Most people like that little plastic card in their wallets. Payment cards are easy to use and relatively fast for the purchases you need (or rather want). But what actually happens to the data when the card is swiped or inserted into the card reader? Who is responsible for the security of that data? As it stands, it is the merchant you shop at. But wait! The same merchant pays fees to banks, and ultimately to the card schemes like Visa and Mastercard, for the privilege of accepting cards from us, the customers.
So why are payment cards not as secure as they are easy to use? Why do I have, in my wallet, something with a bunch of numbers printed on it? Why, when these numbers are revealed to someone, can he shop on my behalf? Except I do not get the delivery! Is it time to start a revolution in the payment system and finally come up with something that is inherently secure? The whole security model revolves around keeping numbers private. However, protecting something that is printed on a card, that you enter into every website when shopping on-line and read out over the phone, is a laughable idea. What year is it? Judging by the security model of credit cards it must be 1980 or something. But wait, it is 2010 and we have security technologies that can make credit cards secure.
Let me give you some examples. If the numbers on the card cannot be misused, then we do not need to protect them. A microchip on the card can protect the data effectively with a PIN or password. This system is used in the UK (and slowly in mainland Europe) and, if used properly (EMV with proper PKI), it should provide sufficient security. Telephone and on-line shopping could use off-line readers in which the card generates one-time codes. Yes, this is still vulnerable to real-time man-in-the-middle attacks, but it is far better than the current system! There are around 730 million payment cards with a chip capable of doing all of the above. It is just that they are all backwards compatible and hence vulnerable to the old attacks. And it is all that backward compatibility that requires all those numbers on payment cards to be visible.
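To show why a chip-generated one-time code is not worth stealing in the way a printed card number is, here is an added, deliberately simplified model (my own illustration, not the EMV or CAP specification): the card MACs the transaction details with a key that never leaves the chip, and the issuer refuses any code that is replayed or that does not match the merchant, amount and challenge it was issued for. The key, merchant names and amounts are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed model: the chip holds a secret key; the off-line reader asks it
# to MAC (merchant, amount, issuer challenge). The code is bound to exactly
# that transaction, so a shoulder-surfer or keylogger gains nothing reusable.

def card_generate_code(card_key: bytes, merchant: str, amount_cents: int, nonce: str) -> str:
    """Chip side: derive an 8-digit one-time code bound to this transaction."""
    msg = f"{merchant}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    # Truncate to 8 decimal digits, as a reader would show on its display.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Issuer:
    """Bank side: issues challenges, verifies codes, rejects replays."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.open_nonces: set[str] = set()   # challenges issued, not yet consumed
        self.used_nonces: set[str] = set()   # consumed challenges, kept to detect replay

    def new_challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.open_nonces.add(nonce)
        return nonce

    def verify(self, merchant: str, amount_cents: int, nonce: str, code: str) -> bool:
        if nonce not in self.open_nonces:
            return False  # unknown challenge, or one already spent (replay)
        expected = card_generate_code(self.card_key, merchant, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return False  # wrong card key, or merchant/amount tampered with in transit
        self.open_nonces.discard(nonce)
        self.used_nonces.add(nonce)
        return True
```

A relay that forwards the same challenge and code in real time for the very same transaction still goes through, which is exactly the residual man-in-the-middle risk mentioned above; everything else (replay, a different shop, a changed amount) is rejected.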
The problem is that there is little incentive to actually change anything. In the end, customers are protected by law and merchants swallow the cost of the security improvements set out in PCI DSS. It is time for a major overhaul of payment systems.
(c) Vladimir Jirasek. Powered by Blogger.