In case you missed it, Home Depot has been in the news lately as the latest victim of an attack aimed squarely at its point of sale (POS) systems, looking to steal the credit card data of its customers. We don’t have much in the way of details at the moment, and it took Home Depot a little over two weeks to respond publicly (see why covering up a breach typically backfires). To their credit, though, they do provide an update (an easy-to-find one, in fact, right on their front page).
Home Depot surely wasn’t the only major retailer to experience these attacks this year, and they (sadly) won’t be the last either. So what can we do to stop these thieves?
On the merchant side, the latest version of the Payment Card Industry’s Data Security Standard (PCI DSS) goes into effect on January 1, 2015. The Payment Card Industry (PCI) Security Standards Council, a joint endeavor of the major credit card brands in the world (Visa, MasterCard, American Express, JCB, and Discover), publishes these security standards for merchants processing credit card transactions. While some have derided the PCI DSS as not going far enough, the purpose of these requirements is to create a minimum baseline for a security program, not the ideal end-state ceiling of total defense.
In version 3.0 of the PCI DSS, a few new items go into effect that should improve the overall security at these organizations. Previous versions of the PCI DSS only required vulnerability assessments to be conducted internally. Now organizations will be required to perform penetration testing both internally and externally. The difference between a vulnerability assessment and a penetration test is vast: a vulnerability assessment is the equivalent of looking at a door to see if it’s locked, whereas in a penetration test we open the door and steal your Xbox One.
In addition to providing detailed feedback on the methods an attacker would use, organizations will also get the benefit of a live training exercise to see how their own security teams can identify and stop these types of attacks in action. A good step in the right direction indeed.
On the personal side, the best defense you can have is awareness. Always check your credit and debit card statements. If you didn’t make a purchase, you need to let your card issuer know immediately. If they hassle you about returning the funds, perhaps it’s time to switch banks. For every known breach like Home Depot and Target, there are no doubt plenty of unknown breaches. Don’t wait on external notifications to start looking.
If your information is compromised and you are offered free credit monitoring, take advantage of it! Beware of any emails you may receive, as they may be scams. Always check by going directly to the merchant’s website or calling their customer service numbers to confirm what monitoring programs they have for you first.
Some new technologies on the horizon may provide some relief too. The credit card brands themselves are requiring breached merchants to implement the “chip-and-pin” system, or assume liability for future data breaches themselves.
The “chip-and-pin” system includes an embedded chip in the card that interacts with the payment terminal to create a unique code for each transaction. It requires the cardholder to enter their PIN in order to activate the function, and it provides additional security beyond the static data stored in the standard magnetic stripe that most cards in the US use today.
Electronic wallet technology has been advancing, and it received a big boost yesterday when Apple announced their new offering in that space, dubbed Apple Pay. The Apple Pay system eschews the traditional practice of passing credit card numbers to merchants in favor of one-time-use tokens that authorize an individual purchase. Stealing one of these tokens won’t provide any value to a thief.
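To make the per-transaction code described for chip cards and the one-time token described for Apple Pay concrete, here is a simplified model written for this post (an added example, not code from the original article, and not the EMV or Apple Pay specification): a device token stands in for the card number, an HMAC over a counter, merchant and amount stands in for the chip’s per-transaction code, and the issuer rejects both a replayed message and one presented by a different merchant. The token name, card key, test card number and store IDs are all constructed.

```python
import hmac
import hashlib

class ChipCard:
    """Simplified chip/wallet: shares a secret key with its issuer, is known to
    merchants only by a device token, and keeps a strictly increasing counter."""
    def __init__(self, token, key):
        self.token, self.key, self.atc = token, key, 0

    def authorize(self, merchant_id, amount_cents):
        self.atc += 1
        msg = f"{self.token}|{self.atc}|{merchant_id}|{amount_cents}".encode()
        code = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        # This is all the terminal (and any malware on it) ever sees.
        return {"token": self.token, "atc": self.atc, "code": code}

class Issuer:
    """Re-derives the expected code from its own copy of the key and refuses any
    counter value it has already accepted, so a captured message is worthless."""
    def __init__(self):
        self.cards = {}  # token -> [real card number, key, highest atc accepted]

    def enroll(self, token, pan, key):
        self.cards[token] = [pan, key, 0]

    def verify(self, merchant_id, amount_cents, auth):
        record = self.cards.get(auth["token"])
        if record is None:
            return "DECLINED: unknown token"
        pan, key, last_atc = record
        if auth["atc"] <= last_atc:
            return "DECLINED: transaction counter already used (replay)"
        msg = f"{auth['token']}|{auth['atc']}|{merchant_id}|{amount_cents}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, auth["code"]):
            return "DECLINED: code not valid for this merchant and amount"
        record[2] = auth["atc"]
        return f"APPROVED for card ending {pan[-4:]}"

def demo():
    issuer = Issuer()
    # Constructed values: a test card number, a made-up per-card key and token.
    pan, key, token = "4111111111111111", b"constructed-per-card-key", "DEVICE-TOKEN-0001"
    card = ChipCard(token, key)
    issuer.enroll(token, pan, key)
    auth = card.authorize("STORE-A", 12999)
    results = {"legit": issuer.verify("STORE-A", 12999, auth)}
    results["replay"] = issuer.verify("STORE-A", 12999, auth)  # same message resubmitted
    stolen = card.authorize("STORE-A", 12999)  # valid for STORE-A, presented by STORE-B
    results["other_merchant"] = issuer.verify("STORE-B", 12999, stolen)
    results["pan_leaked_to_terminal"] = pan in str(auth)
    return results
```

Contrast this with a magnetic stripe, where the data the terminal reads is the same on every swipe and can be written onto a new card; here a captured message is tied to one counter value, one merchant and one amount, and the real card number never reaches the terminal at all.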
Similar approaches by Google, Square, and others may provide the relief we (and companies like Home Depot) are hoping for!
Thanks for reading, and stay safe out there!