Saturday, May 30, 2009

Hole in the Whole Card Security System

Credit Cards' Unintended Security Hole - CBS News
Retail Realities: Why Zero Liability Programs Are a Wonderfully Early Holiday Gift to Cyber Thieves Everywhere

Editor's Note: First of all, I call it "Zero Lie Ability" because the truth is that signature debit vs. PIN debit brings "nothing to the table," yet Visa pushes it over the more secure 2FA PIN debit system. Lie Ability also has the dual meaning that the banks have "no clue" (zero) on how Visa fooled them into agreeing to partake in this so-called "zero liability" program...the one that pushes the "LIE" in order to provide Visa with the "ABILITY" to make more profits. It doesn't take a rocket scientist to PIN down the fact that Visa's "Signature" product, given the two choices (PIN or SIG), is the less secure of the two.

I'll expand further on Tuesday.  For now, here's Evan Schuman's rant...which by the way...contains zero lies!

(CBS) This column was written by Evan Schuman, the editor of StorefrontBacktalk.com, a site that tracks retail technology, e-Commerce and security issues. He can be reached by e-mail and on Twitter.

In one of the most delicious ironies in retail today, the single most significant element that makes it easier for cyber thieves to steal consumer credit and debit card information from retailers is something the credit card companies themselves cooked up.

To be fair, this unintended consequence is a domino effect, where the innocuous-seeming program has set off a series of chain reactions that, today, makes credit and debit card breaches a lot more likely and more lucrative for the thieves. The program is called zero liability and it was initiated by some of the major credit card players many years ago to try and make consumers more comfortable making purchases online. The premise is that any fraudulent purchases will not have to be paid for by the consumer. Some banks have spoken of no liability beyond $50, but in operation, almost all banks cover all of the charges.

The program worked wonderfully and consumers quickly did become comfortable making E-Commerce purchases. But as identity theft and straight-out stealing from credit cards became much more common, large retailers became popular targets. The onus was on the retailers, not the banks, to pay millions of dollars to install and manage sophisticated security programs. But these costs were almost impossible to justify. After all, no chain was going to advertise: "We just installed state-of-the-art firewalls and encryption systems. Come shop with us." And the risk of being breached seemed too remote to make a compelling argument to a board of directors.

Then came the retail world's wakeup moment.  (Continue Reading...but first...an Editor's Note)

Editor's Note: When will the e-tail world "wake up"? AFTER or BEFORE the next big breach? Look for Tuesday's PIN Payments News Blog for an analysis of why an e-Breach is inevitable...unless online shoppers swipe instead of type. I've long said that if cardholders' data is going to be swiped, should it not be the cardholder doing the SwipePIN?

BTW: It's ironic that this story was run on CBS, because there's a lot of BS that I C. involving e-payment security on the web (including BSMS). When it comes to asking who "nose" this more than anyone, the engineering team at HomeATM has been conscious of this fact for years. So what is Visa doing? Jiminy Cricket! Where's the conscience?
