So there was this article in the New York Times today, about successful attacks to credit card databases. In particular about a ring that is responsible for stealing 130 million credit card numbers. I wonder if it is these guys who are responsible for my credit card sending me a new car5d number recently, and causing a lot of hassle with me trying to fix all the automated bill payment I have. In any case, in the article it explains that credit card companies don’t encrypt the credit card information when they are communicating with the machines.
What? How can that be?
Does technology really lag so much?
In the US alone, I would expect that there are more than a few billion dollars lost each year on credit card fraud and stolen identities. I would also assume that there are less than 100 million credit card reading machines and ATM’s (1 per about 5 people). The cost of replacing these machines so that they encrypt the data should be less than 100 per machine. These machines are not as expensive as computers, and many of them could get a quick fix with a software update. This is doable within a few years (two years should be enough for even the most backward shop to get a new machine).
This puts the cost of encrypting the system at about 10-20 Billion (in the US). There are standard encryption technologies and commercial protocols that are well tested and secure. How hard can it be to implement, seriously?
The rest of the world would follow soon. If credit card fraud is bad in the US, as far as I konw it is even worse in Europe. I expect this cost of encrypting to be much less in the long term than the cost of issuing new credit card numbers to all of their costumers, plus picking up the bills on credit card fraud would entail.
There’s not much on my computers, but I’m extremely paranoid about logging in and out of them. I don’t trust internet cafe computers: there is key-logging software in a lot of them and I only use ssh-encrypted channels to do various things. So how can people who care about money be so careless?
The easiest way out of this is to require the government to mandate cryptographic standards for communicating between machines and banks, so that even if people get access to the data stream, there is very little information that can be pulled out of it. Seeing as how banks have lost a lot of clout recently, this is probably a good time to implement this.
In the meantime, here is something from XKCD regarding man in the middle attacks that should make you all laugh for a while.