Credit Cards With Increased Security, Work Offline

For years countries outside the United States have used a system called EMV for their credit cards. The short version is that there is a chip inside the card that authenticates the transaction, plus the users has to enter a PIN instead of signing the receipt*. This has some major benefits. The biggest is security, and after the Target credit card leak I think that's becoming more important to everyone. If someone steals your credit card number, they'll still need your PIN to make charges.

It is far less of an issue with ubiquitous broadband like we have in the States, but this new technology also works offline. This should cut back on the days of shops "not taking credit cards today because the system is down."

Visa and MasterCard are making the switch in October 2015; I plan to get my hands on this as soon as my bank and credit card company offer it.

*There are limitations to the PIN usage. The way the PIN is processed depends on the card reader, and there will be a period of time where the infrastructure hasn't caught up with the new system.

Target Credit Card Breach

The breach of data from Target (along with Neiman Marcus and reportedly a few more) seems to be getting worse by the day. There are some things I find highly concerning.

First, some facts.

  1. Attacks started on November 27, 2013 (just in time for Black Friday).
  2. The attack went unnoticed until December 15, 2013, over two weeks later.
  3. Hackers got names, addresses, email addresses, and phone numbers of 70 million people; 11GB of data total.
  4. Siphoned data has been sent to Russia and who knows where else from there.
  5. Attackers used a RAM scraper to capture un-encrypted data from point-of-sale systems after the credit card swipe, but before it was encrypted and sent to a central location for routing to the credit card companies.
  6. Target and Neiman Marcus both passed all annual compliance testing for their handling of credit card data by the credit card industry standard (PCI-DSS).
  7. A similar attack happened in 2005.

Why does this keep happening?

The short answer is pretty simple, as disappointing as it is. The industry standard is subpar, retailers are too cheap to upgrade, and people are frequently reactive in nature. Now there's something to react to, let's see if it works.

So let's break that down. The standards exist, but they're too weak. In fact, these retailers passed their most recent annual inspection, though the post-crisis analysis shows they're no longer in compliance. Seems like a pretty obvious solution - there needs to be constant monitoring for compliance. 

Even constantly being compliant will not suffice though, case and point:

In August 2006, Wal-Mart was also certified PCI-compliant while unknown attackers were lurking on its network. [Emphases is mine.]

So what needs to change? Two excerpts caught my eye:

PCI standards don’t require companies to encrypt card data while in transit either on the company’s internal network or on its way to a processor, as long as the transmission is over a private network.

Target was likely using such a secure channel within its network to transmit unencrypted card data. But that wasn’t good enough. The attackers simply adapted by employing a RAM scraper to grab the data in the point-of-sale device’s memory, where it was not secured.

To overcome these obstacles, there needs to be an unbiased third party to write the new compliance standard. This new standard needs to be written with the understanding that retailers can and will opt for the bare minimum implementation that meets the standard; they have very little incentive to do otherwise (sadly caring for their customers isn't nearly as profitable as appearing to care for their customers). This means adopting the already-circulating EMV card standard and end-to-end encryption on payment systems. 

There is no silver bullet. It's a general rule of thumb that hackers will always be one step ahead of security. With the right measures in place, we just might be able to catch the leak after 70 credit cards are stolen rather than 70 million. I am also not a security expert, but when flaws are this glaringly obvious people have the right to be outraged.

Your Phone is Divulging More Information Than You Think

It is no secret that the NSA is, or is at least capable of, tracking your every move. Many people also realize that advertisers have a lot more access to tracking you than you'd think (or like), but most people do not.

Your phone is constantly connected to cellular towers, scanning for WiFi, and in some cases searching for Bluetooth. To make wireless connections, a handshake of sorts has to take place. This handshake includes some indentifiers to tell the source who you are. This information isn't your name or email address, but a MAC address is unique enough to pretty easily trace you as an individual.

Combine that with using free WiFi to log into Facebook or Twitter, and you've just told an advertiser your name, email address, and MAC address. Any other hotspot you walk by or log into knows exactly who you are, what your internet browsing habits are, and even when you've been. This technology allows companies to know a lot about you.

"Locations have meanings," says Eloise Gratton, a privacy lawyer. Marketers can infer that a person has a certain disease from their Internet searches. A geolocation company can actually see the person visiting the doctor, "making the inference that the individual has this disease probably even more accurate," she says.

It doesn't stop here though. Once the data is collected, it is immensely valuable, why else would it be collected? The sale of the data is often more concerning than the collection of it.

Viasense Inc., another Toronto startup, is building detailed dossiers of people's lifestyles by merging location data with those from other sources, including marketing firms. The company follows between 3 million and 6 million devices each day in a 400-kilometer radius surrounding Toronto. It buys bulk phone-signal data from Canada's national cellphone carriers. Viasense's algorithms then break those users into lifestyle categories based on their daily travels, which it says it can track down to the square meter.

I added the emphasis myself to highlight how prevalent this is. We aren't talking about shady back-alley operations here, this data is bought and sold by major corporations including your cell phone provider that can pin point your exact location at any time any day since you signed up for the service.

This isn't to say that there is no potential benefit to being tracked. There are some regulations on what is bought and sold and to whom, though the laws tend to lag the technology. There is some upside to this data being available to advertisers. For ages we have considered ads to be annoyances. This largely stems from the fact that ads are generic and meant for large audiences. However, we're all consumers, we all buy things, so what if the ads we got were genuinely meaningful and saved us money on things we need or want? These highly specific targeted ads are only possible if the advertiser knows a creepy amount about you.

There is no substitute for being educated to understand what you're sharing and when.