated by the card's chip after PIN validation, will act as the key you use to lock your door.

"An efficient way to progress is to render these data useless to pay. This can be done by requiring a dynamic password at the payment stage. Banks having deployed EMV bank card can use the chip to generate a dynamic one-time password, thanks to a personal card reader (know as Home Chip and PIN card reader in the UK). 21M users in Europe are already equipped with such a solution to secure online banking operations. Banks should soon require it to be used in e-commerce payments too."

We're all selling something, aren't we? "Banks should soon require it to be used in e-commerce payments too." I suppose "require" means "mandate", much like VBV or UCAF/SPA because the only way your company's product (combo card reader/OTP generator) would work effectively is if all the online merchants in the world change their systems to facilitate and accept these OTPs. In fact, in the Le Parisien (in french), June 1 2009, Eric Flour of Societe Generale states this weakness as well.

I agree with Paul's comment about consumer education and awareness. Indeed, there are many alternatives out there but consumers are not aware of them. These other consumer-center solutions do not have to be mandated and can work without requiring changes on the merchants side. For example (and since we are all selling something), wouldn't it be ideal to just enable a cardholder to turn off his card account when he is not using it to make an online payment and enable him to turn it on before he makes an online payment? Same can be done for ATM transactions and cross-border transactions. All these types of transactions (online, ATM and cross-border) are prone to fraud. With such a system, a cloned card or compromised card details will not work, thereby rendering this cloning, hacking, phishing quite useless.

While we are blogging about our systems and solutions, there will be more Hacker Harrys and Cloner Conners out there.

Perhaps someone should start a site, much like wikipedia, maybe 'finapedia' or 'secupedia' (whatever) in which all the different systems and solutions can be listed. This should make consumers, banks and merchants aware of what solutions are available. Consumers and technologists can also comment on their strengths and weaknesses. I'm certain that making the market aware will result into the take-up of efficient solutions.

So is one hacker stealing 130 million credit card details an alarming sign ? Sure it is, and anyone being rather relaxed about it will probably change his mind very quickly after finding a few grands missing from his own account.

Now, there is the danger of throwing out the baby with the bath. Not all payments systems are alike, not all of them are insecure ...

Especially older systems that have been around for decades have proven to be very secure, and many responsible institutions still trust and do invest in proven and secure technology that is extremely hard or almost impossible to hack. None of the 130 million credit card details have been stolen from such secure systems.

The drawback: Those secure systems have a higher price tag than commodity systems based on cheaper and more widely spread vulnerable technology.

However, using open systems for critical payments processing increases fraud risks very significantly - and it requires additional security efforts that finally do cost far more than can ever be saved by buying cheaper technology. And also, the security cost is skyrocketing once your system has been hacked and you have to deal with all the consequences. This is a lesson that still has to be learned by many ...