Chester Wisniewski of Sophos Talks About Secure Credit Card Transactions

Chester Wisniewski's nakedsecurity describes Wisniewski's specialty thus: "He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics." So he's obviously someone who might know a little about preventing future Target-style security debacles. We've also interviewed tech journalist Wayne Rash about this topic, and will probably interview another security expert or two. Many Slashdot users may find all this credit card security talk boring, but for those who handle security matters for a living, especially for retailers, it's vital information. So here's Tim Lord talking with Chet, who is a recognized security expert for Sophos, one of the big dogs in the IT security field, when Chet was in Texas for the latest iteration of Security B-Sides in Austin. (Alternate video link.)

Credit cards are NOT secure

Bitcoin is a much, much better alternative if you don't want to get caught.

Re:Credit cards are NOT secure

[ArcadeMan]

And that's why every transaction ever made with Bitcoin is publicly available in the blockchain.

Bitcoin is a good replacement to credit cards and PayPal because no single entity controls it. Imagine if there was half a dozen "PayPal" companies all competing against each other.

haha

[BuckaBooBob]

Nice April fools post... Secure credit card transactions... That's as likely as a honest politician

Broken by design

[Tailhook]

Until transactions are performed through a bank run broker such that the retailer NEVER GETS THEIR PAWS ON ACCOUNT CREDENTIALS, it's all a waste of time. I blame the banks; Target episodes are inevitable as long as the banks fail to provide an alternative to having retailers schlep around account credentials.

Re:Broken by design

[Em+Adespoton]

Until transactions are performed through a bank run broker such that the retailer NEVER GETS THEIR PAWS ON ACCOUNT CREDENTIALS, it's all a waste of time. I blame the banks; Target episodes are inevitable as long as the banks fail to provide an alternative to having retailers schlep around account credentials.

Interestingly, the US is the only place in the world not to implement Chip and PIN, which basically keeps retailers from getting their paws on account credentials. There's a move to chip, but PIN is being avoided, which means that it STILL won't be secure.

Re:Broken by design

[timeOday]

And why is this hard? About 10 years ago I had a credit card that offered a website. It would let you generate a new credit card number at any time that was only good for up to a certain amount. So you didn't have to give away the keys to the kingdom just to place a little purchase. But they shut it down and I haven't seen anything like it in years.

What I would like is a trusted hardware token (like a SecureID card) that I carry in my pocket. When the POS terminal requests a payment, it transmits the request to my token and I put in my PIN, which authorizes a payment but only for the specified amount! (Obviously the token could be a smartphone, to sacrifice some security for convenience.)

Re:Broken by design

[swb]

The payment network gets paid no matter what, so they have no incentive to reduce transactions or increase transaction costs.

Once Visa/MC start being forced to eat 1/3 of every fraudulent transaction instead of dumping it on retailers, banks and consumers then they will be more interested in security.

Re:Broken by design

Citibank still offers virtual account numbers via Online flash app or windows program only though which is dumb. You'd think they'd add it to their mobile apps.

Re:Broken by design

Target was so stupid they ran Windows (XP) on the POS computers.

That's just BEGGING to get owned. If you really can't gobble enough M$ knob at least use Win 7. Better to use OpenBSD if you actually care about securing data.

Re:Broken by design

Agreed. See 3C Transactions for one simple idea on how to implement this today. Never give out a cedential that can be used to generate a transaction. There's no good reason.

Re:Broken by design

[grep+-v+'.*'+*]

About 10 years ago I had a credit card that offered a website. It would let you generate a new credit card number at any time that was only good for up to a certain amount.

About 10 minutes ago, I did exactly that with Bank of America's ShopSafe -- not that they're the only one around. But I've used them for years and it works great.

You log into the website and select your supporting credit card. Then you find the (Mostly hidden? Why??) option and tell it the maximum dollar amount and the max numbers of valid months. It generates a new CC number and CSC with the limits you specify. The first vendor who uses the card is linked to the card so no one else can use it again. (The original vendor can; great for single-vendor monthly or periodic purchases.) You can even increase the total amount later or cancel the virtual card early if necessary. If not, it'll expire after it's short lifetime (months) is up

One time BoA alerted me that a virtual card I used at a charity was later used elsewhere. They surprisingly canceled the actual card along with the virtual one. The virtual cards purpose was long over, but I was surprised that they killed the real card supporting it. Still, no problems at all using these on-the-fly cards for years now. I use it for all of my year-end charitable contributions and for any place I don't absolutely 100% trust. (And a few that I even do!)

Re:Broken by design

[CadentOrange]

The majority of POS terminals in the wild run Windows XP. This is unlikely to change anytime soon, so I have no idea how Windows XP's official retirement in a few days time will play out as none of the retailers I work with intend to change their tills. This isn't surprising (to people who support POS terminals), as we still see terminals running Windows NT4 (!!!!!!!).

Our advice to retailers is to always have their tills on a separate non-internet facing network. No one really does this though ....

the word your looking for is tokenized CC's.

A retailer would only see the card once ever at which point you'd be assigned a token for all further transactions that would be matched at the end that talks to Visa.
So through the retailers networks it would only be a token but the fist time you assign it.

This is not new tech, its been around a while, the problem is some of the bigger players that had CC transaction lockins at retailers keep pushing crap that only encrypts the connections, none of the memory, even if memory was encrypted then you'd have to include the key. And if you encrypt memory, the bad guys will move to tapping the actual driver that talks to the reader, etc. etc.. it wont get better.

The only thing that improves the security is tokenization of the CC, so it wont ever be in the retailers system, so stealing the token would do nothing for you outside that retailer.

Just remember what is secure today wont hold water in 10 years, its a never ending process, that most companies can't afford to keep reinvesting in and stay competitive in the big box arena.

Re:the word your looking for is tokenized CC's.

[Tailhook]

see the card once

Broken. Right there. The only worthwhile solution has no transfer of payment instrument credentials. None, ever. No numbers, no PINs, no CVVs, no expiration dates. Nothing.

That's done with a broker. That's how Paypal works and that's how Bitcoin works. The fact that credit cards don't work that way is indifference on the part of banks. Banks fail to provide and alternative to handing over the keys to random and sundry knuckleheads and their insecure systems.

Re:the word your looking for is tokenized CC's.

[plover]

Because it's so simple to authenticate all parties to the broker. Now we've gone from trusting the merchant, the shopper, and the bank, to trusting the merchant, shopper, bank, and broker. That's the problem here: every solution that relies on trust instead of hardware cryptographic implementations is equally broken.

The smart cards in the EMV system are indeed the way to go, because they are issued by the bank, and your bank stores your account's secret in them. The bank's trust never leaves the bank's systems.

EMV limits fraud only to a person who physically has the card in their possession (and who knows the PIN, assuming your card requires a PIN.) As a customer, you don't have to trust that BigMart's cash register is paying the right company or not, because you're walking out the door with your paid-for stuff. BigMart's transaction security is BigMart's problem. You don't have to trust BigMart (or a hacker) to not steal your account number, because without the authentication coming from the smart chip, the bank should refuse any transactions. It doesn't even matter much if they steal your account number and your PIN, because without the chip they still can't recreate the authentication. And if a sophisticated hacker with an ion-beam manages to read the secret from the chip, it only violates your one card; not your other accounts, not someone else's account, and not the bank's master secret.

If we ever get there.

Consumer Controlled Credit (3C) Transactions

The 3C Transaction seems to have a lot of potential. I like the idea of never handing out a credential that can be used to compromise my account.

zinc sulfate

intersting!!
zincsulfate