Credit Union Geek

Marketing, Strategy, and The Force by Joe Winn

Tag: emv

A Merchant Breach Rant For You To Empathize

This CUbit is an extension of a comment I shared on a CUInsight article today. You can view the full story (and my comment) here. Background: Wendy’s appears to have experienced a POS (Point of Sale) breach sometime in the past, oh, few years. The malware (bad software) has crept around their systems and locations under the radar, only mentioned briefly in a corporate report and supported by credit unions seeing increased debit card fraud from members who frequented the chain.

I don’t eat at Wendy’s, so my cards are not compromised (by this breach, at least). But why should that make a difference? Just because you enjoy an occasional Frosty doesn’t mean you should have to watch your account for fraud. And, in all honesty, when faced with limited options, I’ll have their baked potato. Will I pay with plastic? Of course. Will millions of others? Sure.

If you read my posts regularly, you’ll know this isn’t the first one on merchant breaches. Nor will it be the last. At least with how they’re treated today. The onus on security is akin to me paying someone to watch my car, having it stolen, then the watcher just looking at me while shrugging their shoulders. When was the last time you heard about a card breach affecting the issuer? That’s right, almost never. Because they care about security. In fact, they have regulations mandating their adherence to stringent policies. Whether you’re Bank of America, our regional community bank, or one of thousands of credit unions, you protect card information. And given how rare an issue arises, I’d say you are all doing a great job.

(From this point, my original story comment is expanded upon, so if it looks familiar, that’s on purpose, and thank you for reading!)

My frustration isn’t with the credit unions. Not at all. It’s with the retailers. Wendy’s just happens to be the case in point today. Let me repeat what I’ve said before many times: We. Have. The. Technology. To. End. Breaches.

Between adopting EMV and contactless payment (Apple Pay, Android Pay, CU Wallet, etc.), we can have tokenized transactions at all purchases. This means your card number, unless physically lost/stolen, is impossible to be compromised. Even if the merchant’s system is crawling with malware. All the criminals get is a one-time use number (which is immediately identified as fraud when attempted again). The number you see on the piece of plastic never appears on their end.

Would new systems solve the problem? Mostly. But there are also an enormous amount of dangerous practices still being performed. Know anything about PCI compliance? No way these actions would pass. Now you want examples, so here are two I’ve experienced in just the past few weeks. The first came while I was with a friend getting his car serviced. This wasn’t at a mom-and-pop shop, rather, he went to one of the largest dealerships in the southeast United States. What did they do upon payment? They photocopied his credit card, front and back, to store with his service paperwork.

Let me repeat: They took a picture of his credit card. Then they put it in a glass office with hundreds of others, in full view of staff and customers. “We lock that office”, they said. Color me comforted.

Another crazy action occurred just two days ago at a hotel in Los Angeles. Upon check-in, hotels like to keep your card on file for incidentals (or if you decide to rock-star-style destroy the room). That’s fine, and there’s a proper way to do it. This Comfort Inn (again, big company which knows better) took an imprint and put it with the regular paperwork, under no lock and key.

And we wonder why breaches are so common (imagine their security on digital if that’s how they treat in-person).

Since merchants (especially multi-nationals) have little responsibility in the breaches (it’s not like we’ve heard credit unions talk about this before…), they are slow to make any changes. If they had to burden 100% of the breach costs, do you think we’d still have major merchants doing such dumb things with your information?

As a technologist, it’s incredibly frustrating to see event after event of preventable breaches occur, while those completely not in the wrong having to bear the costs (the Big 3, community banks, and credit unions all included).

Plus, who likes having to reset all of your automatic payments and online shopping accounts?

Image credit:[email protected]/11406986014/

Yeah, Another Hack

This isn’t the first CUbit you’ve read discussing a hack. Wasn’t the first about cars?

Well, there’s another high-profile hack to discuss today. This time, cyber criminals hit Starwood Hotels across the country. Starwood is the parent company, but I’m sure you’ll recognize Sheraton, Westin, even the Dolphin hotel at Walt Disney World. If you’ve stayed at any of these properties in the past year, keep an eye on your credit/debit cards.

How did they do it? “Who cares?” you say, “the data is already stolen, and it’s always the same thing.” To some extent, you’re right. Obviously, people looking to take your money gained access to your data somewhere down the line. What I consider important is the point on the line where it happens. First, kudos to the entire banking industry, since we almost never hear about leaks stemming from their end. Your security processes mean the low-hanging fruit for criminals is somewhere else. That “somewhere else” is at the point of sale. Malware (read: software made to do mean things) was installed on POS systems, so every card swiped could potentially be saved for later use.

I have a few issues with this type of hack, which tends to be a more common approach. The primary being: It’s completely avoidable!

That’s right. There’s no reason for any card information to be stolen in this way, ever again. We have two advances to thank:

1. EMV chips. You know that gold square on your card? It houses a computer chip which creates a one-time use card number and does some other voodoo along the way to increase security. However, it’s not always used! That chip (and the security that comes with it) only runs when you insert your card in the bottom slot, not when it’s swiped. Personally, I’d never swipe with an EMV card if at all possible. When I was in Peru, we ate at a restaurant where the server came to our table with the card machine. He inserted our EMV cards into the slot, right there. No one walked away with the card. That was the norm. As EMV cards become ubiquitous, this should be demanded here, too.

2. Mobile payment. Systems like Apple Pay and Android Pay bypass the attack vector of this hack as well. Like EMV, they pass a one-time use number to the system, and hold your card number close to the vest. On iPhones and some Android phones, they also require a fingerprint, further ensuring the person paying is actually you. These mobile payment platforms protect your data from everyone, sometimes to the chagrin of the merchants (who want that data for marketing purposes).

Bottom line: You’re going to see these hacks on a regular basis. Whether your information is part of the leaks is partially up to you. Are you using an EMV card, and doing so in the bottom slot, every time? Or did you add your cards to Apple Pay and “touch to pay” wherever you go?

No security is 100%, but by embracing the best tech we have (and mobile payment is awfully convenient, too), you can reduce the chances of needing to have your card replaced again and again.

Image credit:

© 2019 Credit Union Geek

Theme by Anders NorenUp ↑