They COULD protect your data… they CHOOSE not to…
Background
We hear about data breaches, and how costly they can be.
Worse, it seems like there is a new “worst-ever” data breach announced several times per year, and in reality, data breaches that we DON’T hear about occur several times per day.
What is a Data Breach?
A data breach occurs when someone gains unauthorized access to data that a company (or the government) holds about you, usually because that data was stored or protected inappropriately.
This happens when a company:
- Stores more data than necessary
- Stores data insecurely
- Fails to maintain a secure environment, for example by not applying security patches on a timely basis, or by not upgrading to newer, more secure operating systems.
- Stores data in the wrong part of the infrastructure. For example, many data breaches have resulted from a report or other file that sits on a web server, and is therefore not protected by the more secure parts of the infrastructure.
- Fails to authenticate properly, letting an attacker reach your data by pretending to be you, or by pretending to be a system administrator.
- Fails to adapt to emerging threats. The threat landscape changes constantly, and a secure operating environment must be continuously evaluated in terms of additional layers of protection, new technologies, or architecture changes that need to be implemented in order to mitigate new types of threats.
- Fails to follow internal policies. In addition to legitimate mistakes, an attacker might use social engineering to convince a “helpful” employee to:
- Install a Remote Access Trojan (RAT) on their own computer, by telling the employee to go to a “support” website, or to install an important update from a USB drive.
- Install a key logger, which the attacker insists is a simple hardware upgrade.
- Connect unauthorized equipment to the company’s network, which the attacker claims is simply diagnostic equipment.
- Unlock an account or reset a password without verifying the user’s identity.
A data breach usually results in a bulk disclosure of information, where hundreds, thousands, or even millions of people’s records are downloaded by an attacker.
What Data do they Get?
The data obtained by a data breach varies based on the type of company, and the types of personal information they store about you.
At minimum, a thief might get your:
- Name
- Username
- Password
- Profile data
Note: Passwords should always be stored as a salted, deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2), never in a reversible format. If a thief obtains your actual password, they can try it on other websites where you might have reused it. If the company stores a proper hash instead, the thief gets only the hash and has to guess passwords offline, one guess at a time, per user. A strong, unique password survives that; a common password, or one stored with a fast unsalted hash, does not.
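A worked illustration of that difference, added here and not taken from the original post: three constructed user records are stored first as unsalted SHA-256 and then as salted PBKDF2, and both tables are attacked with a tiny constructed word list. The user names, passwords, word list and iteration counts are all made up for the example.

```python
"""
Added example: what a thief can do with a stolen password table depends on
how the passwords were stored. Users, passwords and word list are constructed.
"""
import hashlib
import secrets

WORDLIST = ["password", "letmein", "qwerty", "summer2016", "Tr0ub4dor&3"]  # constructed


def store_unsalted_sha256(password: str) -> str:
    """The weak way: fast and unsalted. Same password -> same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_pbkdf2(password: str, iterations: int = 200_000, salt: bytes = None) -> str:
    """The better way: a random per-user salt plus a deliberately slow key derivation."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(stolen_hashes: dict, wordlist) -> dict:
    """One precomputed hash per word breaks every user with that password at once."""
    table = {store_unsalted_sha256(w): w for w in wordlist}   # computable before the breach
    return {user: table[h] for user, h in stolen_hashes.items() if h in table}


def crack_pbkdf2(stolen_records: dict, wordlist) -> dict:
    """Salting forces one slow derivation per (user, guess); no table can be reused."""
    return {user: w for user, rec in stolen_records.items() for w in wordlist if verify_pbkdf2(w, rec)}


def demo() -> dict:
    """Two users share a common password; the third has a strong one. Attack both tables."""
    strong = "k7#Vq9!pL2@xR4mW"   # constructed high-entropy password, not in the word list
    passwords = {"alice": "letmein", "bob": "letmein", "carol": strong}
    weak_db = {u: store_unsalted_sha256(p) for u, p in passwords.items()}
    good_db = {u: store_pbkdf2(p, iterations=100_000) for u, p in passwords.items()}
    return {
        "unsalted_cracked": crack_unsalted(weak_db, WORDLIST),
        "unsalted_duplicates_visible": weak_db["alice"] == weak_db["bob"],
        "pbkdf2_cracked": crack_pbkdf2(good_db, WORDLIST),
        "pbkdf2_duplicates_visible": good_db["alice"] == good_db["bob"],
    }
```

The point the run makes: the salted, slow table still gives up “letmein” for alice and bob, because a guessable password is guessable regardless of storage, but the attacker pays the full key-derivation cost for every user and every guess, cannot see that two users share a password, and never recovers carol’s.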
Banks, stock trading companies, and other financial services companies are required to store your social security number, which provides the thief with an easy target.
Did you answer any security questions? The thief has that information, too.
If you paid for goods and services, the thief now also has your credit card information.
What Happens to the Data?
Once the bad guys have your personal data, they sell it along with thousands or millions of other people’s data to other bad guys, who do things like:
- Take money from your bank account. With your social security number and a few other personal details, a thief can often pass the identity checks that guard access to your account.
- Commit identity theft – use your personal information to:
- Sign up for new lines of credit (for which YOU get the bill)
- Sell your house
- Apply for retirement, healthcare, or other benefits
- Breach other online accounts, such as Amazon, using your passwords and personal data
- Make fraudulent purchases:
- Online
- Retail (point of sale)
Why is a Data Breach bad?
Your accounts are insured. Your bank and your credit card company will reverse fraudulent charges.
So what’s the big deal?
- Fraud, especially online fraud, is a multi-billion-dollar industry; the bad guys make hundreds of billions of dollars every year. This drives up the cost of goods and services that are purchased legitimately, by people like you and me.
- Fraud and fraud prevention together carry a combined cost on the order of a trillion dollars. All of this directly raises the cost of goods and services, and it also raises the cost of financial services, which in turn indirectly raises the cost of everything you purchase.
- Banks and credit card companies spend time and effort investigating fraudulent charges, and working with their customers to reverse charges or take some sort of action.
- Banks and credit card companies are directly impacted by fraud when someone steals money from your bank account. When the bank reverses that transaction, the bank absorbs the cost.
- Banks, credit card companies, and merchants spend billions of dollars per year on anti-fraud and fraud-detection systems.
- Merchants often directly absorb the cost of fraud – especially in the situation where goods and services are purchased using a stolen credit card.
In addition to all of this, fraud impacts you directly:
- Fraud and identity theft affects your credit – it reduces your ability to borrow money and make major purchases, and could cost you hundreds of thousands of dollars over your lifetime.
- As a victim of identity theft, it could take many hours per week over the course of months or even years to correct everything that needs to be corrected. This is time for which you will never be compensated.
Worse, the bad guys might wait weeks, months, or even years to use your data, so you might have to pay for credit monitoring and other tools and services to protect your money and identity on an ongoing basis.
Data Breaches are Insidious
A data breach consists of extracting information from a website, information that its users put there.
This means that everything you enter online is potentially a ticking time bomb.
Likewise, companies like Experian and Equifax, which gather information about you without your consent, are setting you up for identity theft in the event of a data breach.
Some of Your Data Remains Static
Once the thieves have certain types of your data, it can’t be changed. This means that they can use it repeatedly, to try scam after scam after scam, and there’s nothing you can do about it.
- Once you have a Social Security number, it’s with you for life.
- Any of your personal data that you’ve used to create an online account is always going to remain the same, including your mom’s maiden name, the street you lived on as a kid, your first pet’s name, etc…
Tip: This is why you should NEVER give out personal information. See: “Thou shalt protect your identity” among “Password Commandments“.
- Your birth date.
- In many states, your driver’s license number. In some states, your driver’s license number was historically your Social Security number!
- Your name. Yes, you can legally change your name, but it’s not very practical.
Even Temporary Data can be Damaging
Some data DOES change over time, but not before the bad guys can use it against you.
- People have a tendency to use the same password for every website. If the thieves get your password, they can probably use it to get into your e-mail, your bank account, or other online accounts.
Tip: Do not reuse passwords, user names, or e-mail addresses. Thou Shalt Use Unique User Names.
- Your address certainly isn’t permanent, but it’s awfully difficult to change.
- Your e-mail address is also very difficult to change, especially if you’ve had the same e-mail address for years. You can sign up for a new e-mail account very easily, but it’s difficult to find all of the stuff that’s currently linked to your old account and move it over to the new one.
- After a breach, payment card information can be purchased by a thief, and used dozens or hundreds of times before anyone even knows that it has been stolen, and long before the credit card company can shut it down.
Most Data Breaches are Self-Inflicted
Most data breaches are at least somewhat preventable.
- Companies tend to gather and store more of your personal data than they need.
- Companies tend to store data insecurely.
- Companies tend to store data for longer than needed.
- Companies tend to store your data in a reversible format (plaintext, or encryption with a key that sits on the same system) rather than hashing or tokenizing it where that would do.
- Companies often fail to follow their own internal procedures.
Thieves are lazy, and tend to attack targets of opportunity. Companies that DO properly protect your data, either don’t store it at all, or make it much harder for a thief to steal. As a result, thieves will tend to go after easier targets, avoiding hardened ones.
What are the Credit Card Companies Doing About It?
In short, nothing helpful.
Fraud Detection / Prevention
Credit card companies have sophisticated anti-fraud systems that detect and in some cases, prevent what they consider to be fraudulent purchases.
They do this with a sophisticated set of algorithms that track your purchases over time and geography.
These algorithms continuously evaluate new data in near-real-time, trying to guess if YOU made that recent purchase, or if a bad guy obtained your credit card data, and the BAD GUY made the purchase.
Because this process isn’t perfect, and because a credit card is useless if it isn’t reliable, the credit card companies have to tune these systems to be less aggressive, erring on the side of approving a transaction rather than declining a legitimate one.
Because of this margin, by definition, not every fraudulent charge will be detected.
Also, because it can take several purchases (and therefore, time) for a pattern to emerge, the other problem with automated fraud detection is that a thief can make dozens or hundreds of purchases very quickly before the credit card gets shut down.
Often, after the data breach, the first group of thieves will sell the credit card data in large blocks, and then a second group of thieves will subdivide them into smaller batches, print physical credit cards, and farm them out to a gang whose job is to make as many purchases as quickly as possible. They use a physical copy of your credit card to buy gas, tools, televisions, and whatever else they think they can sell, before your credit card is maxed out, or shuts off.
Or, they farm the data out to gangs of thieves who make hundreds or thousands of online purchases from companies like Amazon. The seller doesn’t know that the credit card data is stolen. By the time they figure it out, the thieves have received whatever was purchased, which they subsequently liquidate.
Chip and Pin
So-called EMV (Europay, Mastercard, Visa) “Chip and PIN” uses a small computer chip embedded in the card to perform a cryptographic operation: the chip computes a cryptogram for each transaction using a key that never leaves the chip. Rather than a traditional “card swipe” that reads the card’s magnetic stripe, the user inserts one end of the card into the point of sale terminal and types a PIN on the keypad.
EMV chip cards were rolled out in the United States around 2015 (the liability shift that pushed merchants to accept them took effect in October 2015), mostly as “chip and signature” rather than chip and PIN. The chip is designed to prevent a thief from copying a card’s magnetic stripe, or stealing someone’s physical card, and then using it at a point of sale terminal.
- Chip and PIN was hacked before it ever reached the US. Researchers, and later criminals, showed that a second chip affixed on top of the real one, on a stolen card, could sit between the card and the terminal and answer “PIN OK” to whatever PIN the thief typed.
- Chip and PIN doesn’t work for online or phone purchases. A thief doesn’t even necessarily have to have a physical card, as long as they have the card number, expiration date, and security code – all of which would be included in the information obtained from a data breach.
- If Chip and PIN fails, the point of sale terminal automatically “falls back” to a traditional swipe and sign method. If the chip dies (or is intentionally disabled), a thief can simply use the card normally.
- Most US merchants don’t prompt for a PIN, because most US issuers chose chip and signature. Simply inserting the card is sufficient.
On top of all of these problems, chip and PIN is both confusing and slow.
PhoneFactor and Other Multi-Factor Methods
PhoneFactor is a method for sending text messages to your phone, to help authenticate a login or transaction.
Here is how it works:
- You order a monstro mocha coffeechino.
- You swipe your card.
- You get a text message containing a PIN.
- You enter the PIN in to the PIN pad on the credit card terminal.
- Transaction authorized.
The nice part about this is that it also kind of works for online transactions.
There isn’t really a way to enter the PIN as part of your transaction, but you at least get a text when you make an online purchase, and you can respond to that text with “yes” or “no” (or maybe 1 and 0) in order to “authorize” your transaction.
Many merchants (online and retail) use payment processors, which act as an intermediary between the merchant and the credit card company, and this means that the payment processor doesn’t necessarily have the ability to send you a text message, since it’s the credit card company who has that information. In many cases, the transaction isn’t even conducted in real-time.
As a result, out-of-band authentication methods like PhoneFactor are used more for debit cards, which work differently from credit cards: the processor makes a direct connection to your bank in real-time, and your bank sends you the text message.
In addition, this type of multi-factor authentication requires that you have a phone with you at all times, and that you have a good signal from your carrier, so that you can send and receive text messages – all of this hampers the convenience factor of being able to simply slide a little plastic card.
Google / Apple Pay and Others
Google, Apple, and other companies have tried to address this problem by letting you store your credit card (“payment”) details in a “wallet” that you can access online, or store in your phone.
When you make a purchase, rather than make the purchase directly, Google or Apple makes the purchase on your behalf.
This approach still requires that a credit card number, cardholder name, expiration date, and security code exist somewhere in the system, and if they exist, a hacker can eventually figure out how to extract them. To their credit, Apple Pay and Google Pay do not put the real number on the phone or hand it to the merchant: the device holds a device-specific token and generates a one-time cryptogram per transaction, so a merchant breach yields data that doesn’t work elsewhere. The real number still lives in the issuer’s and token service provider’s back end, though, and that is where a breach hurts.
PCI Security Standards
PCI (Payment Card Industry) Security Standards are a set of security requirements for all merchants, payment processors, and banks that handle card data. They are imposed by contract with the card brands rather than by law, and include a compliance process with regular assessments.
Failure to meet PCI requirements means that you might lose access to process credit card transactions, so everyone in the industry takes these seriously.
Every few years, the standards are updated to retire weaker requirements, incorporate emerging standards, and add controls designed to mitigate new threats.
PCI brings with it three problems:
- The cost of compliance constantly increases as new requirements are added to the standard. For larger banks, retailers, and payment processors, this is simply the cost of doing business. Smaller businesses bear a disproportionate cost.
- Although PCI describes a strong baseline, in the real world all it takes is one unpatched server or one careless employee to create a security hole that an attacker can exploit.
- With the threat landscape constantly evolving, PCI has to be constantly revised, resulting in a lot of churn. In some situations, a continuous stream of internal changes could create new security holes where none previously existed.
The Problem: Data is Reusable
The problem with credit cards is that the data is reusable.
Once you have a person’s credit card information and a few personal details, you can effectively make purchases or even open up additional lines of credit, by reusing that information.
Stated more simply, the same data that the user enters in to a website can later be extracted and reused by a thief, because the data itself doesn’t change.
The same is true for ALL personal data, but I’ll limit the scope of this article to just credit card data.
If, for example, your credit card number “magically” changed every time you used it, there would be nothing for a thief to steal. They could steal a copy of your credit card number that had already been used, but if the thief attempted to reuse it, they would quickly find that (because it changes) the credit card number they stole is no longer valid.
A continuously-changing credit card number presents some challenges. For example:
- If two merchants process their transactions out of sequence, each will have the wrong credit card number.
- Typically, you would save your credit card details to a website as a convenience, so that you can make additional purchases in the future. However, if that information changes with every purchase, there would be no point (and no convenience).
Possible Solution – Digital Credit Cards
Although there may be others, there is at least one simple solution that is proposed repeatedly, and this solution gets shot down by the credit card companies, every time someone proposes it.
The excuse always centers around cost – this will require programmatic changes to back-end systems, and will require any payment processor to provide new tools that interface with the back-end and front-end systems.
For example, when you enter a new payment method on Amazon, this solution would require that you do it in a slightly different way. The second and subsequent use would be the same as it is today – click and go, or possibly click, PIN, go.
A credit card number is usually 16 digits. The first six (now up to eight) identify the issuer, and the last is a check digit computed from the others, which leaves only nine free digits, about a billion account numbers per issuer prefix. (The full 15-digit space would be 10^15, a quadrillion rather than a trillion, but no issuer gets to use all of it.) Some combinations are never used, so the usable pool is smaller still. That is far too few to give every cardholder a distinct number for every merchant, which is why this approach needs a longer or differently structured number.
This solution requires that we change what we think of as a credit card number, and that the credit card industry invests in software and tool sets that support new formats.
As the concept is for more than protecting just online use, new hardware and software updates would be required. That could be considered expensive, but hey, chip and PIN required a full hardware and card replacement, and chip and PIN doesn’t even work properly.
So what it boils down to, is that the credit card companies don’t want to invest a few hundred million dollars to mitigate billions of dollars in fraud, and a trillion dollars in overall economic impact.
Not the Solution: Virtual Credit Cards
Although the concept of virtual credit cards is used to some extent today, it only begins to address the issue of reusable data.
The concept is that you go online and generate as many virtual credit card numbers as you need, and you use a different one for each merchant.
For example, you have a specific credit card for grocery shopping at Kroger, and a different, specific credit card for online transactions with Amazon.
Ideally, you would have a different virtual credit card for every retail and online merchant, and there would be a system to limit a specific virtual credit card to a specific merchant. So if you tried to buy coffee at the local coffee shop, you would have a specific card for THAT coffee shop, and if you tried to use your coffee-shop-card at the store, the transaction would be denied.
There are a few limitations and caveats:
- This solution depends on the consumer to be disciplined.
- Works better for online. Carrying a pocket full of physical credit cards isn’t practical.
- Need a way to restrict access by merchant and virtual card.
- All of these extra credit cards require extra credit card digits – back to investing in back-end code and tools to support this.
- If, at any time, you use your “main” credit card, it might be compromised, and you’re now back to the original problem.
This last one is pretty important. Again, with an online purchase, it’s easy to open a new browser tab, log in to my credit card’s website, crank out a new virtual card, and then use that to make my purchase.
But, what if I’m out somewhere, and I decide to buy a snack? Unless I already have a “throw-away” card, I have to use my main card, which puts me back to the position of giving my super-secret main card number to some guy selling snacks, and trusting him that he and his credit card processor will keep it safe.
Difficult Solution: Pre-Paid Credit Cards
I know people who take a middle ground approach – they use their main credit card to purchase pre-paid credit cards, and then they use those for online and retail.
So if the ISP wants a credit card for automatic billing, here’s a pre-paid card that you can top-up from time to time, and if the card becomes compromised, your entire liability is limited to whatever happened to be on that card at the time. If you’re disciplined, you keep a near-zero balance, and transfer just enough money to pay your bill each month.
Taking a day trip? Load up a couple of pre-paid cards to take with you… Use them for minor purchases, and then use your “main” card for major purchases.
Again, the trade-off is time and effort, and in some cases service charges to do all of this.
Better Solution: Digital Credit Cards
What is a digital credit card?
Unlike a physical piece of plastic with your credit card number prominently displayed all over the front of it, a digital credit card is cryptographic software that runs either as an app on your phone, or on a physical credit-card shaped device that you carry in your wallet (like a conventional credit card).
Using a starting seed value, it’s possible to generate a virtually unlimited number of credit card numbers.
Here’s how it works:
- You download the digital credit card app, or purchase a digital credit card device.
- Your credit card company issues you a digital credit card seed value, which you enter into your digital credit card and protect by choosing a PIN.
- The digital credit card uses the seed (unlocked by your PIN) to generate a thumbprint, an account identifier that is uploaded to the credit card company.
Later, when you make an online or retail purchase:
- The merchant presents you with a merchant ID.
- You enter your PIN and the merchant ID into the digital credit card, which uses the seed + merchant ID to construct a unique, virtual credit card number that can now ONLY be used for that merchant.
- You present the virtual credit card number, your thumbprint, and other relevant information to the merchant, who processes your payment.
- When the processor submits the payment to the credit card company, the company uses your thumbprint to identify you and look up your account details. It can also verify mathematically that the virtual card number used for payment is correct for that merchant.
- The credit card company processes the transaction.
- If someone tries to use that specific virtual credit card number with another merchant, the credit card company can detect the inconsistency immediately, and deny the transaction.
There are variations of this process, where even the thumbprint is unique either per transaction or per merchant, and yet other variations that employ public-key cryptography, where the merchant and payment processor are given enough information to verify mathematically that only a person holding the “real” digital credit card could have generated that specific credit card number.
However, the above is a very basic but workable blueprint for using digital credit cards.
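As an added example, not the author’s design in detail or code, here is the blueprint above, together with the per-merchant number idea from “The Problem: Data is Reusable”, turned into working Python. It assumes an HMAC-based derivation, a constructed issuer prefix, a Luhn check digit so the output looks like a 16-digit card number, a PIN that unlocks the seed on the device and wipes it after three failures, and an issuer that keeps a copy of the seed so it can recompute and verify the number. All of those are the example’s own choices.

```python
"""
Added example: a merchant-bound "digital credit card". A seed is shared by the
card and the issuer; a thumbprint identifies the account; the card number is
derived per merchant and is useless anywhere else. The HMAC derivation, IIN
prefix, three-strikes wipe and issuer-held seed copy are assumptions made here.
"""
import hashlib
import hmac
import secrets

PAN_LENGTH = 16        # digits in the virtual card number, check digit included
IIN = "400000"         # constructed issuer identification number (first 6 digits)
MAX_PIN_ATTEMPTS = 3   # assumed lockout threshold before the device wipes the seed

def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test (the check digit on real cards)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                        # double every second digit, starting at the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) == PAN_LENGTH and luhn_check_digit(pan[:-1]) == pan[-1]

def thumbprint(seed: bytes) -> str:
    """Stable account identifier sent to the issuer at enrollment; reveals nothing about the seed."""
    return hmac.new(seed, b"thumbprint", hashlib.sha256).hexdigest()

def derive_virtual_pan(seed: bytes, merchant_id: str) -> str:
    """Merchant-bound number: HMAC(seed, merchant ID) -> nine account digits -> Luhn check digit."""
    mac = hmac.new(seed, b"pan|" + merchant_id.encode(), hashlib.sha256).digest()
    body_len = PAN_LENGTH - len(IIN) - 1
    body = str(int.from_bytes(mac, "big") % 10 ** body_len).zfill(body_len)
    partial = IIN + body
    return partial + luhn_check_digit(partial)

class DigitalCard:
    """The phone app or card-shaped device. Holds the seed; the PIN gates every use of it."""

    def __init__(self, seed: bytes, pin: str):
        self._seed = seed
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)
        self._failures = 0

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def wiped(self) -> bool:
        return self._seed is None

    def card_number_for(self, pin: str, merchant_id: str):
        """Merchant-bound card number, or None if the PIN is wrong or the seed has been wiped."""
        if self.wiped():
            return None
        if not hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self._failures += 1
            if self._failures >= MAX_PIN_ATTEMPTS:
                self._seed = None             # too many wrong PINs: wipe; re-enrollment required
            return None
        self._failures = 0
        return derive_virtual_pan(self._seed, merchant_id)

class Issuer:
    """Card company back end. Keeps a copy of each seed, indexed by thumbprint (assumption)."""

    def __init__(self):
        self._accounts = {}

    def enroll(self, account_holder: str):
        seed = secrets.token_bytes(32)
        tp = thumbprint(seed)
        self._accounts[tp] = (account_holder, seed)
        return seed, tp                       # seed goes to the cardholder's device, tp is kept

    def authorize(self, tp: str, merchant_id: str, presented_pan: str) -> bool:
        """Recompute the number for (account, merchant) and compare; any mismatch is declined."""
        record = self._accounts.get(tp)
        if record is None or not luhn_valid(presented_pan):
            return False
        expected = derive_virtual_pan(record[1], merchant_id)
        return hmac.compare_digest(expected, presented_pan)

def demo() -> dict:
    """Enroll, pay at a coffee shop, then replay the stolen number at a grocer."""
    issuer = Issuer()
    seed, tp = issuer.enroll("alice")
    card = DigitalCard(seed, pin="4921")
    pan_coffee = card.card_number_for("4921", "merchant:coffee-shop-17")
    pan_grocer = card.card_number_for("4921", "merchant:grocer-0042")
    return {
        "coffee_ok": issuer.authorize(tp, "merchant:coffee-shop-17", pan_coffee),
        "replayed_elsewhere": issuer.authorize(tp, "merchant:grocer-0042", pan_coffee),
        "distinct_numbers": pan_coffee != pan_grocer,
        "luhn_ok": luhn_valid(pan_coffee),
    }
```

Two things fall out of keying the number by merchant rather than by transaction: the out-of-sequence problem from the earlier section disappears, because the number for a given merchant never changes, and the nine free digits behind a real issuer prefix are visibly the bottleneck, since every (cardholder, merchant) pair needs its own number.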
Using a digital credit card for a retail purchase would involve having the phone or device seamlessly exchange information with the payment terminal. This could be accomplished with NFC (Near-Field Communication), where the phone / device and the payment terminal communicate by radio, or it could be a simple quasi-manual process where the payment terminal displays a barcode that you scan into your phone, which then displays another barcode that you scan into the payment terminal.
Using a digital credit card for online purchases would follow basically the same process. Installing a copy of the digital credit card application on your laptop would allow you to make online purchases almost seamlessly.
Here are the advantages of a digital credit card system:
- Credit card numbers stolen from one merchant can’t be used for another merchant
- Your credit card information is stored on your device, and requires a PIN to unlock it
- Online merchants can store your credit card details as a convenience, without risk of that information being disclosed and used elsewhere.
- There is no physical credit card to lose or steal. Your phone or digital credit card device could get stolen, but the information is protected by a PIN. Entering the PIN incorrectly too many times wipes the credit card data, requiring that the digital credit card must be reinitialized to use again.
Here is what the credit card companies would have to do in order to support this:
- For people with smart phones, it’s fairly easy to write a digital credit card app that implements industry-standard cryptographic security.
- For people WITHOUT smart phones, you must build a physical credit card device that’s capable of interacting with the user as well as the payment terminal. Although this requires a hardware investment, all of the hardware is commercially-available today, and the development and production cost would therefore be minimal.
- The payment terminal software must be updated to accommodate the new workflow and longer credit card numbers. This is a large and costly logistical challenge, but existing standards already require that these terminals are updated regularly.
- The credit card companies would have to re-write their back-end software and tool set. This is a significant investment in software development, but not an overall significant cost.
- Merchants and end-users need to be trained. This constitutes a logistical challenge, but it has already been done for chip and PIN.
- Today, if you eat at a restaurant and pay with your credit card, you give it to the waiter / waitress, who then processes the payment using a credit card terminal. The use of digital cards would require a specially-designed terminal that the waiter brings to your table, but many chain restaurants are already rolling out “pay at the table”.
Conclusion
As you can see, replacing plastic credit cards with digital ones eliminates the reusable data that thieves obtain during a data breach and then use to make fraudulent purchases.
Simple, off-the-shelf cryptographic tools and libraries can be used to construct this process.
The Credit Card industry has been resistant to this approach for over a decade, stating instead that band-aids such as chip and PIN will “solve the problem”.
Until we eliminate reusable data, we won’t eliminate the threat posed by a data breach.