My debit card was one of the potentially 4.2 million exposed in the recent Hannaford data breach. Here’s part of the letter from my bank, the Savings Bank of Walpole.
I’ve thanked them privately, and want to thank them publicly as well, for being proactive and doing the right thing here. They’re dealing with fallout from a problem they didn’t create.
Details are still emerging but we don’t yet have the full story. As the InfoWorld story notes, Hannaford’s servers might have been compromised by a remote exploit through the network, or a local exploit made possible by unauthorized physical access.
In the aftermath, most of the usual defense-in-depth strategies are being rehashed, and that’s good. But one-time account numbers still aren’t on the radar screen, and I keep on wondering: Why not?
I was a huge fan of the American Express one-time card numbers, and was disappointed to see them drop that feature several years go. I used them all the time online, and were especially when doing one-off purchases at merchants I didn’t have much history with.
It looks like PayPal is offering a virtual debit card feature that acts as a MasterCard, though I haven’t been able to try it yet.
It’s good to see institutions that are on the ball in these cases, because it still seems to be the exception.
One-time credit card numbers are available from some providers. The two issuers that I use, Bank of America and CitiBank, have them, and I use one-time numbers exclusively for online transactions and things I send through the postal service.
Even re-issuing a card is not much of a guarantee of security. People don’t even really have know your credit card number. They can guess it given enough chances, and then create a fake credit card to match the numbers:
http://www.oregonlive.com/news/oregonian/index.ssf?/base/news/120676296493670.xml&coll=7&thispage=1
“I use one-time numbers exclusively for online transactions and things I send through the postal service.”
Yep. So, what would it take to insert that protocol into the retail checkout scenario?
Ah, you were speaking of putting the one-time-use numbers into the traditional (physical) retail channel. Hmmm, sorry, no grand thoughts there…
Just grabbed the feed… thanks for posting this.