Visa and MasterCard instituted new rules in October 2015 that put retailers on the hook for all of the losses associated with counterfeit card fraud tied to breaches if they haven’t implemented chip-based card readers and enforced the dipping of the chip when a customer presents a chip-based card.
Nice job, holding franchisees responsible. Dickey's won't have to answer for the actual breach because the franchisees also had poor security.
Debit cards have PINs; credit cards don’t (edit: or maybe they do, but I don’t know what mine is). For credit cards usually just presenting it physically is enough to authorize anything. Online you usually have to provide the card number, verification code (printed on the back of most cards), and postal code of the billing address.
If someone steals your wallet, or just picks it up off the street after you drop it, what stops them burning through tens of thousands of dollars before anyone notices? I know you can claim it back due to consumer laws... but who's covering the actual goods and services that are consumed until they get to your credit limit?
Right... but someone somewhere must be paying the bill? If I buy a sandwich with a card I found on the ground and get away with it who's paying for that sandwich? The card owner? The store owner? The card provider?
In the UK it's the store... unless they made you use chip and a PIN. Which is why they all use the chip and a PIN. Then it's the card provider, but it's not because the chip and PIN prevents fraud before that point. I think the card provider eats contactless payments because they encourage more of them so it adds up in the end.
In the US, if it was a chip and nothing transaction, the bank probably covers it. If it was a magstripe transaction not at a gas pump, the merchant covers it.
Card holder liability on timely reported loss or stolen card is capped at $50 or something.
Some humans may have a hard time deciphering touch tone by ear, but anyone who can eavesdrop a phone conversation can use a program to do the translation.
In Europe at least the PIN for making payments on your "Chip & PIN" card is to NEVER be given to anyone (or typed on a phone call). Banks will make this very clear.
A security "password" for doing phone banking is different.
They are in the US as well, this thread is just someone demonstrating the reality that very many people don't realize they should be different and make them the same for convenience.
If you care about entropy, don't leave it up to users.
It's very few and far between. I have a US-bank issues commercial card that requires a PIN. At least circa a year ago or so I hadn't found a personal one that did.
PIN isn't really needed. PINs are only more secure than chip in scenarios where the physical card is stolen, which is an extremely small portion of credit card fraud. Most physical fraud was from skimming, which chip blocks equally well as a PIN, but chip is more convenient. Using a chip reader for their point of sale system would have prevented the breach in this article.
Source: used to work adjacent to the fraud analysis group at a large bank.
My MC, issued by a US credit union, does require PINs. Most checkouts in the US or Canada require me to enter a PIN when using this card, though this somewhat seems to also be a function of the purchase amount.
EMV has a negotiation step. As is often the case this step is flawed, but generally the idea is the card (well the chip on the card) and the terminal get to negotiate about what's going to happen next.
So I think it's possible for a card to insist upon doing a PIN transaction if that's possible, while still retaining the ability to authorize a no-PIN transaction if the terminal says it doesn't do PINs.
It's also possible for the card or the terminal to have value-related thresholds, in line with the issuer's appetite for risk so e.g. maybe a bag of chips from a vending machine with no PIN is a risk the bank can live with, but a $3000 diamond engagement ring not so much.
Because the chip has (some) memory it can even have state, maybe one $1.50 bag of popcorn from an offline no-PIN terminal is fine, and so is two, but before you can do a third tiny off-line transaction you'll need to do a real transaction or visit an ATM or other online system with the card so it be reassured everything is on the up-and-up.
I thought (but don’t quote me on this) it was actually Visa and MasterCard that campaigned to keep chip-and-signature over chip-and-pin so that they could charge higher fees for “fraud prevention”. Which I find a bit amusing as I’ve been signing my card transactions with a literal smiley face as of late.
Well, as a guy who spend couple of years actually implementing chip & pin terminal credit card application from scratch, for a Polish acquirer, and a security officer at the same company, who had to read and internalize 17 thousand pages of documentation from Visa, Mastercard, PCI and EMV to do so, I can confidently say this is complete and utter nonsense (and it already was 10 years ago when I have stopped working with credit cards).
At every step Visa and MasterCard promotes highest possible level of security.
