So, thieves will hit the Goodwill, too. That's aggravating, at best. I almost wonder whether everyone needs to have a public-key credit card that can be shared and stolen forever, but not be any help without a private key that's stored somewhere safe. Would that help at all?
Most of these thieves are Russian or from former Soviet satellite nations, and if they can find a vulnerable merchant, they don't care. It's fairly easy, low-risk money in a region where unemployment and opportunities are rare.
In an obliquely-related story, I read something on Slashdot in the last couple of days that people who lived under the East German regime were more likely to cheat. This could say something about the political environment that permeates that region.
Storing a public key on the card: I don't know if that'd help. Your private key has to be somewhere and that would be vulnerable to theft. If you use encryption like that on your personal computer, then that PC has to be stolen or hacked to compromise your communications, which provides you with some security: hopefully you'd know if your computer is stolen and you can revoke your private key. But if the private key is on your phone or something, I don't know if that's an improvement. Every week I read about new Android banking malware that's making the rounds.
Chip and PIN isn't a complete solution, either. It only provides secure in-person transactions; it's still possible for your account to be looted by other vectors, and apparently it's more common when C&P cards are used for the bank to raise its hackles by saying that if your account is compromised, clearly it's your doing because the system is obviously secure. It does nothing for online transactions if there isn't a reader on your personal computer to validate the chip.
I don't remember who, but one bank many years ago offered one-off credit card numbers for online transactions. Basically it would be tied to your account for one transaction and a limited period of time, and then that number would be invalidated. I think it was a fabulous idea: a card would not be issued, so the only cost would be electrons. But I haven't heard of it recently, so I think it probably died a quick death. You could not do an unsalted hash of the temp card plus permanent card, as it would be too easy to compute rainbow tables to break that, so you couldn't use it as part of a crypto key.
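The one-off number scheme described in the comment above, as an added example that is not part of the original thread or any bank's implementation: each number is drawn at random and linked to the account only through an issuer-side table, so nothing about the permanent card can be computed from it, unlike a hash-derived number. The class name, the `999999` prefix, the 15-minute lifetime and the account ids are assumptions.

```python
import secrets
import time


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a digit string that lacks one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


class VirtualCardVault:
    """Hypothetical issuer-side table: one-off number -> (account, expiry)."""

    def __init__(self, bin_prefix="999999", ttl_seconds=900):
        self.bin_prefix = bin_prefix    # constructed prefix, not a real issuer range
        self.ttl = ttl_seconds
        self._live = {}

    def issue(self, account_id, now=None):
        now = time.time() if now is None else now
        while True:
            # Random body from the OS CSPRNG; no input from the real card number.
            body = "".join(secrets.choice("0123456789") for _ in range(9))
            partial = self.bin_prefix + body
            number = partial + luhn_check_digit(partial)
            if number not in self._live:
                break
        self._live[number] = (account_id, now + self.ttl)
        return number

    def redeem(self, number, now=None):
        """Return the account for a live number, or None. Always consumes it."""
        now = time.time() if now is None else now
        entry = self._live.pop(number, None)    # pop enforces single use
        if entry is None:
            return None
        account_id, expiry = entry
        return account_id if now <= expiry else None
```

A merchant breach then exposes only a number that is already spent or about to expire; the mapping back to the account never leaves the issuer.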
That's too bad the temporary number idea didn't take off, because if it was sensible and easy to use, that would totally be the thing to do. Or that everyone gets a gift card number to use - they can move money into it without fees, so any time they're buying something, only the number with a fixed amount of possible loss is exposed.
The gift card idea seems a good one to me, the big gotcha being whether you can refill it without fees. I use gift cards in a one-shot way, use it up and toss it.
I've also considered the concept of a second checking account if your bank allows instant funds transfer between accounts and hopefully being able to open two accounts online at once. One possibility of the latter would be to simply use two different browsers to keep the cookies isolated; I have four browsers on my computers, three of which are used regularly; the fourth is Opera and only used as a (rarely used) torrent client.
Well, for all that credit card companies get wrong, their fraud liability seems to be the right way of doing things, so the second checking account seems like a potentially riskier prospect.
no subject
Date: 2014-07-24 03:40 am (UTC)
no subject
Date: 2014-07-24 05:41 pm (UTC)
no subject
Date: 2014-07-25 01:18 pm (UTC)
no subject
Date: 2014-07-25 05:34 pm (UTC)
no subject
Date: 2014-07-25 06:07 pm (UTC)