[lug] OT: Credit Cards w/ Chips

Bear Giles bgiles at coyotesong.com
Mon May 18 08:52:54 MDT 2015


Don't forget the legal aspect. Europe has a secure system since the banks
are on the hook. The US has an insecure system since the merchants are on
the hook. (iirc)

We're finally changing because the laws have changed. Imagine that - change
the liability and you see different behavior.

But as to the broader question - we tend to think in terms of urban
solutions. What do you do about the little store out in the middle of
nowhere, the one where they're lucky to have low-quality voice service. The
system has to work for them as well. We ran into that at the USDA - we had
a web-based solution which was fine for most users but then we had to deal
with border agents at the middle of nowhere in deep rural New Mexico and
Arizona. They were lucky to have 2400 baud modems in the office, nothing in
the field.

Even urban areas aren't safe. After Sandy the telco said 'screw it, land
lines are expensive to install and maintain' and put in a VOIP system for
everyone. Only one problem - the credit card payment systems can't run on
VOIP. The merchants couldn't process credit cards. Their solution - which
is a huge violation of their contracts - is to write down the credit card
information INCLUDING THE SECURITY CODE and process the info later at a
different site. You don't write down the security code. Ever. That's a good
way to lose your merchant account. I don't think you can write down the
full credit card number either any more - if you store it, it has to be
encrypted and stored to financial industry standards (read $$$). So they
were risking their business, or at least $100k audits and monitoring,
because their telco didn't want to replace some copper wires.

On Sun, May 17, 2015 at 10:06 PM, Mike Stanczyk <stanczyk at pcisys.net> wrote:

>
> On Sat, 16 May 2015, William D. Knoche wrote:
>
>> I don't know if there are any good papers still out there. Google search
>> should provide some clues.
>>
>
> Security Engineering V2 by Ross Anderson is available on the web at:
> http://www.cl.cam.ac.uk/~rja14/book.html
>
> It's chock full of stories on things done right and usually wrong.
> There some chip-and-pin stuff in there but I don't remember which
> chapter.
>
> Mike
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
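Added example, not code from the post or from any project it mentions: what a merchant's "process it later" record is allowed to keep. It assumes the PCI DSS handling rules the post alludes to: the security code (CVV/CVC) and other sensitive authentication data are never persisted, and a PAN kept for deferred processing is reduced to a masked form (first six, last four) plus a keyed token rather than the full number. The field names, TOKEN_KEY and the sample record are illustrative assumptions; encrypting the full PAN under PCI key management is outside what this shows.

```python
# Added example (not from the post): reduce a captured card record to what a
# merchant may write down for later processing. Assumptions, not from the
# post: field names, the TOKEN_KEY value, and the sample record below.
import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical per-installation key; a real deployment keeps it in an HSM
# or PCI-scoped vault, never in source.
TOKEN_KEY = b"example-key-not-for-production"

# Sensitive authentication data that must never be stored, whatever the
# reason for delaying the transaction.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cid", "security_code",
                         "pin", "pin_block", "track1", "track2"}

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn check: catches transcription errors in a hand-written PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and validate; raises on anything not a PAN."""
    pan = re.sub(r"[ -]", "", raw)
    if not PAN_RE.match(pan) or not luhn_ok(pan):
        raise ValueError("not a valid PAN")
    return pan


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most first six and last four in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token so later lookups never need the full PAN."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StorableCard:
    masked_pan: str
    token: str
    expiry: str      # MM/YY; not sensitive authentication data
    cardholder: str


def sensitive_fields_present(record: dict) -> set:
    """Forbidden fields a captured record contains (for the audit log)."""
    return {k for k in record if k.lower() in SENSITIVE_AUTH_FIELDS}


def prepare_for_storage(record: dict) -> StorableCard:
    """Reduce a captured card record to what may be written down.

    The returned object has no slot for the security code, so it cannot be
    persisted by accident; the caller logs sensitive_fields_present() and
    discards the original.
    """
    pan = normalize_pan(record["pan"])
    return StorableCard(
        masked_pan=mask_pan(pan),
        token=tokenize_pan(pan),
        expiry=record["expiry"],
        cardholder=record.get("cardholder", ""),
    )


if __name__ == "__main__":
    # Constructed sample: the kind of slip a clerk writes down when the
    # terminal is offline. The CVV is dropped, never stored.
    captured = {"pan": "4111 1111 1111 1111", "expiry": "12/27",
                "cardholder": "J. Doe", "cvv": "123"}
    print("dropped before storage:", sensitive_fields_present(captured))
    print(prepare_for_storage(captured))
```

The design point is that the storable type simply has no field for the security code: the policy "you don't write down the security code, ever" is enforced by the data structure, not by a reminder to staff. The Luhn check is there because a number copied by hand is the one most likely to contain a digit error, and catching it before the slip is filed saves a later declined batch.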