Securing SQL Server

Preventing Problems Like the Target Card Breach Is Easy

Unless you live under a rock, you heard about the Target credit card breach that happened between November 27th and December 15th, 2013. What really pisses me off about this sort of thing is that it never should have been possible in the first place.

Our current concept of credit cards and how they work was designed decades ago, when data encryption was basically non-existent outside of government work. Because of this, all the data needed to steal every penny in your checking account is carried around in plain text in your wallet in the form of your debit card (which, if you are in the US, probably also functions as a credit card). I’ll say it again: everything is stored in plain text, so anyone with a magnetic stripe reader can simply read the information off the card and use it. This information includes your card number, bank information, expiration date, and any other information about you and your account that the bank has decided to put onto the card.

The banking industry has come up with all sorts of security safeguards to try and ensure that your credit card information is safe, except for the obvious one: encrypting the data on the card so that a thief can’t read it. The rest of the world has evolved its banking and credit card systems, but not the US, because we don’t like change. And most importantly, the banks like being able to charge merchants extra swipe fees for different kinds of transactions.

What we should be using here in the US is a system called chip and PIN. The credit card looks exactly like it does today, but instead of swiping it like we do now, you insert the card into the reader. The reader prompts you for your PIN, much like when you use your card as a debit card. If the PIN you enter matches the PIN stored in the chip, the data is decrypted and the machine charges your card directly, then simply tells the cash register whether the charge was accepted or declined. The credit card information never goes to the store’s cash register, so the problem that Target had simply wouldn’t have happened. The credit card information is sent to the bank via either a phone line or the network, but the data is encrypted before it leaves the credit card machine, so there is no risk of it being intercepted between the credit card machine and the bank.

One of the big reasons that banks don’t want this to happen is that every transaction would become a PIN transaction. Banks charge fees for PIN card transactions, as do some stores. If every transaction is PIN based, the banks (and the stores) will have to stop charging these fees, which means they will lose profit (which is all these fees are, pure profit). So instead of losing out on some profit, the banks put our time and sanity at risk, as now about 40,000,000 people will either need to watch their bank accounts daily to make sure there’s no fraud on their account, or cancel their card (like I did) and go without a debit or credit card for 2-7 days (depending on how long it takes your bank to send you a new one). And don’t forget that this is all happening over the Christmas and New Year’s holidays, so having working credit cards is kind of important.

It should be obvious by now that the banks aren’t going to give us a more secure banking system to use. The government needs to step in and mandate that the banks and credit card companies move us to a more secure system, and that system should be the same one the rest of the world is using. The chip and PIN system the rest of the world uses is a well-proven system that everyone there has gotten used to. Staying with the existing system just isn’t a realistic plan. This breach is going to cost Target a small fortune in fines, fees, consulting dollars, etc. as they try to deal with it. Wouldn’t it be nice if it simply wasn’t possible?

Many stores are actually getting ready for these new cards already. You may have seen the new card readers which have a swipe slot on the side and a slot in the bottom to insert your card. These are the terminals we should be using, just with the swipe option disabled.

There will be some pushback, I’m sure, because this means change. Yes, you will need to remember your PIN. But you probably already have one for your debit card, and it’s really not that hard to remember. People will need to get used to inserting the card instead of swiping it. You’ll get used to it. The biggest change will be when you go out to eat, as the server will now bring the credit card machine to you instead of disappearing with your card, because you’ll need to enter your PIN on the portable keypad. I admit it takes a little getting used to, but it isn’t that big of a deal. I promise.

The only way this is going to happen is if the federal government requires it. And I really hope they don’t mandate something different from the rest of the world, because that would be the only mistake bigger than keeping what we have today.

Denny