16 April 2014

StirCrazy

John Dring - Intel Network Services

4 | posts 11,493 | views 209 | comments

Digital Signatures....

17 October 2008  |  2704 views  |  4

Well not PKI, but I have always had a grudge about those digital tablet or handheld POS things you are sometimes asked to sign on top of.  With all the talk about Chip + PIN, it reminded me...

I mean, you are basically digitising your signature into some merchants system, which is stored, somewhere, and in theory used to verify that you did purchase said item because they have your signature to prove it.

But surely, they now have my signature stored digitally, so it could be applied to any sales ledge they store a copy of, thus rendering it pointless.  I mean, what's the point?  They would always have to produce the paper original to show the ink.

So, I make a point of refusing to sign on these things, mainly in the US, and they have to print a paper version to sign, or I sign with a cross, which is worse.

Chip and PIN is therefore good for me, except I now have about 6 PINs to remember.  Most are as issued.  I have cards I can't use because I long ago discarded (nay destroyed) the PIN advisory and forgot the PIN (because I didn't create it).  But at least I could change a PIN from time to time.  Not so easy with an actual signature... I never heard of people changing their signature on record?  But say I made all my PINs the same - then say my PIN was compromised/observed?  Then stealing my wallet and cards is a factor of times more expensive to me, because Banks don't guarantee me against fraud if I have 'lost' my PIN.

And while I am musing these things.  What good is the CVV number?  Who says this is any proof whatsoever that you have your card in your posission?  Sure its on the back of your card, and not raised, so in the old 'roller' machines which took imprints of your card, it's not left on the counterfoil.  And I guess its not on the mag-stripe either, if someone is double scanning your card.

But every merchant who makes a note of this number, stores it in their system, together with my card details.   So again, my CVV is 'out there' and can't be trusted as an indication I have my card with me.   I mean, I even store my CVV someone safe on my PDA so I can use my 'Credit Card' if I have to, without having my wallet on me.

We do these things because we have to. They only marginally improve your identification.

-j

 

 

 

 

TagsCardsSecurity

Comments: (4)

Stephen Wilson - Lockstep Group - Sydney | 18 October, 2008, 04:35

"What good is the CVV number?  Who says this is any proof whatsoever that you have your card in your posission?  Sure its on the back of your card, and not raised, so in the old 'roller' machines which took imprints of your card, it's not left on the counterfoil."

Eactly right.  The CVV made sense at first because dumpster diving was the main way to steal personal IDs, and the CVV was hard to obtain.  But now that it is commonly collected online and saved god-knows-where, it is no harder for crooks to obtain that the PAN.  We might as well move to 19 digital credit card numbers!

Stephen Wilson.

 

David Griffiths - gryffle - Hertford | 20 October, 2008, 14:38

Just for the record, merchants are specifically required NOT to store the CVV, and neither for that matter are the card issuers. 

However, I don't suppose it matters much if you have merchants who think they are to big for the rules to apply to them. 

Stephen Wilson - Lockstep Group - Sydney | 21 October, 2008, 01:19

"Merchants are specifically required NOT to store the CVV"

Indeed, but what a multitude of issues lies beneath the surface!

- Collecting the CVV and them discarding it, is non trivial, as anyone in IT knows.

- The CVV is cached at multiple steps along the way.  The merchant needs to transmit it to the gateway: where does the CVV end up, and who is responsible for its safekeeping? Who can say it's been discarded?

- PCI compliant systems need to be carefully designed, carefully installed and carefully maintained, if they are to keep the solemn promise of discarding the CVV. 

- Above all, CVVs are valuable on the black market.  Therefore there is a profit incentive for insiders to sell them.  You can have a merchant that is PCI compliant up to the hilt, but is still leaking CVVs like a sieve because corrupt employees are selling them on.

It all points to the futility of using any ID data alone (CVV2, billing address etc.) to authenticate a card holder.  ID data, when it is replayable in CNP transactions, is immensely valuable.  It is the very value of naked ID data that makes PCI compliance ultimately of very marginal benefit. 

Sadly, every SME running an online business and taking credit cards is on the hook for PCI, requiring crazy levels of security and audit, when all it takes is one corrupt insider with access to a large volume system to siphon off a million cardholder records.

Cheers,

Stephen Wilson, Lockstep.

David Griffiths - gryffle - Hertford | 06 November, 2008, 16:27

In the dim and distant, we used to call it "good practice".  Now, apparently, it is no longer "good practice" it's "PCI:DSS compliant", and that makes it all hard work and too much effort.

The standards only require that bits of info are not retained longer than necessary for the completeion of the transaction - what in the past was good practice.  Even the issuers don't store the CVV, so why would retailers EVER believe that they should.  There is no issue (usually) about the CVV sitting dormant until overwritten by the one in the next transaction.  The problem arises when the designers and programmers decide that it would be a good idea to store the whole transaction "just in case".  If they just stored the bits that would be required to resolve cardholder queries, there would be no issue.  But ... they don't they store the lot!

A transaction system employing "good practice" principles will pass PCI:DSS every time.   

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from John

Does NFC equal mobile payments?

21 May 2011  |  3482 views  |  2  |  Recommends 1 TagsMobile & onlinePayments

Elementary, but please explain...

10 July 2009  |  2696 views  |  0  |  Recommends 0 TagsRetail banking

Nice try

06 November 2008  |  2612 views  |  2  |  Recommends 0

Digital Signatures....

17 October 2008  |  2704 views  |  4  |  Recommends 0 TagsCardsSecurity
name

John Dring

job title

Digital Services and mCommerce

company name

Intel Network Services

member since

2008

location

Swindon

Summary profile See full profile »
Digital Commerce - Service Provider Mobile/Web/TV, Commerce, Security, Content, API Monetisa...

John's expertise

What John reads
John writes about

Who is commenting on John's posts