February 8th, 2014

Mutter Something About EMV and aging ATMs

I've been attempting to reconcile how we can possibly exist in a world in which the following are true at the same time: ATMs still running really old versions of Windows (I _really_ hope all the OS/2 ones are gone or upgraded) that are no longer supported by Microsoft AND a world in which the liability shift for ATMs that don't process EMV cards using EMV occurred in, like, April of _last_ year.

http://lp.verifone.com/media/2146788/emv_key_dates_chart_021213.pdf

"April 2013
Acquirers and sub-processor mandate to fully
process EMV transactions. Cross border
Maestro ATM liability shift to non-EMV ATMs."

What does that mean? That means if someone comes up to an ATM which only does mag-stripe (ignores chip if present) AND there is fraud associated with a transaction on that card at that ATM, the ATM owner has to eat it. Versus before, when it wasn't (all?) on them. So you would think, gosh, why haven't the ATMs upgraded? Odds on, they mostly have, and all those ancient ATMs running really old systems are somewhere that transaction sizes are very low ($20) and fees very high ($5 to the machine).

Duh.

Should have thought of that.

However, that above link seems hard to reconcile with this:

http://www.welchatm.com/visa-announces-emv-roadmap-and-liability-shift-for-atm-acquirers.html

Which suggests the ATM EMV compliance deadline is in 2017?

May also be helpful for figuring this out, given that I was quoting the MasterCard timeline above, and here's another version of MC's timeframe for ATMs:

http://www.welchatm.com/mastercard-announces-extension-of-emv-roadmap-to-atms.html

Oh, silly me! Maestro ATMs are the European and other international ones.

Also:

http://www.cutimes.com/2013/06/18/tmg-webinar-the-emv-countdown-to-2015

"A reality, per Lillelund: all U.S. cards will not suddenly be EMV-compliant by October 2015. He estimated 30% to 60% percent will be."

I guess I don't really understand that, but I'm sure it will eventually make sense.

Today's Activities Include: open gym

After open gym, T. and R. went off to Johnny Rockets and then picked up a few things at Roche Bros. They then dropped the few things off at the house, picked up some x country gear and went skiing. The boys are Having Fun!

We ran into A.'s OT from EI days at open gym. It was fantastic having a nice long chat with her; I really like her and missed her so it was good to see her again. Alas, I was so involved in I Get To Talk To A Friend that I forgot to give A. warnings when open gym was about to end and she had an amazing meltdown when it was time to go. I've gotten so used to always prepping for transition that I had this silly idea in my head that she was handling transitions great. Ha! There's no way anyone with _my_ genetics is ever going to be okay with transitions. Oh, well. I'll try to pay a little more attention next time.

When M. came over for a brief visit and to play iPad games, A. decided she wanted to play Angry Birds Star Wars. At some point, I should probably just play this thing through, since it seems like one kid or another (not even necessarily my own) is always asking me to three star a level for them, and they can take me a while to figure out.

Hoovering up the data

http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

I've heard a variety of things about the Target breach (a lot of them broken on the above referenced blog, FWIW -- I'm not a regular reader of it so I have no opinion), but this article really has some amazing tidbits in it.

The idea is that the initial access to Target's network was via an HVAC company. Earlier remarks about the breach focused on how easy, once in, it was to get to absolutely any system within the company. So why would an HVAC company have this kind of access? Internet of things!!!

"But according to a cybersecurity expert at a large retailer who asked not to be named because he did not have permission to speak on the record, it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.

“To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software,” the source said. “This feeds into the topic of cost savings, with so many solutions in a given organization. And to save on head count, it is sometimes beneficial to allow a vendor to support versus train or hire extra people.”"

There's a lot to think about there, but mostly I think that (a) internet of things, for real and (b) probably need to give (more) thought to the security implications, while making sure to keep costs down and retain convenience, because if it's expensive and/or inconvenient, the customer (company) isn't going to go for it.

An update at the bottom of the post has a response from the HVAC people. My remarks aren't so much about this particular instance as that it's potentially generalizable. Altho wow, if it only costs $100 million to upgrade to chip-and-pin EMV cards, that's going to look cheap to Target now.

Today's Activities Include: Volcano Causes 8 Dinosaurs to Die

Since last week, A. has been asking us to make a volcano, like in her preschool class. Today, R. got out a little metal prep cup, some baking soda and the cleaning vinegar. He set it up on a plate and A. demanded dinosaurs. We had some from party favors some months/years ago, that the kids had brought home, and I had saved, on the theory that sooner or later someone will demand dinosaurs and this will be a temporary stopgap until the stores open. Finding them took a few rounds of the upstairs shelves, but once delivered, A. put them under the foaming white stuff and exclaimed, "They all died! All the dinosaurs died!" cackling all the while.

Ah, to be young. :-)