
An article relating to this blog post on Finextra:

Citi re-issues cards following merchant breach

Citigroup has started sending replacement credit cards to customers whose accounts may have been compromised in the massive Heartland Payment Systems breach, the Associated Press reports.



Technology can solve this issue for the benefit of consumers

One solution to this issue is to add an extra layer of security that removes the ability to "repay" with the same data (card details, which are static information).

Would you accept a system where, by simply collecting your physical address (for example from the Yellow Pages), someone is able to enter your home? Authorising a transaction based only on valid "card details" (identification information) is much the same. A key to lock this system is missing!

In Europe, a one-time password solution using the chip of the already deployed banking cards is gaining strong momentum. It replaces static methods (a low-security login and password for accessing online banking services; 'plastic' card details only to pay). This solution, named 'Home Chip and PIN' in the UK, is also largely deployed in Scandinavia, Benelux, Switzerland and Eastern Europe, and is beginning to roll out in France and Italy (named 'Vericode').

If a chip card-based strong authentication is required to allow a transaction (for example in the 3D-Secure architecture / Verified by Visa / MasterCard SecureCode), any stolen database information will become unuseful without a fresh One-Time signature, and so future Heartland-like breaches will not force issuers to re-issue cards.


Comments: (1)

A Finextra member, 02 March, 2009, 11:05

"any stolen database information will become unuseful without a fresh One-Time signature and so, future Heartland-like breaches will not force issuers to re-issue cards."

Not quite.

A fraudster posing as a man-in-the-middle can pretend to be an online merchant, get your card number, exp date, CVV, pop up the Verified by Visa stub, get your Verified by Visa password and even the OTP (if you're using an OTP) AND replay all these with a legitimate merchant.

Authentication of the online merchant or online bank (actually the commercial site) must also be done in order to ensure that the consumer is giving his card data (and OTP) to a legitimate commercial site.
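
The check described in the post and the limit raised in the comment, as an added example that is not part of the original post or comment: a hypothetical issuer accepts either static card details alone or static details plus a counter-based one-time code. RFC 4226 HOTP stands in for the chip card's computation (an assumption), and the `Issuer` class, card values and key are constructed for illustration.

```python
import hashlib, hmac, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, standing in for the chip card's one-time code (assumption)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Issuer:
    """Hypothetical issuer-side check; not any card scheme's real API."""
    def __init__(self, pan, expiry, cvv, card_key):
        self.static = (pan, expiry, cvv)
        self.card_key = card_key
        self.next_counter = 0  # lowest counter value still acceptable

    def authorise_static(self, pan, expiry, cvv):
        # Static model: whoever holds the stored fields can pay.
        return (pan, expiry, cvv) == self.static

    def authorise_otp(self, pan, expiry, cvv, otp, window=3):
        # OTP model: static fields plus a code for an unused counter value.
        if not self.authorise_static(pan, expiry, cvv):
            return False
        for c in range(self.next_counter, self.next_counter + window):
            if hmac.compare_digest(hotp(self.card_key, c), otp):
                self.next_counter = c + 1  # burn it: the same code never works twice
                return True
        return False

def demo():
    card = ("4000000000000002", "12/30", "123")  # constructed test values
    key = b"12345678901234567890"                # RFC 4226 test key
    issuer = Issuer(*card, key)
    out = {}
    out["static_only_with_stolen_record"] = issuer.authorise_static(*card)
    out["otp_scheme_with_stolen_record"] = issuer.authorise_otp(*card, "000000")
    code = hotp(key, 0)
    out["otp_first_use"] = issuer.authorise_otp(*card, code)
    out["otp_reuse"] = issuer.authorise_otp(*card, code)
    # The issuer sees only the fields and the code, not who collected them,
    # so a fresh code forwarded by a third party passes this check.
    out["fresh_code_forwarded"] = issuer.authorise_otp(*card, hotp(key, 1))
    return out

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The last case is why the comment asks for the commercial site to be authenticated as well: nothing in the issuer's check distinguishes the party that collected the code from the party the cardholder meant to pay.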

 


This post is from a series of posts in the group:

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.

