Kenneth van Wyk: Target breach underscores how backward U.S. payment tech is

There's no good reason for the U.S. to be so far behind in adopting EMV

We're still doing it wrong. How on earth, in the year 2013, nearly seven years after the record-setting TJX breach, can a retailer suffer a credit card breach that actually compromises user account numbers?

And yet here we are, witnessing Target scurrying to make things right after announcing that some 40 million customers' credit and debit card data had been illegally accessed in what amounts to the second-biggest credit card security breach in U.S. history. While there are doubtless many problems that led to this breach, at least much of the culpability must rest on the fact that we're using ancient payment card technologies here in the U.S., whereas the rest of the world has long ago eclipsed us with more modern tech.

Almost all of the burden for this, of course, falls on the side of the merchants and the payment card issuers/processors. But we consumers also need to pull our weight and demand more modern systems from our providers.

So let's consider the issues from two perspectives: 1) the merchant side and 2) the customer endpoint, at least for online purchases.

First, the merchant side, since that's what was compromised in the Target breach. Our best hope for ending this type of wide-scale breach that harvests millions of account numbers is the Europay Mastercard Visa (EMV), cards used throughout the world -- except for here in the U.S.

While certainly not perfect (as a group of researchers at Cambridge University discovered a couple of years ago), EMV, or "chip and pin" cards, have one massive advantage over the magnetic stripe system used in the U.S.: The merchant does not gain access to the customer's account number. Since that number doesn't leave the customer's card, massive system compromises should never result in the harvesting of millions of card numbers.

Unfortunately, EMV cards are not yet commonly available in the U.S. Things could be changing, since some U.S. banks are offering them, and during my holiday shopping this year, I did see two vendors whose point-of-sale terminals had chip-and-pin slots. I've used EMV on my overseas travel. I hope a lot more U.S. residents have experienced them as well and will create a groundswell for widespread U.S. adoption.

Now for the consumer perspective. I know that most people have done more online shopping over the past month than they did in the 11 months before that, but there are things we can do year-round to protect ourselves while shopping.

For starters, ask your credit card issuers if they support EMV cards, or what their rollout plans and timeline are. The card issuers need to hear a solid message from us consumers that we're fed up with magnetic stripe systems that are so trivially compromised.

If you can't yet get an EMV card from your issuer yet, there are other things can make online shopping more secure. For example, some credit card issuers these days support one-time account numbers for things like online transactions. You can request as many as you need, and you can specify the merchant a particular account number will be used with and a purchase limit for each one-time account number. If you had used such an account number at Target, the credit card number in its records would pose no threat to you, since it can never be used again. In fact, one-time numbers will be useful for online transactions even if EMV were available.

Another good idea: Many online merchants give you the option of not storing your credit card numbers on their sites. It's always smart to select that option when it's available. The more places that store your card numbers, the less safe you are. If you like the convenience of having your credit card info stored but realize that it's a security risk, consider using a password vault system like the one I described in November 2012. With it, you can automatically enter your credit card number when needed. The important thing is to maintain control of your credit card numbers as much as you can.

You can do more, though. I segregate my shopping from everything else I do online by dedicating one browser to shopping and never doing any shopping on any of the other browsers I might use. Not paranoid enough for you? You can use a completely isolated operating system boot environment for shopping and a different one for all other activities. Most modern operating systems enable you to build a bootable disk on removable media. For online shopping, build a clean boot environment -- absolutely nothing extraneous on it. (You can do the same thing in a virtual machine environment.) The advantage of the dual-boot approach is that if your system becomes compromised, the data on it or processed through it will be somewhat limited.

Some of this advice is not for everyone. I get that. But before you decide that even using separate browsers is too draconian for you, you need to realize that doing all your social networking and shopping on the same browser (and at the same time, perhaps) is simply being reckless. You might fare better by finding an angry bear and poking it with a stick.

With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.

Read more about security in Computerworld's Security Topic Center.

Tags TargetCybercrime and Hackingsecurity

More about Cambridge UniversityCarnegie Mellon UniversityCERTMastercardMellonPara-ProtectSmartTopicVisa

Comments

Comments are now closed

Tails 1.0: A bootable Linux distro that protects your privacy

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]