To give you an example, when implementing the terminal application you have to be able to support a range of CVMs (Cardholder Verification Methods) that might be presented by the card. The CVM list is a detail personalized on the card by the Bank, issuer of the card.
The algorithm actively promotes selecting the strongest authentication method that is supported by the card and always prefers PIN over signature (ie if PIN CVM is available it should not be possible to normally use signature).
This is verified during certification process and applications that don't meet this requirement fail certification.
There are also rules and internal memos which are sent to both acquirers and issuers, to which I have been privy to, which exert pressure on issuers to improve their security to deal with frauds. We were also regularly notified on new types of frauds detected and how to help preventing them.
The terminal application should also always prefers chip over magnetic stripe up to the point where magnetic stripe transaction is only allowed as a fallback after chip is found to be inoperable. So on a well implemented terminal you have to try chip first and only if it doesn't work the terminal should allow you to try with magstripe, if the magstripe says that the card is chip-capable.
Additionally, Visa and Mastercard both monitor rates of fallbacks (situations where magstripe is used with chip-capable cards) and issues penalties to entities that cross specific thresholds.
> At every step Visa and MasterCard promotes highest possible level of security.
No doubt you've drunk the Kool-Aid but this isn't true. EMV rests heavily upon cryptographic protocols, we know the highest possible level of security is achieved for such protocols by publishing them for evaluation and improvement by independent researchers. EMV didn't do that.
There are many but here's a particularly low hanging piece of fruit that results from not having independent researchers looking over what you've done:
It is critical to the EMV design that the payment terminal picks unpredictable numbers. These aren't just nonces, where it only matters that they're different, they must be random or a relatively cheap (worth doing to forge credit card transactions) attack succeeds. So what do you suppose those standards documents require? You might even have read it.
The certification document says for testing read two of these "unpredictable" values. Ensure they are different.
Guess what lots of real hardware actually deployed in the wild does to achieve that requirement? It uses a counter. Because random numbers might sometimes not be different leading to a tiny chance of failing the mandatory test, but a counter will reliably pass the test even though it's insecure. Genius. So you go from "Hypothetical adversary needs to guess a large random number" to "It's just a counter" and attack cost falls from billions of dollars to a few cents per transaction on top of R&D.
There is one fundamental difference between credit cards in the US vs the rest of the world.
The United States has legislation protecting credit card holders. It limits out-of-pocket expenses for any fraud to $50.
In practical terms, you notify your credit card company and they just remove the charge and there is no cost and very little hassle or drama.
A similar situation is probably car insurance and car theft.
I think because we have car insurance, we probably have higher levels of car theft. It has probably become sort of decriminalized because the harm is likely less and the insurance companies treat it as a cost of doing business.
Meanwhile 200 years ago horse thieves, who were probably not caught, did real damage to people even though the penalties of being caught was probably hanging.
See my other reply, I was actually my job to know this stuff.
As to fraud, you might be misunderstanding this. There are different types of fraud and not all are covered the same.
I don't know US legislation, but what you should know, legislation or not, Visa and Mastercard offer chargeback program (don't mistake with cashback) where you can notify your bank when the transaction was not authorized by you or when you have authorized but not received the service or the goods or services did not agree with the what you agreed with the merchant (ie. when you got blue shirt when ordered green one). This is NO QUESTIONS ASKED, ie. now it is up to the Merchant to prove that they are in the right and if they can't prove it, you are credited with the amount automatically.
Now, this happens when the transaction happened through Visa/Mastercard network.
When you are using the card at ATM this is fundamentally different thing. The ATM is most likely operated by your own bank or through an agreement with some other entity that is not Visa/Mastercard.
You can think of this, that the card functions as an identifier that can be used to run transactions using completely different systems.
Also there are a different kind of card called a debit cards (or an atm card). These are not credit cards and withdraw money from your bank account. They require a pin as well.
You can use a debit card to purchase something at a point of sale - but you must give a pin. The money is taken from your bank account (and visa/mastercard are involved)
However the vast majority of point of sale transactions are credit card transactions and go through the visa/mastercard network.
I used to have a debit card (decades ago) and had one fraudulent transaction. I called my bank, they credited me the money, investigated, and then made it final.
As I said, ATMs and doing shopping at WalMart are completely different things.
When you are shopping your card is used through Visa/Mastercard network.
