Credit card “security”

February 19th, 2010 by Chris in Uncategorized

I know I’m supposed to be writing up the OpenBTS thing (it’s coming) but this was a quick thought that I had to get out in the meantime.

I hear a lot of people talking about PCI, discussing whether or not it actually does anything for security, whether it was a move on the part of the card issuers to improve security or simply shift liability, about the strengths and weaknesses of the protections it provides. Almost invariably, these conversations completely miss the far larger issue in credit card security. PCI is nothing but a distraction, a shiny thing to wave in the faces of infosec’ers, execs, and politicians alike, trying to distract them from the bigger issue.

The bigger issue is this – credit cards are broken. The very concept of a “credit card” as it exists today is as fundamentally broken as anything in Infosec has ever been.

Let’s think like infosec professionals for a second here instead of like consumers. Your credit card is a token, one that is used to:
- Prove your identity to the merchant
- Confirm your intent to process a transaction
- Identify your source of funding

We have many protocols that can do all of this and more with a high level of security; it’s trivial to name half a dozen. None of them require you to give your full plaintext credentials to a third party – yet that’s exactly what happens every time you use your credit card. You have to give every merchant every bit of information required to process transactions against your account, or else they can’t process the transaction. Those credentials remain static for several years and, by design, are handed over their lifetime to several thousand anonymous strangers (known only by their participation in the system). Multi-year credentials for financial authorization that are, by design, shared with any participant in the system. Does this sound broken yet?

Seriously, why are we still using credit card numbers? Why don’t we have smartcards containing a megabyte of pre-programmed single-use card numbers (that’s a LOT of card numbers!) that we pull up once and throw away? Or some kind of signature algorithm, put a public key on the card and sign the transaction electronically? Or secure tunnels between the card and the processor backend (hell, even between the terminal and the backend)?
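As an added illustration of the single-use-number idea (example code, not from the post): a toy scheme in which the card derives each number from a per-card seed that only the issuer also holds, standing in for the pre-programmed list, so the record a merchant stores is worthless once it has been authorized. The Issuer, Card and demo names, the counter-based derivation and the 64-bit token format are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Added illustration, not from the post. Derivation from a per-card seed stands
# in for the post's pre-programmed list of numbers; names and formats are assumed.

def derive_token(seed, counter):
    """Single-use number for position `counter` in this card's sequence."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Holds the seeds: the only party able to mint or validate a number."""

    def __init__(self):
        self._cards = {}  # card_id -> {"seed": bytes, "used": set of counters}

    def enrol(self):
        card_id, seed = secrets.token_hex(4), secrets.token_bytes(32)
        self._cards[card_id] = {"seed": seed, "used": set()}
        return card_id, seed

    def authorize(self, card_id, counter, token):
        rec = self._cards.get(card_id)
        if rec is None or counter in rec["used"]:
            return False  # unknown card, or a number that was already spent
        if not hmac.compare_digest(derive_token(rec["seed"], counter), token):
            return False  # forged or garbled number
        rec["used"].add(counter)  # spend it; a stolen copy is now worthless
        return True

class Card:
    """The customer's token: emits a fresh number for each transaction."""

    def __init__(self, card_id, seed):
        self.card_id, self._seed, self._counter = card_id, seed, 0

    def next_number(self):
        self._counter += 1
        return self.card_id, self._counter, derive_token(self._seed, self._counter)

def demo():
    """One honest purchase, then what the merchant's stored copy is worth."""
    issuer = Issuer()
    card = Card(*issuer.enrol())
    presented = card.next_number()          # all the merchant ever receives
    first = issuer.authorize(*presented)
    replay = issuer.authorize(*presented)   # the same record, presented again
    forged = issuer.authorize(presented[0], presented[1] + 1, "0" * 16)
    return {"first_use": first, "replay": replay, "forged": forged}
```

Contrast this with a static card number: the merchant's copy of the PAN authorizes a second transaction just as well as the first, which is exactly the property the post objects to.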

Why is it so trivial to spoof our most commonplace payments system when there are such obvious examples of ways to fix it? Why, in short, do we still have credit card fraud?

PCI, no matter what its strengths and weaknesses are, is a band-aid on a festering gangrenous wound. It’s a shiny pink band-aid with a little bit of sparkle to distract us all, but it’s nothing compared to the fundamental brokenness of our credit card infrastructure. We need to stop blaming merchants and consumers for failing to protect a set of data with a process that is inevitably doomed to failure, and instead start blaming the credit card companies for failing to produce a payment vector that is compatible with the security requirements of the 21st century.

We stopped using plaintext protocols for sensitive information decades ago, for good reason. Think about that the next time you swipe your credit card.
