More on Credit Card data breaches

This is an unfortunate follow-up to my posting a few days ago.  This morning one of my credit card providers called because there had been a compromise of my credit card information by a third-party.  This can’t be Target, because (a) it was for a card I haven’t used in a few months and (b) I didn’t shop at Target during the period that has been publicly claimed as when they were breached.  In fact, this is a card that (a) I phased out of usage about 6 months ago and (b) had been replaced because of a previous breach not long before that.  Frustrating to say the least.

Of course I now have to contact the few parties who were still using that card for a recurring charge.  I wasted a half-hour on the phone with the bank and I still have more time to waste cleaning things up.  And they aren’t all websites, so phone calls will be required Monday morning.  This one won’t be a biggie because of my previous phaseout, but it still will cost me an hour or two of time.

There are two things that would really help make this situation better, and neither necessarily involve “chip and pin” cards.  The first is to give me a way to provide anyone with a unique (though potentially recurring for that specific merchant) credit card number tied to my account.  Then an individual breach doesn’t have to impact any other merchant.

Note that single use credit card numbers has been tried before with little success, but that was before the age of smartphones.  And they literally were single use, rather than single merchant, making them unattractive for typical web usage scenarios.  Now I could just have an app on my smartphone that gives me a unique credit card number.  I could request it for Single Use or Single Merchant (Recurring Use) and then hand it out appropriately.

For physical card use there is an alternate solution which is to use 2FA.  You’d enable the feature with your bank in which case they wouldn’t approve the charge until you accepted it on your smartphone (via either an app or SMS).  If this feature were enabled then they wouldn’t automatically force you to cancel and replace a card in case of a data breach.

There you have it.  The current system is broken.  Totally broken.

About these ads
This entry was posted in Computer and Internet, Privacy, Security and tagged , . Bookmark the permalink.

15 Responses to More on Credit Card data breaches

  1. In theory you could use PayPal accounts for the single merchant card idea.

  2. codekaizen says:

    Bitcoin addresses are nice this way: a different address for every merchant and/or transaction.

  3. jwales@wales.com says:

    >>> For physical card use there is an alternate solution which is to use 2FA. You’d enable the feature with your bank in which case they wouldn’t approve the charge until you accepted it on your smartphone (via either an app or SMS). <<<

    2FA won't solve it, either. Thousands of phones are lost and stolen every day. I've even had my POBox robbed before — and it was done by "insiders" at the USPS (they hit 20+ mailboxes at one station — and they knew which ones to hit.)

    Plus, your phone probably has a military IP address. The government wanted to use your credit card; and, make you pay for it like a good little slave.

    SOLUTION: What ever happened to "signatures?" Forgery is a felony. Today… not anymore. Why do you have a signature card at a bank? Is it an agreement to be a slave? Or, is it supposed to be used as a model signature for verification?

    I know what it used to be for. People, today, are clueless.

    • halberenson says:

      Signatures are stolen every day as well.

      Phones are fine for 2FA under a set of conditions, such as requiring an unlock code (or fingerprint) and wiping the phone when it is not entered properly.

      Signatures are meaningless and can be forged just as easily, if not more easily, than any other option. I know someone who bought a house by cutting and pasting his wife’s signature on documents, with her permission of course.

      • jwales@wales.com says:

        Signatures used to be in ink.

        30+ years ago, my grandfather was right when he told me, “Your signature is the most valuable asset you will ever have in this world.”

        He was right. You can enslave yourself with your signature. Or, you could even sell your children and disown your inheritance.

        That’s why I *laugh* every time someone wants me to sign one of those electronic signature gadgets. Being a software developer makes me an ‘elitist’ because I know those ‘signatures’ are stored on disk somewhere. I watch all those ‘clueless’ people diligently signing those things with their best handwriting with such diligence that all I can do is — SMILE.

        How do I sign those things? SCRIBBLE. My “real signature” is only in ink.

        Anyone walks into a courtroom and wants to ‘push’ some BS signature to a judge… All you gotta do is claim forgery.

        The situation is of ‘our’ own making — as software developers. Banks got what they deserved. Software developers substantially caused it. We “sold” them on computer security — fraudulently.

        I can even remember arguing with chief counsel (and winning the argument) of a company I worked for (a Fortune company) first used SSNs as identifiers for enrollment in the new company health plan back in about 1990 for the very reason(s) we are having this discussion here on your board.

        Call me a prophet.

        • halberenson says:

          Oh, I refused to give my college my SSN in 1974 because I didn’t want it as my SSN. But forgery was big in 1974, 1874, 1774,….

          • jwales@wales.com says:

            Again, repeating myself, “forgery” today is virtually non-existant.

            However, an “unauthorized use” of a credit card or even SSN ***may*** be a misdemeanor.

            ID Theft happens by the millions now. That ONE (1) Heartland Payment Systems heist by Arthur Gonzales was over 20 million IDs/CCs/SSNs. HE WAS ON SECRET SERVICE PAYROLL WHEN HE DID IT. He got 20 years… but, he still claimed sovereign immunity. How many SS officers also profited; but, threw Arthur under the bus?

            Now, look at Microsoft Outlook.Com… and how it can “scan” your emails for things like CCs and SSNs. How many closet criminals work in the server rooms at MS? (This is one of many example. What about MS or Google employees in China or India?)

            Food for thought.

  4. jwales@wales.com says:

    Correction: Albert Gonzalez.

  5. jwales@wales.com says:

    >>> Phones are fine for 2FA under a set of conditions, such as requiring an unlock code (or fingerprint) and wiping the phone when it is not entered properly. <<<

    Watch the movie, "Gattaca." Fingerprints don't work, either. The ONLY thing that is uniquely yours is your signature [it can't be stolen; but, a REALLY GOOD forger can forge it]; and, blood DNA [can be stolen every time you donate blood].

    Wanna sign everything in blood? How about a phone that pricks your finger and extracts blood and performs DNA analysis? A "card" is state-owned property [containing a serial number] that can be stolen. Hence, "ID Theft" means that someone stole your ID card… or your bloodbag from United Way.

    Or, we can tatoo everyone like Adolf Hitler did to the Jews. Your skin can't be stolen. [Chips can be copied just like a credit card magnetic strip.]

    • jwales@wales.com says:

      I think that was the purpose of the XBOX One. Shall we play Tic-Tac-Toe? Or Call of Duty? Ballmer tried to turn Windows into an XBOX.

      I wonder how many companies want to turn their number-crunching business systems into entertainment devices? We already know the average consumer wants an entertainment device; not a computer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s