When you are at ATM your card is used in a completely separate way, basically functioning as an identifier. The same way you can use phone number to log in to your google account even though it was not originally meant for it.
Also you mix debit/credit thing with other stuff. Debit and credit cards authorize the same way. The difference is how the transactions are processed at your bank, but this has nothing to do with whether the transaction is pin or signature.
Merchants WANT you to be able to use your card - without thinking, with little friction and often. They make lots more money with this state of affairs than fraud takes away.
The first thing to know is that payment cards have two almost unrelated systems, named Authorization and Settlement. Authorization is about protecting the card company from crooked card holders by validating that the card holder authorized this transaction. It's optional, and it has some modern technologies like EMV (Europay/Mastercard/Visa the joint system known for the presence of a chip on your card) which could enable PIN verification if you wanted.
Settlement is the part that moves money from your account to a merchant's account, it's childishly simple and it is run almost entirely on the honour system like it was when it was invented last century. A merchant says card 1234 5678 9012 3456 was used to pay them $280, the card company either accepts that and moves $280 from the account associated with that card to the account for the merchant, or they refuse. The merchant can provide more information, but they don't have to and will usually get paid regardless.
The fancy modern technology for Authorization makes no difference to Settlement. If the bank receives a Settlement for a transaction supposedly made with a card you actually tossed into the mouth of an active volcano a month earlier, the only thing likely to stop that getting paid is if you call the bank and insist you made no such transaction, confident that the merchant doesn't have evidence to the contrary because duh, that card was destroyed a month ago.
Check your statements. Read every line item, dispute anything you don't recognise. Even if you use (for example) Apple Pay every single time, your bank is under no obligation to treat a $150 payment for scratch offs supposedly made with a mag stripe card on the far side of the country as suspicious and block it. They might, but they might not, that's on you.
The volume of fraud is driven by easy ways to steal a shared "secret" that should never have existed (a card number, the only thing truly needed for Settlement) and then use that to fraudulently obtain things of value. PINs don't really impact that, they're a defence against a much rarer crime - theft of the card. A pickpocket or burglar doesn't know your PIN. But pickpockets do not steal millions of cards at a time.
If you have a card, with a PIN, and you used that card, with a PIN, at Dickey's, there is every chance you're vulnerable as a result of this anyway. Do the crooks get your PIN? Nope. But chances are your priority wasn't keeping a four digit number secret but not losing your money.
Last time I looked at card processor you had to echo back the approval numbers with the other information when you did your batch close transaction, so the card processor should be able to reconcile the batch record with the original approval record and stop arbitrary new data being introduced. Plus not every card processor I looked at used batches.
At one point the card processors had a very nice crypto protocol called SET that kept the card numbers out of everyone’s hands. At the time the crypto was really overwhelming and it would take like twenty seconds to do all the math on a high end (for the time) processor. The other problem was that the reference implementation was done by an absolute c++ zealot who was furious he had to write the code in C so tens of thousands of lines of code was dedicated to implementing all the c++ features in C which pretty much made the reference useless except for interoperability testing.
Unfortunately the standard never took off and you can’t find it anymore.
The card processors have a new standard. Its called Secure Remote Commerce (SRC). Its the same ideas as SET. The card networks hold the card details securely, and issue crypto graphically signed digital tokens. We will see if it works out any better than SET.
I had an issue that sounds like that settlement issue with a card where it would be used at a 7/11 in LA for like $11-15 every week for a few months. (Never been to LA in my life)
The weird thing was that I’d get hit with an anti fraud decline getting gas in NY or Mass 50 miles from home, and it kept happening even after card replacement.
The flip side is if you lost your card AND the thief guessed your PIN, it might be a lot harder to convince the bank you didn't authorize the purchase.
It’s better than most fast food options. I always hit a Dickies off i95 in North Carolina when heading to Florida or South Carolina. It’s better than some awful McDonalds or Arby’s.
My god. You were in North Carolina, a state that invented a type of barbecue, and the best you could find was a Dickeys? There are infinitely many better options.
I didn’t say good bbq, just better than Arby’s. A low bar for sure. My apologies to the good people of North Carolina!
