[lug] OT: Credit Cards w/ Chips

William D. Knoche bill.knoche at gmail.com
Sat May 16 10:15:05 MDT 2015


I don't know if there are any good papers still out there. Google search 
should provide some clues.
I recall that at Sun, when we did the Javacard technology (early 90s), we put 
smartcard readers in all our systems for a time.
I do know the concept was patented in the late 60s. The Germans and the 
French were far ahead in both technology and in application.
Wikipedia has a pretty good explanation and history.

Basically the idea is PKI using long keys and RSA, DES or DSA.

Sun removed the smartcard readers due to almost complete ambivalence by 
our customers to security at the time. And I pointed out that there were 
simple hacks to get around it. The most obvious was that in most cases 
there was little or no physical security and that by simply pulling the 
power I could force a reboot into single user. The other was a bit 
before that when at SEL we claimed to have a very secure MLS, Red Book 
compliant, system and at a show, Usenix, I think, we offered a round 
trip to Paris for dinner to anyone who could break it. Someone walked up 
to the booth, asked how the technology worked and asked to be shown how 
to administer it. He then asked if he could look at something and he was 
in. The company cried foul but social engineering is a very real threat 
and I believe we paid up. We know better now but often forget.

I am not sure I would give the keys to either IT or to the purveyors of 
such technology. We have had the technology for a long time but even now 
aren't really doing the "right" things but at least the level of 
paranoia has gone up so a sense of urgency is now present and there does 
appear to be effort applied to make things a little more secure.

I have often used the analogy of the front door to a home. Even when 
willing to spend hundreds or even thousands of dollars on high quality 
locksets the adjacent side lite or window is ignored and a small rock 
from the yard can be used as a "key" - no need to pick that nice lock.
Many security strategies ignore everything but the front door. Most are 
there just to challenge the violator hoping they will move on to easier 
targets. We can and should do better. But a comprehensive analysis of 
the risks followed by a rigorous application of security measures seems 
beyond the level of commitment or budget of most.

I got a phone call from someone claiming to be from Microsoft security 
and that my Windows system was at risk. They instructed me to enable 
remote desktop and let them "fix" it for me. My wife also received a 
very similar call. I wonder how many folks fell for this.
And so it goes...

--bill


On 05/16/2015 08:51 AM, Donald wrote:
>
>> The whole credit card processing is one example of how the world 
>> would be better if IT people were more in charge.  As many of these 
>> replies have suggested, we just wouldn't put up with such insecure 
>> solutions for so long.
>
> The whole CC industry is based on convenience not security.
>
> Years ago when the CC companies introduced mag cards, they had to get 
> the vendors to accept them and the users to use them. The current 
> technology was checks.
>
> Users saw the convenience in not carrying cash, but vendors saw too 
> many bounced checks.
> The banks guaranteed those checks.
> I am sure those having a guaranteed check card wished they could just 
> use that card instead of writing a check.
>
> Today the current technology is mag stripes. The CC companies have to 
> guarantee those as well.
>
> As in the mag cards, will the CC companies shoulder the costs ?
> ( yes, we all know who actually shoulders those costs )
>
> Anybody on this list is well aware of the inner workings of this "new" 
> technology.
> The bulk of the user public would not understand nor want to see a 
> change.
>
> Are there any good articles written about the new chip technology that 
> is accessible to the masses ?
> ( i.e. me )
>
> I would be surprised if the CC companies would not like to save the 
> amount of payout they do every year. But is it enough to pay the 
> upfront costs to change?
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety