31 December 2013
Credit and Debit Cards Are Junk
Date: Tue, 31 Dec 2013 08:43:05 -0600
From: Daniel Brandt
To: John Young
Subject: Credit card system update
The article below is a fairly good summary of the credit and debit card
situation, on and off the web.
Back at the ranch, CloudFlare is still unresponsive to my efforts to get
them to disconnect the major cybercriminal involved in marketing the Target
heist. However, CloudFlare's partner GlobalSign, which issues the SSL
certificates to CloudFlare, has disabled SSL on five of the perp's sites
at my request.
Unfortunately, this means that you can still use http:// to get there
and purchase the stolen data, but you can no longer use https://. (The "s"
in https:// stands for "security," and it means that your browser tries to
connect on port 443 and negotiate an encrypted session, instead of the standard
http port 80.)
One of the five sites (rescator.la) is no longer connecting at all, even
on http://. This was probably not CloudFlare's doing, since the other four
are still reachable through CloudFlare. If CloudFlare did arrange this, then
I feel that it is merely a cynical move by CloudFlare to defuse the issue
by disabling the one marketing site that got most of the press, while leaving
the others online.
I am pleased that GlobalSign responded. CloudFlare's CEO Matthew Prince boasted
earlier this month that in 2014 he plans to double the number of sites on
the web that use SSL. Perhaps he was thinking that GlobalSign would go along
with this idea. But now I hope that GlobalSign might think twice about this.
GlobalSign is one of the oldest Certificate Authorities (CA) on the web,
with offices in numerous countries, and they have a reputation to protect.
While CloudFlare could find some other CA to be its partner, it would not
be easy for CloudFlare itself to become a CA. That's because an effective
CA has to be recognized and listed internally by your browser. If it isn't,
your browser throws up a warning before it connects on https://. It takes
years for a CA to become established sufficiently on the web before most
browsers recognize it and bypass the warning. Older browsers may never recognize
a new CA even after years have passed. Webmasters shy away from SSL certificates
that throw up warnings, because that defeats the whole idea of SSL contributing
to the user's confidence in the site he is trying to visit.
The good news is that some in Congress are requesting a hearing on the Target
situation. In 2014 I think we can expect a new law to combat cybercrime,
and such a law would probably include U.S. "cloud" companies like CloudFlare.
If it doesn't, the law will be completely ineffective.
The Perils of Plastic: The Problems With Debit And Credit Cards Are Deeper
Than We Thought
By David Sobotta, December 31, 2013
One night, a decade ago, I was on a sales trip. My wife called me up to complain
about the $1,700 dinner that I had enjoyed in Bangkok. Of course she was
mostly concerned because she knew that I was in Washington, DC, not Thailand.
A copy of my credit card had made it there, however. The next day, someone
using my fake card tried to buy over $2,000 in antiques in Singapore.
Fortunately, the credit-card folks were on top of the situation and my only
real inconvenience was waiting a few days for a new credit card to show up.
That time I was a victim of one of the then-high-tech pocketable skimmers
that unscrupulous employees used while settling your bill at a restaurant.
That incident happened long after most businesses quit using carbon-copy
credit-card receipts where we had to worry about tearing up the copies that
carried our full card number.
Fast forward ten years, and things have gotten worse, not better. The New
York Times recently reported that Target is investigating a huge security
breach. According to a December 19 update on the Target problem by security
reporter Brian Krebs, as many as 40 million credit and debit card accounts
may have been impacted between Nov. 27 and Dec. 15, 2013. After first claiming
that ATM PINs weren't involved, Target later conceded they were stolen, too.
A Hack On Small-Town America
If you have read some of my articles on ReadWrite, you might know that I
live in a fairly rural area along the North Carolina coast. I have joked that
putting a hand-lettered sheet at the main intersection is a better way of
getting information broadcast in our county than Twitter.
Our area is one of those places where you likely recognize the cashier at
the grocery store, and in some places they even remember your name. It is not
a place that you think might be a target for high-tech crime, but it turns
out that we were an extremely inviting target for organized criminals.
A very large number of area residents were victimized in the last few months.
Some estimates suggest that hundreds of people in the area had their ATM
cards compromised in recent weeks. That is a lot of folks when the largest
town in the area has 3,600 year-round residents. The issue became very personal
when in the space of a week both my wife's and my ATM card numbers were
This came on top of a credit-card compromise that snared a rarely used card
just a month ago. In dealing with these situations, we got a lot of misleading
information. Multiple people who were helping us fix the problem claimed
that sophisticated new skimmers could read the magnetic stripe on your card
without it even being out of your pocket.
I did some research on the Internet and found the information available to
be almost as confusing. Just to make us feel better as we were trying to
understand the situation, we ordered some credit-card protector sleeves and
a couple of blocker cards that we could carry in our wallets. I suspected
these were useless, designed to protect the RFID-enabled cards that I don't
even have. However, when you have three card numbers stolen in a short space
of time, you start looking for solutions quickly and hope that something
What really shocked us was that our ATM cards which were compromised were
from a bank that does not even have a branch in the area. I only used my
card in the four local grocery stores and my ATM card never leaves my hand.
Also each time I was careful when using my PIN. My wife's card theft
was even scarier in that the only time she used it in months was for a small
transaction in the local US Post Office when she pulled out the wrong card.
Shortly after we finally resolved our issues with the bank, an article was
published in the local newspaper. It suggested that much of the card-number
theft might have happened with skimmers on gas pumps.
That was the final straw that convinced me that we were not hearing the full
story. I called the regional Secret Service office -- that agency is involved
in both protecting the President and investigating financial crimes -- and
talked to the agent that was handling the investigation. He confirmed my
suspicions: The problem is far worse than we imagined.
While there are no real answers yet in our area, it appears that some computer
systems have been compromised either at stores or in the companies handling
the processing of card transactions. In other words, a company involved in
the flow of payments has been hacked. It could be more than one company.
The computer hacking has exposed everyone whose cards are going through those
systems. The thieves are using the ATM card information in a way that does
not require the PINs.
As the agent explained it to me, what happens once the thieves have stolen
a bunch of numbers from a company is that they print gift cards with their
name on them and our billing information on the magnetic stripe. He said
they rarely bother with printing up credit cards anymore.
So here is what we have learned.
* ATM cards with their current security are too dangerous to use. The Secret
Service agent I talked to quit using his years ago. We no longer use ours.
They stay in a secure place in our home. If a thief gets your ATM card, they
can clean your bank account out and it can take weeks to fix the problem.
* Credit card issuers are smarter than regular banks when it comes to fraud.
When someone tried to do a $7.01 trial purchase using our compromised credit-card
number, we got an automated call from the credit card company 30 minutes
after the transaction because they thought it was fraud. The transaction
never went through.
* When someone tried a similar transaction with my compromised ATM card,
we caught it ourselves and called the bank. I had to fill out a fraud affidavit
and fax it back to the bank. It took 10 days to get back our money.
* The only reason a $1,400 fraudulent transaction did not go through on my
wife's compromised ATM card was that we only had $1,300 in the account.
* The standard response from the companies is that someone is reading your
card number while the card is still in your pocket. That is probably not
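Several of the incidents above (a Bangkok dinner charged while the cardholder was in Washington, a $7.01 "trial" purchase, a rarely used card suddenly carrying a large charge) are the kind of pattern an issuer's fraud screening can catch from the transaction stream alone. The following is an added example, not the article's or any card issuer's actual scoring logic: a small rule-based screener run over a constructed transaction log. Card references, timestamps, amounts, coordinates and thresholds are all illustrative assumptions.

```python
"""Rule-based screening of card transactions (added example, constructed data).

Three heuristics that an issuer might apply to consecutive transactions on
the same card: impossible travel, a small probe charge followed by a large
one, and a dormant card suddenly reactivated. Teaching example only; the
thresholds are assumptions, not any issuer's real parameters.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner speed; faster implies two cards in use
PROBE_MAX_AMOUNT = 10.0           # a "test" authorization is typically a few dollars
PROBE_RATIO = 20.0                # follow-up charge at least this many times the probe
PROBE_WINDOW = timedelta(hours=24)
DORMANT_GAP = timedelta(days=60)
DORMANT_MIN_AMOUNT = 100.0


@dataclass(frozen=True)
class Txn:
    card: str          # masked card reference (hypothetical)
    when: datetime     # UTC timestamp of the authorization
    amount: float      # USD
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(prev, cur):
    """Two authorizations farther apart than a traveller could cover in the time between them."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    # Clamp the gap to at least one second so simultaneous authorizations do not divide by zero.
    hours = max((cur.when - prev.when).total_seconds() / 3600, 1 / 3600)
    return dist / hours > MAX_PLAUSIBLE_SPEED_KMH


def small_probe_then_large(prev, cur):
    """A tiny charge (checking that the number works) quickly followed by a much larger one."""
    return (prev.amount <= PROBE_MAX_AMOUNT
            and cur.amount >= PROBE_RATIO * prev.amount
            and cur.when - prev.when <= PROBE_WINDOW)


def dormant_card_reactivated(prev, cur):
    """A card unused for months suddenly carries a sizeable charge."""
    return cur.when - prev.when >= DORMANT_GAP and cur.amount >= DORMANT_MIN_AMOUNT


RULES = [impossible_travel, small_probe_then_large, dormant_card_reactivated]


def screen(txns):
    """Return (card, rule_name, txn) for each consecutive pair of a card's transactions that trips a rule."""
    by_card = {}
    for t in txns:
        by_card.setdefault(t.card, []).append(t)
    alerts = []
    for card, items in by_card.items():
        items.sort(key=lambda t: t.when)
        for prev, cur in zip(items, items[1:]):
            for rule in RULES:
                if rule(prev, cur):
                    alerts.append((card, rule.__name__, cur))
    return alerts


# Constructed sample log; card references and coordinates are illustrative only.
SAMPLE_TXNS = [
    Txn("card-A", datetime(2013, 12, 1, 19, 0), 45.00, "Washington, DC", 38.9072, -77.0369),
    Txn("card-A", datetime(2013, 12, 2, 7, 30), 1700.00, "Bangkok", 13.7563, 100.5018),
    Txn("card-A", datetime(2013, 12, 3, 10, 0), 2000.00, "Singapore", 1.3521, 103.8198),
    Txn("card-B", datetime(2013, 12, 15, 12, 4), 7.01, "Morehead City, NC", 34.7229, -76.7260),
    Txn("card-B", datetime(2013, 12, 15, 12, 40), 340.00, "Morehead City, NC", 34.7229, -76.7260),
    Txn("card-C", datetime(2013, 10, 1, 9, 15), 12.00, "Beaufort, NC", 34.7182, -76.6638),
    Txn("card-C", datetime(2013, 12, 10, 16, 20), 650.00, "Beaufort, NC", 34.7182, -76.6638),
]


def alert_summary(txns=SAMPLE_TXNS):
    """Sorted, de-duplicated (card, rule) pairs from screen(), convenient for review."""
    return sorted({(card, rule) for card, rule, _ in screen(txns)})


if __name__ == "__main__":
    for card, rule, t in screen(SAMPLE_TXNS):
        print(f"{card}: {rule} on ${t.amount:.2f} at {t.city} ({t.when:%Y-%m-%d %H:%M} UTC)")
```

Each rule looks only at a card's previous and current authorization, which is why the Bangkok-to-Singapore leg on card-A raises nothing (1,400 km in 26 hours is ordinary travel) while the Washington-to-Bangkok leg does. Real issuers combine many more signals and score them rather than applying hard thresholds, but the shape of the check is the same: compare each new authorization with the card's own history and hold it for confirmation when the comparison is implausible.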
What We Can Do
I asked the Secret Service agent for some advice -- aside from just not using
ATM cards, period.
He said he always tests the card-reading device on a gas pump to make certain
it is part of the pump and not an attachment. He also looks for anything
suspicious before swiping his credit card in a store. He said if you must
use an ATM machine, you should only use a trusted one at your local bank.
The banks check those daily.
He also recommended checking your credit-card balances and your bank statement
as often as you can, probably once every 24 hours. He also confirmed the
online security precautions that most of us are already practicing such as
being very careful about downloading any software that you do not trust and
avoiding clicking on links that might be suspicious. He basically said that
you might as well accept the fact that your cards will be compromised and
be ready for it. He said his credit cards had been compromised a number of
We were lucky this time and did not lose any money. We have gone back to
cash now that our ATM cards have been replaced. The new ones have never been
used. I carry only two credit cards in my wallet and even though I suspect
the card sleeves do nothing for non-RFID cards, my two credit cards are in
As far as RFID cards, I am not interested in one. I have read about some
clever smartphone software that uses some of the newest smart phones to read
your RFID card information. I do not need more risks in my wallet.
Europeans do make use of chip-and-PIN cards. Those have their
own problems -- for starters, they're completely unsuitable for e-commerce
and mobile payments. And I suspect their protections don't help when the
thieves manage to crack into companies processing the transactions.
Right now cash sounds like a good low-tech solution to me. Maybe the banks
should start hiring more tellers if they're not going to fix this problem.