|
This can probably be answered by people in the industry like Tendai. Smart card readers are now at the 10 dollar price point. What do industry provided hardware do that these readers don't? If it's reading data off a chip, couldn't off the shelf hardware accomplish that task even if proprietary software did other pieces of the transaction process?
|
# ? Oct 2, 2018 18:29 |
|
|
# ? Apr 25, 2024 23:47 |
|
Encryption and verification. The card won't share its information with a terminal unless it is guaranteed that the terminal is secure and under the control of the card processor.
|
# ? Oct 2, 2018 22:42 |
|
spog posted:Encryption and verification. Would there not be a way to accomplish the same thing with software? Like the card won't share its details if it hasn't made a secure connection to the processor's servers or something? I don't know how any of this works.
|
# ? Oct 3, 2018 14:59 |
|
Hummer Driving human being posted:Would there not be a way to accomplish the same thing with software? Like the card won't share its details if it hasn't made a secure connection to the processor's servers or something? I assume the premise is, if you try to do it the way you suggest, someone could just tell the card "hi, I'm a secure connection, give me your details". By having a chip, you probably don't ever transmit the card details (if they've done it sensibly) - instead you tell the chip "please sign this transaction which is itself signed as valid by the central server" and the chip goes "yeah, that looks valid against the server public key that I know, now I too have signed it with my private key that was never revealed, here you go" and the terminal goes "hey server, here is the transaction signed by the chip on this card" and the server goes "yup that looks valid against the card's public key, we're good here."
|
# ? Oct 3, 2018 15:41 |
|
roomforthetuna posted:Not a card person but a software person. If you can manually type in credit card information (number, expiration, CV) online, then why couldn't you do the same thing with a card reader that doesn't belong to a processor?
|
# ? Oct 3, 2018 20:45 |
|
Hummer Driving human being posted:If you can manually type in credit card information (number, expiration, CV) online, then why couldn't you do the same thing with a card reader that doesn't belong to a processor?
|
# ? Oct 4, 2018 00:46 |
|
spog posted:Encryption and verification.
|
# ? Oct 4, 2018 03:47 |
|
PT6A posted:Beyond this, I'm pretty sure merchants are begging them not to make things more difficult. That "verified by VISA" password scheme was everywhere for while, and then it vanished, and I'm pretty sure it's because people would always forget passwords and get frustrated by the reset process, etc., causing a lot of abandoned checkouts. I'm guessing it's better to eat the cost of the occasional fraud than it is to piss customers off. Online merchants in Sweden, use MasterCard SecureCode and Verified by Visa. As implemented by banks here, they do not use a password but instead have either SMS verification codes that go to your phone, or use the locally issued electronic soft token "bank-ID". My point is, if your bank wants to improve security using 2-factor authentication, going the route of a chip reader would be a lot more expensive than either of these two options based on mobile phones. The down side is, anyone who isn't able to receive an SMS is also unable to shop online. Which I'm fine with if it stops scammers from buying poo poo with my money. Basically, receiving SMS is a lower bar to pass than getting on the Internet to do shopping. Another bank (Nordera) did try the card reader thing. They issue use the card reader and customers have to use chip&PIN to access the online bank as well as to do purchases. I think that's still in use but the other banks never picked it up (presumably because it's expensive and less user friendly). Hippie Hedgehog fucked around with this message at 14:07 on Oct 4, 2018 |
# ? Oct 4, 2018 14:04 |
|
Hippie Hedgehog posted:Online merchants in Sweden, use MasterCard SecureCode and Verified by Visa. As implemented by banks here, they do not use a password but instead have either SMS verification codes that go to your phone, or use the locally issued electronic soft token "bank-ID". Thanks for the info. I guess that makes sense because chip and PIN predated the explosive use of SMS by a little bit.
|
# ? Oct 4, 2018 16:44 |
|
Why can't we use an extra peripheral for making purchases says a guy who Cleary doesn't work IT support. People are God drat idiots when it comes to anything computer related. They will gently caress this up or download some malware / hack that will compromise it anyways.
