Wednesday, 9 December 2009

Why is it our fault credit cards are easy to misuse?

Most people like that little piece of plastic in their wallets. Payment cards are easy to use and relatively fast for purchases you need (or rather want). But what actually happens to the data when the card is swiped or inserted into the card reader? Who is responsible for the security of the data? As it currently stands, it is the merchant you shop at. But wait! The same merchant pays fees to banks and, by extension, to card schemes like Visa and Mastercard for the privilege of accepting cards from us, the customers.

So why are payment cards not as secure as they are easy to use? Why do I carry in my wallet something with a bunch of numbers printed on it? Why, when these are revealed to someone, can he shop on my behalf? Except I do not get the delivery! Is it time for a revolution in the payment system, to finally come up with something that is inherently secure? The whole security model is built around keeping numbers private. However, protecting something that is printed on a card, and that you enter into every website when shopping on-line or read out over the phone, is a laughable idea. What year is it today? Judging by the security model of credit cards, it must be 1980 or something. But wait, it is 2010 and we have security technologies that can make credit cards secure.

Let me give you some examples. If the numbers on the card cannot be misused, then we do not need to protect them. A microchip on the card can protect data effectively with a PIN or password. This system is used in the UK (and slowly in mainland Europe) and, if used properly (EMV with proper PKI), it should provide sufficient security. Telephone and on-line shopping could use off-line readers in which cards generate one-time codes. Yes, this is still vulnerable to real-time man-in-the-middle attacks, but it is far better than the current system! There are around 730 million payment cards with a chip capable of doing all of the above. It is just that they are all backwards compatible and hence vulnerable to old attacks. And it is all that backward compatibility that requires all those numbers on payment cards to be visible.

The problem is that there is little incentive to actually change anything. In the end, customers are protected by law and merchants swallow the cost of the security improvements set out in PCI DSS. It is time for a major overhaul of payment systems.

