A new report details the issues involved in the recent security breaches that exposed millions of TJX and OfficeMax customers' credit card data. The News.com article points out that while your credit card data is safe enough when you swipe it in a store, that data may be sent "upstream" to regional data centers known as "branch servers," which large companies operate and which hackers know to look for. These centers carry the highest risk, since they can store data on millions of people. A researcher known for his digital forensics work was interviewed by News.com last week about a paper he put out detailing the weaknesses of the current system.
No company seems immune to the recent wave of data thefts, with TD Waterhouse announcing that millions of customers' contact information was compromised in a recent incident. There are some bright spots on the horizon as companies scramble to reduce their risks. There are a number of potential solutions, including disposable credit card numbers that are used only once, as well as "tokenization" of the credit card data. Unfortunately, crime does sometimes pay: the hackers in the TJX incident sold the credit card information to a crime ring that has since been caught using the data to make bogus credit cards, while the hackers themselves are still at large.
TD Ameritrade Says Contact Info Stolen (Associated Press)
Leader of Florida crime ring tied to TJX data theft sentenced (International Herald Tribune)
I have long been a believer in e-commerce, to the point that nearly 95% of my Christmas shopping has been done online since 1997. A big part of the reason I haven't been to a mall in that time frame is the fact that I can get it (whatever "it" is at the time) cheaper, easier, and sometimes even faster on the Internet. I'm confident that the data traveling between my computer and the server on an SSL connection is pretty darned secure. Unfortunately, companies generally store those credit card numbers for a period of time, and that is where the major risk pops up.
Do you think companies should be forced to purge credit card data or use tokenized credit card data? Should consumers start using disposable credit card numbers to reduce the risk that their data will be stolen? I personally believe that if a company chooses to save credit card data, the onus should be on them to adequately protect it, but who do you think should have more responsibility for protecting credit card information?
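To make the "tokenization" option mentioned above concrete, here is an added illustration (not code from the article or from any of the companies named): a hypothetical token vault hands the merchant a random token in place of the card number, so the merchant's own order database keeps only the token and the last four digits, and a purge of the vault entry enforces a retention limit. The `TokenVault`, `OrderRecord` and `find_pans` names are assumptions for this example, and the card number is the standard Visa test number, not a real account. The `find_pans` scanner also shows a check a defender can run against their own data stores to confirm that no full card numbers are lying around.

```python
import re
import secrets
from dataclasses import dataclass, asdict

# Constructed sample: the well-known Visa test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is 13-19 digits and passes the Luhn check digit."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan a data dump for digit runs that look like card numbers (Luhn-valid).

    Useful as a self-check over your own database exports and log files."""
    return [m for m in PAN_PATTERN.findall(text) if luhn_valid(m)]


class TokenVault:
    """Hypothetical token vault: the only system that ever holds full PANs.

    Tokens are random, so nothing about the PAN can be derived from a token
    without access to the vault itself."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can map a token back; the merchant DB never can.
        return self._pan_by_token[token]

    def purge(self, token: str) -> None:
        """Retention control: drop the PAN once it is no longer needed."""
        self._pan_by_token.pop(token, None)


@dataclass
class OrderRecord:
    """What the merchant's own database keeps: token and last four only."""
    order_id: str
    token: str
    last4: str
    amount_cents: int


def record_order(vault: TokenVault, order_id: str, pan: str, amount_cents: int) -> OrderRecord:
    """Tokenize at the point of sale; the full PAN never reaches the merchant DB."""
    token = vault.tokenize(pan)
    return OrderRecord(order_id, token, pan[-4:], amount_cents)


def dump_records(records: list[OrderRecord]) -> str:
    """Serialise every merchant row, as a leaked database export would look."""
    return "\n".join(str(asdict(r)) for r in records)


if __name__ == "__main__":
    vault = TokenVault()
    rec = record_order(vault, "order-1", SAMPLE_PAN, 4999)
    print(rec)
    print("PANs found in merchant dump:", find_pans(dump_records([rec])))
    print("vault can still charge the card:", vault.detokenize(rec.token) == SAMPLE_PAN)
    vault.purge(rec.token)   # retention window over: PAN is gone everywhere
```

The design choice worth noting is that the token is random rather than derived from the card number; a hash or format-preserving scheme would let an attacker who steals the merchant's table test guesses offline, whereas a random token is worthless without the vault. Whether the merchant purges its records or keeps tokens indefinitely, a dump of the order table yields no card numbers, which is exactly the property the "purge or tokenize" question is asking for.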