There was a time when “activist investor” Carl Icahn actually owned and ran businesses, one of which was TransWorld Airlines (TWA), eventually sold to American Airlines. In an attempt to cut costs, TWA under Icahn outsourced reservation service to a call center built in a prison with prisoners on the phone. When you called to book travel you were giving your credit card number to a felon and telling him when you’d be away from home. Smart move, Carl, and very akin to what may have caused the post-Thanksgiving theft of 40 million credit card numbers from Target, the U.S. discount retailer.
Target used to do its IT all in the USA, then to save costs they moved IT to a subsidiary in India. Care to guess where the Target data breach came from? I’m guessing India. I’m also guessing that there will never be any arrests in the case.
It could have started anywhere, I suppose. Certainly there are plenty of thieves in the USA. But the possible link to offshoring can’t be ignored. Most big U.S. corporations have some IT work being done offshore. This greatly limits oversight and introduces huge new risks to their businesses — risks that are consistently underestimated or even ignored. The data that runs these businesses and most of their financial transactions are in the hands of workers over whom the American customer has little management control and almost no legal protection. Even verifying skills or doing real background checks is difficult.
But offshoring is far from Target’s only mistake. Target CIO Beth Jacob, whose background is in operations, not IT, told ZDNet last month that Target was especially proud of its quick customer point-of-sale (POS) experience. That suggests a lot of IT attention to POS, which of course is exactly where the credit cards were grabbed.
Mary Alyce, my young and lovely wife, was in our local Target store yesterday and saw them replacing every POS terminal in the place. No pun intended.
Let’s guess what actually happened at Target sometime around November 15th. There are a couple of concepts in the management of IT systems that are relevant here. The first is configuration management: managing how the components of your IT shop are installed, configured, etc. The second is change management: how you manage changes to those configurations. While both concepts are important and critical to an operation like Target, it is an area where tools are sorely lacking. For either to work well there needs to be an independent process of verification and checking: if you changed something, did the change work? Was a device or system changed outside of the change process? While it is great to tout good processes, ITIL, etc., you can’t assume people will do their jobs perfectly or follow the processes to the letter. There will be mistakes and, sadly, there will be mischief. How do you know when this happens? At Target I’m guessing they didn’t know until it was already too late.
Someone probably made an out-of-process change to Target’s POS system and nobody noticed.
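As an added illustration of the verification step described above (not code from the post or from Target): a small Python check that reconciles what each terminal reports against the configuration baseline and the approved-change ledger, flagging approved changes that never landed and changes that no ticket authorised. Hostnames, ticket numbers, timestamps and firmware hashes are constructed sample data.

```python
"""Configuration-drift check for a fleet of POS terminals.

Added example for this post, not Target's tooling. Hostnames, ticket
numbers, timestamps and firmware hashes are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Change:
    """One approved change-management record."""
    ticket: str          # ticket that authorised the change
    host: str
    new_firmware: str    # firmware hash the host should run afterwards
    window_start: datetime
    window_end: datetime


# Configuration management: the firmware each terminal is supposed to run.
BASELINE = {
    "pos-0101-reg03": "fw-sha256:aaaa1111",
    "pos-0101-reg04": "fw-sha256:aaaa1111",
    "pos-0102-reg01": "fw-sha256:aaaa1111",
    "pos-0102-reg02": "fw-sha256:aaaa1111",
    "pos-0102-reg03": "fw-sha256:aaaa1111",
}

# Change management: the only changes that went through the process.
CHANGES = [
    Change("CHG-0042", "pos-0101-reg03", "fw-sha256:bbbb2222",
           datetime(2013, 11, 14, 2, 0), datetime(2013, 11, 14, 5, 0)),
    Change("CHG-0043", "pos-0101-reg04", "fw-sha256:bbbb2222",
           datetime(2013, 11, 14, 2, 0), datetime(2013, 11, 14, 5, 0)),
]

# Independent verification: what an inventory agent actually saw on each
# terminal, with the time of the last firmware write (constructed).
OBSERVED = {
    "pos-0101-reg03": ("fw-sha256:bbbb2222", datetime(2013, 11, 14, 3, 12)),
    "pos-0101-reg04": ("fw-sha256:aaaa1111", datetime(2013, 10, 1, 1, 0)),
    "pos-0102-reg01": ("fw-sha256:cccc3333", datetime(2013, 11, 15, 23, 40)),
    "pos-0102-reg02": ("fw-sha256:bbbb2222", datetime(2013, 11, 15, 23, 41)),
}


def verify(baseline, changes, observed):
    """Reconcile observed state against baseline plus approved changes.

    Returns (host, finding) pairs answering the two questions in the post:
    did each approved change actually work, and was anything changed
    outside of the change process?
    """
    findings = []
    approved = {c.host: c for c in changes}
    for host, expected in baseline.items():
        if host not in observed:
            findings.append((host, "NOT_REPORTING"))      # cannot verify at all
            continue
        actual, changed_at = observed[host]
        change = approved.get(host)
        if change is None:
            # No ticket for this host: any difference is an out-of-process change.
            if actual != expected:
                findings.append((host, "OUT_OF_PROCESS_CHANGE"))
        elif actual == expected:
            findings.append((host, "APPROVED_CHANGE_NOT_APPLIED"))
        elif actual != change.new_firmware:
            # Something changed, but not to what the ticket authorised.
            findings.append((host, "OUT_OF_PROCESS_CHANGE"))
        elif not change.window_start <= changed_at <= change.window_end:
            findings.append((host, "CHANGE_OUTSIDE_WINDOW"))
    return findings


if __name__ == "__main__":
    for host, finding in verify(BASELINE, CHANGES, OBSERVED):
        print(f"{host}: {finding}")
```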
This is an excellent example of why not everything in your IT shop should have access to the Internet. Clearly Target’s POS terminals had access to the Internet. If they had been on a secured private internal network, this crisis might not have been possible. Just because a machine has an Ethernet connection doesn’t mean it should have connectivity to the Internet.
One final question: Where is the NSA in all this? Are they using all their technology to investigate and deal with this crisis? I don’t think so. This attack on Target is nothing less than a major cyber attack on the USA banking system. Show me the metadata!
Another question is why EMV/chip cards have not been embraced by US issuers? They’ve been proven to cut fraud to minimal levels and are unfeasible to clone.
Huge breaches every couple of years from supposedly PCI DSS compliant organizations show that the ancient magstripe cards must be retired ASAP.
It’s trivial to clone these cards nowadays; there’s even a startup, “Coin”, touting a hardware solution that allows you to change the magstripe on the fly.
I’ve ordered one, can’t wait to load a few of these stolen cards up and go shopping!
The link to the POS is reasonable speculation but at this point speculating re outsourcing as the avenue or cause is irresponsible.
Except for the fact that U.S. companies have less legal protection, control and insight into how their data is being handled, and into the myriad of suppliers and support service businesses involved, than if it were all happening in the United States, or a country with a similar legal system, culture and language.
“…speculating re outsourcing as the avenue or cause is irresponsible” Really? Surely not considering the type and size of theft involved. [Baffled] ? [/Baffled]
Irresponsible to speculate that outsourcing caused this??? I think it is irresponsible to willy-nilly outsource sensitive data. Yikes. You are off base!
Well pointed Wilson, this article was just plain prejudice.
Having the highest prison population in the world (more than 1 in 100) the US is the agent, not the victim of the majority of data theft in the world, and yes, even your government does that.
Why do you think the POS devices are not on a private LAN? How does a private LAN make them safe?
The attacker needs access to a system with internet access that has access to those systems… maybe even passing through multiple hops/firewalls/ssh tunnels..
Sure, you can ask for an “air gap”, but then how do remote workers access the devices? One solution is they don’t: to update firmware or make any changes you must be physically at the POS device. It’s still possible the data was intercepted somewhere other than the POS terminal (central router/server?).
How much harm will Target (or the CC companies) feel due to this breach? Probably not much. Until it’s higher than the cost of developing a more secure system, nothing will change.
If the early news accounts are correct, a virus was installed on most of the POS terminals in most of the stores. The credit card information was captured at the terminals and communicated to the perpetrators. This involved most of their 1900 stores. It would have been logistically difficult to have intercepted the traffic in another way. They found a way for the POS terminals to send the data over the Internet. So in this case the “air gap” would have been a solid protection.
More important — why do the POS terminals, why do the sales management computers in the stores need any access to the Internet? Why do any of the financial transaction systems in a business like Target, or a bank, or… need any access to the Internet? The ONLY thing that MAY need access is the service by which card payments are processed with the bank. That can be done on a protected connection. If none of your business systems can access the Internet, you’ve eliminated the easiest way for criminals to reach your business data.
But all those hops across the private network or networks introduce latency at the point of sale. Didn’t Target’s CIO just tout how awesome it was that they’d focused on reducing latency? If it turns out that in the process of doing so, Target’s POS systems were directly connected to banking systems through the internet (in the interest of speed over security) heads should roll.
“Why do you think the POS devices are not on a private LAN?” I think Bob jumped to that conclusion since Target was seen replacing them at one store soon after the data breach. Of course, he may have had other sources as well, but wanted to give his wife credit for the discovery. 🙂
Every time I read about how wonderful it will be to store or process data in the cloud, I always wonder. Wonderful for who? The hackers who are able to steal masses of confidential data? The governments that are able to access masses of confidential data? I wonder, wonder, wonder.
I remember hearing a speech by Bill Gates sometime around the release of Windows 95 where he basically spelled out what is now known as “the cloud.” His argument was that there was no way people could store and manage their own data, nor were there enough IT professionals willing to maintain computers for regular people. Over the years I’ve maintained PCs for friends and family, sometimes taking money, usually not. But the business model falls into 3 camps: one on one cash under the table, Geek Squad high dollar bricks and mortar, or online and cloud systems. I have nothing against any of the models, but you gets what you pays for. If these sorts of shenanigans continue maybe the masses will wake up and realize it’s worth a couple of bucks more to keep your privacy.
Gates was right. But not about individuals needing help storing their data. That is trivially easy. It is IT departments that need cloud services.
How many of you have worked in corporate IT? If you have, you know that nearly every system out there is archaic and barely functional. Most of the staff are complete idiots. Large and small, these systems survive because a small handful of competent staff can troubleshoot the constant stream of problems.
I’ve worked at dozens of these places. One insurance company actually had programmers who couldn’t figure out how to use Windows. Yet no one would fire them. No kidding, folks. Anything that cloud systems can do to simplify and reduce the need for these apes would be an improvement.
Many of these systems were decades in the making, are core to the proper functioning of these organizations, and (for all of their faults) their organizational, operational, and security foundations put things like Windows to shame. Having worked on many of these systems myself over the years, the bigger problem that I’ve run into is that the younger crowd is often totally unwilling and/or completely unable to mentally grasp these systems – and if it’s not chock full of eye-candy and whatever the latest fashion in computer software design happens to be at the moment, then they won’t touch it. (One article I read not long ago complained that the younger crowd usually doesn’t want to work on anything more than six months old, and often doesn’t want to stick around for more than six months or so anyway.) So it falls to the grown-ups (or “apes” as you call them) to keep things running.
BTW, not only do those “apes” have well-earned skill-sets that you probably can’t even begin to comprehend, they have job security that you will probably never have (as you yourself point out) and probably also a paycheck to match.
There are two problems with chip and pin. The first is that I can’t remember that many pins so either I’d need to use the same ones across multiple cards or cut back. I only have two credit cards (one is a backup) plus a debit plus another debit for health savings. I’d need to go from remembering two pins to four. Most people have far more cards than I do. (Don’t forget all the other access codes, passwords to password managers etc I have to already remember.)
The second is I’ll avoid using them as much as possible. If any fraud does happen I’ll be the one that is out the money. The banks will claim that only my pin can be used, therefore I must have given it to someone. You are completely and utterly screwed. You may be thinking that banks wouldn’t take that blame the customer approach, but exactly that happened in the UK. They essentially claimed their systems were perfect therefore it was the customers at fault. They were wrong: https://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/
I’m sure the US is different than Canada, but we’ve had chip and PIN for several years. In October, my wife and I went on honeymoon to Florida. A couple of days after I got home, I received a call from my bank asking if I was at a Target in Florida using my credit card (obviously I was not). Long story short, your bank will still not make you pay for fraudulent purchases even if you have chip/PIN. I’m guessing my card got skimmed or the number copied when I gave it to a server at a restaurant; if the US actually used the chip/PIN, it would have been useless to the thief.
All that said, I have read articles where chip/PIN is easy enough to circumvent too.
Joel
Target doesn’t use Chip & Pin terminals so the issue didn’t come up. If a chip and pin terminal had been used you would have found yourself having to prove your innocence rather than the bank having to prove your guilt.
Suspect the card reader firmware was hacked to allow the perps access to the credit card data before it was encrypted. Perhaps storing the card data on the reader to be retrieved later. The newer card reader/signature capture devices are much more like a PC than the older magnetic stripe only readers. The new units encrypt the card data on the device before it is transmitted over the network. That’s how it works in Canada anyway.
Where’s the NSA? They may very well have had people that are part of the scam…..based on the recent RSA revelations, US Companies can’t be trusted and next are UK and Canadian tech firms.
What is the connection between internet connected POS terminals (located in the US) and outsourced operations in India?
Most of Target’s IT is being done from India. A large retailer like Target is updating the price files on their store systems daily. The IT group maintains the software that runs the POS terminals and the software applications that run the business. If something is not working in a store, they try to fix it remotely. The IT group has access to almost every aspect of the firm’s computer systems and networks.
When Target moved its IT operations to India, they put 8,400 miles, 11.5 time zones, and huge cultural differences between its corporate management and the people that run its data systems. As Bob hinted in his column, an operation like Target needs solid operational processes in how it manages its IT shop. In the best of circumstances, putting that much separation between HQ and IT makes it hard to do things properly. The risk of slip-ups is enormous.
If you were paid $5 an hour and someone offered you $1000 to help plant a virus in a network of POS terminals, would you be tempted? Worse, if you were good enough to write the virus how hard would it be for you to get an IT job in India? Target could have very well hired the people that did them in.
We don’t know for sure if the problem came from India. The point is off-shoring one’s IT presents many new and terrible risks. Why is IBM having so many customer sat problems — they’ve off-shored most of the IT support.
One more point — if you take a close look at a typical POS terminal, you will often find an embedded version of Windows running it. If it’s not Windows it is running another well understood OS. To write a virus to do what happened at Target does not require rocket science. The trick was to get it installed on every POS terminal in the company. That too is not difficult if the IT processes are weak.
My laptop has a button on it for turning on or off the wifi link, which is my prime way for getting on to the internet.
Would it be wrong to have some kind of electro-mechanical switches on every device for access onto and off of the internet? The switch could be turned manually, or by hitting the return key, or by device born code?
I know that doesn’t stop hacking, but it might create more of a head wind – like washing your hands frequently and using hand sanitizers to reduce the likelihood or frequency of catching a cold. Then again, maybe this already happens. But just because you can drive a car up to your garage doesn’t mean you don’t have to open a garage door to enter into your house.
You could have several doors, like “Get Smart”, some that during a full on attack, can only be operated manually.
“Get Smart” 🙂
Just to bust some misinformation about emv/chip and pin.
You do not have to always enter your PIN when doing an EMV transaction; the acquirer can allow the merchant to do a transaction without the PIN. This is normally for low value transactions. This has been common in Australian supermarkets for a few years now.
The laws in the UK are different from other countries. So any of Ross Anderson’s research around the topic needs to be taken with a grain of salt; the conclusions are normally very UK centric and don’t apply to other countries (i.e. the US).
It is painful for banks to switch to EMV, as it should be. The US banks have for years been delaying upgrading their financial systems to secure solutions and as such are getting bitten.
It is proven that implementing EMV reduces fraud.
Have you heard of a dump of card details out the euro area?
PINs are a pain, but I would prefer having to enter a PIN with an EMV card than trusting a negligent retailer.
I live in Canada and France. On a recent trip to the US I was surprised that my card had to be swiped most of the time (instead of the chip/PIN method.) I’m curious why the US of all places is behind on this?
Roger writes that he’ll be liable if his chip card is misused. I don’t spend much time reading fine print, but I don’t think the TOS of my cards changed significantly when they all switched to chips a few years ago.
Clearly this breach had been planned for a while – it’s no coincidence that it happened on the biggest shopping season in the US. This wasn’t a casual attack and all the information so far (and the lack of information – the stuff that they are not saying) points to a breach that was carefully planned and executed. Whoever did this has done it before – I would be very surprised if we ever find out who organized it, or if by chance we do finger the perpetrator, we say anything.
This may speed up the introduction of chip and pin to the US but even chip and pin is probably only a temporary speed bump in the road for this type of theft. Chip and pin simply raises the bar and if you have corporate or state level resources (DPRK etc) then cloning chip and pin on this scale is probably not a huge problem. I’m not being paranoid about this, just trying to think down the road a little.
I wonder what the full fallout of the timing of this incident will be… Will Target survive the aftermath? Worse?
No consumer-level payment system is or will be protected against a state-level threat. It’s just not worth the effort to do it.
The threat model is focussed on this kind of mass breach by organized crime, compromising a single emv card is feasible given time, money and resources, compromising many? Infeasible.
An EMV/chip card contains public keys for verifying account data and symmetric keys for generation of dynamic CVC codes.
The idea is to use the chip to generate transaction unique data to secure and allow for verification. A magnetic stripe just cannot do this.
A state actor would not steal a typical consumer’s money; your nuclear codes, mistresses’ details, that’s what they want.
You can print money when you’re the state (even North Korea).
Many states have some amount of their cash reserves in US dollars or Euros, or the currency of other states. There are many good reasons for this. If you are a rouge nation, then having currency of other nations makes it easier for you to buy things you shouldn’t be buying. If a company asked to buy a centrifuge from you in North Korean won, you’d probably say no. If they appeared to be a western country paying in US dollars, you’d probably accept the sale. Now, is cyber crime a good way for a nation to raise foreign currency? NO. But there is a bigger problem.
The same people who are helping nations find ways to penetrate networks are now selling their know how to criminals. You can now purchase tested, working exploits to get past firewalls, to infect smart phones, etc. Let’s face reality here. When cyber criminals can compromise Target, few firms are safe. Target was the victim this month. It could have been almost anyone. The USA credit card systems are no longer safe.
Sorry. your typo made me laugh!
“If you are a rouge nation,..”
I’m assuming you meant ‘rogue’, not ‘pinko liberal Marxist’.. 🙂
Imagine the confusion if he’d said “rouge state”. You’d have to wonder if they meant red states or states that use a lot of make-up!
So isn’t the first question to find out who makes the POS for Target? I’d like to find a manual on it.
If the POS was compromised (and I’m 90% sure it was), how did the firmware get updated? Sure seems that it had to come from inside unless Target was dumb enough to allow firmware updates over the Internet.
Found my own answer:
Target utilizes its own in-house point of sale system that has been developed by its IT department, Target Technology Services. Each store has its own servers capable of running about 30 registers and these are supported by a third party IT services provider who have technicians trained in Target store procedures.
Reader is a Hypercom Optimum L4150 according to Google search. I live in Minneapolis (Target’s corporate headquarters). Quick calls last night say that Bob may be on to something with the India outsource. Others I talked to know of what Target off shored.
You can’t air gap a POS terminal. It must communicate with banks to do the authorizations. But I agree it should not be able to get direct access to the internet. Most POS terminals connect directly to the cash register (a PC) which handles communicating to a central server, probably in the store, which then communicates with a server centrally located. The higher up the chain you can breach, the fewer systems you need to break into. It’s much easier to put a virus on a PC than to create special firmware.
Yes you can air gap the POS terminals. And you should!
Credit card transactions should be routed through a relay server. It should be the bridge between the store’s isolated internal network and the banks, and NOT the Internet. With a single (or, for redundancy, a pair of) relay server(s) you can (and should) have firewall rules that connect it only to the bank’s card processing systems, and nothing else.
If you are a small operation with a single point of sale terminal, then you need to do things differently. However if you are a business of any appreciable size you absolutely should not have your cash processing applications anywhere near the Internet.
You need to look at this differently. If you are running a business, or a hospital, or… why does anything on your network need Internet access? Instead of providing wide open access ask yourself: what Internet services do we really need? Access to the Internet is rarely a requirement or a necessity. If you look at what is truly required, then you can provide it in a much more secure way. When you design your network start with the assumption of ZERO INTERNET ACCESS. Then add the access that is needed, but in a safe and secure way.
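An added example (not from the post, its commenters or Target) of the zero-Internet-access stance in the comment above, in Python: a flow-log audit that starts from deny-everything and allows only the POS-to-store-server and relay-to-bank paths, reporting every other connection from the card-processing zones. Networks, ports and flow records are constructed; the documentation range 198.51.100.0/24 stands in for the bank processor and 203.0.113.0/24 for an Internet host.

```python
"""Egress allowlist audit for an isolated card-processing network.

Added example for the comment above; not from the post, its commenters
or Target. Networks, ports and flow records are constructed; the
documentation ranges 198.51.100.0/24 (bank processor) and 203.0.113.0/24
(an Internet host) stand in for real addresses.
"""
import ipaddress
import re

STORE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # everything the business owns

# Start from ZERO Internet access, then add only what is really needed:
# zone name -> (source network, [(destination network, port), ...]).
POLICY = {
    "pos-terminals": (ipaddress.ip_network("10.12.0.0/16"), [
        (ipaddress.ip_network("10.12.0.0/16"), 8443),    # in-store POS server only
    ]),
    "relay": (ipaddress.ip_network("10.0.5.0/24"), [
        (ipaddress.ip_network("198.51.100.0/24"), 443),  # bank card processor only
    ]),
}

FLOW_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed flow records, as a firewall or NetFlow collector might log them.
SAMPLE_FLOWS = """\
2013-11-15T23:40:12 src=10.12.3.21 dst=10.12.0.10 dport=8443
2013-11-15T23:40:13 src=10.0.5.2 dst=198.51.100.7 dport=443
2013-11-15T23:41:02 src=10.12.3.21 dst=203.0.113.55 dport=80
2013-11-15T23:41:05 src=10.12.7.9 dst=10.0.5.2 dport=443
2013-11-15T23:42:00 src=10.0.5.2 dst=203.0.113.55 dport=21
2013-11-15T23:42:30 src=10.50.1.4 dst=203.0.113.55 dport=443
"""


def classify(src, dst, dport):
    """Return (zone, allowed); zone is None for sources the policy does not cover."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for zone, (src_net, allowed) in POLICY.items():
        if src_ip in src_net:
            ok = any(dst_ip in net and dport == port for net, port in allowed)
            return zone, ok
    return None, False


def audit(flow_text):
    """Return (ts, zone, dst, dport, reason) for every flow the policy forbids."""
    violations = []
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue                      # malformed record: not a flow
        dport = int(m["dport"])
        zone, ok = classify(m["src"], m["dst"], dport)
        if zone is None or ok:
            continue                      # outside the card zones, or permitted
        dst_ip = ipaddress.ip_address(m["dst"])
        internal = any(dst_ip in net for net in STORE_NETS)
        reason = "unauthorised internal hop" if internal else "Internet destination"
        violations.append((m["ts"], zone, m["dst"], dport, reason))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(*v)
```

The same allowlist, expressed as default-deny egress rules on the store and relay firewalls, is what turns this audit from after-the-fact detection into prevention.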
Those here who are throwing stones at Bob for his outsourcing comments might want to stop and consider the fact that, having been in this business for several decades now, he has friends and contacts all over the place who are more than willing to feed him bits of inside information off-the-record – information which may not be public yet and which may not ever really be made public. I expect that time will tell whether or not what he speculates here has a factual basis.
The Target thieves and the NSA are in EXACTLY THE SAME BUSINESS…..breaking into other people’s business affairs. The only difference is that the American public is funding the NSA to the tune of 50 billion dollars each year.
Oh, and some of that 50 billion is corporate welfare for private enterprise companies who are supposed to be in the business of making theft and hacking more (not less) difficult….see the latest news about the NSA paying RSA 10 million dollars to subvert RSA encryption. Nice business if you can get it….playing both sides of the street!
I tried three different days to purchase Christmas gifts at Target on their web page. Then I tried to order two different times over the phone. I am a patient guy, but I probably spent nearly 2 hours, with zero success. Everyone I spoke to was very nice but they were totally unable to place an order. They all sounded as if it was their first day at Target. As for business practices, this has to be an indication of management incompetency.
A nice lady from my bank called this morning and cancelled our bank brand debit cards. Target wouldn’t tell us personally that we were compromised but would tell my bank and force them to call everyone all weekend.
Apparently our Target card is linked by debit to my bank account in addition to my normal debit card. I had no idea till my wife just told me, and it pissed me off. That card has to be shut down through their online system because they aren’t answering the phones according to my bank. Finding the appropriate place on their website to send a ‘secure email’ is useless unless one uses an external search engine. Then to top it off, when you do get to the right page it says it won’t work with mobile browsers. What year is this?
My wife just got done filling out all the online forms, hit submit, and the page said the server had crashed: use the 800 number. This company’s IT is failing horribly.
I was at Target last night in Emeryville, CA and they have not replaced those POS terminals yet. The wand you use to sign the credit card purchase had broken off. There was just a frayed bit of plastic where it usually connects to the POS.
Many moons ago, Bob wrote that WalMart keeps all of its IT in-house because it would be insane to outsource that part of the company. Does WalMart still keep its IT in-house?
After reading the stories on the dissatisfaction of customers with companies like IBM and Target’s credit card fiasco, I see why keeping IT in house is a good idea.
Walmart hires a lot of contractors, but none in India.
BS Dick, I’ve been down to Bentonville, AR, headquarters for Walmart. Wipro (Indian contractor) does so much business with Walmart that they leased a building right across the street. Keep the lies in DC!
Why do you think Indians are more likely to be crooks than Americans? Indians are more creative? More entrepreneurial? What?
I think the idea here is that the folks in India might be difficult to track down, difficult to prosecute, and could probably just buy their way out of any real trouble if they had to – and they know this, so they would be far more likely to try and pull something like this off. These same notions could apply to folks in any number of countries, too, of course.
Here is an example of what some of these folks have been up to lately. This is the same company (one of the largest Indian outsourcing organizations) that not too long ago suggested that the Indian government should make it legal to let them give bribes.
https://www.nytimes.com/2013/10/30/us/indian-tech-giant-infosys-said-to-reach-settlement-on-us-visa-fraud-claims.html
This blog is beginning to feel like Bob using news stories as hooks to rant about his personal pet peeves, whether they are relevant to the news story or not.
Let’s rant about outsourcing, because a company that outsources was robbed!
Microsoft buys a company, let’s complain about tax laws (with an example that makes no sense whatsoever to boot. Under Cringely Financial Accounting, a company can take all of its overseas profits, buy some real estate, sell the real estate for the same price, and bring in all the money tax free, as there were no profits made on the real estate transactions.)
I used a chipped credit card at Target on Nov. 30. On Dec 19 my account showed a transaction for $1.00 at a gas station less than a mile from my house – clearly fraud. I reported the transaction that same day and the card was cancelled. I asked for the chipped card because we will be traveling to Europe. I have never been asked for a pin # here in the US. – they just swipe it like a regular credit card.
Part of the problem is that the consumer isn’t asked (directly) to pay for the convenience of using credit or debit cards instead of cash. There are a few places like some independent gas stations that will offer a “cash discount” but I would guess most people have no idea that the Visa/Mastercard mafia charge about 2% of a purchase price for using their services. Retailers shop around for the best deal they can get, and really don’t put a lot of thought into why that deal is so great. It’s also why we’re still holding on to magstripe readers even though there has been far better technology out there for decades now. And as long as the banks have insurance to cover the illegal purchases it really doesn’t matter to anyone unless word gets out to the media. But even then the story is soon forgotten.
I really don’t know what it will take for us to wake up and demand better security in cyberspace. Even all the NSA stuff is just a joke to most of us, even though there are grave implications for everyone. As it stands now, even if I vote with my feet and shop elsewhere, the fact that this happened is going to encourage copycat attacks everywhere.
This is not about India, it’s about corporate leadership that only sees “cheap” and stock price. Breaches happen in the US as well, but it’s the axiom that the average CEO is still awed by their smartphones.
Thanks Quint! You are absolutely correct.
This is not about India. I don’t think anyone, even Mr. Cringely is blaming anyone in India for this mess. I work for a firm that has off-shored its IT support to India. Most of the people in India I’ve worked with are good people. They are clearly over extended. There is too much work, not enough people, … I really feel bad for them. Off shoring IT has become the “sweat shop” of the 2000’s.
On the world market these people are horribly underpaid. Then to add insult to injury, they understaff the teams. CEOs are saving lots of money replacing $70 an hour people with $7 an hour people. Then they squeeze even more — having 7 people do the work of 10.
When people are overworked and treated poorly, bad things happen. In the sweatshops of the 1800s it took several horrible disasters, strikes, and violence to wake up society and government. How many attacks on the USA banking system will it take before we wake up and start doing the job correctly?
Our neighbors in India or anywhere can do great work. We have to enable them to work well. We have to give them the tools, training, and resources. What caused this problem is corporate greed and arrogance, and nothing else. They have created an environment where people can’t do their jobs correctly.
What do you mean this is not about India? For those of you lacking in direct-speaking Indian friends, let me make up the deficit for you. My good friend Mohinder tells me you cannot even rely on the Post Office in India because your stuff will be stolen in the mail. That is indicative of a high level of corruption in the society! Yes, India is a BAD choice for sensitive data. Plain / Simple!
Your good friend seems to be reciting some stories of his childhood about the post offices in India. Ask him to grow up! You can also think of some other story to make up the deficit about India.
Indian-origin post office worker stole X-mas parcels
All India | Press Trust of India | Updated: April 19, 2011 11:45 IST
https://www.ndtv.com/article/india/indian-origin-post-office-worker-stole-x-mas-parcels-99804
?
What does this have to do with the post offices in India?
My mother-in-law shopped at a Target in Canada around that time. Someone has since bought a plane ticket on Expedia from NYC to Moscow with her credit card. It seems that the chip and PIN is not enough to stop credit card fraud.
Please, do some real journalism instead of using this vehicle to voice your prejudice against people who do not share the same nationality as you do.
I suspect the reason for not adopting chip/PIN or another more secure method of electronic payment has to do with ROI. Instead of replacing or maintaining two different systems, CC companies invest in software algorithms for detecting suspicious usage patterns. Since fraudulent charges are such a small percentage of total transactions, the process is optimized to reduce usage friction, not “safest” practices.
Just look at what happened after the Target news broke. US consumers only reduced their spending at Target, but did not reduce their reliance on credit cards. Until US consumers lose confidence in the credit card processing system, nothing will change.
When I got my first credit card (back in the early 1980’s in Australia), the back of the card had my signature. Each time I would make a credit card purchase (they used special forms through an imprint device), the clerk would turn the card over, check the signature on the back – then ask to see some other form of ID.
I don’t believe in the 12 years I have been in the US I have EVER seen a store clerk check the signature on the back of my credit card – let alone try to verify that I am actually the person named on the card. One might ask why stores don’t take basic precautions when accepting credit cards?
That may be due to more behind-the-scenes security. For example, the card owner would report it stolen and the credit card company would make it fail the electronic authorization process. In the 80s we were using “imprint” machines with no authorization.
This has changed recently, I believe, but for a long time it was against the credit card company rules to physically verify your ID via your driver’s license. One reason why is that some clerks who were doing this were grabbing name/address/zip code info from the DL and then using that to help commit identity theft. However, in spite of this, in the 30+ years that I’ve had credit cards I still consistently have on occasion been asked to show my ID – maybe 1 in 10 times I’d guess, where there was a human in the loop. Automated systems, of course, won’t ask for this.
A few trends that have come about in those 30+ years:
1. Fewer and fewer cases where a human actually lays hands on my card. These days almost every transaction involves me swiping my own card.
2. More instances where an automated system requires (or at least requests) my zip code. Depending on who’s talking, this is either for authorization purposes (good) or strictly for marketing purposes (bad, and possibly illegal, depending on where you are).
3. Fewer instances where your signature is required. (Lately there has been a big jump in this where my transactions are concerned.) It is my understanding that in situations like this the retailer is basically skipping the authorization process, which saves them time and money, but that they then take on full responsibility for that transaction possibly being fraudulent, so they’ll only do this for relatively small amounts.
4. In my case, at least, a move to using restricted (in various ways) virtual account numbers whenever I can. I do this for all of my online purchases.
5. An almost universal requirement that online purchases have to have the security number (which goes under various names) from the back (usually) of the card.
Rome was destroyed by debased money and excessive spending.
With NSA data logs they are asleep at the wheel.
Put up lazy, stupid, ignorant bureaucrats who we pay for with our taxes. Or tell them to FcukOff and don’t take our money for no effort.
Any breach of law is a crime and its a crime to be an accessory both before and after the fact!
Sue the NSA bastards for criminal negligence!
Good one Cringley!
Before long North Korea will be outsourcing IT services at prices well below what India can offer.
Target should cut a deal with Kimmy now to avoid the rush to a secure IT service provider of nuclear-backed “pink” servers.
This comment section has turned a little tough. For our neighbors in India, I am sorry for the tone of these comments.
Regarding the Target story — it is a big problem. Fortunately this time we are now seeing a LOT MORE involvement by the US Government justice organizations.
The point of the off-shoring is a common theme lately. Mr. Cringely has written about it often. The basic issue is (as Joe stated) when you put 8,400 miles and 11.5 time zones between you and your IT team, you are asking for trouble. Why do you think outsourcing is being criticized so much? The problems are increasing. Firms like IBM, HP, and others have been offshoring work for years and for the most part it has caused everyone involved countless problems. This is not an indictment of the people doing the actual work. It is management that is at fault. IT is a critical part of many businesses. Is it wise to compromise the critical services your firm needs to operate?
When you put 8,400 miles and 11.5 time zones between you and your IT team, you provide countless ways for your security to be compromised. Let me give you an example…
Many of my coworkers in India take a scheduled cab to and from work. They work during the USA business hours, so it is in the middle of the night in India. It is very important that they leave work ON TIME to get their ride home. The cab won’t wait for them. If there is still work to be done, my Indian coworkers will continue it from home. Instead of working on a secured network in the office, at home they use public services to connect to the Internet and our customers’ services. While we provide them with a very secure VPN service, the opportunities for problems are greater. We are very security conscious; some of our competitors are not. When you think through how support is being provided you will quickly realize there is a lot more risk for problems. Those risks have nothing to do with India or its society. The risks are due to the environment where people are asked to work terrible hours, work in poor working conditions, … A “good” salary for our India teammates is $7 USD an hour. That is $14,000 a year. Can you live on $14,000 a year? You don’t have a car — you’re dependent on getting transportation from others. You don’t have a PC of your own — your work laptop is probably your personal laptop too. You probably have to share a wifi connection with others.
Back in the HQ of many USA businesses, they have saved a lot of money. IT is now out of mind, out of sight, and 8,400 miles and 11.5 time zones away. The only time they take an active interest in IT is when something bad happens. Target — guess what? Something bad just happened. Because you chose to run your IT cheap instead of well, you have put 10,000,000s of bank accounts at risk. When you add up all the business losses from this debacle — how much will you have really saved?
If you need to offshore your IT, please do it well! Don’t go cheap. Hire good people. Pay them well. Take care of them. Invest in good tools and processes that ensure a quality service. Target has behaved like Ebenezer Scrooge. Isn’t it about time large companies rethink how they’re doing IT?
If you want someone to blame, someone to be mad at, I’d suggest the Ebenezer Scrooges that occupy the upper management of many large companies. India is as much a victim in this mess as anyone. Let’s blame the right people.
“Don’t go cheap. Hire good people. Pay them well. Take care of them. Invest in good tools and processes that ensure a quality service. Target has behaved like Ebenezer Scrooge. Isn’t it about time large companies rethink how they’re doing IT?”
Excellent reasoning there for bringing things back on-shore and in-house, don’t you think?
The problem is if you want to “Pay them well” it’s cheaper to do that by off-shoring.
Maybe you missed this part: “Don’t go cheap.”
Didn’t miss that or the part about “Hire good people.” What I meant to say is, given that you “Hire good people”, it’s easier to pay them well by off-shoring, which is the conundrum faced by many companies. Whether or not there are good people available off-shore depends on the specific needs of the hiring company. Of course one could argue that as soon as an off-shore “good person” realizes he’s good, he moves to the US for a more expensive higher standard of living.
Celso December 23, 2013 at 12:22 am
” … Having the highest prison population in the world (more than 1 in 100) ”
Two different animals there, Celso: the first you have pointed out is an absolute number; the second is (I am assuming) the presumed ratio of prison population to general (or ‘free’) un-imprisoned population. In any case, the USA seems to be a highly desirable destination to emigrate to.
Back to the Target Fiasco-
Wife just got a call from USAA about her credit card & an unauthorized transaction – the offending party attempting an online purchase could not provide answers to basic security questions.
WIFE IS A BIG TARGET SHOPPER and has used the card there at least three times during the Thanksgiving/X-mas Day period. USAA wouldn’t say where the breach occurred, but it’s pretty obvious. The USAA tool (I mean representative) took the opportunity to make an unsolicited pitch to sign her “spouse” up for a USAA card.
Come to think of it, this is the fourth time in the past 15 months USAA has changed her card (number & all) due to security breaches. (I have to set up another account on my financial software to track expenditures.)
Don’t know if this is reflective of USAA or her shopping habits.
I have Amex personal & business cards and have not had a security notification in 18 years – I make online purchases and shop Target once in a while too.
There’s no incentive to change the system, as banks who issue the cards can simply force merchants to eat any transaction the bank deems fraudulent.
On the consumer side, as long as that consumer is using a credit (not debit) card there’s also zero liability.
Most banks also now guarantee replacement funds within 24 hours for debit card transactions.
So why switch to chips from the cheaper magnetic stripes?
Perhaps part of the problem is the fact that using a stolen credit card number is not punishable. We actually had this experience: a couple of years ago someone used my Amex card number and placed several online orders with delivery to a non-billing address. The address was known, the IP address the order was placed from was known, and we filed a police report. The police refused to investigate with the explanation “It’s not our jurisdiction, there’s nothing we can do with the current laws. Talk to your representative” (I actually spoke with the PD Chief).
I can imagine that when someone runs an operation like this and steals c.c. numbers by thousands, perhaps FBI might investigate, but even then the perpetrators will be charged with tampering with protected computer, i.e. with breaking Target’s network. But the fraud itself, i.e. using stolen credit cards, will go unpunished.
When you’re a temporary worker held to strict deadlines, there is no pride of ownership, nor incentive to spend the extra time and effort to do things that have little to no visibility with the long term big picture in mind.