[Info-vax] One possible market for VMS: secure credit card
johnwallace4 at yahoo.co.uk
Sun Mar 22 19:26:00 EDT 2015
On Sunday, 22 March 2015 18:28:30 UTC, JF Mezei wrote:
> On 15-03-22 07:43, Jan-Erik Soderholm wrote:
>
> > The common way to collect card information is to tamper with the
> > card terminals themselves.
>
> In the Cape May ferry example, they mentioned that the food outlets at
> terminals and on-board were compromised. The word "malware" was used in
> one of the press releases.
>
> Looks to me like some solution that involved cash registers sending
> credit card transactions to some sort of central PC which then
> communicates with the credit card processor likely over internet. If all
> the terminals were compromised, it would point to an inside job by
> someone with access to all the terminals on shore and on ships.
>
> The issue here isn't so much the terminals. With chip and pin (deployed
> just about everywhere outside the USA that is still stuck with mag
> stripes), compromised terminals are rare as the communication is
> encrypted by the card itself.
>
> But that still leaves open all internet based stores which use the "No
> card present" and (unfortunately) store credit card info for some reason
> which escapes me. Theft of those databases is growing and represents
> major fraud losses before banks clue in on a particular merchant. (must
> analyse what is in common between cardholders whose card was compromised
> from different banks to see that they all have 1 store in common).
>
> Stores like Target in the USA will cease to have databases of card
> numbers when/if the USA goes chip/pin since their systems do not see a
> credit card number. But their "shop on internet" continues to be loaded
> with credit cards entered by customers.
>
> So having secure software to handle that part would be a nice target
> market.
You may wish to read some of the Chip+Pin-related work of Cambridge
University's Professor Ross Anderson before you conclude that Chip+Pin
is particularly helpful for security.
E.g.
http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
What C+P is 'helpful' for is shifting the liability from the card
processors to someone else (the customer, the trader).