License

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Security reporters

By davebirch posted Jul 2 2007 at 4:41 PM
[Dave Birch] With contactless payment systems continuing to expand, I see another report from the U.S. concerning fears that the wireless technology behind those systems is not secure enough for widespread adoption, despite assurances from Visa, MasterCard, and other major players. Aneace pointed to a similar discussion in May, except that time it was retailers who were saying that
    Once the U.S. overcomes its security issues with contactless payments and assures the public of the safety of using them, this technology will explode.
But what are these stories about (and what do they mean)? A typical example is this story about cards transmitting cardholders' names and numbers in the clear, which is illustrated with a picture of a card that doesn't. But look at the heart of that story. According to a study by researchers at the University of Massachusetts and at security companies RSA and Innealta, many contactless cards will transmit your name, the card number, and its expiration date (but not the CVV) unencrypted to anyone nearby with an RFID scanner. This is true, but I'd put a different spin on it: researchers have discovered that these cards comply with their specifications and do exactly what they are supposed to do.


Now, of course it makes no real sense for the cards to transmit the cardholder's name. That's true. But it also makes no sense for standard chip & PIN cards to transmit the cardholder's name either. It's just legacy thinking, another example of the transition to a new technology that is merely, in its first generation, used to simulate the old technology. In fact, as my colleague Tony Pickup has previously recommended, there's also no reason why chip & PIN cards should deliver the same number over different channels. Why does, for example, my debit card give up the same PAN to a POS terminal as to an ATM? All this means is that PANs stolen from POS terminals can be used to make bogus ATM transactions. Let's start designing fraud out; we're all agreed on that.
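To make the channel-bound number idea concrete, here is a toy issuer model written for this post as an added example; it is not Consult Hyperion's code, nor any card scheme's, and it goes slightly beyond the post by covering three channels rather than the POS/ATM pair mentioned above. The card hands each channel its own Luhn-valid PAN, and the issuer only approves a PAN on the channel it was issued for, so a number captured at a POS terminal is rejected at an ATM. The HMAC-based derivation, the BIN prefix 499999, the channel names and the account reference are all constructed assumptions, not anything from a real scheme.

```python
"""
Channel-bound card numbers: a toy issuer model (added example, not from the post).

The card presents a different PAN on each channel; the issuer binds each PAN to
its channel at authorisation time. All keys, BIN values and account references
below are constructed for illustration.
"""
import hashlib
import hmac

# Hypothetical channel set; real schemes would define their own.
CHANNELS = ("POS", "ATM", "CONTACTLESS")


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a string of digits that lacks one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of the partial is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit of pan is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def derive_channel_pan(issuer_key: bytes, account_ref: str, channel: str,
                       bin_prefix: str = "499999") -> str:
    """Derive a 16-digit, Luhn-valid PAN unique to (account, channel).

    The HMAC construction is a hypothetical choice made for this example: it gives
    a deterministic, key-dependent number per channel without storing a table.
    """
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel {channel!r}")
    mac = hmac.new(issuer_key, f"{account_ref}|{channel}".encode(), hashlib.sha256).digest()
    body = "".join(str(b % 10) for b in mac[:9])   # 6-digit BIN + 9 digits + check = 16
    partial = bin_prefix + body
    return partial + luhn_check_digit(partial)


class Issuer:
    """Issues per-channel PANs and refuses a PAN presented on the wrong channel."""

    def __init__(self, issuer_key: bytes):
        self.issuer_key = issuer_key
        self.pan_index: dict[str, tuple[str, str]] = {}   # pan -> (account, channel)

    def issue_card(self, account_ref: str) -> dict[str, str]:
        """Personalise a card: one PAN per channel, all bound to one account."""
        pans = {}
        for channel in CHANNELS:
            pan = derive_channel_pan(self.issuer_key, account_ref, channel)
            self.pan_index[pan] = (account_ref, channel)
            pans[channel] = pan
        return pans

    def authorise(self, pan: str, channel: str) -> tuple[bool, str]:
        """Approve only if the PAN exists and was issued for this channel."""
        entry = self.pan_index.get(pan)
        if entry is None:
            return False, "unknown PAN"
        account_ref, bound_channel = entry
        if bound_channel != channel:
            return False, f"PAN bound to {bound_channel}, presented on {channel}"
        return True, f"approved for {account_ref}"


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Replay a POS-channel PAN at an ATM: the first result is approved, the second refused."""
    issuer = Issuer(b"constructed-issuer-key")        # constructed key, not a real one
    card = issuer.issue_card("acct-0001")              # constructed account reference
    pos_pan = card["POS"]
    return issuer.authorise(pos_pan, "POS"), issuer.authorise(pos_pan, "ATM")


if __name__ == "__main__":
    for ok, reason in demo():
        print("APPROVED" if ok else "DECLINED", "-", reason)
```

The useful property for a fraud analyst is that a cross-channel replay fails closed and the decline reason names the mismatch, which is exactly the signal a monitoring system would want to alert on when harvested POS numbers start turning up at ATMs.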

But back to the impending security catastrophe that the journalists are warning us about. It's what these stories mean that continues to bother me. They suggest that card issuers will put cards into the market that will increase their risk. If this were true, what would be the explanation? That card issuers are dumb? That banks don't have any security experts? That suppliers are misleading banks? I'm really keen to know.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public

Comments

And then people are surprised that credit card numbers are offered in India in bulk quantity. Let's get us some RFID readers and collect numbers.

At least in the US, the main goal of the credit card firms in all of this is to increase the volume of transactions. They have successfully dumped all of the liability and risk onto the merchants (with a bit on the consumer). This is why they have been pushing debit cards so hard (and successfully) - more transactions, but even less risk and liability for the card provider (in the US, debit cards do not have any of the long established protections of credit cards at this time).

If you have no liability, you have no security problem... since the card issuers have no liability, they don't care about real security - only increasing their fees and profits:

Contactless makes transactions easier and faster. That is what matters. They will put in just enough security to get the system accepted in the market. Of course the other benefit is that they will make money on selling a whole new set of infrastructure products to vendors (with a nice licensing fee to the card companies, no doubt). The greed of the card companies was why SET died.

Dave,
Every time a new channel or payment method rolls out the Chicken Littles demand attention. Yet we so often forget that new customer interaction methods are, quite literally, a two-way street. Mobile devices (which use contactless as the proverbial rails) naturally have security risks that demand attention, but they offer unique security benefits as well, namely the ability to enable the end user to detect or even approve/reject of transactions. Research data shows that new interactive technology has powerful security advantages, but their value is limited by security professionals' willingness to build on their strengths. Until we evolve our thinking about security beyond today's exclusive back-office fear mongering mindset, the criminals will have the upper hand.

Do the people who design these systems live under a rock?

Why is it that the "old" Internet technology we use has to encrypt the users card details at all times (for PCI compliance) but the idiots designing the shiny new card scanners still transmit this data in the clear?

It's simply not good enough, and if the journalists create enough of a stink to make them fix it quickly before contactless payments get much bigger then that's good for everyone.

Simon
Mi-Pay Ltd
