Scratch the surface of any of the recent hacks and you find gross incompetence. Here’s the latest on Home Depot’s record 56 million card hack:
Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by the New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.
In 2012, Home Depot hired Ricky Joe Mitchell as its senior IT security architect. Mitchell got the job after being fired from EnerVest Operating in Charleston, South Carolina—and he sabotaged that company’s network in an act of revenge, taking the company offline for 30 days. Mitchell retained his position at Home Depot even after his indictment a year later and remained in charge of Home Depot’s security until he pled guilty to federal charges in January of 2014.
From the Times story:
Several former Home Depot employees said they were not surprised the company had been hacked. They said that over the years, when they sought new software and training, managers came back with the same response: “We sell hammers.”
Target’s CEO lost his job over the hack at his company, so it will be nice to see the head of hammer culture take a fall.
PIGL
I’m going to go out on a limb and predict that when the truth is known this will be discovered to be the result of C suite psychopaths protecting and assisting each other. All must die.
Corner Stone
The only other decent size company I am aware of with systems more outdated than HD is the craft store Hobby Lobby.
There is absolutely nothing surprising about HD getting hacked.
Corner Stone
I wonder if there’s a way to somehow tie Ken Langone’s money into the lawsuit?
dmsilev
From the article, it sounded like Home Depot blew off required security audits. I wonder whether the credit card companies will try to recoup their losses by taking it out of HD’s hide based on that. 56 million cards times however many dollars of fraudulent spending per card should be a big enough potential loss to get their attention.
Corner Stone
Speaking of Science and Technology, fairly interesting read on “School Reformers”
Ego, Money and False Promises: Michelle Rhee’s Big Secret and the Collapse of Education “Reform”
“So it’s not beyond reasonable to wonder if Rhee got out of the business of “education reform” while the gettin’ was good and left StudentsFirst at a time when it has likely peaked in influence and may even be in decline.”
Mike in NC
Home Depot, or as a Republican friend of mine once said “Home Despot”. Billionaire owner Langone is a huge wingnut asshole, so don’t shop there.
Tommy
@Corner Stone: My experience working around technology is most executives don’t want to educate themselves. I am not a programmer but made my living for many years working with some of the largest tech companies in the world. The programmers liked working with me because I tried very hard to understand what they did for a living. When I didn’t understand something I asked for them to explain it to me. My experience is when you ask most tech nerds to explain something they are more than happy to do it. You just have to ask.
WereBear
@dmsilev: I hope so. We need consequences to stupidity. The only contribution current business culture has brought is the dubious skill of offloading responsibility onto customers.
I’ve been involved in some recent discussion, both on & off-line, of how much everyone now dreads picking up the phone for that 800 line. It’s not a sense of “here goes an hour of my life getting this thing straightened out.” It’s the dread of “we’re talking two hours just to get the right person on the phone, and it might take a week to fix this. Maybe.”
It’s jerks like “We sell hammers” that have gotten us to this state. Honestly, I’d LIKE to avoid doing business with idiots, but in so many ways, there really is no alternative; like getting access to the Internet, for one. So, there’s no escape from the idiocy.
Mike in NC
If you hire a guy named Ricky Joe to run your IT department, you just might be doing something wrong.
Corner Stone
@WereBear:
Had a safety issue with a local utility recently. Took me trying over four days to get to a supervisor. And by that time they had resolved the safety hazard, so I’m like, “I don’t have the issue anymore but just wanted you to know I am very unsatisfied at the process.”
Of course, it’s a utility so…
Corner Stone
@Mike in NC: Don’t you think you’d ask the guy under what conditions he left his previous employment?
“Oh, they tossed me so I totally spite-fucked their systems for like 30 days. It was awesome!”
Howard Beale IV
@dmsilev: The issuers will definitely charge HD for each and every plastic they’re forced to re-issue. And the firm that did HD’s PCI audit will probably lose their certification and/or be dragged into any lawsuits coming HD’s way, and there will be holy hell to pay if there was no PCI audit or if it was obviously ‘blown off’.
There’s a real possibility that Target and Home Depot could be headed for some massive liability charges that their business insurance won’t cover.
Corner Stone
“Snack time..and Lunch. Snack time..and Lunch”
*does the Robot dance*
Love that commercial.
WereBear
They didn’t want to spend the money to secure the systems. Heck, they regard employees as pure drains on profit.
This is part of the mindset that has turned any spending at all from “investment” to “lost profits.”
BBA
Will this accelerate the switchover to EMV cards? I hope so. I got a chip card for trips abroad, in the US I see a few card readers with the EMV slot but they’re almost never turned on.
Tommy
@Howard Beale IV: Isn’t part of the problem that everything is outsourced? Cheaper than having staff members do the actual work. I have to think that somebody at the IT firm that is doing the work for Target or HD might not care as much as somebody who was working for each company.
Corner Stone
@Tommy:
IMO, it’s doubtful the point of failure is with the folks doing the IT. In the specific case of HD, it’s noted that IT people were quitting because the environment was so adverse to doing the right thing IT/security-wise.
MattF
I can understand why businesses don’t want to deal with the fact that their IT infrastructures are screwed– management is all about power, control, and culture, and building a secure infrastructure requires putting a lot of new and strange faces in the executive suites. It’s a new world, and the old guard doesn’t like it.
Tommy
@WereBear: I totally agree with you. Good security isn’t inexpensive, and it is ever changing. I am willing to bet there were internal conversations at these companies where somebody said, “we are not doing enough to secure our customer information.” Then some drone executive said let’s do a cost benefit analysis of what would happen if we don’t spend the money. Then they decided not to do what was needed.
Howard Beale IV
@Tommy: I know some IT functions at Target are outsourced, but I don’t know if the retail POS systems are. Regardless, Target is still on the hook, outsourcer or no.
Howard Beale IV
@BBA: Visa and MasterCard have mandated EMV in the United States by 2015; otherwise, merchants are 100% on the hook for chargebacks.
? Martin
Government regulation doesn’t work. Market competition ensures that optimal solutions are found.
Ruckus
@Tommy:
Thing is it really isn’t cheaper. It is easier, it does require less management and thought about how to do things right and how to keep from doing them wrong, but it isn’t cheaper. Unless you pay someone not to do all the work required to actually accomplish a given task. The problem is they think it’s cheaper, they think it builds the bottom line, but what they really want is money with no responsibility.
The ideal company is one with an idea, no employees, no capital costs, everything outsourced, a huge stock market evaluation, a hundred million a year paycheck, no requirement to actually do anything or be anywhere and no legal responsibility. That’s what is wanted. The ideal company.
Mike J
@Tommy:
I doubt they even did a cost benefit analysis. Corporate culture in America says sales departments bring in revenue, IT departments just spend money. This is why salesmen are given new BMWs at the yearly meetings and software developers are expected to buy their own. This is true even (especially) at software companies.
Redshift
@Tommy: Yup, it’s all about money. From what I’ve read, fixing these problems at all the large retailers required replacing point of sale hardware at all of the stores, which costs a lot of money. So they kept their decade (or more) old systems which security people knew weren’t secure, and hoped it wouldn’t happen to them. Or at least not until the executives making the decision have taken their golden parachutes.
WereBear
We got credit cards specifically because we buy online a lot and were worried about using a debit card online. I am glad not to carry cash; I know someone who lost their wallet with their rent and grocery money in it… that hurts a LOT compared to losing cards.
I am very typical in this. Companies who mess around with people’s cards don’t realize what they are gambling with. One high profile incident, like Target and now Home Depot, and people are going to look at your company as the financial equivalent of poisoned Tylenol.
PIGL
@MattF: The thing is, it’s not really a new world. It’s been here in the present form for 20yrs and it started growing in the 1960s. There’s no excuse anymore. It’s not reluctance, or fear of the unknown, or stupidity by the part of some mythical old guard. It’s the dominance of high level corporate life by sociopaths who recognize and aid one another in their predatory behaviour…..not unlike pedophiles are said to do.
Tommy
@Ruckus: I don’t disagree. I am something of a tech geek. Not at the level where I would run a national network for a major big box store. Not even close, but I know what I don’t know and if tasked I’d hire people smarter than myself to run things. When I see tech related things it seems everybody wants to do things on the “cheap” then are stunned when things don’t work out so well.
Citizen_X
@Mike in NC:
More like “if you retain a guy under federal indictment named Ricky Joe to run your IT department.”
They need to be buried up to the gills in lawsuits.
Villago Delenda Est
@? Martin: Yup, it’s snark, but I’ve always held that “letting the market find the optimal solution” is pretty much the equivalent of hitting glare ice, taking your hands off the wheel, and letting the car decide where it’s going to go.
You’re just along for the ride.
This is why beating glibertarians senseless with hammers is the way to go. Doesn’t even take a single hit…they’re senseless already.
I'mNotSureWhoIWantToBeYet
@Redshift: The stock market didn’t think it was a big deal so it’s unlikely that they’re too upset:
Let’s see. ($62M – $27M) net expected cost / $78.8 B in sales = 0.044%. “Cost of doing business”, amirite? Less than a dollar a card number….
A BMF hammer fine might get their attention.
FWIW.
Cheers,
Scott.
Schlemazel
@Howard Beale IV:
Actually there is a way to blow off PCI audit, my employer has been doing it for years based on the fact the fines were much less than compliance. That is changing now though so there is a panicked rush to get compliant.
As with all audits I assume the auditing agency (QSA) probably has a decently written contract that only holds them accountable for verifying compliance, not on security. If HD hit all the checkboxes (not easy but very doable) then the QSA is clear. The problem is it is easy to be compliant but not secure. I have been hectoring companies to focus on being secure and having compliance grow from that but nobody – NOBODY – wants to do that. Well, actually one very large, very well known insurance company does an excellent job as far as I can tell but nobody else.
If you use a credit card ever you are just one of the zebras hoping there is safety in the herd.
biff diggerence
Who the fuck hires anyone named Ricky Fucking Joe to manage anything?
Tommy
@Villago Delenda Est: I could be mistaken because both Home Depot and Target have competition, but to a large extent I don’t think they care. They assume they are so large they can weather the storm and people will still shop there. I am at fault here. I still go to Target. I try to shop local but I live in a rural area where if I didn’t have a Target 30 miles away outside of a local hardware store I’d not be able to buy much of anything.
Schlemazel
@Howard Beale IV:
Having done both network & security work for Target I can say that the extent of outsourcing with IT is a lot of contractors (almost all supplied by Indian companies who ship workers to Minneapolis for 2 year stints). Some is done by a subsidiary, Target-India. Security, as far as I saw, was all handled in Minneapolis, though I was contract there myself so not wholly internal.
I worked with some real lemons there and some of the best people I have worked with. But then everywhere I have been has been that type of mix (though Target’s best are better than other places I have been). Target culture and management is amongst the worst though. It is big and petty and institutes a climate of fear that would be funny if it were not so serious.
? Martin
@Howard Beale IV: That’s not quite correct.
Visa and Mastercard have indicated that they are transferring liability to merchants in Oct 2015. They aren’t mandating that any specific technology be adopted but if they use chip+pin (EMV is Eurocard/Mastercard/Visa), then merchants won’t be liable for fraud off of EMV chip+pin purchases.
NFC chip+pin was assumed to be dead a year ago for two reasons:
1) It’s utterly useless for online purchases, which is an increasing share of purchases.
2) Debit transactions can’t move to EMV chip+pin in the US because there’s a provision in Dodd-Frank that gives merchants the power to choose their payment network, and chip+pin doesn’t have a way to allow for that. Either the law needs to change, or some other solution needs to be offered up (and there are competing solutions).
3) Google killed a lot of trust in NFC transactions with Google Wallet. By bypassing the long agreed upon method for securing NFC transactions (using the standard secure element on the SIM, which the carriers blocked Google from using) and instead introducing HCE (host card emulation) everyone in the industry took that as evidence that anyone could bypass NFC chip+pin security. Only Google knows if the transaction is secure, and though Google has maintained PCI compliance, the banks HATE the fact that they have to take Google’s word for this, and that Google is capturing all of our purchase data.
The competing payment systems (Softcard, MCX) were surging until Apple introduced Apple Pay. Apple Pay isn’t yet another new standard but is mostly based on a new EMV payment structure with an Apple-specific means of securing the user identity with the banks. So it’s an extension of EMV chip+pin designed to address the many shortcomings of the platform. Because the banks are so strongly backing Apple Pay (and therefore the EMV standard), momentum has shifted somewhat back in favor of EMV chip+pin, but there are real challenges here.
Outside the US, it’s pretty clear that EMV is entrenched, but inside the US that problem with the debit cards remains, and that’s a HUGE problem. Apple Pay/EMV will work fine for debit cards as it allows merchant choice of network, but NFC based chip+pin/EMV doesn’t.
judge crater
There are a lot of 19th century minds still at work in corporate board rooms. The Amazon “fulfillment centers” treat their employees like criminals in order to prevent pilferage. Yet consumers get back-of-the-hand protection of their credit data allowing thieves to essentially steal millions or billions of dollars worth of our wealth.
Buying back company stock is now the cash cow for corporate execs. It inflates stock prices and therefore executive pay. Who cares about point-of-sale technology when it won’t add a cent to the bottom line.
Tommy
@Schlemazel: One of my clients years ago was one of the top security professionals. My ad agency was hired to do PR for his firm because he kept keynoting security conferences where he was literally yelling nobody knew how bad things were. This freaked out a lot of people. Ten plus years ago but everything he said has come true.
Schlemazel
@Tommy:
They also assume (and not incorrectly IMO) that their competitors all have the same problems. In both cases they make their money by having the lowest prices on goods that they can. & that is all that matters. It’s just a matter of time before Lowe’s & WalMart get hit.
Mike G
@Tommy:
Then you’re not upper management material in corporate America. Their sociopathic culture demands that they give the appearance of being “in control” and dominant at all times to justify their oversize paychecks. They hate and fear IT and ignore it as much as possible because they don’t understand it, and listening and learning from smarter people threatens their egos.
They don’t understand the risks of not doing it right, so it becomes an idiot-game of doing it cheap.
HeartlandLiberal
Having been responsible for certifying the compliance of a major system for several years that required being PCI compliant, I can tell you with certainty that the credit card companies are going to take Home Depot to court over this. They were obviously and demonstrably out of even minimal compliance with requirements for current security scans and evaluation of system logs. Frankly, everyone in a high position at the company should be fired out the door ASAP, and replaced with someone who is competent. Problem is, I have come to the conclusion that our corporations today are all ruled by sociopaths, if not psychopaths, and not being a sociopath excludes you from eligibility to be included in the hallowed halls of the 1%.
Tommy
@Schlemazel: In the comment I left above that guy never named names. As you might guess he did a lot of work behind the scenes and signed some ironclad NDAs. He said he worked for the largest banks, insurance firms, Fortune 50 companies and NONE of them were secure. What he found most troubling was no CIO/CTO felt this was the case so he often just hacked their system to prove he was right.
Ruckus
@Tommy:
It’s like @Mike J: said, IT costs money. Big company execs don’t spend money(except on themselves), they invest in the share price/dividends. IT costs money, doesn’t add to the share price/dividends, therefore spend the least amount possible that looks like you are doing something, which keeps the share price up, confidence up, money coming in. That in the long run you might make more money? Never figures into the equation. Can’t take maybe to the bank.
Schlemazel
I know a place, not my current place nor Target, my last place. They do things better than most. They have firewalls and intrusion detection (both network and host based) anti-virus and a program to patch for the latest issues.
About a year ago a friend of mine was reviewing firewall logs and noticed a very large amount of traffic on port 53 (technical info this is the place servers ask for addresses for devices they know the name of) requests going out. He set up sniffers & captured packets & noticed immediately that the data in the packet was encrypted & the host it was going to was a known command and control server for a hacker network.
The server sending the packets was protected as well as a company would expect, patched up to date, no reports of any issue. It was a virtual server so they made a soft copy of it & installed it in a protected ‘sandbox’. Investigating they found the issue & cleaned it up. Over the next day they saw the thing rebuild itself using a different set of files. They cleaned that up & then saw it rebuild itself a third time using different files.
Because it was all encrypted they have no idea what info was copied out but they did rebuild every server on their network.
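The detection Schlemazel's friend did by hand (a spike in outbound port 53 traffic carrying opaque data) can be automated. The following is an added example, not code from the post or from any company mentioned in it; it runs over constructed DNS query log lines in an assumed "timestamp source qname qtype" format and flags source hosts whose queries to one registered domain are both numerous and shaped like encoded data (long, high-entropy labels, often TXT or NULL records). The thresholds are assumptions to be tuned against a real baseline.

```python
"""Added example: flag DNS-tunnelling-style query patterns in a resolver/firewall log.

Heuristic: for each (source host, registered domain) pair, count queries and measure the
average length and Shannon entropy of the subdomain part. Exfiltration over DNS tends to
produce many queries whose labels are long, high-entropy blobs, so all three must be high
before a pair is reported. Legitimate bulk traffic (many short queries) is not flagged.
"""
import math
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <source ip> <query name> <query type>", one per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

# Constructed sample: 10.1.2.5 and 10.1.2.9 do ordinary lookups; 10.1.2.7 sends six TXT
# queries whose leftmost label is a 32-character hex blob that changes every time.
SAMPLE_LOG = """\
2014-09-19T10:00:01 10.1.2.5 www.example.com A
2014-09-19T10:00:02 10.1.2.5 mail.example.com MX
2014-09-19T10:00:03 10.1.2.9 api.example.com A
2014-09-19T10:00:03 10.1.2.9 api.example.com A
2014-09-19T10:00:04 10.1.2.9 api.example.com A
2014-09-19T10:00:04 10.1.2.9 api.example.com A
2014-09-19T10:00:05 10.1.2.9 api.example.com A
2014-09-19T10:00:05 10.1.2.9 api.example.com A
2014-09-19T10:00:06 10.1.2.7 3f9a1c7e0b5d2846e8c1a0f73b6d9254.cdn-upd.net TXT
2014-09-19T10:00:07 10.1.2.7 f9a1c7e0b5d2846e8c1a0f73b6d92543.cdn-upd.net TXT
2014-09-19T10:00:08 10.1.2.7 9a1c7e0b5d2846e8c1a0f73b6d92543f.cdn-upd.net TXT
2014-09-19T10:00:09 10.1.2.7 a1c7e0b5d2846e8c1a0f73b6d92543f9.cdn-upd.net TXT
2014-09-19T10:00:10 10.1.2.7 1c7e0b5d2846e8c1a0f73b6d92543f9a.cdn-upd.net TXT
2014-09-19T10:00:11 10.1.2.7 c7e0b5d2846e8c1a0f73b6d92543f9a1.cdn-upd.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0 for empty or single-symbol strings, max 4.0 for hex."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered domain). Uses 'last two labels' as the registered
    domain, which is an approximation; a public-suffix list would be more accurate."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    for line in text.splitlines():
        line = line.strip()
        m = LOG_RE.match(line) if line else None
        if m:
            yield m.groupdict()


def find_suspects(text: str, min_queries=5, min_avg_len=24, min_avg_entropy=3.5):
    """Return (src, domain) pairs whose query volume and label shape look like tunnelling."""
    stats = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "txt": 0})
    for rec in parse_log(text):
        sub, dom = split_name(rec["qname"])
        st = stats[(rec["src"], dom)]
        st["n"] += 1
        st["len"] += len(sub)
        st["ent"] += shannon_entropy(sub.replace(".", ""))
        if rec["qtype"] in ("TXT", "NULL"):
            st["txt"] += 1
    suspects = []
    for (src, dom), st in stats.items():
        avg_len = st["len"] / st["n"]
        avg_ent = st["ent"] / st["n"]
        if st["n"] >= min_queries and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            suspects.append({"src": src, "domain": dom, "queries": st["n"],
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2), "txt_or_null": st["txt"]})
    return sorted(suspects, key=lambda s: -s["queries"])


if __name__ == "__main__":
    for s in find_suspects(SAMPLE_LOG):
        print(s)
```

Volume alone is not enough: 10.1.2.9 makes more queries than anyone but stays under the length and entropy thresholds, so only the host sending hex-blob TXT queries to cdn-upd.net is reported. In a real deployment the registered-domain split should use a public-suffix list and the thresholds should come from a baseline of the site's own traffic.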
? Martin
@Redshift: Well, there’s a lot of tension within the financial services industry. The issuing banks are PISSED because they rely on the loyalty of their customers and none of this is in their control – and they’re the ones paying for most of this fraud. The merchants have no incentive yet to stop any of this. It doesn’t cost them nearly as much, and they don’t want to invest in chip+pin if it doesn’t solve the debit card fraud problem, only to have to invest in yet another solution a year later. So they’re waiting for someone to actually fix this (and pushing their own solutions – MCX is the merchant consortium), but banks aren’t eager to keep control with the merchants who have done nothing but fuck up. Softcard is the consortium of carriers pushing their own solution, which everyone hates, because the carriers fuck everything up.
That Apple approached the banks and EMV with a solution and got them all on board speaks volumes as to how fucked up this situation is. Apple’s a complete outsider and has now built the most powerful alliance, and they have the cash and incentive to incentivize the holdouts. Target is one of the more prominent members of the MCX consortium, but had a high profile in the Apple Pay rollout.
Mike J
@HeartlandLiberal:
These incidents will continue to happen until they become more painful for the responsible companies than they are for consumers. When it affects share prices more than the credit rating of individuals, stuff will get fixed.
Tommy
@Mike G: That is sad but I think true. I’ve never worked for a company of more than 60 people. When I started to hire people the owner of my last firm said “hire people smarter than yourself. Then give them direction and get out of their way. You will look like a rock star if you can do that.” Very sound advice.
Villago Delenda Est
@Ruckus:
What, in some future fiscal quarter? Does not compute. Short term ROI is the only thing that matters. You could be gone by the time long term ROI kicks in, and there will be no money for you for hookers and booze. Fuck that!
Schlemazel
@Tommy:
I was fired from a different big box retailer for pointing out the obvious flaws and exposing the very large consulting house’s failure to do even the minimum required. I cut up that credit card & only buy with check there. But checks are not really safe anymore as they don’t use the paper, they take, store & transmit the electronic numbers so we’re screwed.
max
@Corner Stone: Don’t you think you’d ask the guy under what conditions he left his previous employment? “Oh, they tossed me so I totally spite-fucked their systems for like 30 days. It was awesome!”
You think they’d ask the company that fired him. You’d think they’d note that he fucked the network for which he was under federal indictment. I can’t imagine screwing a network in revenge; that would be an awful thing to do and bad for business besides.
@WereBear: I am very typical in this. Companies who mess around with people’s cards don’t realize what they are gambling with. One high profile incident, like Target and now Home Depot, and people are going to look at your company as the financial equivalent of poisoned Tylenol.
They don’t care what they’re gambling with – it’s not their money.
max
[‘Clearly, a standard part of the MBA curriculum is hiring incompetents who want to do a bad job. Of course, if you set up your HR department to effectively only hire people who lie convincingly, it’s bound to happen.’]
Tommy
@? Martin: I said in another comment I know what I don’t know, so I ask questions :). Is the EMV payment Apple is promoting what is used in most EU nations and some of Asia? Where you can just use your phone to make a payment at a store or even a vending machine? I so want this if it is secure. For many years my wallet was always on me. Now my phone is never more than a few feet from me.
Ruckus
@HeartlandLiberal:
Martin and I had a discussion about this on another thread last night. All merchants are supposed to be PCI compliant but the big guys are not. Thinking about it more, I had a single register retail store and the cost of compliance for me was $100 for a new card reader. My sales software company upgraded everything else as the cost of doing business. I used a very small online sales software company (I think I was customer #61 when I signed on in 05). If I had one of the major sales programs, like MS, I would have had to spend a lot more. Big companies that do their own software or contract it out would have had to spend some pretty good sums to upgrade both the hardware and software. As long as the penalties are smaller than the cost of compliance there will be those that take the risk of getting caught. And if getting caught only costs what it looks like HD will have to spend, it’s still cheaper to cheat and fuck over customers than to do the right thing. It’s always about the money and how much of it someone gets to keep.
Ruckus
@Villago Delenda Est:
It’s like a mind meld you and me.
Tommy
@Schlemazel: Well I got a question. My local gas station takes my check. A local not national chain. They scan my check and hand it back to me. I had never really thought about this, but I guess my checking info is stored on their server. Do they delete this info after my check clears? How is that info handled?
mai naem mobile
First, Ricky Joe? Really? Ricky Joe? Didn’t HD know they need to hire Mohankumar Srinivasanangar or Igor Stillyschvilch for IT stuff?
? Martin
@Schlemazel:
But that just underscores how badly things are. Why is the primary identifier I’ve worked out with my bank (my card number) being passed around in such a manner? There are too many points of failure – the user getting phished, the merchant POS, the merchant payment back-end, the acquirer, and so on.
Server security is necessary and helps, but the perpetrators of this will simply shift to a different attack point. Target was losing the data on the POS. Others are getting it via phishing – directly from the user. That’s got to get closed up.
Ruckus
@max:
There was a time that asking a “competitor” about a past employee was a complete waste of time. The company didn’t want to tell the truth as they may get sued by the disaster of an employee(which may not have been the employee’s fault at all) or they lied because you might hire the idiot and they’d gain an advantage. I never bothered. Problem is that led to finding other ways to figure out if a possible new employee might be a disaster. So we have credit checks, landlord checks, etc, etc. Does this work? I’d bet it doesn’t rule out disasters but it does limit the potential of a lot of people to be employed. But isn’t that what HR is supposed to do, cut down the number of possibles?
Villago Delenda Est
@mai naem mobile: One hires Ricky Joes for things like beer purchases, or kicking tires.
WereBear
Exactly why we need effective, and serious, regulation. Companies always think they can finesse their way out of customer wrath.
And, sadly, they aren’t even wrong. I’m apparently rather unusual for not doing business with certain screwed up companies, even when it imposes slight inconvenience. I hear all the time from people who claimed they wouldn’t go back… and three months later, during some sale or other, they’re back. And complaining again.
I’m not perfect in this regard; I have a limited budget, a mostly housebound spouse, and I live an hour away from malls or big box stores. I look locally, but if I can’t find it, then I have to buy online, because what are the alternatives?
I try not to, but sometimes it’s inevitable to get something made in China, or buy from a retailer with less than good practices.
There’s a serious shortage of happy elves making products.
Not Adding Much to the Community
I work as IT in the gaming (Vegas-style) industry. I’m happy to report that our PCI compliance and cyber security polices are robust and stringent. Then again, we’re not publicly held, and the Nevada Gaming Commission has rules about protecting customer information, and those guys don’t fuck around.
mai naem mobile
I have unfortunately spent big $$$ at HD in the past few years and, hell, before too, using checks, credit, and debit cards. I try using smaller local cos. for some stuff but some of this comes down to the hassle of going to several stores for different items. Lowes does not always have what HD has and I do try going to Lowes. Price wise HD is not always the cheapest and furthermore some stuff seems to be builders grade or seconds.
Ruckus
@? Martin:
That sounds like a billion dollar idea if you could make that happen.
I’m not sure that it ever can. As long as there are electrons flowing there will probably be a way to read them as they pass some point. As long as they are readable they can be put into some form that can be used, good or bad. As long as the amounts of money to be made/stolen are huge, someone will take the risk. And that someone can be anywhere.
Tommy
@? Martin:
I’ve only said this indirectly here and assumed people knew my point about IT security costing money. Criminals are always going to look for a way to steal. You put in new security and they will start to hack/breach that. This might be the wrong phrase but it is an ongoing war isn’t it?
Update: You can’t put in a system and let it stay for five years.
Villago Delenda Est
@? Martin:
Na gonna happin. You can only go so far with technical approaches to social problems, as the heart of the problem is human behavior, which goes all over the map. You can only mitigate the damage somewhat.
Efforts at consumer awareness only go so far, when you’ve got stupid people who object to you saving them money (see the entire incandescent/LED “controversy”). Stupid is very, very difficult to fix without resorting to drastic measures that will attract the attention of law enforcement.
Villago Delenda Est
@Tommy:
Which is why fumigating executive suites is essential.
Villago Delenda Est
@WereBear
HALP! We’ve got some socialist fanatic in our midst!
Villago Delenda Est
@WereBear:
The Elves are unhappy, because in the real world they’ve got expenses of their own that are very hard to cover at minimum wage, and even then MBAs moan and bitch that they have to pay them that much. We’re not at Hogwarts, the Elves are not thrilled to work for nothing at all with no reason for their existence but work, despite the best efforts of the 1% to make it so.
Ruckus
@WereBear:
This is the crux of the matter. A lot of people shop at wally world, even if they hate it. Because wally world went into a lot of small places and ran right over the local merchants, ran them out of business, some by low prices and some by having stuff that people thought they wanted but couldn’t actually get locally. I’ve been to rural areas in several states that this picture fit perfectly both before and after wally world. The small town, old world charm is gone but they can buy cheap crap, cheap. How many small town lumber yards/hardware stores are gone from 30 yrs ago? Or those places you can get prescriptions filled?(that’s a FYWP)
Southern Goth
The storing of credit card numbers by merchants is never going to be safe.
You’d think there would be some effort on the part of the credit card companies to come up with:
1. Owning the the transaction and encryption at the point of sale (outside the PC).
2. Offering some sort of token back to the merchant for working with transactions later (refunds, etc).
It sounds like something like this has been required for smaller merchants.
On a side note, I was working with a client to implement EHR. A particular server needs to communicate with other servers outside the network to send encrypted messages. A network guy told me it wasn’t PCI compliant.
To which I replied, EHR is a federal standard. PCI is not.
Tommy
@Ruckus: Hardware and a pharmacy since the 1860s are all the local shopping I can do. Walmart ran over everything. Now Target. I try to shop local but prices are maybe 20% more. Most months I can afford that. But if you are lower income how can you?
WereBear
@Ruckus: Exactly. I love Costco and want to shop there, but it’s 2 1/2 hours away and we have a tiny apartment with no storage.
I won’t shop at WalMart, but what if it was the only game in my town?
Howard Beale IV
@? Martin: Target is supporting Apple Pay via the Target app, quite a different deployment method than the base Apple Pay method. WalMart and Best Buy are saying no thank you to Apple Pay.
Sounds like the bad old days of Microsoft and Visa when they tried foisting SET on everybody….
Ruckus
@Tommy:
I used wally world as I think they are the worst of the lot, but big box stores that decide they need only the lowest cost, never better products are the main issue. Of course we need low cost because wages are low. I assume that low cost goods are there to placate us with the lower stalled wages. Problem is it’s chicken/egg. To have always lower prices one has to cut costs somewhere. Executive pay/perks? No fucking way. Big expansive, expensive offices? No fucking way. A nicer shopping experience? Sure, why the fuck not. Lower wages/benefits? Those assholes don’t work hard anyway, absolutely cut those! Bring back slavery! Those were the good ole days. Almost no costs, sell at any price.
Have I about captured the essence of upper management?
different-church-lady
I’m sure this will somehow all be fixed when we start paying for things by waving our phones at objects we want. Yes, that will be foolproof.
Ruckus
@Not Adding Much to the Community:
Aw, the crux of the matter.
Actual regulations/laws that are enforced and penalties that make the enforcement work.
Southern Goth
@different-church-lady:
Clearly the solution is to merge banks with mobile carriers so they can hand out smart phones when you sign up for an account.
Howard Beale IV
@Tommy: Lots of financial CIO/CTOs with mainframes think their big iron is significantly more secure than their Wintel/Unix/Linux farms, especially due to the robustness/feature set of mainframe security systems (RACF/ACF2/Top Secret). Well, turns out that’s not quite the case: they are just barely more secure. It took the same kind of activity (hacking the company’s system using unsecured SVCs) to deflate the CIO/CTO’s ego a few notches (if not an outright soiling of underwear…)
? Martin
@Tommy: Sort of. Everyone is getting terribly confused on all of this.
When you go and buy something with Apple Pay, it will work securely with any existing NFC terminal. It works differently (better) than chip+pin but nothing needs to happen from the merchant for it to work. The Apple Pay/EMV system uses the same NFC communication method, and passes the same format of data as chip+pin. The actual data it passes is different, how it’s processed down the line is different, and how you set up the system with your bank is different.
Essentially, they’ve reused all of the existing difficult infrastructure bits (the POS and merchants) and the overall data format, and swapped out most of the big points of identity failure. The problem with security is that there are two distinct aspects of it and we usually only think of one. Consider a key and a lock. We think of someone picking the lock and demand an unpickable lock, and let’s say we get that. But if you have the key you get in, even if you shouldn’t have the key. So access to the key is equally important, and that’s largely ignored. Can the key be copied, stolen, lost and found by someone else, etc? The problems we’ve seen lately with credit cards are with stealing the key.
Apple Pay does a bit to secure the lock and a LOT to secure the key. It starts with adding your card to your iPhone. It does this by capturing your card number (your PAN) and then setting up a secure connection with your bank so your bank can verify your identity – it may ask your security number like anyone else, but your bank can challenge for any other information – your SS#, your bank login/password, your DOB, etc. Your bank then issues a fake card number called a token which is stored deep inside the phone. Looks just like a card number (16-19 digits) but can’t be processed normally because card numbers have specific characteristics – they start with certain digits and they have a checksum. Tokens don’t validate as card numbers. They also issue another code which serves as a private encryption key which is also stored in there. The only way to unlock these codes is via the TouchID element. Your iPhone doesn’t store your card number, the security number, or anything else like that. If you have two devices, the bank issues two different tokens, so in the event your phone is stolen, you can deactivate one set of tokens but not the other and not need a card reissue. (Card reissues cost between $3 and $20 depending on magstripe/chip and the size of the bank).
In a transaction you unlock these (your approval) and the secure element chip in the iPhone (a custom part to meet the security requests from the banks) takes the token and key and creates a cryptogram that is the token and some other data encrypted. The cryptogram is unique for each transaction. The token and cryptogram are formed and sent to the POS via NFC or any other mechanism (in-app, presumably via the web, etc), and the merchant adds the amount to purchase, etc. to that data. It’s then routed through the existing payment network. The network processors see that this is an Apple Pay token, and route it to an entity called a Token Service Provider (TSP). The TSP can be the network processor, the issuing bank, or a 3rd party, but not the acquirer (the merchant’s bank) or the merchant. They decode the cryptogram, see that it properly validates the token, and then pass the transaction to the issuing bank. If it doesn’t validate it goes back to the merchant. The issuing bank takes the token, looks up your account number (the token is random and not derived from the card number, so it can’t be reverse engineered) and then approves payment for that token.
The security for the system comes from the fact that your account number is only ever known by your bank, and as needed by you to make non-Apple Pay transactions. In an Apple Pay only world, even you wouldn’t know that. Your bank doesn’t need to trust the merchant to verify your identity – check your signature, look at a driver’s license, etc. Only the bank verifies identity and trusts Apple’s hardware to protect it (so far TouchID hasn’t been hacked). There is no security code or pin, just a code that only the bank and your device (but not you) know. You unlock using your fingerprint. This makes the system impervious to phishing attacks. You can’t inadvertently reveal information you don’t know, and you can’t hand someone your fingerprint. Spoofing your identity requires physical access to your device, or reverse engineering the private key (which isn’t going to happen with modern encryption standards). The merchants get your token, but have no means of generating a cryptogram without your private key. Chip+pin does the encryption in the POS system, so your card number is passing in the clear, and it requires that the merchant do some things to further protect the transaction. Apple Pay does all of this on your handset. Basically, the merchant can’t fuck this up, which is the point.
And the system works equally well online as in-person, but you need a digital interface for it to work. Apple has that in place for in-app purchases, but hasn’t announced anything for web-based shopping carts. I imagine that will come in time.
Some parts of this aren’t totally new. I’m almost positive that Apple has for some years been tokenizing all of those credit cards they have on file for iTunes/App Store customers, so there are no *actual* credit card numbers in their database. They shipped all of them off to someone else in the network. And for users whose bank isn’t yet set up to provision tokens to iPhones, Apple will let you pay with that iTunes account card. They do this by provisioning their own token that is associated with your AppleID which sends the payment transaction to them as if they were the issuer, and then they look up your card on file, and initiate a 2nd transaction, passing that result back up through the payment network. It’s invisible to you, but allows Apple to get small banks on board and non-credit/debit as needed.
Apple Pay is actually more valuable outside of the US than inside. The US is just the test market because it’s convenient for Apple and because the banks are so motivated to do something about this. Outside the US the NFC POS network is already in place, so it’s just a matter of getting banks on board. The banks love this system. They’d prefer to not be paying a security fee to Apple, but it’s smaller than what they’re losing to fraud and the banks keep control. The merchants aren’t too happy yet, though it should allow them to secure their systems more cheaply, but Apple is working on a loyalty card program that will work through Apple Pay, so you can do both your purchase and loyalty activity in the same transaction. They should start to come around once that lands.
? Martin
@Ruckus: Apple closed it up by eliminating the need for a login/password or ID/pin combo. The bank issues the ID but your device controls access to it – and you unlock it using a key you simply can’t hand away (your fingerprint). The key is validated using strong encryption that you can’t replicate – only the bank can. I’m pretty sure that the validation cryptogram is time sensitive – so it self-destructs after a certain amount of time.
Certainly thieves will find a way around these things, but they’ll be MUCH harder and they’ll have far fewer targets to try from. The merchants will be completely off limits within this system since they have no useful information. Apple’s device security has held up very well so far. There are some proof-of-concept local exploits but no in-the-wild remote ones, and nobody has demonstrated breaking through TouchID remotely. I’m sure the NSA, with someone’s iPhone in hand, could get in, but that’s not a realistic threat against any of us. Stealing this information is only economically viable if you can do it in bulk. If you are targeting individual phones, it’ll never pay off.
That leaves the banks as targets (which they’ve always been) and the protocol itself, and the key bits of this have been in use for ages. Kerberos works along a very similar design and is 25 years old.
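A toy model of the token and cryptogram flow the two comments above describe, added here as an illustration (it is not Apple’s, EMV’s or any bank’s code): the issuing bank holds the only token-to-account mapping, the device MACs each transaction with a key the merchant never sees, and the token service provider rejects a replayed cryptogram. The HMAC construction, the per-transaction counter and a token that fails the Luhn check are assumptions of this model.

```python
import hashlib
import hmac
import secrets

def luhn_ok(number: str) -> bool:
    """Luhn checksum that real card numbers (PANs) carry."""
    total, parity = 0, len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class IssuingBank:
    """Only the issuer maps tokens back to accounts and holds device keys."""
    def __init__(self):
        self.accounts = {}  # PAN -> balance in cents (constructed data)
        self.tokens = {}    # token -> [PAN, device key, last counter seen]

    def open_account(self, pan: str, balance: int) -> None:
        if not luhn_ok(pan):
            raise ValueError("PANs carry a Luhn checksum")
        self.accounts[pan] = balance

    def provision(self, pan: str):
        """One random token and one device key per device. As the comment
        describes, the token is not derived from the PAN; here it is also
        chosen so that it fails the Luhn check (an assumption)."""
        if pan not in self.accounts:
            raise KeyError("unknown account")
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if not luhn_ok(token) and token not in self.tokens:
                break
        key = secrets.token_bytes(32)
        self.tokens[token] = [pan, key, 0]
        return token, key

    def revoke(self, token: str) -> None:
        """Lost device: kill its token; other devices and the card stay valid."""
        self.tokens.pop(token, None)

def cryptogram(key: bytes, token: str, amount_cents: int, counter: int) -> str:
    """Device side: MAC over token, amount and an increasing counter, so
    every transaction produces a different cryptogram."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def tsp_validate(bank, token, amount_cents, counter, crypt) -> bool:
    """Token service provider: a captured merchant record (token plus an
    old cryptogram) is rejected because its counter has already been used."""
    entry = bank.tokens.get(token)
    if entry is None or counter <= entry[2]:
        return False
    expected = cryptogram(entry[1], token, amount_cents, counter)
    if not hmac.compare_digest(expected, crypt):
        return False
    entry[2] = counter
    return True

def authorize(bank, token, amount_cents, counter, crypt) -> str:
    """Merchant forwards token, cryptogram and amount; it never sees the PAN."""
    if not tsp_validate(bank, token, amount_cents, counter, crypt):
        return "declined"
    pan = bank.tokens[token][0]
    if bank.accounts[pan] < amount_cents:
        return "declined"
    bank.accounts[pan] -= amount_cents
    return "approved"
```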
? Martin
@Howard Beale IV: Yeah, they say that, but it’s not exactly accurate: http://www.nfcworld.com/2014/08/26/331018/walmart-moves-emv/
Apple Pay will work just as well as a Walmart Mastercard for in-store purchases. True, their iPhone app may not support it, but that’s not what customers are thinking about right now. I think Apple, by building on EMV and releasing it as an official EMV protocol, minimizes the possibility of any such market fracturing. Now MCX and Softcard are the ones creating confusion for merchants and consumers, not Apple.
polyorchnid octopunch
@Schlemazel: The technical term for that technique is VPN over DNS, and it’s nasty. Very hard to detect unless one knows what to look for. Also very hard to defend against; DNS is, simply put, very necessary. Best approach is a caching name server that makes DNS requests on your network’s behalf and firewalling any port 53 to other hosts on your network, hardening the caching name server… and keeping an eye on the caching name server(s) for unusual traffic.
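One way to do the “keep an eye on the caching name server” part of the comment above, as an added example that is not part of the original thread: score each client’s queries per parent domain by label length, character entropy and subdomain churn, the traits that make data carried over DNS stand out from ordinary lookups. The log format, the constructed sample lines, the domain names and the thresholds are all assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <client> <qtype> <qname>".
# 10.0.0.5 browses normally; 10.0.0.7 sends long, high-entropy labels
# under one domain, the shape of data carried over DNS.
SAMPLE_LOG = """\
1411000001 10.0.0.5 A www.example.com
1411000002 10.0.0.5 A mail.example.com
1411000003 10.0.0.7 TXT a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.t.tunnel-example.test
1411000004 10.0.0.5 A www.example.com
1411000005 10.0.0.7 TXT p6o5n4m3l2k1j0i9h8g7f6e5d4c3b2a1.t.tunnel-example.test
1411000006 10.0.0.7 TXT 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p.t.tunnel-example.test
1411000007 10.0.0.5 A cdn.example.com
1411000008 10.0.0.7 TXT 6p5o4n3m2l1k0j9i8h7g6f5e4d3c2b1a.t.tunnel-example.test
1411000009 10.0.0.5 A www.example.com
1411000010 10.0.0.7 TXT b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6a1.t.tunnel-example.test
1411000011 10.0.0.7 TXT c3d4e5f6g7h8i9j0k1l2m3n4o5p6a1b2.t.tunnel-example.test
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def entropy(label: str) -> float:
    """Shannon entropy in bits per character; encoded data scores high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Crude registered-domain guess: the last two labels."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log_text, min_queries=5, min_entropy=3.5, min_len=20, min_churn=0.9):
    """Group queries by (client, parent domain) and flag groups whose
    leftmost labels are long, high-entropy and almost never repeated."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "ent": 0.0, "len": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, client, _qtype, qname = m.groups()
        first = qname.split(".")[0]
        s = stats[(client, parent_domain(qname))]
        s["n"] += 1
        s["names"].add(qname)
        s["ent"] += entropy(first)
        s["len"] += len(first)
    alerts = []
    for (client, domain), s in stats.items():
        n = s["n"]
        if n < min_queries:
            continue
        mean_ent, mean_len = s["ent"] / n, s["len"] / n
        churn = len(s["names"]) / n
        if mean_ent >= min_entropy and mean_len >= min_len and churn >= min_churn:
            alerts.append({"client": client, "domain": domain, "queries": n,
                           "mean_entropy": round(mean_ent, 2)})
    return alerts
```

Thresholds like these need tuning against a baseline of your own resolver’s logs, since CDNs and some anti-spam services also generate long, unique labels.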
Ruckus
@? Martin:
Thank you.
This is the way it should work. Just read a piece from someone in the UK that they don’t like the Apple system because they will have to use a device that has to be unlocked and then read, which will slow down small transactions (under 20 pounds) which are now just a chip read away. Rapid transit and such. We of course do that now with small purchases under some amount (fast food, etc) but without the chip as an additional process, just a swipe, no pin, no signature. At some point in the near future I’d bet there will be some system, and it sounds like Apple has one now, that will not require a lot of interaction with the merchant or purchaser and that doesn’t let actual usable info fly around.
I was thrilled when PCI mandated a safer process, as we discussed it is really apparent to me that lots of merchants were/are just not compliant.
Only problem for me with Apple Pay is that I don’t feel the need to purchase a smart phone and its attendant monthly cost to spend my money. I’d like to see some way around that.
Robert Sneddon
@Ruckus: I’m already using a Tap to Pay card in the UK for transactions of up to 20 UKP per day (about 30 bucks), a debit card tied to my bank account. It can now be used in London and other places to pay for bus, tube and train journeys with automatic topping-out (travel around and when your accumulated travel per day reaches a limit any other journeys are free, like buying a day rover ticket). Of course there’s the dedicated London Oyster card, Tokyo’s Suica and other such cards that have been offering this sort of capability for years but based on the card’s account being topped-up on a regular basis. Suica is actually built into phones in Japan but they’re a simple tap system, no fingerprint-sensor juggling required.
If I lose my tap card or it’s stolen the card issuer is on the hook for those small sums when I report it missing, at which point it gets disabled. Apple Pay covers much higher amounts — the canonical purchase is of an iPad or similar in an Apple store, hence the extra fingerprint security facility.
I think Apple Pay needs a low-value option to be really useful otherwise it’s going to be awkward to use in places like subway stations — imagine juggling a phone, getting your thumb or finger on the sensor and doing a tap to get through a subway station gate while carrying bags, holding a child’s hand, pushing a stroller etc. Apple Pay needs to be able to work in such low-value high-traffic situations without the fingerprint security as it’s a distraction and will slow things down in places where you really don’t want slowdowns.
Another Holocene Human
@Corner Stone: I’m wondering if his reference at the previous employer was someone who had already left and HR didn’t do any sleuthing about whether they were calling a cell phone or a landline because seriously, who does that? And likely the asshole hiring manager thought his steaming asshole vibes showed he was a real winner who would fit in well at HD.
I don’t shop there either, started sometimes to go back to Lowe’s but still pissed about that American Muslim decision a few years back, but the local Ace disaffiliated :(( So… Lowe’s.
Another Holocene Human
@Villago Delenda Est:
Apply lotion to the burn.
Another Holocene Human
@Schlemazel:
That’s why I’m using credit not debit, not tied to my bank account. I’ve had to replace my card 3 times in the last 12 months due to hacking and fraud. Fun.
Ruckus
@Robert Sneddon:
Had transponders in the Bay Area (SF) for the bridges. Free for every car you owned. Keep the account topped up and you don’t even have to stop, just slow down through the reader lanes. Which wasn’t a bad idea anyway, all the transponder lanes used to be toll booth lanes and they are not very wide. So, same system as other transport systems just for the car instead of the person. I was amazed that more people didn’t have them.
I agree that Apple will have to come to terms with some amount below which nothing other than a chip read will work, there are too many places that use such a system now and a lot of people are used to it, or getting used to it. Won’t be as safe but will it be safe enough? Chip cards seem to be, how do they handle online purchases?
Another Holocene Human
@? Martin: I can’t understand the technical details but this sounds like it’s time for the government to step in and play market cop (which they have, to an extent) but the big, entrenched players have been buying senators for years precisely to ensure that doesn’t happen, but when it does, they’ll use regulation to keep all competition away.
Another Holocene Human
@HeartlandLiberal: I’d go with sociopaths and malignant narcissists, as well as deluded or neurotic people without anti-social disorders pretending to be sociopaths to get by.
Psychopathy as it is now understood tends to require TBI and poor frontal lobe development as a prerequisite, which probably would keep you out of the executive suite unless you literally inherited your position (so like Roger Goodell, although he strikes me more as just privileged and clueless than likely to have dismembered body parts in his freezer).
Another Holocene Human
@Tommy: The mob’s been taking advantage of this for years. Internal security sucks too. Though what is the difference between your average C-level exec in a publicly traded co in the US and a mafia baron these days? Where they go to church?
Another Holocene Human
@Schlemazel: Maybe the American public would change their mind if they became persuaded that all the money being funneled out by hackers was being used to finance terrorism.
Robert Sneddon
@Ruckus: In my own case in the UK making a credit or debit card purchase online throws me to a webpage run by the credit/debit card issuer where I have to enter a second partial-password (for example letters 3, 5 and 8 from a longer password) to verify the purchase at which point the card issuer sends a yes/no token to the merchant and the purchase goes through (or not). That means the merchant has my card number but doesn’t need to have the validation password, only the card issuer has that which reduces the threat of a merchant’s database being hacked. I don’t know if the same sort of verification step online applies in the US.
I don’t use one myself but other folks I know in the UK have a bank-issued chip reader they can use to query their bank accounts online, make payments, transfer money etc. They put their card in the reader, punch in their PIN and it reads the chip and generates a time-sensitive token that the login or transaction webpage asks for at some point. The token expires after a few minutes or on logout, further activity requires another token. My own bank logs IP addresses and they will email or phone me if my account is accessed repeatedly from other addresses. Occasionally they will phone me to verify activity anyway, especially if I’m moving large amounts of money around.
Ruckus
@Robert Sneddon:
Thanks!
That is what I had imagined, my bank uses a secondary pass key to allow access. It will send the pass key only to places that I have given them written access, cell phone text, email. I have purchased goods from the UK in the last year and it worked for me the same as it does here, plug in account number and exp date along with the code printed on the card (that’s real safe!). Using PayPal works the same as your chip cards, you get sent to PayPal and have to log in and approve the transaction, at which time they make a transfer from your bank account to the merchant. Of course that’s still one more place besides the bank that has your info. Banks offer bill pay and you could use that to send a merchant a check but that requires process time. Works OK for utility bills, etc but not for online purchases.
Villago Delenda Est
@Another Holocene Human:
They may go to church, but it’s for PR purposes only. They actually worship Mammon and Moloch.
? Martin
@Another Holocene Human: The various players were still fighting over getting on board until Congress started hauling them in for a chat after Target and after the Federal Reserve threatened to regulate them under their powers. Apple happened to be fairly far along with the banks at the time, and suddenly everyone jumped on board.
Apple got very lucky with the timing of things.
The Raven on the Hill
I don’t know why anyone would trust Apple with, well, anything they cared about.
There’s another group of guilty parties here: the various security agencies, in particular the NSA, which have worked very hard over the years to prevent the widespread deployment of effective internet security. They, of course, wanted to be able to run surveillance to protect us, but they never imagined that anyone else would walk through the doors they left open.
Croak!
The Raven on the Hill
And Bruce Schneier, who is an acknowledged expert in the field of computer security and who has probably forgotten more about the subject than I will ever know, agrees with me.
SWMBO
I have a son that’s disabled. When I went to get fingerprinted for the guardianship, they sent me back every year for three or four years because my fingerprints were blurry. The last time I was fingerprinted, they had the fingerprint expert for the region come do my prints. He tried several times and they were all blurry. Every single time. He finally wrote a letter to the court saying that this WAS my fingerprints and this is as good as it gets. Does this mean I can’t use my fingerprints for ID on my phone? What does someone like me do in a case like this?