In case any of you loyal readers missed it, KrebsOnSecurity.com and its author were featured in a 60 Minutes interview last night on the credit and debit card breaches that have hit countless retailers and consumers over the past year.
I spent more than a dozen hours with 60 Minutes producers, film crews and the host of this segment — CBS’s Bill Whitaker, so I’m glad they were able to use as much footage as they did. Leading up to the filming, the producer of the show asked some very incisive questions — some of which I didn’t know the answers to myself — and I was hoping the segment would address some of the less discussed issues that contribute to this epidemic of card breaches. But, alas, I hope to explore some of those questions in future posts.
A link to a video and transcript of the program is here.
Much of the segment was shot in a nearby hotel. The rest of it was filmed right in my living room. The 60 Minutes crew had so much camera, sound and lighting gear set up in that room that they actually had to put a ton of other equipment in our kitchen (see the admittedly blurry picture below).
I am not a brain surgeon, but to me there is a fairly easy solution to all these credit card number thefts.
Stop storing them.
Get the authorization and then get rid of the numbers once the authorization batch has been settled, and make all companies settle transactions once per day.
There is no reason that I can see why companies need to store the card numbers other than for ease of returns.
The crooks will just catch the card numbers in the terminals or in transit.
If you really want to solve the problem use public key crypto. Hardware built into the card itself would sign the transaction. The bank can validate it was my card that signed it and nothing is ever in the terminal or in transit that the criminal can use to produce false charges.
The crooks are not stealing the cards from databases, they are stealing them right from the terminals. Why bother with having to decrypt them when I can just RAM scrape them, then batch them and exfil them to my server?
These companies keep ignoring security, which is why it continues to happen. They either don’t patch, don’t monitor alerts or fail to use the right technology such as FireEye to catch breaches and block malware callbacks.
As a consumer I really don’t care if my card is stolen, I am not responsible for the fraud and the credit card companies pay me to use the card.
The banks pay you from money they charge the retailer, who adds this levy to the cost of the item you are buying. As money changes hands, the next pair of hands increases the cost a little more than the guy before them. The small retailers are suffering because they pay for you to have free money for using a credit card. The world doesn’t revolve around money, the world revolves on debt.
From where do the banks get the money they pay to defrauded card holders? Obviously from all their card holders. Ergo every single cardholder in the U.S. who is insured against fraud by their card issuing financial institution pays. The total fraud load is spread into the overhead of every financial institution and they in turn distribute it equally to all their card holders in the form of the fees that are charged.
What is FireEye going to do, alert you after the breach has occurred? I have seen better next generation solutions on the market and FireEye is okay, but it is certainly not a solution to the problem we are talking about.
So what other solutions are better?
Finding the solution to credit card theft is not the real problem. The real problem is the human nature problem. ;^)
People want convenience. At any cost.
Why not use cash? Then the only risk is counterfeiting & that’s a problem for the Secret Service.
“But I don’t want to use cash. It’s not convenient. Besides, you might get robbed!”
Yeah, you have to reach into your pocket & count it out, & that’s really tough! & BTW, you’re getting robbed anyway. & you’re contributing to cybercrime. ;^)
The real drawback is that you couldn’t shop online. Unless… wait a minute… you actually used the phone to put in orders.
Wow! Sometimes the way forward may be to go backward. Mmmmmh…
Maybe that’s because it’s human nature to always rush past the best (safest) solution to the next one with ever more features (riskiest), one that’s new (exciting), and promises to be free (which nothing is!) ;^)
Improve human nature & you change the world. Good luck! ;^)
Uh, even if you use the phone to make an online purchase you still have to supply a card number. Just saying.
Brilliant idea.
Great piece Brian. I enjoyed it very much.
Nice episode Brian! I read the transcript & watched the replay. One interesting tidbit is I have been trying to send money to a man in the Ukraine and both Western Union and Moneybookers will not do it! They refuse to send money there. The fraudulent card buyers and other people in the Ukraine clearly are an issue, at least for me, as sending money there is currently not possible. I’ll have to see how that plays out.
Thanks for the interesting note on the banks being the victims, I’m sure many people are going to chafe at that… they don’t like the banks to begin with.
Keep up the good work!
The best way to stop credit card theft is to stop allowing the payment processors to profit from the theft. Every time a stolen credit card is used, a payment processor collects triple the fees they would collect from a legitimate purchase, and they are not on the hook for any of the money. This is all indisputable fact, has never been challenged and still goes on today. There should be a law that forbids any company from legally profiting from credit card fraud. Once the payment processors can no longer profit they will increase security. Yes, the people who profit from the crime are also mostly in charge of securing the transactions.
Was nice seeing you on that. One thing that I thought needed to be mentioned that wasn’t: The segment seemed to focus on store card readers. Is the problem also apparent for online transactions, like Amazon?
Ruined by greedy CBS with a gaggle of ads.
When I viewed the segment on the CBS website, it started with a screen that said “Sponsored by Viagra”, which of course is incredibly funny/ironic given the subject matter of Spam Nation!
Yes, and the video keeps looping on this Viagra without actually going to the relevant video. Worse than having these disgusting pharmaceutical companies trying to inject their drugs onto people’s body, it is having to watch stupid ads like this one.
Great segment Brian! The whole nation has access to view 60 minutes, so it’s great that word is getting out on this major breach problem.
When I walked into the living room last night and saw you on the TV, I about dropped my water glass on the floor! Congrats on the big interview.
Well done!
Man I’m sad I missed it. I saw it was on and saw they were talking about the HD breach. I thought it was going to be more FUD like the one 20/20 did after the Target breach, so I turned. Wish I would have watched it now.
I saw the piece, thought it well done, and knew myself fortunate to be a Krebs follower and fan, and familiar with the story.
Thanks, Brian, for educating viewers and readers.
Very nice Brian. So often in those segments the real issues are ignored or distorted, but with your help I felt that the piece provided actually useful information that was accurate.
Well done.
Here’s a link to the 60M video: http://www.cbsnews.com/videos/what-happens-when-you-swipe-your-card/
Brian….A Star is “Born” (actually gets his place locked into the Cyber firmament)! Great job….you came off as totally professional, easy going, “Un-Nerdish” and a great all around Cyber resource. I’m sure you will get much deserved new business from this. I broke away from the Denver-Kansas City game just to see this segment….when I saw you were also one of the interviews I locked in until the entire segment finished. I was very happy with your comments, positive demeanor and the severity of the subject. You added many much needed assessments and clarity to the seriousness the topic. Thank You!
You are beautiful Krebs.
I want to make love with you.
It was a great segment, Brian! I thought it was well-done and informative in a way that the viewing public could understand.
Very informative and interesting. And may I add, you looked very handsome too! 🙂
Great segment! I’ve followed your work since the Washington Post column days and have always thought that a good part of your genius was that you could make obscure technical issues understandable to the average Joe. Last night’s appearance was no exception. You took a difficult subject and made it accessible to all of the viewers of 60 Minutes. The type of public awareness you provided will help tremendously in the effort to end cybercrime. You have reached far beyond the professional community that gathers here on the blog to get information to the general consumers who need to know it. That’s important stuff.
Brian… I think you should be the next President. If you can clean up the industry, just think what you can do for Our NATION! Everyone needs to read your book, Spam Nation. No pun intended. Great 60 Mins piece too. Thank YOU!!!!!
Hah! You couldn’t pay me to be president. To take nothing away from presidents current and past, but I think you have to be a bit crazy to want that job.
Great job Brian. The piece was informative and on point and a bit scary for the average Joe. It was interesting how the National Retail Federation responded. They have a point. We as banks share some of the blame because we’re issuing payment devices (cards) with 1970’s technology. Of course, as banks we cannot change things on our own without the merchants being ready to accept new payment mechanisms, but I had not thought about that before. As a community, we have to do more.
Great Job!
Nice segment! I am trying to find out how someone did the same thing to me. We need more awareness.
I found it interesting that the NRF pointed the blame for “fraud-prone cards” at the CARD companies. It’s been the retail federation that has been fighting the upgrades to EMV for a decade.
I also got a new ‘chip’ card from Chase today, replacing one that had fraud on it the day after Thanksgiving. Disappointed to see that it’s Chip and Signature and not even Chip and PIN capable…
This might have already been mentioned and if so my apologies. I too would like chip and PIN, but my banks are only offering chip and signature, citing that chip and PIN only helps when a person loses their card. Not sure how many cashiers actually check a signature on the card. I heard MasterCard is one of the few at this point rolling out chip and PIN, while others like Visa say chip and PIN costs them more compared to chip and signature. I also heard it may take another 3 years for most retailers to have their POS systems in compliance with chip and signature or PIN. At this point it’s better to have it and hope the retailer you shop at is one of the early adopters. I travel a fair amount to Asia and cards with chips, even ATM cards, are so common over there nowadays, at least in Hong Kong, Taiwan and Singapore.
Back when I carried a card… I’m a no carder now… I asked the lady checking stuff why cards were never checked for signature. She advised that the signature didn’t verify the card owner. So, I signed the scanner with “Horse Collar” and the purchase was processed without a problem.
Unfortunately it’s no longer on the Web, but some years ago the operator of the comedy site zug.com decided to see just how outlandish a signature he could get away with while using his credit card. He was verging on begging people to deny him, and he couldn’t make it happen. Eventually he did get turned down at–oh, the cheap irony!–Circuit City.
Brian;
If the banks and c/c processors wanted to stop fraud they would. Chip and PIN, chip and signature, fingerprint ID, whatever it takes.
The sad possibility is that in spite of low interchange fees, they stand to make the big bucks from the finance charges from undiscovered fraudulent charges.
And this would help HOW if the merchants refuse to upgrade their terminals (like they are currently dragging their feet, whining about the cost of upgrading the magstripe based terminals)?
@Christoph, it isn’t up to the merchants or the banks; the payment processors control and distribute the terminals, and since they profit every time someone uses a stolen credit card, what is their incentive to make the process more secure?
Nice job Brian. It is nice to see these topics making it into mainstream media. See you in about a month at the ICCS.
Very informative and interesting. In Europe we have had only chip cards for many years; terminals do not allow use of the magnetic stripe to pay if the card has a chip. But still we can’t block “magnetic transactions” in other countries. So EU stolen cards can’t be cashed out in Europe, but there is no problem in taking money from them in the USA/Brazil/Asia.
If only VISA/Mastercard would allow banks to limit transactions to One country, with “30 days tourist activation” option in case of overseas vacation…
Very informative…
Brian, the 60 Minutes piece was great! I’m thrilled that you’re gaining a wide, well deserved audience. By the way, your new book is so well done. I’m totally enjoying it!
Why couldn’t we have a smart card that sends the account number as usual, then is fed a nonce at the terminal, and has the card encrypt the nonce along with possibly the transaction amount using a private key that never leaves the card? Send that encrypted info to the bank server, which would then use the corresponding public key to prove the card is genuine and is present.
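The challenge-response scheme sketched in this comment (and in the earlier suggestion of a card-held private key that signs each transaction) as an added Go example; this is not code from the post or its commenters, and the curve, hash, message layout and the bank-side nonce bookkeeping are assumptions made here to make the idea concrete. The card signs the terminal's nonce plus the amount, the bank checks the signature against the public key it kept at issuance and refuses a nonce it has seen before, so a captured authorization cannot be replayed or re-priced.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)
// Card models the chip; its private key never leaves it. Assumed algorithm: ECDSA P-256 + SHA-256.
type Card struct{ Account string; priv *ecdsa.PrivateKey }
// Authorization is what the terminal forwards to the bank. A RAM scraper or sniffer that
// captures it gets nothing reusable: the signature covers a one-time nonce and this exact amount.
type Authorization struct {
	Account string
	Nonce   [16]byte
	Amount  uint64 // cents
	Sig     []byte // ASN.1 DER-encoded ECDSA signature
}
// digest binds account, nonce and amount into the single value that gets signed.
// Nonce and amount are fixed-width, so the concatenation cannot be re-split another way.
func digest(account string, nonce [16]byte, amount uint64) []byte {
	sum := sha256.Sum256(binary.BigEndian.AppendUint64(append([]byte(account), nonce[:]...), amount))
	return sum[:]
}
// Sign is the only operation the card exposes: sign the challenge it was fed.
func (c *Card) Sign(nonce [16]byte, amount uint64) (Authorization, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, digest(c.Account, nonce, amount))
	return Authorization{c.Account, nonce, amount, sig}, err
}
// Bank keeps each card's public key and every nonce it has already honoured (replay check).
type Bank struct{ keys map[string]*ecdsa.PublicKey; used map[[16]byte]bool }
func NewBank() *Bank { return &Bank{map[string]*ecdsa.PublicKey{}, map[[16]byte]bool{}} }
// Issue provisions a card: the key pair is generated for the card, only the public half is kept.
func (b *Bank) Issue(account string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	b.keys[account] = &priv.PublicKey
	return &Card{account, priv}, nil
}
// Challenge is the fresh nonce the terminal feeds to the card for one transaction.
func (b *Bank) Challenge() (n [16]byte, err error) { _, err = rand.Read(n[:]); return }
// Verify accepts only an unused nonce signed by the key issued for that account.
func (b *Bank) Verify(a Authorization) bool {
	pub, ok := b.keys[a.Account]
	if ok = ok && !b.used[a.Nonce] && ecdsa.VerifyASN1(pub, digest(a.Account, a.Nonce, a.Amount), a.Sig); ok {
		b.used[a.Nonce] = true
	}
	return ok
}
```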
Just wanted to say again, thanks for all the work you do and time you put in. I realize the thanks on donate would mean more but it’s been a lean, crappy year with a lot of life changes 😐
Very well done! Thank you for all that you do – year round.