When you’re on a 14-24 hour drive, your options within 5 minutes of I95 are limited. There are some awesome options that need that criteria as well, but their hours often don’t match my travel schedule on that trip!
I find it weird you specifically called out Arbys since it seems like the closer you are to Richmond the better it becomes, with Richmond Arbys seemingly from a different planet compared to the rest of the country. There's rotisserie chickens, they seem free to experiment with the menu, some locations have beer, and it easily still competes and is often times better than the rise of "fast casual" places like five guys.
I was genuinely surprised when I went to college further up the east coast and found out the hate on tv shows was a real opinion. It definitely wasn't as good up north but not that bad. I'd heard the further from the east coast, and for some reason Richmond, the worse it gets, with California friends despising it.
I’ll admit to bias. My foundational experience was eating at one on the way back from a track meet in high school. It was the only option available in a small town. The curly fries were good; the sandwich... let’s just say it was a long ride home on the bus.
In the pantheon of fast food as defined by me, only a New Jersey Turnpike Roy Rogers (may no longer exist) rates lower!
> Nice job, holding franchisees responsible. Dickey's won't have to answer for the actual breach because the franchisees also had poor security.
I think this is blaming the wrong people. I mean, do we really think some small fry BBQ restaurant franchisee can do adequate IT security now?
The issue is that credit card numbers are fundamentally insecure. We must move financial systems to a signed transactions model where private keys only live on secure hardware modules. This idea that we can have credit card numbers floating between consumers and merchants and payment processors and banks is nonsense.
In that case, you wouldn't sign a single transaction, you would sign a subscription plan, e.g. "I authorize merchant X to debit my account Y dollars every month."
In this case, they would have had to buy new, chip-compatible card readers. In that case the breach wouldn't have produced anything usable. Security costs money. If not now, then later.
However, it seems that Dickey's corporate must also be to blame. Lots of small businesses in USA have old swipe-style readers, but rarely are they lumped together in a single giant hack like this.
You'll note this is noted as happening a year + ago, when I had a credit card, yes, copied from the dickies online ordering system for a local franchise. Blaming the franchises and treating them terribly is why my local bbq place dropped their franchise and now is just their own shop.
Either we live in the same area (unlikely, given your employer in your profile), or our local Dickey's did the same thing as yours, rebranding locally.
Indeed. While Dickey's was originally a Texas restaurant, most Texas BBQ aficionados would never eat there, because they wouldn't consider Dickey's product BBQ.
As an Austinite it’s true. Dickey’s is pretty frowned upon here to the point that most locals refuse to eat there. Though we do have a different BBQ chain in the South called Rudy’s which is surprisingly good for being a chain restaurant and normally is considered acceptable to even the snobbiest of BBQ sommeliers.
Rudy's is my goto for edible BBQ when I'm outside Texas, although the quality varies from location to location (the one in Manitou Springs, Colorado is much better than the one in Albuquerque IMO. Go figure.)
It's good that I don't live in Austin any more because I'd probably camp at Franklin's 24/7 and never leave. Although I don't know if or how Franklin works during COVID.
I got Franklin’s a couple of weeks ago. It’s a pretty standard curbside system: you book a slot online and go pick it up at that slot. Only thing that has changed is that you now only need 3 lb minimum of meat instead of the previous 5 lb. It’s also even more eye-wateringly expensive (but of course I happily pay it anyway, because it’s Franklin’s).
Unfortunate title. I thought it was about 3M, the Minnesota materials science company. They're in all kinds of areas, so why not access cards or something similar. They're doing NFC tags, at least.
I’m talking about common parlance, that would make sense to people across all disciplines, finance, software, or otherwise. If you wrote $10B, people will know it’s billion just because you’re talking about currency. If you write $10G, people will not since very few people will connect G to billion.
Where are you getting these prefixes? It’s M, not m. 3M = 3,000,000. 3MM means the same thing, but it’s usually only seen in finance, and it’s not an SI prefix. 4MMM is meaningless.
m (lowercase) means “milli-,” which certainly isn’t what you want.
There is a somewhat dated system of abbreviations that used be (and occasionally still is) used in finance-related matters inspired by the use of M in Roman numerals where M or m is thousands and MM or mm is millions; different sources disagree on whether MMM/mmm can also be used for billions in that system.
