My debit card was one of the potentially 4.2 million exposed in the recent Hannaford data breach. Here’s part of the letter from my bank, the Savings Bank of Walpole.
I’ve thanked them privately, and want to thank them publicly as well, for being proactive and doing the right thing here. They’re dealing with fallout from a problem they didn’t create.
Details are still emerging, and we don’t yet have the full story. As the InfoWorld story notes, Hannaford’s servers might have been compromised either by a remote exploit over the network or by a local exploit made possible by unauthorized physical access.
In the aftermath, most of the usual defense-in-depth strategies are being rehashed, and that’s good. But one-time account numbers still aren’t on the radar screen, and I keep on wondering: Why not?
March 31, 2008 at 11:53 am
I was a huge fan of the American Express one-time card numbers, and was disappointed to see them drop that feature several years ago. I used them all the time online, and especially when doing one-off purchases at merchants I didn’t have much history with.
It looks like PayPal is offering a virtual debit card feature that acts as a MasterCard, though I haven’t been able to try it yet.
It’s good to see institutions that are on the ball in these cases, because it still seems to be the exception.
March 31, 2008 at 12:24 pm
One-time credit card numbers are available from some providers. The two issuers that I use, Bank of America and CitiBank, have them, and I use one-time numbers exclusively for online transactions and things I send through the postal service.
March 31, 2008 at 1:11 pm
Even re-issuing a card is not much of a guarantee of security. People don’t even really have to know your credit card number. They can guess it given enough chances, and then create a fake credit card to match the numbers:
http://www.oregonlive.com/news/oregonian/index.ssf?/base/news/120676296493670.xml&coll=7&thispage=1
April 1, 2008 at 9:03 am
“I use one-time numbers exclusively for online transactions and things I send through the postal service.”
Yep. So, what would it take to insert that protocol into the retail checkout scenario?
April 1, 2008 at 12:38 pm
Ah, you were speaking of putting the one-time-use numbers into the traditional (physical) retail channel. Hmmm, sorry, no grand thoughts there…
April 12, 2009 at 10:52 pm
Just grabbed the feed… thanks for posting this.