Thursday, March 20, 2014

Missing the (opportunity of) Target

You may have heard that some companies lost some credit card data recently.  I think it was in the news.  Come to think of it, a couple of weeks ago I featured a great guest post by Jeff Man on the topic.

In recent stories it has come out that some of the compromised companies “ignored thousands of alerts”, and many folks are heaping scorn and derision on the compromised companies because victim-blaming is easier than looking inward and securing their own stuff.  Also, unless we have a historical record of “normal” alert levels for these environments, and average false positive rates, with statistical deviation analysis- let’s not assume “X-thousand alerts” means a damned thing.  I generate thousands of alerts in my own lab playpens without even trying; I can’t imagine what kind of background noise a global retailer has.
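To make the baseline point concrete, here is an added example of mine (not code or data from the original post, and not data from any compromised company): constructed daily alert counts for a hypothetical SIEM, scored against their own history.  A raw total like 3,412 alerts tells you nothing until you know that this environment averages 3,400 a day; a sudden drop is as interesting as a spike (a sensor went quiet, or logs stopped arriving); and a rule that has never fired before is signal even when it fires once, which an aggregate count buries completely.  Rule names and the numbers are assumptions made up for the example.

```python
"""Why a raw alert count says little: baseline it first.

Constructed example: daily alert totals from a hypothetical SIEM, plus
per-rule counts, scored against a rolling baseline.  A day is interesting
when it deviates from its own history (in either direction), or when a rule
fires that has no history at all.
"""
import math
from statistics import mean, pstdev

# Constructed: 14 days of "normal" total alert volume for a busy environment
# (mean 3,400 per day).  Not real data.
HISTORY_TOTAL = [3200, 3450, 3100, 3900, 3600, 2950, 3300,
                 3750, 3400, 3050, 3650, 3500, 3150, 3600]

# Constructed per-rule history over the same 14 days.  Rule names are
# hypothetical.  "lateral.psexec" has never fired; its first occurrence is
# signal even though it is a single alert.
HISTORY_BY_RULE = {
    "av.generic":     [3020, 3230, 2900, 3690, 3410, 2750, 3095,
                       3555, 3200, 2840, 3460, 3300, 2940, 3410],
    "web.scanner":    [180, 220, 200, 210, 190, 200, 205,
                       195, 200, 210, 190, 200, 210, 190],
    "lateral.psexec": [0] * 14,
}


def baseline(counts):
    """Mean and population standard deviation of a count history."""
    return mean(counts), pstdev(counts)


def zscore(count, counts):
    """How many standard deviations today's count sits from its history."""
    mu, sigma = baseline(counts)
    if sigma == 0:
        # Flat history: any departure from it is unbounded surprise.  Return
        # +/-inf so callers can still apply a threshold instead of dividing
        # by zero.
        return 0.0 if count == mu else math.copysign(math.inf, count - mu)
    return (count - mu) / sigma


def assess_day(count, counts, threshold=3.0):
    """Verdict for a single count against its history.

    "spike"  : count is >= threshold sigmas above the mean
    "drop"   : count is >= threshold sigmas below the mean (quiet sensor,
               broken log pipeline, or someone silencing the source)
    "normal" : within the noise band
    """
    z = zscore(count, counts)
    if z >= threshold:
        return "spike"
    if z <= -threshold:
        return "drop"
    return "normal"


def assess_by_rule(today, history_by_rule, threshold=3.0):
    """Per-rule verdicts; a rule with no (non-zero) history is "new".

    This is the breakdown an aggregate count hides: the total can be
    perfectly normal while one low-volume rule is screaming.
    """
    verdicts = {}
    for rule, count in today.items():
        hist = history_by_rule.get(rule)
        if hist is None or not any(hist):
            verdicts[rule] = "new" if count > 0 else "normal"
            continue
        verdicts[rule] = assess_day(count, hist, threshold)
    return verdicts


if __name__ == "__main__":
    # Constructed "today" values for the demo.
    for total in (3412, 9800, 900):
        print(f"total={total:>5}  z={zscore(total, HISTORY_TOTAL):+6.2f}  "
              f"verdict={assess_day(total, HISTORY_TOTAL)}")
    today = {"av.generic": 3230, "web.scanner": 180, "lateral.psexec": 2}
    print(f"total={sum(today.values())}  "
          f"verdict={assess_day(sum(today.values()), HISTORY_TOTAL)}")
    for rule, verdict in assess_by_rule(today, HISTORY_BY_RULE).items():
        print(f"  {rule:<16} count={today[rule]:>5}  verdict={verdict}")
```

The third scenario is the one that matters for the “thousands of alerts” argument: a day of 3,412 alerts is normal for this environment and the total says nothing, yet the per-rule view surfaces two alerts from a rule that has never fired.  A threshold of three sigmas is a starting point, not a law; the honest answer to “is X thousand alerts a lot?” is “compared to what?”, and that requires keeping the history in the first place.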

Oh, and millions of people had cards compromised.  And the impact on the vast majority was nothing.  At least nothing more than getting a new card in the mail.  The payment card security system is, in my opinion, badly broken- but it functioned as designed, and consumers were protected (in that the built-in margins designed to cover fraud covered the fraud to protect the consumers).

There has, of course, been a renewed cry for chip and pin cards to replace the US-only magnetic stripe cards of antiquity we cling to.  And, of course, the expected backlash: chip and pin is an imperfect solution, and thus not worth the effort- forget that getting a little better tomorrow is still a laudable (and arguably the only viable) goal.

And all of this misses a huge opportunity.  An opportunity to make consumers like me happy.  I understand that I am not normal, on a bewildering array of scales of normalcy, but I’m not alone in traveling outside of North America.  I have found myself in subway and train stations late at night, across Europe, with a pocketful of useless US credit cards and no way to buy a ticket without a chip and pin card, the standard for most of the rest of the world.  That’s just plain stupid.

I’ve been plenty of other places where my retro-tech US cards didn’t work, but the “late at night in a transit station” one REALLY sucks.  Now there’s word that we’ll finally start moving away from the old magnetic stripe cards… and the latest is that we will get “chip and signature”, not chip and pin- so much for compatibility.

What we have is an opportunity to make customers and some merchants happier by standardizing technology across the globe- and we could slide a little increase in security into the process at the same time.  But noooooo.  The payment card industry gets it wrong, again.

Glad we never miss opportunities like that in InfoSec.