12/16/2009

Cash Is Safer...Sort Of

If the following story doesn't make you think twice about swiping your debit or credit card, I don't know what will. But it certainly has made me think of using cash or one of the pre-paid debit cards instead. From an Information Week newsletter (no link available):

The enjoyment (and despair) of working with security experts like Greg Shipley is the heightened awareness I get of just how vulnerable my personal information is.

As we put the finishing touches on [Shipley's] Security Brief about how retailers can manage the risks to Point of Sale systems—the card-swipe devices used at malls, grocery stores, gas stations and more—a story broke that data thieves had stolen debit and credit card numbers from several restaurants in the South.

Breach stories are all too common, but this one comes with a twist: the restaurants have filed a class-action lawsuit against two companies that produced and maintained the restaurants' POS systems. The suit contends that Radiant Systems and Computer World are responsible for the theft because they failed to protect the POS systems in two critical ways.

First, the suit says Radiant provided the restaurants with POS devices that stored card data after the transaction was complete. That's a big no-no under PCI, the industry rules that govern card data security.

What really makes me want to cut up my cards and go back to the barter system is the second allegation: that Computer World administrators who maintained the POS devices installed PCAnywhere and then used the same login and password combination at 200 locations. According to a report in Wired, the login/password combo was "administrator" and "computer."

You can guess what happened next: an attacker gained remote access to multiple systems, and then installed malware that copied card data as it was swiped through the POS devices.

The login/password blunder frustrates me because you don't need a computer science degree to know how bad an idea that was. Even more frustrating is the entire world knows bad guys are hitting card processing systems as hard as they can. Do we really need to make it this easy for them?

Having been a victim (twice!) of computer crackers stealing debit/credit card information from a local supermarket chain, I know what a pain in the butt such problems can be. In a period of less than a month our debit card information was stolen twice. We had to replace our debit cards twice. We did end up with some suspicious charges against our debit cards after the first breach (which our bank voided). It was an inconvenience not being able to access our accounts via an ATM, meaning we had to go to our bank and cash checks to get money until we received our new cards.

As convenient as it is to have ATM/debit/check cards, the breaches of electronic transactions systems have made me rethink using them for everyday purchases. At one point I carried very little cash (between 5 and 10 dollars), using the debit card for any purchase larger than $10. Those days have ended. Instead I'll carry a bit more cash and use the ATM/debit card for very specific purchases (and never for online buys). These actions have two benefits: I'm less likely to spend frivolously because of the limited cash I carry and I'm less likely to spend more than I can really afford. One other advantage of cash purchases: anonymity. For all intents and purposes cash is untraceable (at least by computer crackers).

The same can be said about pre-paid debits cards, which are as good as cash. They're anonymous and they're covered just like debit or credit cards if they are stolen or lost.

Am I being paranoid? Maybe. But on the other hand I might pose the question “Am I being paranoid enough?”

No comments:

Post a Comment

Comments are welcome. However personal attacks, legally actionable accusations,or threats made to post authors or those commenting upon posts will get those committing such acts banned from commenting.