Security industry too busy improving security to do security right

The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for mandatory migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS). Earlier this year, the council decided the time to make the final cutover was June 2016. Now the council says it's just too hard for …

  1. Captain DaFt

    Bovine effluent

    "Now the Council says it's just too hard for retailers to make the jump."

    I'm sure many wailed about the expense and numbered many, many factors in why they had to postpone such an expense that benefited the consumer more than them.

    But... If it was simply announced that any that hadn't switched by noon tomorrow could no longer accept credit card or debit payments, by opening time tomorrow, the majority would have switched over most systems, and the change over would be complete by the end of the week.

  2. a_yank_lurker

    Too Hard?

    Let's see, the POS terminals are provided by a vendor, the software is provided by a vendor, most likely the install and set-up will be done partially using vendors. So is the problem that it is too hard to talk to your vendors, or is it that you are too lazy and cheap to fix your kit?

    To the retailers who are having problems: May you go out of business before destroying innocent customers' finances by your laziness and greed. Better yet, if any hack is traced to you, the owners and CEOs go to prison for aiding and abetting fraud.

    1. Charles 9

      Re: Too Hard?

      Then kiss your mom-and-pop businesses goodbye because most of the problem lies with them. They typically run on razor-thin margins which is why they're notorious for cheaping out and delaying things out of necessity, yet without them the only retailers left would be the juggernauts. So what'll it be? Slow-to-act but personal attention or the cold, emotionless juggernauts?

      1. Mark 85

        Re: Too Hard?

        I've been to 2 Mom and Pop type businesses recently that didn't take credit card or debit cards. A small sign explained "cash or check only for your safety". The person in front of me asked and they simply said, "there's been too many retailers that have had their systems compromised and we don't want to be one of them, and the banks/cc companies have increased what they charge us." This might just be the wave of the future...

        1. Anonymous Coward

          Re: Too Hard?

          "I prefer hard cash. If you can’t scratch a window with it I don’t accept it." -- Roosta

        2. Charles 9

          Re: Too Hard?

          Until customers walk away because they ONLY have plastic (yes, I've seen it happen lots of times). Many people are going increasingly cashless due to muggers and pickpockets. At least with plastic, you can call the bank and have your cards cancelled and flagged. So the mom-and-pop faces a dilemma: take plastic and you risk safety, refuse and you risk customers.

          1. choleric

            Re: Too Hard?

            "Many people are going increasingly cashless due to muggers and pickpockets. At least with plastic, you can call the bank and have your cards cancelled and flagged."

            Though with contactless you can have your cards cancelled and the crooks can still buy stuff because some POS terminals don't actually check in with the bank before authorising transactions. Cards don't keep your money safer, they just make it easier to track.

            1. Charles 9

              Re: Too Hard?

              "Though with contactless you can have your cards cancelled and the crooks can still buy stuff because some POS terminals don't actually check in with the bank before authorising transactions. Cards don't keep your money safer, they just make it easier to track."

              Only the first generation of contactless cards do that, plus if you've already cancelled the card, that trick supports your claim, meaning any dispute over the charge would fall in your favor (it would fall to somewhere else along the chain for failing to check). That's why they're being dropped (and why Google dropped its original contactless Wallet) for the second-generation contactless cards that use the EMV system (which Android Pay and Apple Pay now use as well).

              1. choleric

                Re: Too Hard?

                @Charles 9: that's good knowledge, thank you. Is it possible to determine, in a nondestructive fashion, which type of contactless card is which?

                1. Charles 9

                  Re: Too Hard?

                  "Is it possible to determine, in a nondestructive fashion, which type of contactless card is which?"

                  A general rule of thumb is that 2nd-Generation contactless cards are also Chip cards since both use the EMV system.

            2. streaky

              Re: Too Hard?

              Though with contactless you can have your cards cancelled and the crooks can still buy stuff because some POS terminals don't actually check in with the bank before authorising transactions. Cards don't keep your money safer, they just make it easier to track.

              But the liability shifts back so who cares. It's a cheaper system to operate even with those losses.

              1. choleric

                Re: Too Hard?

                Liability shifts back to the bank? This article here [Torygraph] begs to differ.

                1. Charles 9

                  Re: Too Hard?

                  Point is, they usually can't deny a chargeback in this case since you already reported the card stolen. And this also falls into the "small ticket" exception the card companies instituted because it's usually not worth it for them to pursue frauds for transactions that small. They'll either pin it on the retailers for not checking or just eat the costs to get on with business.

        3. Lee D Silver badge

          Re: Too Hard?

          Sorry, but it's time to get with the times.

          Companies like iZettle will sell you a black-box solution for a hundred-or-so pounds. You can get a smartphone-connected thing that will set you back £70 but relies on the security/compatibility/availability of a smartphone. The rates are quite low, the gadget is one-off, it's Chip&PIN-capable (and also magstripe if you deal with foreigners) and can tie into accounting apps for you.

          Last time I went to an antiques / bric-a-brac sale, most stalls took cards using things like iZettle and clearly advertised so. Sure, you may have needed to spend £10 to make it worth their while, but rather £9 from a transaction than nothing because you didn't have the cash. If your profit margins aren't already taking account of such things then you aren't going to be in business long, mom'n'pop or not.

          Cheque fraud went through the roof in recent years - cheques nearly aren't accepted by BANKS any more, and the fallback when they bounce costs the retailer a lot more - why do you think they charge for that? Cash is expensive and risky to handle. It's much more likely those using those methods are actually able to not declare that income, in fact! Card payments? A cheap one-off purchase of a black box from a website, swipe the card and it pops into your bank account - with accountability, complete records, instantly revoked if stolen, you know they have the funds available, and a charge of fraud if it's misused by the owner.

          Hell, I bought an iZettle for my girlfriend for Christmas so she can sell her pottery. She fires up the kiln maybe twice a year. Mom'n'pops have no excuse and shouldn't be handling cash or cheques nowadays.

          1. Charles 9

            Re: Too Hard?

            Thing is, you have to trust iZettle, plus I'd like to know the terms and conditions in case there's an assumption of liability (for example, what if someone hacks or switches the pads). Plus, this doesn't appear to be available in America just yet.

          2. Adam 52 Silver badge

            Re: Too Hard?

            iZettle - requires access to your contacts, identity, camera, microphone, photos and media and location.

            I think I'll pass on that one then. And any retailer stupid enough to install it won't be getting any personal information either.

        4. nilfs2

          Re: Too Hard?

          @Mark 85

          Yep, many businesses here give you a better price if you pay cash, the bank charges the business every time they use the card machine, also, it leaves a trace of the business receiving money so the taxman can catch the tax dodgers.

          1. Anonymous Coward

            Re: Too Hard?

            - Yep, many businesses here give you a better price if you pay cash

            Which is complete BULLSHIT! I assume total risk of being mugged (go ahead and walk around Oakland or Baltimore with a wad of cash in your pocket).

            These fucking businesses allow themselves to be slaves for outrageously priced machines (vice Square), then mark up product 20% and then discount it 20% if they can force you to give them your Name, Address, Phone# and Email Address for their piece of plastic, then complain about needing to keep up with tech. FUCK THEM! If their shit isn't up to standards, they can keep their card and lose my business.

            Lastly: EVERYBODY FRAUDULENTLY FILES PCI RESULTS/FINDINGS!! And the dumb fuck auditors don't know the difference.

      2. streaky

        Re: Too Hard?

        They typically run on razor-thin margins which is why they're notorious for cheaping out and delaying things out of necessity, yet without them the only retailers left would be the juggernauts. So what'll it be? Slow-to-act but personal attention or the cold, emotionless juggernauts?

        I'm not sure that there's a good answer to this question, but I know that taking the hammer to people's security with known broken protocols isn't the solution.

        But to be honest it appears that PCI SSC's problem is consumer browser related and that being the case there's no excuse here.

      3. Anonymous Coward

        Re: Too Hard?

        Apparently it is too hard for El Reg to implement @ all!!

    2. leon clarke

      Too lazy and cheap to fix your kit

      No, the problem is that the vendors who provide all this stuff that needs upgrading have a business model in which change requests for 'new requirements' are an important element.

  3. rybolov

    "migration from Secure Sockets Layer (SSL) to Transport Layer Security (SSL)."

    Typo. Should be:

    The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS).

    "SSL gave the world the Heartbleed, Shellshock and Poodle vulnerabilities."

    Huh? Shellshock was a vulnerability in BASH. Had nothing to do with SSL or TLS. Heartbleed was a specific implementation inside OpenSSL, not the SSL or TLS protocols themselves. However, Poodle was a protocol vulnerability specific to SSL V3 with CBC ciphers so you're correct there. Just stop with the hyperbolic statements without fact-checking first because it makes you look like a ninny. Kthnx.

    1. dajames

      Typo ...

      "migration from Secure Sockets Layer (SSL) to Transport Layer Security (SSL)"

      I was going to make much the same comment ... but (almost) everyone in the world who isn't a security practitioner seems to think that "SSL" (sometimes spelt "SSL/TLS") is a cover-all term meaning "encryption is involved", rather than the name of a specific protocol.

      ... and really the call should be to move away from TLS v1.0 and v1.1 onto the more secure TLS v1.2 (but don't hold your breath).

      1. Patrick Evans

        Re: Typo ...

        That was the call. SSL has been verboten for a while. What the latest standard did was ban TLS 1.0, in favour of TLS 1.1 and above. It seems they've now backtracked on that, as support for TLS > 1.0 isn't quite as strong in the wild as it should be.

        1. Roo

          Re: Typo ...

          "It seems they've now backtracked on that, as support for TLS > 1.0 isn't quite as strong in the wild as it should be."

          So essentially the standard(s) they produce are merely documenting what's out there rather than establishing best practice. Presumably the insurers will be upping their premiums accordingly now that they can see that the industry standard is in fact bad practice. Smells like a Fail of the Epic variety.

    2. Intractable Potsherd

      ""SSL gave the world the Heartbleed, Shellshock and Poodle vulnerabilities. ... Huh? ... Just stop with the hyperbolic statements without fact-checking first because it makes you look like a ninny."

      Ummm - I don't know if there has been an edit since you wrote, but my version says only "a reasonable idea given that SSL gave the world the Poodle vulnerability."

      1. choleric

        Given that there is now no mention of Poodle I think it's safe to say that invisible edits have been occurring. Nothing new to see here!

  4. sysconfig

    Great

    Security standard determined by lowest common denominator rather than what's necessary to be a useful and reasonably secure standard.

    PCI wasn't a particularly strong standard to begin with. Now they're weakening themselves.

    It takes about 15 minutes to get a replacement certificate and swap it out. As somebody else suggested above: if they had an incentive, they could do it.

    So bottom line is: PCI is weak and has no teeth.

    1. Charles 9

      Re: Great

      Oh, PCI has teeth. Trouble is that a good chunk of their customer base are gazelles: prone to running, and teeth are no good without something to bite down on. For many of these small businesses, they have to weigh the costs of using the equipment vs. the additional customers who appreciate being able to use plastic. If the numbers don't add up, they don't fall under PCI's umbrella.

      It's a lot like odious office password policy that makes passwords so hard to remember that everyone resorts to Post-It notes. You try and make things too tough and your clients defy you, leaving your overall picture weaker.

      It's actually something of a hard problem in security vs. economics. What happens when the least acceptable standard is so odious to implement few are willing to put up with it?

  5. phil dude

    square (and equivalents?)

    I was under the impression that "mom and pop" stores could just get a $TABLET and plug in one of these readers?

    I have seen it in a number of small (market!) venues, and they have the nice feature of emailing or texting your receipt...

    Perhaps this is the future of POS, commodity devices?

    P.

    1. Charles 9

      Re: square (and equivalents?)

      Unless Square updates their readers to Chip readers, they'll become liabilities come next year. Furthermore, they're reliant on Apple or Android devices, the latter in particular has been shown to have lots of vulnerabilities. Plus we don't know the security reputation of guys like Square. What if they get hacked?

  6. HereIAmJH

    maybe not too hard, but not necessarily easy either

    If only it was just about POS devices. We started with scans of servers that processed CC transactions. Then it was every server of an app that processed transactions. Then it was every server on the vlan with an application that processed transactions. Now it feels like every server for every app that is used by a user that has thought about processing a CC transaction.

    Turning off SSLv3 and TLS1.0 seems easy, after all it's just a couple registry settings and a reboot on Windows, right? Except if you're a .NET web service then you need to be 4.5+ as well as all of your clients. .NET 4.0 only supports up to SSLv3 and TLS1.0. And if your newly secure TLS1.2 server needs to talk to an older server running Win2003, then you're going to have to back off on your server's client settings because it also only supports SSLv3/TLS1.0. And it's not until you start rolling out enterprise wide that you realize you have a critical piece of infrastructure that hasn't been upgraded, for some reason. (hint: the guy that built the server is no longer around, and everyone is afraid to touch it because it's mission critical. Scary, huh?)

    And then of course there is the gov't. I managed to knock two very important gov't agencies off of our app when I installed POODLE fixes. One is still using .NET 4.0 and the other is using a Java library that they have only been able to get to talk to our SOAP at TLS1.0. I have no idea why the transport protocol affects the message protocol, but it's their code and I don't have the details.

    I might be able to get SSLv3 turned off 1Q16, but two painful outages while trying to get two outdated protocols turned off means that we have a lot of management visibility and will be looking at extended testing before attempting again. We're not even considering turning off TLS1.0 any time soon, simply because we can't dictate what our external clients use.
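The post above describes the two places a Windows shop has to look before turning SSLv3 or TLS 1.0 off: the Schannel protocol switches in the registry and the .NET Framework's own client protocol defaults. The read-only audit script below is an added example, not code from the thread or from any vendor; it reports what each protocol is set to on the Server and Client side and whether the .NET 4.x strong-crypto values are present. It assumes the standard Schannel and .NET Framework registry locations and that it is run in an elevated PowerShell on the host being checked; nothing is written.

```powershell
# Added example (not from the thread): read-only audit of the Schannel protocol
# switches and the .NET Framework 4.x TLS settings discussed above.
# Assumes the standard registry locations; run elevated on the server. Nothing is written.

$schannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # $Side is 'Server' or 'Client'
    $path = Join-Path (Join-Path $schannelRoot $Protocol) $Side
    if (-not (Test-Path $path)) {
        # No key at all: Windows applies the built-in default for this OS version.
        return 'OS default (no key)'
    }
    $props             = Get-ItemProperty -Path $path
    $enabled           = $props.PSObject.Properties['Enabled']
    $disabledByDefault = $props.PSObject.Properties['DisabledByDefault']
    # Enabled=0 wins over everything else: the protocol is off for this side.
    if ($enabled -and $enabled.Value -eq 0) { return 'Disabled (Enabled=0)' }
    # DisabledByDefault=1 means Schannel will not offer it unless the app asks for it.
    if ($disabledByDefault -and $disabledByDefault.Value -ne 0) {
        return 'Not offered by default (DisabledByDefault=1)'
    }
    if ($enabled) { return 'Enabled (Enabled<>0)' }
    return 'OS default (key present, no Enabled value)'
}

# One row per protocol and side, so an SSLv3/TLS1.0 leftover stands out.
$report = foreach ($p in $protocols) {
    foreach ($side in 'Server', 'Client') {
        [pscustomobject]@{
            Protocol = $p
            Side     = $side
            State    = Get-SchannelProtocolState -Protocol $p -Side $side
        }
    }
}
$report | Format-Table -AutoSize

# .NET Framework 4.x: if these values are absent, a 4.x application that does not set
# ServicePointManager.SecurityProtocol itself keeps its old default client protocols,
# which is how a "TLS 1.2 only" server can still end up negotiating TLS 1.0 as a client.
# 32-bit applications on 64-bit Windows read the Wow6432Node copy.
$dotnetKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($k in $dotnetKeys) {
    if (Test-Path $k) {
        $v = Get-ItemProperty -Path $k
        [pscustomobject]@{
            Key                      = $k
            SchUseStrongCrypto       = $v.SchUseStrongCrypto        # $null when the value is missing
            SystemDefaultTlsVersions = $v.SystemDefaultTlsVersions  # $null when the value is missing
        }
    }
}
```

Run it on the web server and on every box that talks to it as a client; a row reading "OS default (no key)" for TLS 1.0 on an older OS is exactly the case the post describes, where the protocol is still on even though nobody configured it. A `$null` in the .NET columns means a 4.x application on that host is relying on its compiled-in defaults, so the Schannel settings alone do not tell you what it will offer.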

  7. Anonymous Coward

    Not so much the retailers...

    ...more the clients. Turn off TLSv1.1 and you're going to start losing clients if you're an online store, and turning off 1.1 is what some ASVs are already telling clients they need to do before they will give them a pass. 1.1 didn't appear enabled by default in IE until v11 - that's a lot of customers to lose, not to mention all the problems with smartphones that have never been updated since they were bought.

  8. Michael Wojcik Silver badge

    Will no one think of the terrorists^Whackers?

    a period during which The Register imagines "the bad guys" will do their very best take advantage of weak encryption

    Fear: consider it mongered!

    Anyone breaking SSLv3 or TLSv1.0 encryption in order to steal credit card details is Doing It Wrong. That information is widely available at far less cost, thanks to data theft and PoS malware.

    "Weak" encryption[1] is not the problem. It's almost never been the problem, except when both laughably broken and with widely-available, cheap, automated exploits (e.g. WEP). Encryption, for all but the most valuable data, is just a way of pruning the low-hanging branches of the attack tree.

    Extending the SSLv3 / TLSv1.0 deadline for PCI-DSS is unlikely to significantly increase the number of credit-card-data thefts over the next couple of years. That number is going to be large regardless.

    [1] Or more accurately, cryptographic protocols with exploitable weaknesses.

    1. Charles 9

      Re: Will no one think of the terrorists^Whackers?

      POS/PIN Pad Malware is being neutered with the move to Chips since the chips are supposed to produce one-time-use tokens which are useless even if stolen. Plus there are additional motivations to break SSL/TLS beyond PCI.
