Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chester Wisniewski of Sophos Talks About Secure Credit Card Transactions (Video)

Posted by Roblimo on from the the-most-secure-credit-card-is-one-you-keep-in-a-safe-and-never-use dept.

Chester Wisniewski's nakedsecurity describes Wisniewski's specialty thus: "He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics." So he's obviously someone who might know a little about preventing future Target-style security debacles. We've also interviewed tech journalist Wayne Rash about this topic, and will probably interview another security expert or two. Many Slashdot users may find all this credit card security talk boring, but for those who handle security matters for a living, especially for retailers, it's vital information. So here's Tim Lord talking with Chet, who is a recognized security expert for Sophos, one of the big dogs in the IT security field, when Chet was in Texas for the latest iteration of Security B-Sides in Austin. (Alternate video link.)

10 of 17 comments (clear)

  1. haha by BuckaBooBob · · Score: 1

    Nice April fools post... Secure credit card transactions... That's as likely as a honest politician

    --
    Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
  2. Broken by design by Tailhook · · Score: 3, Insightful

    Until transactions are performed through a bank run broker such that the retailer NEVER GETS THEIR PAWS ON ACCOUNT CREDENTIALS, it's all a waste of time. I blame the banks; Target episodes are inevitable as long as the banks fail to provide an alternative to having retailers schlep around account credentials.

    --
    Maw! Fire up the karma burner!
    1. Re:Broken by design by Em+Adespoton · · Score: 2

      Until transactions are performed through a bank run broker such that the retailer NEVER GETS THEIR PAWS ON ACCOUNT CREDENTIALS, it's all a waste of time. I blame the banks; Target episodes are inevitable as long as the banks fail to provide an alternative to having retailers schlep around account credentials.

      Interestingly, the US is the only place in the world not to implement Chip and PIN, which basically keeps retailers from getting their paws on account credentials. There's a move to chip, but PIN is being avoided, which means that it STILL won't be secure.

    2. Re:Broken by design by timeOday · · Score: 2
      And why is this hard? About 10 years ago I had a credit card that offered a website. It would let you generate a new credit card number at any time that was only good for up to a certain amount. So you didn't have to give away the keys to the kingdom just to place a little purchase. But they shut it down and I haven't seen anything like it in years.

      What I would like is a trusted hardware token (like a SecureID card) that I carry in my pocket. When the POS terminal requests a payment, it transmits the request to my token and I put in my PIN, which authorizes a payment but only for the specified amount! (Obviously the token could be a smartphone, to sacrifice some security for convenience.)

    3. Re:Broken by design by swb · · Score: 1

      The payment network gets paid no matter what, so they have no incentive to reduce transactions or increase transaction costs.

      Once Visa/MC start being forced to eat 1/3 of every fraudulent transaction instead of dumping it on retailers, banks and consumers then they will be more interested in security.

    4. Re:Broken by design by grep+-v+'.*'+* · · Score: 2

      About 10 years ago I had a credit card that offered a website. It would let you generate a new credit card number at any time that was only good for up to a certain amount.

      About 10 minutes ago, I did exactly that with Bank of America's ShopSafe -- not that they're the only one around. But I've used them for years and it works great.

      You log into the website and select your supporting credit card. Then you find the (Mostly hidden? Why??) option and tell it the maximum dollar amount and the max numbers of valid months. It generates a new CC number and CSC with the limits you specify. The first vendor who uses the card is linked to the card so no one else can use it again. (The original vendor can; great for single-vendor monthly or periodic purchases.) You can even increase the total amount later or cancel the virtual card early if necessary. If not, it'll expire after it's short lifetime (months) is up

      One time BoA alerted me that a virtual card I used at a charity was later used elsewhere. They surprisingly canceled the actual card along with the virtual one. The virtual cards purpose was long over, but I was surprised that they killed the real card supporting it. Still, no problems at all using these on-the-fly cards for years now. I use it for all of my year-end charitable contributions and for any place I don't absolutely 100% trust. (And a few that I even do!)

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    5. Re:Broken by design by CadentOrange · · Score: 1

      The majority of POS terminals in the wild run Windows XP. This is unlikely to change anytime soon, so I have no idea how Windows XP's official retirement in a few days time will play out as none of the retailers I work with intend to change their tills. This isn't surprising (to people who support POS terminals), as we still see terminals running Windows NT4 (!!!!!!!).

      Our advice to retailers is to always have their tills on a separate non-internet facing network. No one really does this though ....

  3. Re:the word your looking for is tokenized CC's. by Tailhook · · Score: 1

    see the card once

    Broken. Right there. The only worthwhile solution has no transfer of payment instrument credentials. None, ever. No numbers, no PINs, no CVVs, no expiration dates. Nothing.

    That's done with a broker. That's how Paypal works and that's how Bitcoin works. The fact that credit cards don't work that way is indifference on the part of banks. Banks fail to provide and alternative to handing over the keys to random and sundry knuckleheads and their insecure systems.

    --
    Maw! Fire up the karma burner!
  4. Re:Credit cards are NOT secure by ArcadeMan · · Score: 1

    And that's why every transaction ever made with Bitcoin is publicly available in the blockchain.

    Bitcoin is a good replacement to credit cards and PayPal because no single entity controls it. Imagine if there was half a dozen "PayPal" companies all competing against each other.

    --
    Get free satoshi (Bitcoin) and Dogecoins
  5. Re:the word your looking for is tokenized CC's. by plover · · Score: 2

    Because it's so simple to authenticate all parties to the broker. Now we've gone from trusting the merchant, the shopper, and the bank, to trusting the merchant, shopper, bank, and broker. That's the problem here: every solution that relies on trust instead of hardware cryptographic implementations is equally broken.

    The smart cards in the EMV system are indeed the way to go, because they are issued by the bank, and your bank stores your account's secret in them. The bank's trust never leaves the bank's systems.

    EMV limits fraud only to a person who physically has the card in their possession (and who knows the PIN, assuming your card requires a PIN.) As a customer, you don't have to trust that BigMart's cash register is paying the right company or not, because you're walking out the door with your paid-for stuff. BigMart's transaction security is BigMart's problem. You don't have to trust BigMart (or a hacker) to not steal your account number, because without the authentication coming from the smart chip, the bank should refuse any transactions. It doesn't even matter much if they steal your account number and your PIN, because without the chip they still can't recreate the authentication. And if a sophisticated hacker with an ion-beam manages to read the secret from the chip, it only violates your one card; not your other accounts, not someone else's account, and not the bank's master secret.

    If we ever get there.

    --
    John