December 1, 2014

In case any of you loyal readers missed it, KrebsOnSecurity.com and its author were featured in a 60 Minutes interview last night on the credit and debit card breaches that have hit countless retailers and consumers over the past year.


I spent more than a dozen hours with 60 Minutes producers, film crews and the host of this segment — CBS’s Bill Whitaker, so I’m glad they were able to use as much footage as they did. Leading up to the filming, the producer of the show asked some very incisive questions — some of which I didn’t know the answers to myself — and I was hoping the segment would address some of the less discussed issues that contribute to this epidemic of card breaches. But, alas, I hope to explore some of those questions in future posts.

A link to a video and transcript of the program is here.

Much of the segment was shot in a nearby hotel. The rest of it was filmed right in my living room. The 60 Minutes crew had so much camera, sound and lighting gear set up in that room that they actually had to put a ton of other equipment in our kitchen (see the admittedly blurry picture below).

Film crew working for CBS, in my kitchen.

65 thoughts on “KrebsOnSecurity on CBS’s ’60 Minutes’”

  1. mark

    I never seem to see stories about retail fuel sellers at-the-pump terminals and in-store terminals. Not one. Am I missing something, or is this one big elephant in the room that there is really no logic to seeing problems at pumps and fuel stations?

    1. mark

      PS I do think I remember one related story, actually one of Brian’s. But is it widespread or just local where people set up these mechanical skimmers and so it’s limited in some way?

    2. Tony

      Nightline has done a few stories on the pump card snatchers and I think some retail/ATM coverage.

    3. Neej

      Well you need to understand that most news these days is chosen to get eyes on screens not to serve some overarching public interest (although of course that interest can be served by the former occurring I suppose).

  2. Dirgster

    Brian, you are one intelligent fellow, and we are all so privileged to be able to read your blogs which are filled with excellent comments and advice. Seeing you on 60Minutes last Sunday was like knowing you personally. Keep up the good work!

  3. Tom Donlea

    Hilarious that Viagra sponsored the news spot on 60 Minutes in which you were featured. I’m about halfway through “Spam Nation” and I almost spit out my lunch when I saw that advertisement.

    1. Neej

      Hahaha, I’m not in the USA to watch the segment but that almost made me spray my coffee all over my desk through my nose 😀

  4. John

    Brian, I missed this, but will try to stream it. I saw you on BBC recently. Thought I’d let you know.

  5. Sally Shears

    Congratulations, Brian. That was a good piece overall, and your part was excellent.

  6. Maureen Hunt

    Loved your report on credit and debit card breaches; however, why didn’t you press the bank reps for an answer as to when they will replace cards with “chips” inserted instead of sending out replacements with the magnetic strips? They are spending millions replacing compromised cards. This can’t be that difficult or cost effective! Boo hoo about the $$ they are shelling out.

    1. Dave L

      Maureen, the magnetic stripe will remain on the back of the card for many years to come, even on chip cards. There is an October 2015 timeline in which there is a liability shift, so if the financial institution has issued a chip card and the merchant hasn’t upgraded their terminal to accept the card but has to use the magnetic stripe, the merchant will generally take the loss. But it will be years before all merchants replace their terminals, so retaining the magnetic stripe is necessary for customers to be able to continue to use their card.

  7. Larry

    “I was hoping the segment would address some of the less discussed issues that contribute to this epidemic of card breaches. But, alas…”

    Issues like what?

    1. Breeze

      Like how payment processing companies are allowed to profit from credit card fraud. Geeze nobody looks at the payment processors!

  8. Larry of the Traveling Morgans

    Great to see Brian get the publicity. He is providing a great service for all of us. I am not sure how Brian’s time is compensated, except for his book. I will buy it just to support his efforts in some way.

  9. Isma'il

    I have requested cards with chips embedded in them from card companies who currently provide them, and POS terminals where I shop are showing up with the “chipped” card slots. Yet, when I try to use the chip card slots instead of the mag-stripe reader, I’m informed by the clerk that either they’re non-functional or haven’t been programmed yet. My question, Brian, is why do retailers deploy these chip-card readers without them being ready for use? What can we do to pressure retailers to enable their functionality as soon as they’re in stores? I’d gladly use the chip-reader if it worked.