|
# ? Oct 4, 2018 18:06 |
|
Klogdor posted:Here in Norway (so yes, way smaller, not comparable, etc..) we have this neat thing called BankID , it started out being just a universal one time code generator you could use for logging into any online bank, but now you can use it to confirm credit and debit card charges online, logging in to most government sites (taxes, health stuff etc) and they stopped requiring hardware a long time ago. Now I just get a passphrase on my phone, and confirm by entering my personal pin on there. Denmark has a similiar system (NEMID) although it's actually a card you get in the mail that has about 150 one time codes on it. It's used for all online banking and government services. A new one is sent automatically when a certain amount of those codes are used up. On the plus side, it's reasonably secure so long as you don't lose your wallet and a phone isn't required. However it isn't used by any private online merchants (to my knowledge) likely because it would use the codes up too quickly. I still like it, because we're basically using WW1 spy technology to log in. One-time pads are neat.
|
# ? Oct 5, 2018 10:03 |
|
Smartphones and a basic (slow but unlimited) data plan really need to be considered a human right at this point, and made available to people who can't afford them. To do otherwise will increasingly cut off a segment of the population from participation in society and modern life.
|
# ? Oct 7, 2018 14:37 |
|
SMS is loving terrible for security. Nothing should use SMS for authentication. Give people totp devices if you have to but don't use SMS.
mystes fucked around with this message at 01:49 on Oct 8, 2018 |
# ? Oct 8, 2018 01:47 |
|
mystes posted:SMS is loving terrible for security. Nothing should use SMS for authentication. Give people totp devices if you have to but don't use SMS. Smartphones can use TFA apps that aren't SMS based.
|
# ? Oct 8, 2018 03:23 |
|
I thought people were complaining about requiring smartphones being unfair to poor people and saying SMS was better.
|
# ? Oct 8, 2018 04:09 |
|
A totp device or app is fine for simple logins or card payment confirmation, but it is not sufficient for online banking to be secure. It does nothing to prevent someone from MITM-ing y session and altering your requests, to transfer your money to their own account. This con is easily set up using a fake bank login page and a phishing email. Each payment request needs to be signed by the customer so they can't be altered.
|
# ? Oct 8, 2018 07:36 |
|
Hippie Hedgehog posted:This con is easily set up using a fake bank login page and a phishing email. Having individual payment requests be signed would be pretty hard to implement practically (the whole flow for payment processing would have to change completely). mystes fucked around with this message at 14:19 on Oct 8, 2018 |
# ? Oct 8, 2018 14:17 |
|
SMS authentication for logging into bank accounts will be banned sometime in the next two years in the EU. Don't know if the same applies to card transaction confirmations, but if people have to use an app or device anyway, it makes sense to use those for confirmations as well. Plenty of banks already use those for 3dSecure transactions.
|
# ? Oct 9, 2018 15:51 |
|
mystes posted:
It's what every bank does in Sweden so it's probably not as difficult as you think. (I'm not intentionally bragging about how my country solved every imaginable online banking problem, it's just people keep saying those particular things we already did are hypotheticals.)
|
# ? Oct 9, 2018 18:52 |
|
Hippie Hedgehog posted:It's what every bank does in Sweden so it's probably not as difficult as you think. (I'm not intentionally bragging about how my country solved every imaginable online banking problem, it's just people keep saying those particular things we already did are hypotheticals.)
|
# ? Oct 9, 2018 18:57 |
|
mystes posted:Can you link to information about how it works? I tried to search but since I don't know what it's called I'm having trouble finding it. Dunno how this page does in Google Translate but knock yourself out. https://hjalp.swedbank.se/sidhjalp-internetbanken-privat/sakerhetsdosa/svarta-ovala-dosan/index.htm
|
# ? Oct 9, 2018 19:18 |
|
That seems pretty well thought out. The U.S. couldn't even be bothered to require use of pins for in-person payments .
|
# ? Oct 9, 2018 19:27 |
|
Oh, I found it, it's the type called Challenge-response token here. https://en.m.wikipedia.org/wiki/Security_token When authorizing a payment or transfer, the challenge from the server is the amount transferred. First time to a new recipient, the challenge is the account number. It's not watertight but it's not trivially broken with a MITM like one-time passwords off a scratch card are. Hippie Hedgehog fucked around with this message at 19:47 on Oct 9, 2018 |
# ? Oct 9, 2018 19:41 |
|
PT6A posted:That "verified by VISA" password scheme was everywhere for while, and then it vanished. It's still there, but it can now let through anything it classifies as low-risk without needing to ask for the password.