Recently, it's been displaced by a probably-SI-inspired (but not SI-correct, particularly as regards capitalization which remains optional) system of K/k and M/m thousands and millions (but billions are usually not G/g, I've seen B/b more frequently, with T/t for trillions.)
I thought it was a material measure of some form of cards being literally smoked in some form of industrial factory, and figured this was strange news to appear on HN.
IMO the title could be less dense: "Data breach of 3 million cards at Dickey's BBQ"
So? If I see a charge on my card that I don't recognize I get online and dispute it, close the card, and have a new one sent to me in days... it doesn't cost me a thing.
85 comments
[ 3.5 ms ] story [ 165 ms ] threadNice job, holding franchisees responsible. Dickey's won't have to answer for the actual breach because the franchisees also had poor security.
That's it. Occasionally they ask you to sign on the past or hit the ok button but usually not even that.
I've had a card number ripped off via an online retailer and Visa figured it out on the first fraudulent charge.
In the UK it's the store... unless they made you use chip and a PIN. Which is why they all use the chip and a PIN. Then it's the card provider, but it's not because the chip and PIN prevents fraud before that point. I think the card provider eats contactless payments because they encourage more of them so it adds up in the end.
Card holder liability on timely reported loss or stolen card is capped at $50 or something.
There is generally no chip and pin. Some older terminals hard crash on PINs on credit. Some older terminals hard crash on PINs exceeding 4 chars
Go on your Credit Card website and there will be a place to request that they send you the number.
I'm not 100% sure about the ATM though, I've never tried to use it, plus the interest rate for a cash advance is nuts.
Really? You say your pin code over the phone?
A security "password" for doing phone banking is different.
If you care about entropy, don't leave it up to users.
The automated phone system accepts number input, but the resulting rep may ask to verify.
My bank claims to not know the card pin(my dad forgot, he had to go to the bank and set a new pin after verifying it's him)
Not sure op meant the same thing or they literally providing their card pin over the phone which is a bit crazy
Debit Card, yes
Source: used to work adjacent to the fraud analysis group at a large bank.
If you can checkout some places without it, the card does not require a PIN, it provides it as an option.
So I think it's possible for a card to insist upon doing a PIN transaction if that's possible, while still retaining the ability to authorize a no-PIN transaction if the terminal says it doesn't do PINs.
It's also possible for the card or the terminal to have value-related thresholds, in line with the issuer's appetite for risk so e.g. maybe a bag of chips from a vending machine with no PIN is a risk the bank can live with, but a $3000 diamond engagement ring not so much.
Because the chip has (some) memory it can even have state, maybe one $1.50 bag of popcorn from an offline no-PIN terminal is fine, and so is two, but before you can do a third tiny off-line transaction you'll need to do a real transaction or visit an ATM or other online system with the card so it be reassured everything is on the up-and-up.
It's just American banks pressure Visa and Mastercard not to implement and so they get waivers after waivers to postpone implementation.
Here in Poland and everywhere else in the world PINs have been absolutely required on new cards for over a decade.
At every step Visa and MasterCard promotes highest possible level of security.
To give you an example, when implementing the terminal application you have to be able to support a range of CVMs (Cardholder Verification Methods) that might be presented by the card. The CVM list is a detail personalized on the card by the Bank, issuer of the card.
The algorithm actively promotes selecting the strongest authentication method that is supported by the card and always prefers PIN over signature (ie if PIN CVM is available it should not be possible to normally use signature).
This is verified during certification process and applications that don't meet this requirement fail certification.
There are also rules and internal memos which are sent to both acquirers and issuers, to which I have been privy to, which exert pressure on issuers to improve their security to deal with frauds. We were also regularly notified on new types of frauds detected and how to help preventing them.
The terminal application should also always prefers chip over magnetic stripe up to the point where magnetic stripe transaction is only allowed as a fallback after chip is found to be inoperable. So on a well implemented terminal you have to try chip first and only if it doesn't work the terminal should allow you to try with magstripe, if the magstripe says that the card is chip-capable.
Additionally, Visa and Mastercard both monitor rates of fallbacks (situations where magstripe is used with chip-capable cards) and issues penalties to entities that cross specific thresholds.
