[personal profile] thewayne
An unknown number of cards were compromised; Krebs reports "thousands" turning up for sale on carder sites on June 9th, and the attack occurred between March and May of this year. Apparently their faster food chain Pei Wei is unaffected.

The interesting part is that this appears to be the same guy/group that did Target and Sally Beauty. They've made themselves one giant target...

Discussion on Krebs's site for this article talks about the need to switch to Chip & PIN. There's only one problem: it doesn't protect you from online purchases, since those will still be card-number-only transactions because you don't have the device that lets you read the chip in the card. After that eBay hack, I switched my PayPal account to a verification system where they text you a number to enter to confirm the transaction. I wonder if this will help spread NFC phone tech, which is something that's been proposed before and, with the continued growth in smartphone sales, is increasingly viable.

http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/

In other news that provides a nice contrast to the above, yesterday I bought a new camera online for about $2700, and this morning I got a call from my bank asking about the charge since it didn't fit my previous patterns. I really appreciated that; it's nice to know that my bank is keeping an eye out for me. (And I'm REALLY going to appreciate my new camera when it gets here Monday!)

Date: 2014-06-11 08:04 pm (UTC)
From: [identity profile] moiraj.livejournal.com
How do you stay on top of all of this stuff?

Date: 2014-06-11 11:18 pm (UTC)
From: [identity profile] thewayne.livejournal.com
You have to understand my breakfast routine. Every morning I wake up my desktop and load my 'comics' tab. It opens 60-some windows of mostly web comics, but includes: Wired, Slashdot, Krebs, my LJ friends page, several game design blogs, etc. Between Wired, Slashdot, Krebs' page, and getting Bruce Schneier's blog through an LJ feed, I have a pretty fresh stream of computer stuff every morning. Plus lots of humor, which is always a good way to start the day.

Date: 2014-06-11 09:33 pm (UTC)
From: [personal profile] silveradept
So many places with data that they shouldn't have makes things much more appealing for thieves. How difficult would it be to have encryption on cards so that even swiping something only produces encrypted data?

Date: 2014-06-11 11:29 pm (UTC)
From: [identity profile] thewayne.livejournal.com
I've seen a proposal where the process would be something like this: Person A who banks at B goes in to store Y who banks at Z. A initiates an order with his bank to pay X amount for invoice whatever to Y's account at Z. This is encrypted. B transfers to Z, Z notifies Y that payment has been received for X amount for invoice whatever. Transaction concluded. Y knows he's paid, but only his bank knows that a payment came from B, they don't know A's account info. The merchant doesn't know the customer's banking specifics, the customer doesn't know the merchant's banking specifics. High level peer-to-peer security can be used throughout.

It can be done, but the banking industry currently feels that it's cheaper to do refunds when demanded and re-issue cards rather than strengthen the entire system to make it more resilient to attack. Meanwhile, because one of my bank cards wore out long before it was scheduled to be replaced, I had to pay $9 to get a new one.

Date: 2014-06-12 12:04 am (UTC)
From: [personal profile] silveradept
If we made banks liable for all the damage that hacks caused, or some other way of punishing entities that let out that kind of data, I'm sure security would improve quickly. Not that we could get those kinds of rules or laws passed through our current legislature, but still.

Date: 2014-06-12 05:45 pm (UTC)
From: [identity profile] thewayne.livejournal.com
The question of damages is a nebulous concept. How much monetary damage have I incurred if someone steals my identity and plunders my checking account? That one is quantifiable to a point; we can say 'X amount of money was stolen from my account and incurred Y amount of NSF charges.' The amount of money that I have to spend locking down my credit accounts and monitoring everything, not to mention stress and lost sleep, is more difficult to quantify. In the past, insurance payments for car accidents to the not-at-fault driver were typically three times the medical costs (it might have been med + car repairs; it's been a long time since I've had an accident). I'm not sure if such a standard would be appropriate to this situation.

But if we expand these punitive damages to identity theft, things get more difficult. If someone trashes my credit score yet doesn't plunder my bank accounts, how do you assign a dollar value to it? Damages certainly have been done, but how much?

A thought does occur to me. I recently received an email saying that I was a member of the settlement class of a suit against Ticketmaster; the award that was due me was something like $4.75 off my next purchase through Ticketmaster. Big whoop. What would be awesome would be something like: if Google had to pay the Feds $50,000,000 for some security offense or another, the money would go to open source security researchers and developers.

It'll never happen, but it's a pleasant thought.

Date: 2014-06-12 08:55 pm (UTC)
From: [personal profile] silveradept
Yeah, forcing companies to give up their fines to researchers that do work in the public interest would be great.

I think we could start assessing fines based on credit manipulation based on the extra interest that someone would be charged on, say, a mortgage based on their new score versus the old one. If we start with a multiplier based on that, we can start to assess appropriate amounts of damages. Bigger breaches mean more fines based on more people being potentially affected, which get revised upward as the actual costs of the fraud in relation to credit scores and bank accounts roll in.
