22 Dec 13

How About We Fix The Problem?

As I pointed out in my last post, EMV would not have stemmed the loss of data in the Target breach.  All EMV would have done is restrict where the thieves could use the card data obtained.  Even though the thieves can supposedly clone cards from the data gathered, as far as anyone has reported at this point, cloned cards do not appear to be the method of fraud.  So my assumption is that all, or the vast majority, of the fraud committed to this point has been through card-not-present transactions.

In response to people clamoring for a solution to the breach problem, Visa and MasterCard have curiously remained silent.  I would have assumed that the card brands would have trotted out their press releases touting EMV as the savior.  Yet they have said nothing.  Could it be that the card brands are actually acknowledging that EMV would have not been the answer?  One can only hope.

So what is the answer?

To me the answer is single-use transaction codes of 15 to 16 digits in length.  With the advent of smartphones and the miniaturization of electronics, building a card or an application that generates such a code is not only possible but has been demonstrated in recent years.  Not only that, the card brands and banks themselves dabbled with such solutions over 10 years ago but for some reason backed off on pushing them.  My best guess is that without a portable way of presenting the single-use code at the point of sale, there was no point in pushing such a system.  But times and technology change.

With today’s technology, the single-use codes could be displayed as bar codes so that existing merchant POS systems could scan them and avoid data entry errors.  Since they are no more than 16 digits long, the codes fit the fields that applications already use to store card numbers, with no schema changes.  Since the card brands and banks have already developed algorithms for this approach, they only have to agree on which ones to use.  Best of all, because a code is accepted only once, it can be processed, stored and transmitted wherever and however with far less fear of compromise: a code captured from a log or by a memory scraper after its first use is worthless.  The one caveat is that the issuer has to actually enforce the single use, rejecting any code that has already been redeemed and expiring unused codes quickly, since a code intercepted before its first use can still be spent once by the thief.
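To make the issuer-side half of this concrete, here is an added example (my code, not the PCI Guru’s and not any card brand’s scheme) of a toy issuer that mints random 16-digit single-use codes with a Luhn check digit, so they pass the same format validation existing PAN fields apply, and redeems each code at most once within a short validity window. The class and function names, the 300-second TTL and the account identifiers are my assumptions for illustration; the brands’ real algorithms are not described on this page.

```python
"""Toy model of single-use 16-digit transaction codes (added example, not from the post).

Assumptions (mine): codes are random rather than derived from the PAN; the issuer keeps
a record of every outstanding code with an expiry; a code is accepted on its first valid
presentation and rejected on every later one; a Luhn check digit makes the code look
like a PAN to existing merchant and processor validation.
"""
import secrets
import time


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit to append to a string of digits."""
    total = 0
    # The rightmost digit of `partial` sits just left of the check digit, so it is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if `number` is all digits and its last digit is the correct Luhn check digit."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class SingleUseCodeIssuer:
    """Issuer that mints 16-digit single-use codes and redeems each one at most once."""

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        # code -> (account_id, expiry). A real issuer needs a durable, strongly
        # consistent store with an atomic "take and delete" operation so two
        # simultaneous presentations of the same code cannot both succeed.
        self._outstanding = {}

    def mint(self, account_id: str) -> str:
        """Issue a fresh random 16-digit code bound to `account_id`."""
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(15))
            code = body + luhn_check_digit(body)
            if code not in self._outstanding:  # collisions are astronomically rare; be safe
                break
        self._outstanding[code] = (account_id, self._clock() + self._ttl)
        return code

    def redeem(self, code: str) -> tuple:
        """Return (ok, reason, account_id). An accepted code is consumed and can never be reused."""
        if len(code) != 16 or not luhn_valid(code):
            return (False, "malformed", None)
        # pop() removes the code whether or not it is still valid, so a replay of an
        # expired code is also rejected rather than lingering in the store.
        entry = self._outstanding.pop(code, None)
        if entry is None:
            return (False, "unknown_or_already_used", None)
        account_id, expiry = entry
        if self._clock() > expiry:
            return (False, "expired", None)
        return (True, "accepted", account_id)


def demo():
    """Mint a code, use it, replay it, and let a second code expire. Returns the outcomes."""
    now = [1_000_000.0]  # fake clock so the expiry step is reproducible
    issuer = SingleUseCodeIssuer(ttl_seconds=300, clock=lambda: now[0])
    code = issuer.mint("acct-42")
    first = issuer.redeem(code)    # legitimate purchase: accepted
    replay = issuer.redeem(code)   # same code lifted from a POS log and replayed: rejected
    stale = issuer.mint("acct-42")
    now[0] += 600                  # customer never used it; 10 minutes pass
    late = issuer.redeem(stale)    # rejected as expired
    return code, first, replay, late


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point the example makes that the paragraph does not is where the security actually lives: the code itself carries no secret, so the "use once" property is only as good as the issuer’s redemption check and the expiry on unused codes. Nothing here stops a thief from spending a code they intercept before the customer does, which is why the TTL should be minutes, not days.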

This is just my thought for a solution but there are other people and organizations that have their own solutions to fix this problem.  The bottom line is that it is time to fix the problem, not keep kicking the can down the road with a known format that is at the end of its life.


8 Responses to “How About We Fix The Problem?”


  1. Jenifr
    December 9, 2015 at 8:35 AM

    Applaud the article contents and how well written and informative it is!!

    I appreciate the fair ground you give Target as well!! Since I personally survived ‘the target breach’ working in the credit services dept., we certainly were overloaded.
    But with the chip pin private label and MasterCards issued through Target, they REQUIRE a PIN within Target stores. We are the leading retailer to offer this new and stronger security.

  2. dave
    December 24, 2013 at 2:35 PM

    I disagree with your premise that cloned cards do not appear to be the method of fraud. I think it’s far too early to tell.

    Online sales would be the quickest to manifest but also the easiest to detect because of the lack of CVV2.

    A major advantage to this haul of cards is that they contain zip and then also just the sheer number of cards. Cloned cards used near the same location of the owner will be difficult to detect by processors with the result not known for sometime.

    • December 24, 2013 at 3:09 PM

      What is it about the lack of CVV2/CVC2/CID data? It amazes me the number of merchants that do not require it for online or telephone purchases. Yet people point to the lack of it as though it is some sort of magical control when a breach occurs.

      Another thing we do not know is the actual count of unique accounts we’re talking about. The total number of cards is 40 million, but no one has specified a total number of unique accounts. That is because law enforcement does not want anyone to know how much they actually know, just as when someone robs a bank the public statement is, “An undisclosed amount of cash was taken.” Given the popularity of Target, the number of unique accounts could be significantly less than 40 million. For example, during the time period involved, my family went to Target twice. If most people did that or even more often, then the number of compromised accounts quickly drops in half or even more. As a result, the actual number of usable accounts could be well below 40 million and we just do not know that fact.

      I agree with your statement that we’re early in the breach. However, in my experience, cloned cards are the earliest manifestation of a breach as they need to be created and used as quickly as possible if that is the method for the fraud. That is because card present fraud in the US is not as easy to commit as it once was. In addition, the financial institutions and their proxies now go to the carder sites and figure out what was compromised to close accounts before they become a problem, as well as their fraud recognition systems starting to see the fraudulent purchases.

      Getting cloned cards into the hands of people located in or near locations used is not going to be as easy as one might think. If the people buying the accounts are located in a major US city, then great. But anyone that needs accomplices to work multiple cities is going to be in trouble unless done by gangs. Also, this time around the financial institutions and card brands went on their own expedition when the cards went up for sale. A lot of those cards have already been cancelled so the risk of using them goes up for those buying them to commit fraud.

      It will be interesting to see how this breach plays out as it is being handled differently by the carders as well as Target, the financial institutions and the card brands.

  3. JS
    December 23, 2013 at 9:15 AM

    This may be accomplished with a device similar to the “Coin”; rather than a storage device, an intelligent device generating unique single-use 16-digit codes… if the companies agree to an industry standard.

    • December 23, 2013 at 9:23 AM

      Coin is just one of many approaches that are available. Unfortunately, Coin requires NFC and not all merchants have NFC terminals.

      Knowing how businesses work, if you can come up with a solution that works within the existing processes, you will get quicker adoption. That is why I am suggesting my solution, as it fits today’s existing business paradigm in regards to credit/debit cards. It can work manually, scanned, NFC, Bluetooth, Wi-Fi and any other technologies.

  4. Peter
    December 22, 2013 at 10:03 PM

    Well the team from Mastercard are all over it – I just received a Seasons’ Greetings card from their Academy of Risk Management 🙂

  5. Peter
    December 22, 2013 at 5:19 PM

    Did you just describe a solution which is a Virtual Credit Card?

    • December 22, 2013 at 7:34 PM

      While a virtual credit card could work in the way I describe, what I have seen demonstrated is credit cards with processing capabilities that generate unique single-use 16-digit codes. These cards are only slightly thicker than today’s cards and have an LCD display.

