The hackers seem to be winning.
One solution I have advocated for over the last many years to reduce credit card fraud is a technique called credit card tokenization. When a merchant accepts a credit card, that card information is immediately tokenized and that token is all that the merchant keeps. If they need to rerun the credit card, say for a monthly recurring charge, they present that token to their payment processor and they get paid. If hackers steal the tokens, it does them no good because those tokens can be locked down to that merchant or even to that server.
So the hackers innovate, even though the vast majority of merchants don’t tokenize.
They slip a tiny bit of code (15 lines) into a library that MANY merchants use, and it watches for a credit card passing through. They grab the card info before it is encrypted and before it is tokenized.
Since online transactions do not take advantage of chip technology (yet), this card information can be used in other online environments.
This week’s announcement concerns NewEgg.Com, a computer hardware and software seller. The hackers ran wild from mid August to mid September. The malware is called MageCart.
This is the same malware that attacked Ticketmaster and also British Airways.
Along with thousands of other sites.
So what do you do?
If you are a merchant, you have to deal with the lack of security on your web server that could allow a bad guy to install MageCart, since it is buried inside some other software that you use as part of your development. Eliminating this is part of what the DoD calls SCRM, or Supply Chain Risk Management. Not easy, but absolutely required.
If you buy things online, you can protect yourself by shopping locally. 🙂
Sure. That is not gonna happen.
But there are a couple of things you can do.
Sign up for text alerts from your bank or credit card company so that you get notified EVERY time your card gets used, in real time. That way, at least, you can kill the card before even the first transaction clears.
Second, you can use one of the vendors that issue single-use credit card numbers. The biggest issuer that does this that I am aware of is Capital One. Their service, called ENO (one spelled backwards), includes a browser plugin that automatically issues disposable card numbers that are uniquely tied to a single merchant. If the number is stolen, it can’t be used at a different merchant. And while that card number is tied to your actual card, the actual card number is never exposed, so if that one site is hacked, only that card number has to be replaced, not every one. And, since they have a browser plugin, the process is pretty simple to use.
The last option I have is to use prepaid cards. Most banks offer them. Chase calls theirs Chase Liquid, for example. Sometimes the bank charges a few bucks a month for the service, but often you can get them to waive that. That card is tied to your online userid but the account does not draw from any other account. If you, for example, leave $100 in that account, that is the max the bad guys will get and you will be reimbursed by the bank if the charge is unauthorized. The challenge is that you have to manage having exactly the right amount of money in that account, so the Capital One strategy is a lot easier.
Information for this post came from The Hacker News.