However advanced the security model used by a retailer's point of sale terminals, whether it be biometrics, EMV cards, one time passwords or any other kind, the single point of failure is the fact that useful data is left behind on the retailer's system.
This makes it an attractive target for hackers, who bypass the authentication system, by hacking the network, or the operating system, steal the database, and re-use the card details, user information and whatever else was there for the taking.
To perform identity authentication, only two pieces of information are needed. A form of user ID, and an associated secret, known only to the user and the authentication system.
In most cases, the user ID is implied by a credit card number, and the secret is passed from the user, to the retailer, and then to the credit card company, possibly in encrypted form. All of this information is recorded, together with the transaction details,
in the log files on systems belonging to the retailer and the credit card company.
This is the flaw. The systems contain data worth stealing. It doesn't matter that it is encrypted, since the thieves have plenty of time, and adequate computing resources.
Let us postulate a point of sale terminal which doesn't need to read a credit card number, but is content to take a simple user ID.
Let us further postulate that the terminal doesn't pass a secret to the credit card company, but merely sends metadata, i.e information related to the secret. Now, we don't even need encryption.
Finally, let us postulate that the metadata is different with each transaction performed by the customer, but relates to the same secret.
Both the customer and the credit card company know the secret, so deciphering the metadata is a simple matter. The retailer doesn't need to know the secret, and just retransmits the metadata from customer to credit card company. If the whole transaction
is stored on the retailer's system, and is then stolen, it is useless to the thief, since he can't decipher the metadata.
The creation of the metadata is the crucial part of this security model, and the following is one approach.
Both the customer and the credit card company agree on a word or phrase, or even an arbitrary collection of letters, as the secret.
When the customer wishes to authenticate, the POS terminal presents him with an alphabet, paired with a random array of numbers, like this:
The customer then enters the numbers corresponding to his secret, which are sent to the credit card company. It doesn't matter if the retailer stores this together with the transaction details since, the next time the customer performs a transaction, the
numbers will all be different, and the previous numbers will be useless to the thief.
The numbers will also be useless to any spy camers, skimming devices, network snoopers and key logging malware.
To add a further level of security, it isn't even necessary to transmit the numbers. A SHA256 hash is irreversible, but the credit card company can reconstruct the hash of the secret, and match this with the incoming hash from the retailer.
Point of sale terminals can be made secure. Very secure. It's just a matter of wanting to.