  10. DS

    @Isma’il The problem you have there isn’t that uncommon anywhere in the world. The card terminal is a computer in its own right. The firmware (OS) is often a Linux variant and is the same across the board. The actual software running on that OS layer is developed using either the core code given to the vendor if it’s a big vendor, or the vendor’s own code using the API layer given to them (given meaning under licence). Whatever the case is, any change or alteration (even changing logos on the device) will prevent it from working, because the manufacturer of the device AND Visa/Mastercard/AMEX AND the chosen merchant services provider all have to recertify the device and the code and all agree to allow it to work. The smaller vendors often have default setups with standard code, but have to pay a huge fee for the privilege. Different versions of the code allow for the services provider to lock out or not allow the use of some payment types or facilities.

    The recertification process can take months. My own employer changed to chip and pin earlier this year, but took over a year of testing the code and multiple recertifications until it was stable and reliable. The cost for doing this was huge too. You can understand that some small vendors are going to be unwilling to move to chip and pin if they don’t make enough money a year to pay the fees demanded by what amounts to a cartel of sorts.

    The basic code might allow a vendor to have a custom logo on the till receipt without the need for recertification, but that depends on the device and manufacturer.

    The benefit of using your own code on these devices is you can have a loyalty card scheme that scans card mag stripes and knows what it is. My last place of employment used such a system to handle staff purchases on a mag stripe card. The use of this card put discount on the purchases and allowed a budget of free food, and also the same card was used as a door access card and time card.

    I seldom use my card now because I use contactless payment in most places and tend to shop only in places that have adopted this method. I use my phone and most people use their bank card. The value of purchase is limited to £20, but it’s a good way to control spending too. Payment using this method is quicker because the transactions are not processed through merchant services until the end of the day, and it works out cheaper per transaction for the vendor as a result.

    I had an American enter my store yesterday and they tried to pay for their purchase. The problem was the young girl on the till at the time had never seen a mag swipe card and signature card before, and the rather elderly American had never heard of Chip and Pin or Contactless. Both looked lost – two people from different worlds. In defence of the girl, she has only been working for 2 weeks.

    1. Isma'il

      DS, I understand your points. However, one would think that retailers would have the infrastructure in place before installing the chip card readers. Doing it the other way around is akin to “putting the cart before the horse.” Let’s look at it from the European angle: Say you go to a Wal-Mart here in the US with your EMV card, but can’t use it because the terminal’s software isn’t installed, and therefore can’t pay for your purchases?

      IMHO, installing the readers before the system is ready is bass-ackwards. It’s almost as if retailers are paying the public lip-service by pretending to do something about the problem.

  11. Derek Currie

    The amount of bogus and ignorant garbage in the 60 Minutes presentation is astounding. I kept wanting Brian to step into the scene and say:

    “No, sorry. But you’re wrong. THIS is what’s happening.”

    Last February, I gave a presentation about the in-the-clear data problem with POS machines running Windows XP Embedded. Never was this fundamental source of the problem mentioned. Instead we got Corporate Oligarchy lies lies lies to hide their raw ignorance and incompetence. Astounding.

    Apart from the usual corporate ‘protect your butt’ manoeuvres, this also points out the worthlessness of having tech-ignorant journalists covering technology. How is 60 Minutes at CBS supposed to make a viable, useful presentation (which they did not) about ongoing credit card hacking and fraud when the journalists haven’t got a clue about what they’re presenting? It’s great to have Brian on the program and point out his role as watchdog. But why didn’t CBS read what Brian has written on his website in order to understand what is ACTUALLY going on? Instead, the journalists languished in ignorance, the corporates got away with covering their butts, and the viewers became utterly misinformed about the source of the problems. Ignorance was perpetrated by this program.

    This is the modern world where technology has become a black box so huge that criminals and lazy corporates can easily hide behind it leaving the tech ignorant public totally in the dark of the shadow of the black box. This MUST change.
