Security, Again

Oh, goodie! Something new to be grouchy about.

A couple of days ago I received a new credit card in the mail. Not because the old one had expired. Oh, no, not a bit. The old one was good for another few months. This replacement was because the old one “may have been compromised at an undisclosed merchant or service provider”. How nice. I can state with absolute certainty that it was not Neiman Marcus, as I’ve never shopped there. It could have been Target. I’m not too proud to admit that I sometimes shop there. For one thing, they have the best price around on dark chocolate M&Ms.

On the other hand, the letter with my new card did say “undisclosed”. News reports suggest that at least three other US retailers have been hacked in the same fashion as Target and Neiman Marcus. Despite the laws requiring disclosure, we may never know who those companies are: given the backlash against Target, they may decide it’s cheaper to risk fines for non-disclosure than to go public and have customers go elsewhere.

Not that there’s really an “elsewhere” to go to. Let’s face it, every retailer, online or brick-and-mortar, is vulnerable to hacking. It’s enough to make you want to go back to cash. Or maybe barter.

But I digress. Let’s get back to that shiny new card I got in the mail. I said that the old card would still have been good for a few more months. Guess what the expiration date on the new card is. Give up? It’s the same as the old card.

So I went through my usual routine to dispose of the old card: chopping it up into itty-bitty pieces, and then mixing the bits into the waste removed from the cats’ litter boxes. It may not be any safer than just throwing out the pieces, but I figure it should at least discourage the casual garbage thieves. Having done that, I braced myself to spend the next several days going around to all of the places that I have set up to automatically charge my card. Nothing important, of course, just little things like my cell phone, my insurance, and the home alarm system.

And then, in a couple of months when the new card expires and the company sends me another new card, I get to do it again. Such fun! What a thrill! What a great use of my time!

Now, keep in mind that this is, if memory serves, the third time this particular card has been replaced due to a security breach at a merchant. The whole “update the auto-payment” routine is getting a bit old.

So I called the company to ask if they could please issue me a new card with an expiration date a couple of years in the future. That way, I should be good with all of the auto-payments until the next security breach. I spoke to a gentleman (I use the term loosely) who was terribly sorry to inform me that there is “no tool to change the expiration date,” but that because I had raised the issue, they might someday have one.

I carefully explained that “might someday” didn’t do me any good now. “Oh, yes sir, I understand. You’ll be getting a call back from a manager soon.” On further questioning, it turned out that “soon” meant “in the next couple of weeks”. I pointed out for the second time that they only allowed a week and a half for me to switch to the new card, so a call in a couple of weeks wouldn’t help at all. “Let me see if I can get you a firm date for the call back,” the gentleman said, and then hung up on me.

Of course, I swore for a couple of minutes, then called again. This time I got a disgustingly cheery young woman. I explained that another representative had hung up on me, and asked her to check what notes he had put on my account. “Wants to change expiration date” was the entirety of the message. No explanation of why or reference to the urgency of the matter. So I explained the whole thing to the second rep (in four-part harmony). “But that’s not a problem, sir. When the new card shows up in a few months, you won’t have to do anything because it will have the same number.” I pointed out that I would have to do something: update the expiration date at all of the relevant vendors.

“Oh,” she responded. “Let me talk to a supervisor. Don’t go away!” And off she went. Amazingly, she didn’t hang up. She returned a minute later and told me that they do not change expiration dates until there is less than two months remaining on the card.

“So,” I asked, “if this new card is compromised in the next couple of months, I’ll get another new account number with the same expiration date?”

“That’s right! It’s for your convenience!”

I was a bit shell-shocked at that. I didn’t ask her to try to explain how that was convenient for anyone except the credit card company. I just extracted myself from the call and spent the next several minutes banging my head against the wall, then went off to start updating my auto-payment accounts.

Oh, wait, I thought of someone else for whom an unchanged expiration date is convenient: the criminals who now have my old account number. Visa’s account number generation algorithms are well understood, as even a quick Google search will show. For certain types of cards, there’s a fairly small set of valid account numbers that could be assigned. It wouldn’t be that difficult to generate some trial card numbers and have them match up to the known expiration date. That’s all you need for many online vendors.

If you think about it, changing the account number generation process to also update the account expiration should be a minor software tweak. The code to choose a new expiration date already exists: it gets used whenever a card expires or when a new account is opened. Adding a call to that routine to the “change account number” code should be fairly trivial. Unless their code is a truly horrible mess, it would be a low-risk change, and easy to test. But it would, of course, cost money. Visa’s net profit for fiscal 2013 was only $4.98 billion. I suppose a small software change like this would seriously imperil their bottom line. Such a shame.

Such is life. If you’ll excuse me, I need to get over to the Post Office. I’ve got some packages of shredded cards and litter box sweepings to send to Visa, Target, and Neiman Marcus. Maybe it’ll give them some new ideas on security.