No doubt you've drunk the Kool-Aid but this isn't true. EMV rests heavily upon cryptographic protocols, we know the highest possible level of security is achieved for such protocols by publishing them for evaluation and improvement by independent researchers. EMV didn't do that.
There are many but here's a particularly low hanging piece of fruit that results from not having independent researchers looking over what you've done:
It is critical to the EMV design that the payment terminal picks unpredictable numbers. These aren't just nonces, where it only matters that they're different, they must be random or a relatively cheap (worth doing to forge credit card transactions) attack succeeds. So what do you suppose those standards documents require? You might even have read it.
The certification document says for testing read two of these "unpredictable" values. Ensure they are different.
Guess what lots of real hardware actually deployed in the wild does to achieve that requirement? It uses a counter. Because random numbers might sometimes not be different leading to a tiny chance of failing the mandatory test, but a counter will reliably pass the test even though it's insecure. Genius. So you go from "Hypothetical adversary needs to guess a large random number" to "It's just a counter" and attack cost falls from billions of dollars to a few cents per transaction on top of R&D.
The United States has legislation protecting credit card holders. It limits out-of-pocket expenses for any fraud to $50.
In practical terms, you notify your credit card company and they just remove the charge and there is no cost and very little hassle or drama.
A similar situation is probably car insurance and car theft.
I think because we have car insurance, we probably have higher levels of car theft. It has probably become sort of decriminalized because the harm is likely less and the insurance companies treat it as a cost of doing business.
Meanwhile 200 years ago horse thieves, who were probably not caught, did real damage to people even though the penalties of being caught was probably hanging.
As to fraud, you might be misunderstanding this. There are different types of fraud and not all are covered the same.
I don't know US legislation, but what you should know, legislation or not, Visa and Mastercard offer chargeback program (don't mistake with cashback) where you can notify your bank when the transaction was not authorized by you or when you have authorized but not received the service or the goods or services did not agree with the what you agreed with the merchant (ie. when you got blue shirt when ordered green one). This is NO QUESTIONS ASKED, ie. now it is up to the Merchant to prove that they are in the right and if they can't prove it, you are credited with the amount automatically.
Now, this happens when the transaction happened through Visa/Mastercard network.
When you are using the card at ATM this is fundamentally different thing. The ATM is most likely operated by your own bank or through an agreement with some other entity that is not Visa/Mastercard.
You can think of this, that the card functions as an identifier that can be used to run transactions using completely different systems.
Also there are a different kind of card called a debit cards (or an atm card). These are not credit cards and withdraw money from your bank account. They require a pin as well.
You can use a debit card to purchase something at a point of sale - but you must give a pin. The money is taken from your bank account (and visa/mastercard are involved)
However the vast majority of point of sale transactions are credit card transactions and go through the visa/mastercard network.
I used to have a debit card (decades ago) and had one fraudulent transaction. I called my bank, they credited me the money, investigated, and then made it final.
When you are shopping your card is used through Visa/Mastercard network.
When you are at ATM your card is used in a completely separate way, basically functioning as an identifier. The same way you can use phone number to log in to your google account even though it was not originally meant for it.
Also you mix debit/credit thing with other stuff. Debit and credit cards authorize the same way. The difference is how the transactions are processed at your bank, but this has nothing to do with whether the transaction is pin or signature.
The only time a pin is NOT required is if it goes through visa/mc. And you have protections.
Please read this:
https://www.daveramsey.com/blog/debit-card-fraud
The truth is this:
Merchants WANT you to be able to use your card - without thinking, with little friction and often. They make lots more money with this state of affairs than fraud takes away.
The first thing to know is that payment cards have two almost unrelated systems, named Authorization and Settlement. Authorization is about protecting the card company from crooked card holders by validating that the card holder authorized this transaction. It's optional, and it has some modern technologies like EMV (Europay/Mastercard/Visa the joint system known for the presence of a chip on your card) which could enable PIN verification if you wanted.
Settlement is the part that moves money from your account to a merchant's account, it's childishly simple and it is run almost entirely on the honour system like it was when it was invented last century. A merchant says card 1234 5678 9012 3456 was used to pay them $280, the card company either accepts that and moves $280 from the account associated with that card to the account for the merchant, or they refuse. The merchant can provide more information, but they don't have to and will usually get paid regardless.
