The Target breach will encourage the US to adopt EMV, but it’s not a magic bullet. However, the breach may have wider implications for the future of retail transactions than EMV adoption.
Target breach may have consequences beyond EMV
Tag: fraud
Are gift cards a present to fraudsters?
The BBC asked me to comment on the security of gift cards in connection with a story they were running on “You and Yours” (it’s about 35 minutes in if you are interested). The story was about a woman who had bought a gift card at Debenhams and given it to a relative. When the relative went to use the card, it was empty because it had already been used (in a series of transactions)
Defending cash
[Dave Birch] I was listening to a recent episode of Skepticality, about the TV show “Numb3rs”. The presenters were interviewing one of the writers about the making the show and they made a comment that caught my money-obsessed ear. The writers said that they had been researching a show about counterfeiting and during the course of this research they had copied a $20 bill on a photocopier to see how well it came out. Shortly thereafter they got a phone call from the US Treasury! The photocopier was online, and phones home when someone tries to copy money! (Incidentally, the Treasury guys weren’t very happy to hear the proposed plotline about the FBI investigating some counterfeiters because it’s the Secret Service — until 2002 part of the Treasury — who take care of that.) I thought they might be exaggerating, but it turns out that not only do some photocopiers have this feature built in to them, there are many printer drivers that won’t print scanned bills!!. Ever-vigilant for the cause of monetary trivia, I tried it out myself. I scanned a fiver and tried to print it, and I got this error message.
It’s always, always the same
[Dave Birch] One of the reasons why a digital identity infrastructure ought to be more than just building a big database of everyone and then letting everyone have access to it is that the infrastructure will inevitably be abused by those on the inside, no matter how much effort goes into keeping out the bad guys on the outside.
Missouri Citibank employee Brandon Wyatt… accused of tapping Citibank's computers for customer information, then using it to set up checking accounts online with competing banks, including Bank of America, Washington Mutual and AmTrust. Wyatt allegedly wire transferred customer funds from Citibank to the new accounts, then cashed them out with additional transfers, checks, debit card purchases and ATM withdrawals. His take, according to federal prosecutors in St. Louis, was at least $380,000.
[From Fed Blotter: Citibank Worker Allegedly Plunders Customer Accounts | Threat Level from Wired.com]
It's hard to see how you can stop this from happening completely in an economic way, but what you can do is make sure that there is an audit trail so that someone how decides to have a go at this kind of fraud has a reasonable expectation of being caught. Although I have to say that armed bank robbers have a reasonable expectation of being caught (and a reasonable expectation of a long sentence if they are caught) but they still do it. Anyway, my point is that if you take people personal data and put it in a honeypot, there is only one outcome. A database is not an infrastructure.
