The Daily Star, Oneonta, NY - otsego county news, delaware county news, oneonta news, oneonta sports

May 3, 2008

Tech, G.P.: Credit card security needs upgrade


My daughter was in a store buying something the other day. When she tried to use her credit card, it was declined.

Not to be deterred, she pulled out another one, and that one worked fine.

After all, who has just one credit card anymore?

Wondering why the first one she tried was declined, she called the issuing bank.

She knew she hadn't missed any payments or gone over her limit, so why wouldn't it work?

It turns out that she shops at Hannaford, and earlier this year it was discovered that the supermarket chain had a data breach where millions of credit card numbers were gobbled up by bad guys.

My daughter's was one of them, and the bank had dutifully stopped the card from working so the bad guys (or maybe gals) couldn't use them. This is not a bad idea.

A bad idea is doing it without informing the cardholder. That's what they did.

And I've found out that my daughter wasn't the only local person embarrassed at the cash register this way.

Geez, guys, couldn't you have made a phone call when you cut off the card? Or even an automated phone call? After all, it's not rocket science.

They sent her a new card after she called them, but the process was, to say the least, not handled well.

I can imagine all the marketing people at Citibank cringing. Whoops! Did I say that name out loud? My bad.

Anyway, let's step back and cast a broader view toward the whole mess.

This may be the first data breach that was widely felt locally, but it is certainly not the first time credit card numbers have been stolen.

That's been going on a long time, and is not that surprising. After all, crooks are crooks, and they never stop trying.

But there are a couple big things about this particular breach.

The first is the overall size of it, 4.2 million unique credit card numbers. I think it ranks about No. 2 in the data breach hall of fame. It lasted from December to March before it was detected.

Another thing is that Hannaford appears to have been compliant with Payment Card Industry standards (that's the PCI standard to data-handling freaks). The PCI standard is the security standard to which the people who handle credit cards are held.

This fact should make your sky seem to be getting darker. If they were up to snuff on the standard, and still got robbed, just what does that mean? I think you may be getting the idea now.

Maybe the standard, or the process, just ain't that great.

Taking it a logical step further, maybe using credit cards is getting riskier. See where I'm going with this?

In a recent story in The Washington Post, Kevin Mandia, president of a company specializing in data breaches, said his firm responded to more credit card losses in the past year than in any previous 12-month period.

He goes on to say that the tempo of data breaches has been very heightened since the summer of 2007 and is maintaining the same barrage. "We're seeing at least two new companies a week discovering that they've lost credit card numbers, and at the rate we're going [the criminals] are going to exhaust U.S. retailers as targets."

Wonderful.

It makes me feel like finding the top person, whoever that is, in charge of the PCI standard, and going up to him and rapping my knuckles on top of his head several times. "Hello! Is anybody home?"

That would be a good way to start. Maybe it would get their attention.

Then I could go on with: "How about end-to-end encryption? Or how about completely separate networks for the credit cards, instead of running them across your malware-laden store networks?"

Somebody's got to do it, or we may all go back to using cash, or sending checks in the mail.

What a scary thought.

Bruce Endries is former systems manager at The Daily Star. He can be reached by e-mail at techgp@dailystarmail.com.