The fancy modern technology for Authorization makes no difference to Settlement. If the bank receives a Settlement for a transaction supposedly made with a card you actually tossed into the mouth of an active volcano a month earlier, the only thing likely to stop that getting paid is if you call the bank and insist you made no such transaction, confident that the merchant doesn't have evidence to the contrary because duh, that card was destroyed a month ago.
Check your statements. Read every line item, dispute anything you don't recognise. Even if you use (for example) Apple Pay every single time, your bank is under no obligation to treat a $150 payment for scratch offs supposedly made with a mag stripe card on the far side of the country as suspicious and block it. They might, but they might not, that's on you.
The volume of fraud is driven by easy ways to steal a shared "secret" that should never have existed (a card number, the only thing truly needed for Settlement) and then use that to fraudulently obtain things of value. PINs don't really impact that, they're a defence against a much rarer crime - theft of the card. A pickpocket or burglar doesn't know your PIN. But pickpockets do not steal millions of cards at a time.
If you have a card, with a PIN, and you used that card, with a PIN, at Dickey's, there is every chance you're vulnerable as a result of this anyway. Do the crooks get your PIN? Nope. But chances are your priority wasn't keeping a four digit number secret but not losing your money.
At one point the card processors had a very nice crypto protocol called SET that kept the card numbers out of everyone’s hands. At the time the crypto was really overwhelming and it would take like twenty seconds to do all the math on a high end (for the time) processor. The other problem was that the reference implementation was done by an absolute c++ zealot who was furious he had to write the code in C so tens of thousands of lines of code was dedicated to implementing all the c++ features in C which pretty much made the reference useless except for interoperability testing.
Unfortunately the standard never took off and you can’t find it anymore.
The weird thing was that I’d get hit with an anti fraud decline getting gas in NY or Mass 50 miles from home, and it kept happening even after card replacement.
When you’re on a 14-24 hour drive, your options within 5 minutes of I95 are limited. There are some awesome options that need that criteria as well, but their hours often don’t match my travel schedule on that trip!
I was genuinely surprised when I went to college further up the east coast and found out the hate on tv shows was a real opinion. It definitely wasn't as good up north but not that bad. I'd heard the further from the east coast, and for some reason Richmond, the worse it gets, with California friends despising it.
In the pantheon of fast food as defined by me, only a New Jersey Turnpike Roy Rogers (may no longer exist) rates lower!
I think this is blaming the wrong people. I mean, do we really think some small fry BBQ restaurant franchisee can do adequate IT security now?
The issue is that credit card numbers are fundamentally insecure. We must move financial systems to a signed transactions model where private keys only live on secure hardware modules. This idea that we can have credit card numbers floating between consumers and merchants and payment processors and banks is nonsense.
I had to cancel my bank account to stop payments.
They can certainly follow instructions from their payment processor.
However, it seems that Dickey's corporate must also be to blame. Lots of small businesses in USA have old swipe-style readers, but rarely are they lumped together in a single giant hack like this.
Makes me glad I never went there.
See: Starbucks and Seattle residents.
It's good that I don't live in Austin any more because I'd probably camp at Franklin's 24/7 and never leave. Although I don't know if or how Franklin works during COVID.
https://corporatefinanceinstitute.com/resources/knowledge/ot....
Here: better to just spell out "3 million", I reckon.
Is more universally understood I think. Also, seems like more work to write out 4MMM rather than 4b.
https://en.wikipedia.org/wiki/Metric_prefix
https://www.nist.gov/pml/weights-and-measures/metric-si-pref...
I also meant q for quadrillions, not a.
m (lowercase) means “milli-,” which certainly isn’t what you want.
There is a somewhat dated system of abbreviations that used be (and occasionally still is) used in finance-related matters inspired by the use of M in Roman numerals where M or m is thousands and MM or mm is millions; different sources disagree on whether MMM/mmm can also be used for billions in that system.
Recently, it's been displaced by a probably-SI-inspired (but not SI-correct, particularly as regards capitalization which remains optional) system of K/k and M/m thousands and millions (but billions are usually not G/g, I've seen B/b more frequently, with T/t for trillions.)
IMO the title could be less dense: "Data breach of 3 million cards at Dickey's BBQ"