No one around me batted an eye as the well-dressed woman dug through the airport cafe waste container, pulling out shopping bags, lunch trays and paper — credit card receipts, to be specific. At first I thought she was looking for one she had accidentally discarded, but I doubt she’d done that much shopping between flights.
The woman assembled a neat little stack of 50 or more slips before noticing me, then tucked them away in her purse with a few other little bundles. As I installed my newly purchased privacy screen on my ancient ThinkPad, she eyed me, came to an unspoken understanding of where we each stood and moved along.
Most people are socially conditioned to look away from someone rummaging in the trash, but she was clean and meticulous, avoiding both making a mess and raising any questions. Credit card fraud is a lucrative business in any case, and this particular method of gathering the requisite data is relatively low-risk.
One hundred twenty years ago, when Edward Bellamy first coined the term “credit card” in Looking Backward, I doubt this is what he had in mind. Then again, the original notion of the credit card was to ease the exchange of goods in a cooperative quasi-socialist society “in which war, poverty and malice do not exist.”
Instead, today almost a trillion dollars in unsecured debt is riding on Americans’ credit card accounts, rising at a rate of more than 11 per cent and worrying more than a few analysts. The last thing the current economy needs is an increasing tide of fraud as a result of weak security controls.
Discredited
Why is a handful of credit receipts a problem? In my wallet full of receipts from U.S. merchants, almost all redact the first 12 digits of the 16-digit credit card number on a receipt. However, in this European airport, some masked the first four and the last single digit.
Now the first digit specifies the type of card, and the following five the bank ID. The last digit is a checksum, computed from the preceding nine. Visa Inc. and MasterCard Inc.’s cards are by far the most common, so the first digit is probably “4” or “5,” and the last two digits of the bank ID have been given away. A major bank — the most likely issuer of a credit card — probably has a low bank ID number, so it’s a good bet the second digit is a zero. That leaves just two digits unknown.
Statistically, my delicate dumpster-diving friend only needs to collect 50 receipts for a random guess to produce a usable number. Anyone who has compared birthdays in a classroom knows that it often takes surprisingly few tries to find a valid match in a group. All this was from a physical collection scheme without resorting to credit card number generation or validation methods. There is little trace of her actions; just a handful of easily discarded evidence. If I had to venture a guess, I’d say she gathered two to four valid numbers an hour.
Those valid credit card numbers are of limited value without the security code on the back, but not worthless. Keeping an eye out this holiday season, I saw numerous merchants who hadn’t secured their part of the transaction keys. An uncomfortable number of brick-and-mortar retail shops had one or more registers with stickers with the 800 number for their merchant banks posted near their credit card swipe device, and — like the proverbial password on a Post-it — their merchant IDs or account numbers written on them.
Combining a wad of receipts, merchant identities in a non-suspicious locale (i.e., where legitimate transactions have been processed) and a little creativity is enough to process bogus “card-present” transactions, generate receipts for stolen merchandise or cause thousands of dollars of some other kind of havoc.
Aggregating trouble
Why worry? This only applies to sloppy people and careless businesses that earn a breach from their lax handling of account numbers, right? Wrong — in business as well as personal life, aggregation of any valuable data will lead to trouble if it’s mishandled.
For example, a local alternative weekly recently printed a sobering bit of humor — a woman tires of protecting her ex-boyfriend from his own carelessness and willful ignorance, which leads to a jackpot for someone like my acquaintance in the airport. The worst case comes when there isn’t even a way to know if the data has been mishandled, lost or stolen. This applies to more than account numbers, and more than just individuals.
As I look around me in a client’s dusty office where it has parked every other consultant to pass through for the past 10 years, I see a box of tapes totaling two or three terabytes of e-mail, payroll, purchasing, insurance and other data. Were I inclined, I would surely nab the tapes labeled “all server registry” and “IT workgroup,” but it’s the collection en masse that’s really worrisome. Worse, there’s no one responsible for them, nor any policy to guide their retention.
Tales are legion of such backup tapes stolen from a hapless administrator’s car, boxes of papers with personally identifiable information thrown in the Dumpster, or even wads of receipts and invoices left for others to peruse. In each of these, however, the facilitating mistake — the one that really led to the breach — is not the last one, but rather the unnoticed accumulation of valuable data. Just a few simple mistakes can lead from exposure of a single piece of data (and the personal damage or fraud it may facilitate) to exposure of enough data for a massive privacy breach, or fraud and identity theft on an enterprise scale.
Clean living
Just don’t do it. The lesson at every level is not to gather data unless it can be protected. This doesn’t mean that business processes should halt until security tasks are complete — that argument is rightly unwinnable — but data from those processes shouldn’t be gathered, stored or made available online unless there’s some way to protect the aggregate.
Run backups, but don’t accumulate tapes unless there’s a policy for their handling and a person responsible. Don’t replicate data across multiple systems unless there are permissions to control the access. Don’t allow people to print reams of sensitive database records unless there’s a rule to protect the data in physical form. Don’t implement an intranet until authentication and network borders are controlled.
In the personal realm, the trail of data ought to be kept to a minimum. Don’t save files unless there’s a way to manage them. Don’t leave valuable or sensitive pictures on a digital camera. Don’t pull the receipt from the gas pump if it’s just going to be thrown away. Until sophisticated systems such as VaultID — using strong authentication and controlled payment numbers — become the norm for controlling credit transactions without leaving a trail of collectible data, compulsive receipt-keepers ought to use a scanner or a filing system to keep things under control. Bills, tax records, medical papers and letters, whether they arrive by post, e-mail or are saved from online applications, ought to be kept for their useful life and then (gasp) deleted.
Think of it as a clean conscience policy in the manner of a clean-desk policy. Don’t create a problem if it’s not going to be used, aggregate a problem if there’s no management, or let it linger if there’s no end in sight.
Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a major refugee aid organization and continues to have his advice ignored by CEOs, auditors and sysadmins alike.