17 October 2017
Stephen Wilson

Stephen Wilson - Lockstep Group

A post relating to this item from Finextra:

Smart Card Alliance slams end-to-end encryption

14 September 2009  |  11746 views  |  1
The US payments industry should use contactless chip cards along with dynamic cryptograms - rather than end-to-end data encryption - in the fight against fraudsters, according to an industry associati...

End to end Encryption will not dent black market

14 September 2009  |  3134 views  |  0

Randy Vanderhoof of the Smart Card Alliance speaks a great deal of common sense about end-to-end encryption. It won't do anything to prevent replay attacks, nor to take the value out of stolen ID data.  All it does is protect data-at-rest at intermediaries, and data-in-motion through a portion of the payment processing chain.  So the black market in stolen account details will not be impacted.

The fundamental problem with end-to-end encryption, unsurprisingly, is at the ends.  The point at which stolen card data can be injected at merchants is not protected by E2EE. 

Randy's analogy that E2EE "may be more akin to putting a steel door on a grass hut" is evocative but not quite right. A more telling comparison would be using an armoured car to transfer cash from a merchant to the bank, but leaving the cash in a cardboard box on the sidewalk outside the shop for collection. The card payments system remains vulnerable to attack at the interface between merchant and processor. E2EE won't stop the sorts of attack mounted by organised crime at large merchants (like TJMaxx); all it does is mitigate heists occurring within the processors. So as a "risk management" measure, it's very selective as to whose risk it manages. E2EE might have the unintended consequence of making merchants more attractive as targets for ID thieves. What then? Perhaps another cycle of yet more onerous PCI requirements?
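The replay point above can be made concrete with a simplified model, added here as an illustration and not part of the original post. It assumes an HMAC over account number, transaction counter and amount as a stand-in for a chip card's dynamic cryptogram (not the actual EMV algorithm), and a toy keystream in place of real merchant-to-processor encryption; all class and function names are hypothetical.

```python
import hashlib, hmac, os

PAN = "4000000000000002"  # constructed sample number, not a real account

def make_cryptogram(key, pan, atc, amount):
    # Assumption: HMAC-SHA256 over PAN, counter and amount stands in for the card's MAC.
    return hmac.new(key, f"{pan}|{atc}|{amount}".encode(), hashlib.sha256).digest()[:8]

def e2ee_transit(payload, link_key):
    """Toy merchant-to-processor encryption (illustrative keystream, not a real cipher)."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(link_key + nonce).digest(len(payload))
    on_wire = bytes(a ^ b for a, b in zip(payload, stream))  # what an eavesdropper sees
    return bytes(a ^ b for a, b in zip(on_wire, stream))     # processor end decrypts

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def pay(self, amount):
        self.atc += 1  # transaction counter never repeats
        return self.pan, self.atc, amount, make_cryptogram(self._key, self.pan, self.atc, amount)

class Issuer:
    def __init__(self, card_keys):
        self.card_keys = card_keys
        self.last_atc = {pan: 0 for pan in card_keys}

    def authorise_static(self, pan):
        return pan in self.card_keys  # any copy of the number is as good as the card

    def authorise_dynamic(self, pan, atc, amount, cryptogram):
        key = self.card_keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or a counter already seen: replay
        if not hmac.compare_digest(make_cryptogram(key, pan, atc, amount), cryptogram):
            return False  # cryptogram does not match this counter and amount
        self.last_atc[pan] = atc
        return True

def demo():
    key, link_key = os.urandom(16), os.urandom(16)
    issuer, card = Issuer({PAN: key}), ChipCard(PAN, key)
    injected = e2ee_transit(PAN.encode(), link_key).decode()  # static data entered at the merchant end
    txn = card.pay(2500)
    return {
        "static_replay": issuer.authorise_static(injected),   # accepted: transit encryption is irrelevant
        "genuine": issuer.authorise_dynamic(*txn),
        "same_txn_replayed": issuer.authorise_dynamic(*txn),  # rejected: counter already used
        "cryptogram_reused": issuer.authorise_dynamic(txn[0], txn[1] + 1, 9900, txn[3]),
    }
```

The encrypted channel delivers whatever is entered at the merchant end, so static data stays replayable, while a captured cryptogram is useless for a second transaction.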



Stephen's profile

Job title: Managing Director
Location: Sydney
Member since: 2008
Summary profile:
I specialise in digital identity, privacy, smart technologies and fraud prevention. I run the Lockstep Group, which researches and develops innovative solutions to Card Not Present fraud and identity...
