Sadly, using bank cards at places such as shops, restaurants and bars (you know, actually spending the money you earned) puts you at serious risk of having your information stolen in data breaches.
This could then lead to your money being stolen via carding and mules.
At least, that’s the case if you’re in the US, or any other region which has been slow to adopt ‘Chip and PIN’ or similar variants of EMV payment card security.
The retail and ‘food and beverage’ sectors are prime targets for hackers, with lots of fresh card data passing through and generally poor security measures in place.
Outsourcing IT security to under-skilled and under-engaged third parties, sloppy password policies and vulnerable outward-facing interfaces make this enticing data easy pickings for the bad guys.
I’ve been ploughing through Trustwave’s annual security report. I’m a bit of a glutton for annual reports, usually pigging out around Christmas time with the feast of year-end summaries.
This epic offering is a little different from my standard diet, and not just thanks to its mid-year arrival. Trustwave is a big player in PCI compliance, penetration testing and post-data breach forensic investigation.
So, in and amongst the usual stats on prevalent malware families and spam rates are some juicy morsels from their research into companies which have actually been breached and robbed of their data.
Their figures show that the bulk of the companies that have called them in are in the retail (45%) and food and drink (24%) industries, with ‘hospitality’ a distant third (9%).
Here’s the breakdown from the report:
Of course, there’s room for some sampling error here, as there may be bias in the types of companies which call them in, but those numbers look pretty significant.
Almost all breaches go after customer data, with a pretty equal split between attacks targeting ecommerce and web installations and those which go after point-of-sale or payment processing systems.
Some 63% of issues were put down to third-party support or IT service providers, with 47% of breaches facilitated by inadequately protected remote access systems. Many of these were thanks to default or too-obvious passwords.
In Europe, where EMV has long been the standard for bank cards, point-of-sale (POS) is barely targeted at all.
The chip system makes it too hard to clone usable cards with data harvested at the POS. So the main targets are often small (and thus under-secured) web traders and ‘card not present’ transactions.
The US continues to put off the transition though.
Shifting liability from the banks and card companies to merchants and ATM operators – i.e., putting the pressure on them to switch to more secure systems – is not planned to start there until 2015.
That’s a full decade after Europe and much of the rest of the world – while Canada, Australia and New Zealand are just going through the process now.
So, US retailers and food outlets continue to put their customers at risk, years after epic breaches like TJX put the issue in the headlines.
It’s bad enough being nervous about handing your card details to unknown websites. We really should be able to feel safe physically swiping our cards in stores and cafes.
EMV may not be perfect, but it’s clearly helped a lot where it’s been implemented.
For now, I think I’ll carry on using cash wherever possible in the US – although of course, that’s not going to help me if the ATM system gets hacked…
Image of credit card and fork and credit card chip courtesy of Shutterstock. Image of data breach percentages courtesy of Trustwave.
8 comments on “Lack of Chip and PIN technology leaves US shoppers and diners at risk from hackers”
There's a longish history of compromise *of the EFTPOS devices themselves* (Naked Security has written about a few such incidents).
How does that affect chip-and-PIN security?
In the U.S., the laws favor consumers when a credit card is hacked or a thief makes a swipe copy. The consumer is simply responsible for reporting the theft in a timely manner and they are reimbursed. On the other hand, if an ATM card is hacked, the law says the consumer is held responsible. The bank assumes the consumer shared the PIN. Chip and Pin systems are also vulnerable to hacking. No thanks. I'd rather stick with a system that protects consumers from losses due to theft and hacking.
Those costs are ultimately passed back to the consumer in the way of fees – ever notice that businesses give discounts if you use cash rather than credit? The credit companies pass along the high costs of losses to the vendors who use their system, who in turn increase the prices of their goods and services to cover those costs of offering credit card usage. Nothing's for free. Your consumer protection is only for those who are gullible enough to buy into it. You simply subsidize the losses of individuals among all the card users. I'd rather reduce the losses and keep the money in my pocket when I purchase goods and services.
And yes, I'm American.
Bad information, Tim. Under Reg E the consumer is protected both on ATM / Debit cards as well as credit cards. Banks are not allowed to assume that the consumer is at fault. Consequently banks eat most of the cost involved in debit card fraud.
And it’s cheaper to pay insurance against it than to take the security measures that they should.
I travel quite often in the UK, and the people at the cash registers are constantly amazed that I don't have a pin and chip card. It's standard there and has been for years. I think the US needs to do some catching up – and fast. The technology already exists – how hard can it be?
Chip and Pin has been compromised far too often in the UK for comfort. It has been shown to be relatively easy for the knowledgeable miscreant to obtain the information needed to clone cards and obtain knowledge of PIN numbers. Banks, sadly, always assume the customer is at fault even when they still have the original card in their possession, banks assuming they 'lent it' to the miscreant, even though subsequent transactions may be in a location many miles away.
Chip and Pin is not as secure as the Banks would have us believe.
Bad banks might behave like that but good banks would disable your card automatically when noticing such impossibilities (incoherent location usage) and send you a new one.
This happened to me 10 years ago with my pin protected card. The bank disabled my card even before I had noticed the strange withdrawals on my bank account log. They refunded me almost immediately.
Of course the withdrawals came from internet websites where the pin and chip were useless…
Since then I only use one time credit card numbers when buying on the internet (numbers generated by my bank that can only be used for a specified amount and only by one merchant).
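The automatic card suspension the comment above describes, where a bank notices "incoherent location usage" (a card used in two places that no traveller could reach in the elapsed time) and disables it, is a standard issuer-side control often called an impossible-travel check. The following is an added example, not code from the article, from Naked Security, or from any commenter: a small detector over card-present transaction records. The card tokens, merchants, coordinates and timestamps are constructed sample data, and the 900 km/h speed ceiling and 1 km same-instant tolerance are assumed thresholds, not values from the page.

```python
"""Impossible-travel check over card-present transactions (added example).

Flags a card when two consecutive transactions imply a travel speed no
traveller could reach, which is the kind of 'incoherent location usage'
an issuer can act on by suspending the card and reissuing it.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed ceiling on plausible travel speed (roughly airliner cruise speed).
MAX_SPEED_KMH = 900.0
# Two transactions at the same instant are tolerated only within this radius
# (clock granularity, neighbouring terminals); beyond it the card is in two
# places at once, which is the classic signature of a cloned card.
SAME_INSTANT_TOLERANCE_KM = 1.0


@dataclass(frozen=True)
class Txn:
    card: str        # tokenised card reference, never the PAN itself
    ts: datetime     # UTC, kept naive for simplicity
    lat: float
    lon: float
    merchant: str


@dataclass(frozen=True)
class Alert:
    card: str
    prev: Txn
    cur: Txn
    speed_kmh: float  # float('inf') when both transactions share a timestamp


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres on a 6371 km sphere."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    d_phi = radians(lat2 - lat1)
    d_lam = radians(lon2 - lon1)
    a = sin(d_phi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(d_lam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def flag_impossible_travel(txns, max_speed_kmh=MAX_SPEED_KMH):
    """Return one Alert per consecutive pair of transactions on the same card
    whose implied speed exceeds max_speed_kmh. Input order does not matter:
    transactions are grouped by card and sorted by time first."""
    by_card = {}
    for t in sorted(txns, key=lambda t: (t.card, t.ts)):
        by_card.setdefault(t.card, []).append(t)

    alerts = []
    for card, seq in by_card.items():
        for prev, cur in zip(seq, seq[1:]):
            dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if hours == 0.0:
                # Same timestamp: only a real alert if the terminals are apart.
                if dist_km <= SAME_INSTANT_TOLERANCE_KM:
                    continue
                speed = float("inf")
            else:
                speed = dist_km / hours
            if speed > max_speed_kmh:
                alerts.append(Alert(card, prev, cur, speed))
    return alerts


def cards_to_block(txns):
    """Set of card tokens the issuer should suspend pending reissue."""
    return {a.card for a in flag_impossible_travel(txns)}


# Constructed sample: tok-A is used in London, Paris and then New York an
# hour later (impossible); tok-B stays in Manchester all day (fine); tok-C is
# used in Leeds and Manchester at the very same second (two places at once).
SAMPLE_TXNS = [
    Txn("tok-A", datetime(2013, 6, 10, 10, 0), 51.5074, -0.1278, "London shop"),
    Txn("tok-A", datetime(2013, 6, 10, 14, 0), 48.8566, 2.3522, "Paris cafe"),
    Txn("tok-A", datetime(2013, 6, 10, 15, 0), 40.7128, -74.0060, "New York bar"),
    Txn("tok-B", datetime(2013, 6, 10, 9, 0), 53.4808, -2.2426, "Manchester grocer"),
    Txn("tok-B", datetime(2013, 6, 10, 18, 0), 53.4794, -2.2453, "Manchester diner"),
    Txn("tok-C", datetime(2013, 6, 10, 12, 0), 53.8008, -1.5491, "Leeds kiosk"),
    Txn("tok-C", datetime(2013, 6, 10, 12, 0), 53.4808, -2.2426, "Manchester pub"),
]

if __name__ == "__main__":
    for a in flag_impossible_travel(SAMPLE_TXNS):
        print(f"{a.card}: {a.prev.merchant} -> {a.cur.merchant} "
              f"implies {a.speed_kmh:.0f} km/h")
    print("suspend:", sorted(cards_to_block(SAMPLE_TXNS)))
```

In a real issuer pipeline the merchant's location would come from the acquirer's terminal registration data rather than being carried on the transaction, and the alert would feed a case queue and an automatic block rather than a print statement; the pairwise check itself is the part that does the detecting.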