In light of the biggest identity theft case ever prosecuted in America, the spotlight is being turned on just how secure our credit and debit card information is. The question is a simple one, but the answer is harder to pin down.

VeriSign, a firm that secures websites for e-commerce, told the BBC that credit and debit card information is "vulnerable" but they are working with retailers to change that.

"Credit and debit card information is just not incredibly secure," said Perry Tancredi, VeriSign's senior product manager for fraud detection. "But it is counterbalanced by the amount of fraud losses due to cheque fraud and direct debit fraud which is much greater than credit card fraud."

Mr Tancredi said: "Regardless of how strong the security measures, and how vigilant, the weak part of the chain is there is always a human who is responsible and who has overall control over the information." He suggested the best bet was for all consumers to "assume that there will be some sort of fraud on your account sooner or later" and put in place a plan to deal with it.

Getting safer

Espousing a completely different view is Jerry Tabeling, who is the president of IDP, a company that carries out vulnerability assessments of networks and online business applications. "Our information is a lot more secure after all the publicity we have had about attacks," he said. "But yes there are still problems that still exist though it is getting safer." These, Mr Tabeling told the BBC, tend to centre around a retailer not doing a good enough job securing its network.

"If the proper encryption is configured on the wireless access point, then an attacker will not be able to get any information. I would have to bet in this case that didn't happen."

The authorities said the details of the 40 million credit and debit card holders were obtained by the hackers "wardriving" past stores to find wireless networks they could hack into. This entailed driving around using a hand-held device to detect a wireless signal, much in the same way a radio scanner hunts for a signal.

The US justice department said the hackers then loaded "sniffer" software onto the retailers' networks, which captured numbers as well as passwords and account information as it moved through the retailers' credit and debit processing networks. That information was then sent to servers that the group controlled in Eastern Europe and the United States.

The justice department said the stolen numbers were "cashed out" by encoding card numbers on the magnetic strips of blank cards and then used to withdraw tens of thousands of dollars from ATMs.

Identity loss

The Justice Department is not putting a figure on just how much the fraud has cost, but Mr Tancredi said the money is not the point with most card liability ranging around $50 (£25).

"If you are a victim of credit card fraud you might get your identity stolen and then you lose more than just money. You lose time, you lose trust and it could take years to fix your credit."

MasterCard said preventing fraud and safeguarding financial information is a top priority for the company. Spokesman Chris Monteiro told the BBC: "If a cardholder is concerned at all about the security of their account they should immediately contact their issuing financial institution."

The Payment Card Industry, or PCI, has developed standards for retailers to adopt when handling credit and debit payments. A spokesperson said while it is trying to get merchants to adopt these standards "it is not our job to go around checking who is compliant with this. That is led by the credit card brands."

Meanwhile Mr Tabeling, an IT security specialist, suggested that all consumers need to play a more proactive part in policing their own transactions and their credit information. "We have no choice but to trust the retailers are doing their bit but we can do more. We can keep track of our credit report once or twice a year, check our statements and set up a notification so that if there is any suspicious activity on our account we are told about it right away."


Posted by John B. Frank Thursday, August 21, 2008