|
# ? Dec 20, 2018 08:09 |
|
Hey, I actually know something about this. I do security consulting for places like [3 letter government agency] and [huge global bank]. Also places I'm not allowed to talk about, but those are less about taking your money and more about finding new and exciting ways to murder you. Aaanyways, the short answer for why we don't use chip and pin online is . Pop quiz: How much should a company spend on security? Think about it for a minute. *Jeopardy theme plays* Bzzzt - time's up. If you said anything except "less than it costs to do nothing," you're wrong. I'm not exaggerating - the first thing I do with a customer is I sit down and ask them "If your the entire extent of your security was a sign that says 'Plz don't hax us!!!', how much would it cost you in damages/fines/market share/whatever?" Their answer is an absolute upper bound on what I can justify them spending on security. "But wait!" I hear you say "There is no such thing as too much security!" No. Wrong. Bad dog. *Bops you on nose* Do you have an armed guard standing outside your door at home? No? Why not? Because it's too expensive, right? Well this is the same thing. "But wait!" Oh no, here we go again "I hear about companies getting hacked and losing $Texas worth of customer data all the time! Shouldn't they be spending at least like $Arkansas or something?" No, because a company doesn't actually lose all that money - their customers do (In theory - in practice, you're not gonna go on the dark web and sell your SSN and DoB for $15. But you could, I guess, if you really wanted). The company is interested in the amount THEY lose - through fines or lost revenue or paying for a year of that worthless credit monitoring junk. "Okay, so how much SHOULD they spend?" I hear you ask. Well, there's a pretty simple (again, in theory) equation for figuring that out: First you figure out everything that could possibly pose a risk. Yes, EVERYTHING. Even that one thing everyone has been ignoring and playing hot-potato with. You know the thing I'm talking about. Once you have that list, you assign each of the risks two numbers - how much it would cost If said risk turned into a reality (This is referred to as a single loss expectancy, or SLE) and how often, in years, the loss is expected to actually happen (This is ARO - Annual Rate of Occurance). You multiply the two together and you get ALE - Annualized Loss Expectancy, i.e: how much this poo poo costs us every year. Quick example: if a fire in your building will cost $1,000,000 in losses, and you expect to have a fire every 10 years, your ALE is $1,000,000 x 0.1, or $100,000. Easy, right? "So we should spend $100,000 per year on preventing fires?" No, dummy. Haven't you been paying attention? The goal is to MINIMIZE the cost. If you spend your entire ALE, you may as well have done nothing. In reality, there are a few techniques we can use to tackle this from here. All of them have their pros and cons, and some of them might not be applicable. In general, these are risk mitigation, risk transference, risk avoidance, risk acceptance and risk denial. Risk mitigation is doing something to reduce either the rate of occurrence or the expected loss. In the fire example, that could be installing sprinklers and fire suppression systems, running fire drills, banning smoking next to the collection of dried hay bales in your break room, etc. You can't mitigate all the risk - if your fancy fire suppression system cuts the ALE in half but costs $60k/year, it ain't worth it. Mitigating risk can sometimes cause risk somewhere else, too - installing asbestos carpeting might be super cheap and cut down on fires quite a bit, but the mesothelioma lawsuits are gonna bite you in the rear end in 40 years. Unless you are an LLC in the US, in which case take that poo poo to the bank cause you'll be long gone before the bodies start pilling up. Risk transference is exactly what it sounds like - making someone else own the risk. This normally means buying insurance. You will not "win" at this. Your insurance company is in the business of evaluating risk. They are better at it than you are. If they weren't, they wouldn't be in business any more. They WILL charge you more than your ALE because that is literally how they make money. If you're a small company, it's probably worth it because you can eat a $10,000 bill each month better than you can eat a $1,000,000 bill every 10 years, even if that costs you an extra $200,000 in the long run. If you're Goldman Sachs, you'll just underwrite yourself, which brings me to... Risk acceptance. Maybe the risk isn't that bad. Maybe you can eat that 7 figure bill every once in a while. Maybe it costs more to do something than it does to do nothing. That's totally fine, AS LONG AS YOU DOCUMENT IT AND HAVE A PLAN FOR WHAT TO DO WHEN IT ACTUALLY HAPPENS YOU WOULDN'T BELIEVE HOW MANY COMPANIES DON'T DO THIS AAAAAAAAHHHHHHJJDTKSFKHFGHB!!!!!!1 What if... What if we just didn't have any buildings? That way, there's nothing to burn down . This is a real thing, and it's called risk avoidance. I mean, not the having no buildings thing. That's stupid. But the time that college's