THE RECENT pilfering of perhaps millions of consumers' credit card numbers from a supermarket chain in the US might be even more alarming than it first appeared, writes The Associated Press.
Details of the crime that have been released this week raise questions about the electronic payment industry's security standards.
Hannaford, a grocery retailer that operates markets on the Eastern Seaboard, admitted that its customers' financial data were exposed when shoppers swiped their debit or credit cards at cash registers and their sensitive information was transmitted to banks or intermediaries for approval.
Financial data thieves have often stolen payment card data from merchants' or card processors' databases, but the Hannaford security breach appears to be the first large-scale theft of financial data during transmission over networks.
Also troubling is the fact that Hannaford passed a Payment Card Industry (PCI) audit of its compliance with security standards while the theft of its customers' financial information was still in progress last month.
PCI is an industry coalition of credit card companies that promulgates security standards for the processing of payment card information. It requires that big merchants be audited periodically but it does not perform those audits itself. Instead, independent service providers serve as assessors to audit merchants' compliance with PCI standards.
The Hannaford security breach exposed an estimated 4.2 million payment card numbers between December 7, 2007 and March 10, 2008. It appears that about 1,800 cards have already been used fraudulently. The US Secret Service is said to be investigating.
We are not at all that prepared in Europe, Matt Whitfield, and you know it. I suppose your comment stems from a desperate need to raise your stake in some of the security developers here.
You refer to PCI DSS and that's a huge mistake. They can't implement this. They simply don't succeed. Nobody wants it. And as soon as the chip card holder executes a purchase on the Internet his card ID is probably sold out and a counterfeit card will be used. So what's the use of a trillion dollar investment race in the chip & pin technique when it doesn't work and just moves the problem? We are soon 2 billion card holders; multiply them by $15 per chip card, plus 28 million vendors expected to invest in new terminals at about $2,000 each. Plus the 3D Secure at $50,000 / annum for Level 1 merchants, still not effective against fraudsters. Time for a wake-up call to Matt.
It will take at least one decade before the vendors have turned to smart terminals, and in the USA and the rest of the world chip & pin won't come as a standard in my lifetime. It's that costly. Moreover, the codes in the chip are also printed on the magstripe, and more or less everything in the chip can be reverse read. And it will take even longer until the vendors are willing to refuse sales by stopping a magstripe customer's card.
Furthermore, the chip & pin system is already compromised in at least two public scenarios.
And the SSL 128 encryption protocol was cracked in China already in 2004, SSL 256 was cracked in 2006 and SSL 512 in 2006. Still they promote SSL 128 to unknowing people.
So the glorified encrypted solution at the swiping till is a commercial security myth aiming to increase sales of crap such as SSL 128. (A study of the greatest security guru of them all, Bruce Schneier, will for sure open the clouds to reality and turn from the Stock Market Exchange needs to the market needs, not your needs.)

There are several standards in Europe which apply both to applications which take payments (PABP) and to data centres which hold credit card information (PCI-DSS). These standards prescribe that you have to have everything encrypted, you can't store a card number in plain text anywhere, you must have your web servers here, your domain must be secured like this.

In actual fact, it's incredibly poorly written, and some of the prescribed measures actually make systems less secure. But... guess where the weak link in the chain is? Where do we *have* to store card numbers in plain text? Yes... when it gets sent to the bank.

Another example is the recent issue of people being able to piggyback on the communications to and from the chips on chip and pin cards. Why would that be... would it be because the banks decided they couldn't possibly encrypt the data that's stored on the chip? Ah yes, that would be the one.

The industry are ready for this sort of security, certainly in Europe. Perhaps it's time the banks pulled their fingers out.
Actually, it's very possible the Secret Service is investigating this. They are a part of the U.S. Treasury Department, and while executive protection is their best known function, they also investigate counterfeiting and various other financial frauds, including electronic crimes.
I know it's not a very important detail, but I highly doubt this is being investigated by the Secret Service, as their job is to protect the president and other important federal-government officials.