Retailers Realize EMV Won't Save Them From ...

Network Computing Dark Reading

Advertise

About Us

Newest First | Oldest First | Threaded View

[close this box]

MarkSitkowski,
User Rank: Moderator
10/5/2014 | 1:38:46 AM

Re: Will there ever be a solution?

Here's the silver bullet.

Let me say, up front, that the whole architecture of the authentication/payment cycle is wrong.

Here's an easily implemented solution, which will leave the hackers with a lot of useless data, even if the retailer persists in storing card data in the transaction log, or a network snooper monitors all transactions:

1. The customer presents a credit card to the POS terminal

2. The (hopefully encrypted) card number is sent to the card validation server

3. Each customer has a secret keyword, like 'julyfourth', which only he knows, and which is never transmitted.

4. The validation server sends an alphabet, and a random selection of 1's and 0's to the POS terminal

5. The customer selects a pattern of 1's and 0's which match his keyword. This metadata is sent back to the validation server.

6. The validation server also selects a pattern of 1's and 0's which match the keyword.

7. If the two patterns match, the transaction is approved, if not, it's fraud.

Notice that, since the challenge is random, anyone trying to re-use it. will fail.

Additionally, if this system is used for card-not-present transactions, it is equally effective, and it doesn't rely on chips, biometrics, multi-factor authentication.

Oh, yes. It'll protect ATM transactions from spy cameras, network snoopers and other fraud attempts.

Reply | Post Message | Messages List | Start a Board

jagibbons,
User Rank: Strategist
10/1/2014 | 6:46:38 AM

Re: Will there ever be a solution?

Even with EMV and tokenization, there are still points in the overall business cycle where card data could be compromised. There are no silver bullets. That's why there are well over 200 controls in the PCI Data Security Standard.

Reply | Post Message | Messages List | Start a Board

Robert McDougal,
User Rank: Ninja
9/30/2014 | 4:14:06 PM

Will there ever be a solution?

As this problem continues to grow I wouldn't be surprised if in 5 years we must use a token in conjunction with our credit cards.

Reply | Post Message | Messages List | Start a Board

Editors' Choice

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry

David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP, 7/9/2021

Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours

Robert Lemos, Contributing Writer, 7/7/2021

It's in the Game (but It Shouldn't Be)

Tal Memran, Cybersecurity Expert, CYE, 7/9/2021

Live Events

Webinars

SecTor - Canada's IT Security Conference Oct 1-6 - Learn More

Black Hat USA - August 6-11 - Learn More

[FREE Virtual Event] The Identity Crisis

More Informa Tech Live Events

White Papers

Breaches Prompt Changes to Enterprise IR Plans and Processes

Five Best Practices for AWS Security Monitoring

Understanding DNS Threats and How to Use DNS to Expand Your Cybersecurity Arsenal

AppSec Considerations For Modern Application Development

Ambush Attackers at the Endpoint with the Endpoint Detection Net (EDN) Suite

More White Papers

Cartoon

Latest Comment: I've heard of people walking right out the front door with entire servers...

Cartoon Archive

Current Issue

Black Hat USA 2022 Attendee Report

Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Incident Readiness and Building Response Playbook

In this special report, learn the Xs and Os of any good security incident readiness and response playbook.

Download Now!

Battle for the Endpoint

0 comments

How Enterprises are Developing Secure Applications

0 comments

Assessing Cybersecurity Risk in Today's Enterprises

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2017-2597
PUBLISHED: 2022-08-08

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.

CVE-2017-2631
PUBLISHED: 2022-08-08

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.

CVE-2017-2657
PUBLISHED: 2022-08-08

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.

CVE-2017-7527
PUBLISHED: 2022-08-08

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.

CVE-2021-41615
PUBLISHED: 2022-08-08

websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). NOTE: 2.1...

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]