Security Review: credit cards stored in company databases

By Justin McOmie at 11:01 pm on March 16, 2008 | 6 Comments

Summary:

It is now very common to do business with companies that, by default (or even as a condition of doing business with them), permanently store credit card numbers and associated personal information in a database, either to speed up future transactions or to protect themselves against liability (late fees, damage charges and the like). While this can be a convenience to consumers, it is worth exploring why it is a general security risk.

Assets:

  • The confidentiality of credit card and personal information within the database. Only authorized individuals should be able to access it, and it should be stored in a secure manner on disk (for example, encrypted at rest, with the keys held separately from the database itself rather than alongside the data).
  • The availability of the credit card number when a patron needs it or depends on it (say, for something like Amazon’s One Click service).

Adversaries:

  • Employees of a company who may use your personal information for their own gain. At a video store, an employee might shift their own late fees onto your credit card.
  • Outsiders who would try to obtain your credit card or personal information. This might include people who would physically steal machines, or people who would use social engineering to talk an unsuspecting employee into reading out your card number.

Weaknesses:

  • The employee who acts as gatekeeper of the personal information is most likely not trained with security in mind and may therefore give up your personal information without properly verifying who is asking.
  • The information will most likely be viewable by far more people than the one person who actually needs to access it.
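To make the two asset properties above concrete (only authorized individuals can recover the number, and the rest of the system never holds it), here is an added example of a tokenization layout in Python. It is not code from the original post; the `CardVault` and `MerchantDB` classes, the role names, the HMAC key and the sample card number `4111111111111111` (a standard Luhn-valid test number, not a real account) are assumptions chosen for illustration. The merchant's own database keeps only an opaque token and the last four digits; the full number lives in a separate vault that releases it only to a payment-processing role and logs every attempt, which is one direct answer to the weakness that the data is viewable by more people than need it.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Added example (not from the original post). The vault, database, roles,
# key and sample card number below are assumptions chosen to illustrate
# the design, not a description of any particular company's system.


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before anything is stored."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Holds full card numbers, separate from the merchant's customer database.

    In a real deployment this would be a separate service (or a payment
    processor's tokenization API) with its own keys and access controls;
    here it is a class so that the example runs stand-alone.
    """

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._pans: dict[str, str] = {}                # token -> full PAN
        self.audit: list[tuple[str, str, str]] = []   # (actor, token, outcome)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Keyed HMAC: the same card always yields the same token (so repeat
        # customers deduplicate), but without the key the token reveals nothing.
        token = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()[:24]
        self._pans[token] = pan
        return token

    def detokenize(self, token: str, actor: str, role: str) -> str:
        """Only the payment-processing role may recover a full number; every
        attempt, allowed or not, is written to the audit trail."""
        if role != "payment-processor":
            self.audit.append((actor, token, "DENIED"))
            raise PermissionError(f"role {role!r} may not read full card numbers")
        self.audit.append((actor, token, "DETOKENIZED"))
        return self._pans[token]


@dataclass
class CustomerRecord:
    """What the merchant's own database stores: no full card number anywhere."""
    name: str
    card_token: str
    card_last4: str
    expiry: str


@dataclass
class MerchantDB:
    records: dict[str, CustomerRecord] = field(default_factory=dict)

    def store_card(self, vault: CardVault, name: str, pan: str, expiry: str) -> CustomerRecord:
        # The raw number passes through once, on its way to the vault.
        rec = CustomerRecord(name, vault.tokenize(pan), pan[-4:], expiry)
        self.records[name] = rec
        return rec

    def clerk_view(self, name: str) -> str:
        """Enough for a clerk to confirm 'the card ending in 1111', no more."""
        rec = self.records[name]
        return f"card ending in {rec.card_last4} (expires {rec.expiry})"


if __name__ == "__main__":
    vault = CardVault(b"constructed-example-key")   # assumption: key lives with the vault only
    db = MerchantDB()
    rec = db.store_card(vault, "Alice Example", "4111111111111111", "12/09")
    print("merchant record:", rec)
    print("clerk sees:", db.clerk_view("Alice Example"))
    try:
        vault.detokenize(rec.card_token, "front-desk", "clerk")
    except PermissionError as e:
        print("clerk lookup refused:", e)
    print("settlement job gets:", vault.detokenize(rec.card_token, "nightly-settlement", "payment-processor"))
    print("audit trail:", vault.audit)
```

The point of the split is that a stolen or social-engineered copy of the merchant database yields tokens and last-four digits, neither of which is chargeable, and that any path to the full number leaves an audit entry naming who asked. The deterministic HMAC token is a design choice for deduplication; a vault that issues random tokens and keeps its own lookup table is equally valid.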

Defenses:

  • The ultimate defense would be to stay “off the grid” so that there is no private data to fall into the wrong hands. Doing this, however, is becoming increasingly difficult and impractical for most people.
  • Being vigilant about credit card information. This involves auditing one’s credit card bill each month to make sure that no unauthorized charges were made.
  • Being mindful of anything that suggests someone is trying to use your personal information or impersonate you. Something that looks like a phishing attack (unexpected mail from the bank) may actually be a sign that someone has already acquired personal information and is trying to use it.

Risk Analysis:

There is a very real risk that personal information will be compromised when stored in companies’ databases. Perhaps the most interesting threats are those waged by adversaries who pursue a social engineering route. There is an interesting incident recounted in Kevin Mitnick’s book “The Art of Deception” (google “art deception filetype:pdf”, p. 47) where a son is able to get his father’s credit card number from a video store in a matter of minutes without leveraging his relationship to his father or anything personal about him.

Conclusion:

The only practical approach consumers can take to limiting the risks that go with having credit card information in company databases (other than opting out altogether) is to be vigilant in recognizing when information might have been compromised. As consumers we have a broad range of choices to make when patronizing businesses, and ultimately the most important thing to do is to recognize one’s own habits and assess the threats accordingly.

Filed under: Security Reviews

6 Comments

  • 1

    Comment by Alton J. Jones

    March 19, 2008 @ 11:44 am

    My blog, How To Get Good Credit Gab, provides the opportunity to share thoughts, ideas and experiences about obtaining good credit and emphasizes the importance of building and maintaining good credit and the perils of personal financial mismanagement.

    Please consider adding this video to your site:
    http://www.youtube.com/watch?v=2fi0okku_X4

  • 2

    Comment by Rosie

    March 20, 2008 @ 4:14 am

    I used to run a small (36 room) independent hotel in Brighton, England, next to a large conference centre. After about a month in the job I was writing a new training manual and started to think about the info we collected on our customers. I rapidly realised that the set up in a small hotel like mine was almost perfect for committing various types of fraud. Here was what we collected on our customers: name, address, date of birth, company, type of employment, credit / debit card number, driver’s licence or passport, which was held until the guest checked out. Records were in dead tree format (kept for five years in a box in the basement, onto which all the info above was written) and entered into a database (can’t remember which one, this was five years ago) and never deleted. Worse, we also had six internet enabled PCs which the guests were free to use, onto which my delightful bosses had installed keyloggers to monitor what the staff were up to on their breaks. Oh yeah, and there was a security camera positioned above the reception desk that could quite easily have been aimed so as to record people’s PINs as they entered them. This was not an unusual set up for a small hotel; most of the ones I’ve worked in have had very similar procedures. Staff turnover was high, as is usual for the hospitality industry (the pay sucks), and it wouldn’t be difficult for a larcenously minded individual to get a job in such a place, especially as night porter / receptionist.
    So fun student project, get job in small, independently run hotel / motel and see how many people’s identities you can (theoretically) steal.

  • 3

    Comment by rybolov

    March 20, 2008 @ 8:55 am

    Wow, a discussion of stored credit cards that doesn’t mention PCI-DSS? It’s an attempt by the credit card companies (Visa, Mastercard, etc) to reduce their risk by getting vendors and card processors to comply with a security standard.

    I’m not sold on the idea yet (for political reasons, not for security reasons), as is most of the industry, but check out the card-storage requirements inside the standard.

  • 4

    Comment by Mark Jonson

    April 14, 2008 @ 11:45 pm

    MBNA (now owned by Bank of America) solved this problem 8 years ago with a tool called Shop Safe. Granted, you have to access the tool online and it is not simple enough for very basic users like my Grandma but it works for both online and phone transactions where you don’t need to show a physical card. They allow you to create virtual credit cards with fixed credit limits and expiry dates to use. If everyone insisted on this, the technology would be standard practice for all credit card companies.

  • 5

    Comment by Best Cash Back Credit Cards

    September 17, 2008 @ 2:03 am

    It’s worth noting that under federal law, the maximum liability for a consumer on a stolen credit card is $50. That’s not to say we shouldn’t be vigilant in protecting our personal information, but the potential liability from a stolen credit card number is small.

  • 6

    Comment by Joseph Archibald

    January 10, 2009 @ 1:01 pm

    Capitalist society is more and more credit card dependent and as such perhaps it is wise to be more aware about the transactions that show up on your bill at the end of the month.

    I hear about this very often and have had personal experience too – credit card details being swiped and fraudulently used, or card details being provided en masse due to some error with a computer database somewhere. Makes you wonder really, is enough being done for our (the consumer’s) protection, regardless of the fact that a consumer’s personal liability in the US is only $50?
    What did happen to Kevin Mitnick? Fascinating story!
