Big-box retailers and electronic funds transfer service companies in the U.S. recoiled when the massive Target breach was announced in December 2013.  A team of crooks, allegedly from Eastern Europe, infiltrated POS terminals across Target's U.S. stores and skimmed the payment card data of some 40 million customers, plus the personal data of as many as 70 million more, while shoppers were flooding the stores during the holiday frenzy.

Now it is being noised about that the malware used in the attack, known as BlackPOS, was written by a seventeen-year-old Russian programmer who sold it on underground forums.  From there it was bought at least sixty times and eventually ended up in the hands of a shadowy gang of thieves who put it to bad use, walking away with a treasure trove of data.  Target faces millions in fines and remediation costs, consumers are launching class action suits, and U.S. lawmakers are making threatening noises from D.C.

Underneath all the reactive commotion, a little known fact keeps trying to surface.  This is not the first time Target has been hacked.  Starting in 2005, a man named Albert Gonzalez rampaged through Target, TJX (the parent of TJ Maxx), and about a dozen other companies, making off with data from well over 100 million credit and debit card accounts.  Gonzalez is now serving a twenty-year sentence, but the big box stores made little or no effort to correct the underlying vulnerability, and therefore little has changed in the realm of bankcard data protection.

How can this be?  That’s easy to answer.  There’s an inherent flaw in both the standards and the auditing process that are supposed to keep card data secure.  When the PCI DSS standard was first put in place, it birthed a whole new industry called PCI Compliance Auditing.  Assessors and scanning vendors check processors and merchants for compliance, but an assessment is only a snapshot: it is germane at the moment it is performed.  PCI audits are a real pain.  Having an outside party scan your systems can degrade processing performance while it runs.  And a company can change its systems and introduce new, unsuspected vulnerabilities the next day, leaving it as exposed as if it had never been audited at all.

The main problem is the standard itself.  PCI DSS requires strong encryption only when card data crosses an open, public network.  It does not require companies to encrypt card data while in transit on an internal network, or on its way to a processor, as long as the transmission stays on a private network; and while it forbids storing full track data after authorization, it says nothing about the moment during authorization when that data sits unencrypted in a terminal’s memory.  Target was probably using a private channel, but the data itself was not encrypted.  So the thieves put a little piece of software called a RAM scraper in the memory of Target’s terminals, where it simply read the card data as it passed through.  Voila!  Tens of millions of card records were vacuumed up and sent to servers in Europe, where they were being sold within days of the hack.

There’s a simple solution.  Encrypt the card data inside the POS keypad at the moment of the swipe, in the same way that PINs are already required to be encrypted before they leave the PIN pad, and let only the processor decrypt it.  The PCI Council has even published a standard for this (point-to-point encryption, or P2PE).  With it in place, the terminal’s memory holds only ciphertext, which would render RAM scrapers and BlackPOS useless.  But it would require card processors to deploy new decryption infrastructure and key management, since most of them are not set up to decrypt card data today.  The large retailers and processors have resisted tougher standards because they would be costly to implement and could slow transaction times.  So what’s to be done?  If the big retailers have their way – nothing!
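The two preceding paragraphs describe the attack and the fix in prose; the following Python is an added illustration written for this page, not code from the post, from Target, or from BlackPOS.  The scraper half does what memory-scraping POS malware does in general: sweep a byte buffer for anything shaped like Track 2 data and keep only hits that pass the Luhn check.  The encryption half stands in for a P2PE-style keypad: the cipher here is an illustrative HMAC-SHA256 counter-mode stream (real PIN pads use DUKPT-derived TDES or AES keys inside tamper-resistant hardware), the shared key is an assumed value, and the swipe uses the standard 4111 1111 1111 1111 test number with a constructed expiry and discretionary field.

```python
"""Illustrative RAM-scraper vs. encrypt-at-the-keypad demonstration.

Assumptions (not from the original post): the key, the sample swipe,
and the HMAC-CTR stream cipher are all stand-ins for the real thing.
"""
import hashlib
import hmac
import re
import secrets

# Track 2 layout: ;PAN=YYMM<service code><discretionary>?  (sentinels optional here)
TRACK2_RE = re.compile(rb"\b(\d{13,19})=(\d{4})(\d{3})(\d*)\??")

# Constructed swipe: standard test PAN, made-up expiry/service/discretionary data
SAMPLE_TRACK2 = b";4111111111111111=25121011234567890?"

# Assumed shared key (would come from a key-injection facility in practice)
DEMO_KEY = hashlib.sha256(b"illustrative p2pe base key").digest()


def luhn_ok(pan: bytes) -> bool:
    """Mod-10 check that scrapers use to discard regex hits that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # ASCII digit -> int
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape(memory: bytes) -> list:
    """What a RAM scraper does: regex over a memory image, Luhn-filter the hits."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan, expiry = m.group(1), m.group(2)
        if luhn_ok(pan):
            hits.append((pan.decode(), expiry.decode()))
    return hits


def plaintext_terminal_memory(track2: bytes) -> bytes:
    """Software POS today: the raw swipe sits in process memory during authorization."""
    return b"POS-AUTH-BUF\x00" + track2 + b"\x00AMOUNT=001999\x00"


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from a PRF; illustrative only, not a production cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_at_pad(key: bytes, track2: bytes, nonce: bytes = None) -> bytes:
    """Encrypt the swipe inside the keypad; only nonce||ciphertext ever reaches the POS."""
    nonce = secrets.token_bytes(12) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(track2, _keystream(key, nonce, len(track2))))
    return nonce + ct


def processor_decrypt(key: bytes, blob: bytes) -> bytes:
    """The processor (holder of the other key copy) recovers the track data."""
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def encrypted_terminal_memory(key: bytes, track2: bytes, nonce: bytes = None) -> bytes:
    """Same POS buffer, but the keypad handed over ciphertext instead of the swipe."""
    return b"POS-AUTH-BUF\x00" + encrypt_at_pad(key, track2, nonce) + b"\x00AMOUNT=001999\x00"


if __name__ == "__main__":
    print("unencrypted POS memory:", scrape(plaintext_terminal_memory(SAMPLE_TRACK2)))
    blob_mem = encrypted_terminal_memory(DEMO_KEY, SAMPLE_TRACK2)
    print("encrypted at keypad:   ", scrape(blob_mem))
    print("processor sees:        ", processor_decrypt(DEMO_KEY, encrypt_at_pad(DEMO_KEY, SAMPLE_TRACK2)))
```

Run as a script, the first scan returns the test PAN and expiry, the second returns nothing because the buffer holds only ciphertext, and the processor still recovers the full swipe.  The point to take from it is that the mitigation moves the decryption key out of the store entirely; a scraper with full read access to the terminal gains nothing it can sell.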

Cash anyone?

Inherent flaws in the Credit Card Payment Processing System may encourage future hacks… – ©2014 Moneymovers, Inc.