Police department insisted they wanted to leave their cruisers running while they weren't in them so they didn't have to wait for the AC to cool off the car? Yeah, we avoided that risk by telling them to go pound sand. Sometimes the best way to make something safe is to not do it in the first place. Like that goon with the 60mph zipline. The last one is, I swear to God, every customer's favorite - risk denial. What is risk denial? Putting your fingers in your goddamned ears and screaming LA-LA-LA I CAN'T HEAR YOU THERE IS NO RISK HERE, NO-SIREE. Don't do this. Everyone does this So, to answer your question: Why don't online merchants use chip and pin? Because the amount of risk that would be mitigated by doing so is less than the combined costs and risks of doing it. I have hard numbers for this (because I've done this exercise), but even if I didn't, someone out there certainly has and you know that was their conclusion because nobody is doing it. Fin. KillHour fucked around with this message at 07:45 on Jan 3, 2019 |
# ? Jan 3, 2019 07:41 |
|
I'm not sure that exactly logic applies here because in the case of credit cards there would be virtually no cost to the companies that decide how credit cards work (the networks and issuing banks) to add some sort of additional security for internet transactions, and it's definitely in their interests to eliminate fraudulent transactions. Rather, they are worried about pissing off merchants and consumers. Also I think this is a situation where it would be much simpler if we didn't already have existing infrastructure to worry about; I'm pretty sure all parties would be able to agree that some sort of 2FA system would be worth the cost if we were starting from scratch.
|
# ? Jan 3, 2019 16:21 |
|
PT6A posted:May I also suggest that the US, one of the few countries to still use exclusively Imperial measurements, is historically speaking unwilling to embrace new ideas and standards regardless of their advantages? Mass adoption of credit cards in the US took place in the 1970s, and as a result much of the infrastructure and integration was with 1970s technology. In most of Europe, due to being, historically speaking, unwilling to embrace new ideas and standards regardless of their advantages, did not see mass adoption of credit cards until the 1990s. As a result, they were able to take advantage of newer technologies while also taking into account the lessons learned from the US rollout.
|
# ? Jan 18, 2020 02:25 |
|
KillHour posted:A lot of words that boil down to Learn To Properly Assess and Communicate Risk and Costs you can learn to do this on a local (your job, your company) level with a few simple excel spreadsheets. i highly recommend this course as an intro to This that can be taken entirely online: https://www.extension.harvard.edu/course-catalog/courses/how-to-assess-and-communicate-risk-in-information-security/24587 i will say that most folks/orgs are terrible however at assessing the true cost of an incident and tend to say "$500k in fines, wrap it up" when it fails to encompass the lost productivity, replacement equipment, loss of trust, the amount of resources your internal teams spend putting out the fire instead of something else, cost of being forced to comply on a short timetable by regulators, etc. bus hustler fucked around with this message at 16:17 on Jan 18, 2020 |
# ? Jan 18, 2020 16:15 |
|
mystes posted:I'm not sure that exactly logic applies here because in the case of credit cards there would be virtually no cost to the companies that decide how credit cards work (the networks and issuing banks) to add some sort of additional security for internet transactions, and it's definitely in their interests to eliminate fraudulent transactions. Rather, they are worried about pissing off merchants and consumers. Also - it's in their interest to eliminate fraud, but it's also probably not costing them as much as you think. They get the merchants to eat a significant portion of that, and the tradeoff of making it absudly easy to buy stuff online is probably working out fine for them.
|
# ? Feb 4, 2020 06:46 |
|
The newish US "security" measures of asking for the zip code of the card holder just makes things a giant pain in the rear end for foreign visitors. poo poo gets rejected all the time when I want to buy gifts for my family and I can't use my credit card at the pump to pay for gas because my zip code only has 4 digits now.
|
# ? Feb 4, 2020 11:06 |
|
|
# ? Apr 25, 2024 23:47 |
|
greazeball posted:The newish US "security" measures of asking for the zip code of the card holder just makes things a giant pain in the rear end for foreign visitors. poo poo gets rejected all the time when I want to buy gifts for my family and I can't use my credit card at the pump to pay for gas because my zip code only has 4 digits now. I know it works with Canadian postal codes (which go letter-number-letter number-letter-number) if you just put in the three numbers from your postal code followed by 00. Perhaps there's a similar conversion that credit card issuers in your country do (I'd try adding a zero, if your postal codes are 4 digits).
|
# ? Feb 9, 2020 04:04 |