10:55 AM
Josh Thurston

From Paper To Plastic To Bits

Paying with your phone or other electronic wallets increases transaction security.

In 2005, the police arrested a man who attempted to steal my identity and discovered a stack of credit card receipts in his car. All of the stolen receipts were carbon copies that captured the credit card info. By mere coincidence, I had just teamed up with four friends and launched a startup. Our company offered a solution to process secure transactions from mobile phones, not something that was common in 2005, the pre-smartphone era.

I frequently think about the security of merchant processing. The medium through which we exchange currency has expanded and changed in many ways. Millions of dollars are exchanged by mobile devices daily, and new technologies have come about such as electronic wallets and new credit cards that are encrypted and use digital ink.

There are a lot of e-wallet options available for your phone and as standalone electronic cards. They are offered by banks, merchants, and of course major smartphone companies. These offer convenience, faster payment processing, and fewer cards to physically carry. But are they safe, and are they more secure? I say yes.

New Mediums Abound

New mediums for credit and debit transactions are quickly hitting the market:

  • Wallet apps use NFC (near-field communication) to communicate details to the point-of-sale (POS) terminal. E-wallets require a PIN or fingerprint touch to authorize a payment.
  • Recently the industry has seen an inventive plastic card that brings secure encrypted currency exchange. While the technology does not work at every merchant terminal, the success rates will get better as the technology matures. Two companies to check out are Coin and Plastc.
  • Physical cards can be tapped on the terminal. Physical cards that have this feature can be read from about 20 cm and will automatically accept payments for $50 to $100, depending on your bank. That means that unshielded cards can be tricked into debiting your account by someone walking by with a wireless POS terminal. Be sure to carry your tappable credit cards in a shielded envelope or wallet.

When using a physical payment card, the merchant gets your credit card number and other details, which they store and use to track your purchasing behavior. If their POS system is breached, which has happened many times, thieves can steal your number along with hundreds or thousands of others. When you use your e-wallet, the merchant just sees an identification token. This token is unique to the card and device, so they can still track anonymized purchasing behavior, but it becomes more difficult to connect to an individual. Since each transaction also requires a unique and calculated cryptogram, nothing stolen from the merchant’s POS system can be used to make other fraudulent transactions.
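An added illustration of the token-plus-cryptogram idea described above, not code from the article or from any payment network. HMAC-SHA256 over a transaction counter stands in for the real cryptogram calculation, and the `Issuer` and `Wallet` classes, the `tok_` format and the test card number are all constructed for the example.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, counter, amount_cents):
    # Stand-in for the network's real cryptogram: a MAC bound to this one payment.
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Constructed stand-in for the bank that maps tokens back to card numbers."""
    def __init__(self):
        self.vault = {}  # token -> [card number, device key, last counter accepted]

    def provision(self, pan):
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self.vault[token] = [pan, key, 0]
        return token, key  # the card number itself never goes to the device

    def authorize(self, token, counter, amount_cents, cryptogram):
        entry = self.vault.get(token)
        if entry is None:
            return False
        expected = make_cryptogram(entry[1], token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # amount or counter altered, or key unknown
        if counter <= entry[2]:
            return False  # cryptogram already used: replay
        entry[2] = counter
        return True

class Wallet:
    def __init__(self, token, key):
        self.token, self._key, self.counter = token, key, 0

    def pay(self, amount_cents):
        self.counter += 1
        return {"token": self.token, "counter": self.counter, "amount_cents": amount_cents,
                "cryptogram": make_cryptogram(self._key, self.token, self.counter, amount_cents)}

def demo():
    issuer, pan = Issuer(), "4111111111111111"  # constructed test card number
    wallet = Wallet(*issuer.provision(pan))
    record = wallet.pay(1250)  # everything the merchant's POS sees and could store
    first = issuer.authorize(**record)
    replayed = issuer.authorize(**record)  # the stored record is submitted again
    altered = issuer.authorize(**dict(record, counter=2, amount_cents=99900))
    pan_at_merchant = any(v == pan for v in record.values())
    return first, replayed, altered, pan_at_merchant
```

`demo()` shows the genuine payment accepted, the resubmitted and altered records rejected, and the card number absent from what the merchant holds.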

When not using your card, it is at risk of being lost or stolen. Until you report it, a physical card can potentially be used to make purchases. The number is clearly visible on the card, as is the verification code. On your e-wallet, the card information is not stored at all. The wallet receives a separate, device-specific token sent by your bank. This information is transmitted encrypted, cannot be decrypted by the phone, and the actual credit card number is not retained so your number cannot be retrieved even if a thief manages to guess your passcode. In addition, the “Find My Phone” features available can help track down your lost e-wallet or wipe all information from memory if it has been stolen, further protecting your payment info.

Eventually, lower fraud rates could lead to lower credit card fees and interest rates. It will probably take years for the majority of payment transactions to move to e-wallets and accept electronic cards, so it is not time to disable the security on your POS system just yet. And hackers will continue looking for ways to break or trick the system. But encouraging faster adoption of e-wallets and electronic cards looks to benefit everyone involved. 

Josh Thurston is a security strategist in the Intel Security Office of the CTO. In this role, Thurston drives business growth and defines the Intel Security go-to-market strategy for the Americas, creating and communicating innovative solutions for today's complex ...