The wall starts to crack
Merchants and credit card processors are not allowed to store a host of sensitive data, according to Visa and MasterCard.
That includes personal identification numbers, or PINs, used to withdraw cash, the three-digit code on the signature panel, and data on the magnetic stripe on the back of credit cards.
A Visa spokeswoman would not comment on recent data breaches because of continuing investigations, but she pointed to inappropriate data storage as a cause of criminal activity.
“I can tell you generally that one of the biggest causes of criminal activity is from the inappropriate storage of this card information,” said Rosetta Jones, a Visa spokeswoman.
In other words, she wouldn’t say it happened this time, but generally when this kind of problem is observed, it’s happened.
I wonder how much of a public relations hit Citibank needs to take before they say whether OfficeMax was involved in this, or pressure Visa to be more forthcoming?
A few weeks ago, I was chastised for asking:
How would a retailer lose so much info, especially since reports in December were that the detected frauds likely were from customers who bought gasoline at Sam’s Club?
Sam’s Club said this in a press release on 12/2/2005:
SAM’S CLUB stressed that the electronic systems and databases used inside its stores and for http://samsclub.com are not involved.
So, databases “inside its stores” and the web site didn’t get penetrated. That leaves, uh, POS devices, and….dare I say it…wireless?
A couple of things to note. First, Wal-Mart has decided to be more specific, and says that the fraud activity linked to Sam’s Club months ago didn’t involve PINs, and was limited to their gas stations.
If any compromise occurred, it appears to be limited to the Sam’s Club fuel station point of sale system.
I wonder if those gas station systems use RFID? You know, the kind that Avi Rubin and asssociates at http://www.rfidanalysis.org/ successfully attacked?
I have no idea, but if they did, it would be possible to clone the RFID modules, as Rubin, et. al. proved. Another theory, advanced by Avivah Levitan, is that more conventional physical skimmers were used.
If this is the extent of Sam’s Club’s problem, though, I don’t think the current rash of fraud can be attributed to the breach they suffered. So, I’m going to back off on Wal-Mart, but stand by the POS theory I advanced.
If Sam’s Club cards were skimmed, or RFID fobs cloned, this could account for the 600 known frauds, while not requiring an enormous number of breached identities (according to the ID Analytics theory).
Meanwhile OfficeMax is under increasing scrutiny as having stored PIN information at its POS terminals. It’s probably about time for OfficeMax, like Sam’s Club, to say something other than “”We have no knowledge of a security breach here”.
Suggestion for Visa, MasterCard, and their ilk: please increase enforcement of the PCI security standard. A 70-90% non-compliance rate is embarrassing.
Update: Here is another wrinkle I just found via Computerworld.
According to Gartner’s Litan, OfficeMax officials’ outright denial suggests that the source of the compromise may well be a third-party processor used by the company to process card transaction.
That makes sense, but the thing I can’t fathom is why a processor would keep all the information that seems to have been revealed, especially in a post-CardSystems world.
After all, the FTC complaint [pdf] against CardSystems said:
In early 2005, issuing banks began discovering several million dollars in fraudulent credit and debit card purchases that had been made with counterfeit cards. The counterfeit cards contained complete and accurate magnetic stripe data, including the security code used to verify that a card is genuine, and thus appeared genuine in the authorization process. The magnetic stripe data matched the information respondent had stored on its computer network. In response, issuing banks cancelled and re-issued thousands of credit and debit cards. Consumers holding these cards were unable to use them to access their credit and bank accounts until they received replacement cards.
Surely, other processors would avoid this kind of a practice, wouldn’t they? Hopefully, someone will say something definitive soon. Legislators and Attorneys-General, I would imagine, are aware of this situation. Is it unreasonable to assume that they are sharpening their pencils and crafting laws and regulations to require disclosure under circumstances like these?
[Edited 29/4/2017 to unlink RFIDanalysis.org because Google claims its distributing malware.]