remote payment security
Comments(2)Credit cards. Epitome of security by obscurity? It isn’t even much obscurity. Whoever gets a hold of a card or makes a mental image of it can pretty much do anything until the account is suspended. I guess banks run fraud-detection algorithms, but still they, and therefore we, absorb the cost of fraud. Fighting fraud: it’s what Paypal says it spends its R&D dollars on.
Credit card number, name, billing address, expiration date are informational, so I don’t know how they have come to be used as “secrets” for a secure transaction. Seems like a terrible idea. Then there is the 3-digit CVV code. Would somebody mind explaining its utility to me? How does 3 more digits prevent fraud? (They are on the card just like the front-side numbers and they also must be disclosed during a transaction.)
There exists technology, but little infrastructure, for authenticating and trusting the remote host (or person — phone orders are even worse). For online transactions, banks have come up with at least two augmentations to the standard procedure to try to plug the hole. One involves password verification directly with the bank’s web site. Another is to issue single-use credit card numbers. Four soundbites ensue: Inelegant! Ad hoc! Not standardized! Unsatisfactory!
But this is moving in the right direction.
Many are grossly concerned with computer security and wireless channel security. Some are paranoid to the degree that nothing short of provably secure is acceptable for transmitting a few worthless bits that in reality nobody cares about. But we seem to settle for the foundational insecurity that underlies any kind of current remote payment using credit cards. Apparently managed insecurity is accepted, even if it deals with money, about which people should actually care. That’s a strange social phenomenon.
Since this post, I’ve been in a discussion about this and there are some important additional remarks:
1. While I said that most PGP users are indeed paranoid about protecting useless bits, some institutions like businesses do have important information that they would never want revealed.
2. A good rebuttal was brought up that information, once revealed, is irrevocable, whereas a stolen credit card can be revoked and the damage limited. Well, this isn’t exactly a rebuttal. The compromised key that reveals information can be revoked, too. But it’s true that massive information compromise can happen more quickly and on a more public scale than money fraud involving credit cards. The latter (usually) involves exactly one victim and one beneficiary. Therefore it makes sense that more effort is put into securing valuable information than securing a credit card.
You have very good points about data security and specifically personal data, not limited to credit cards. Credit card security and payment security in general can be mitigated, at best, by adhering to PCI DSS requirements and PABP compliance mandates by merchants, acquirers and software companies.
Personal data on a large scale (think OpenID with all logins for all sites) being breached leaves one target. You can supplement that with tokenization, you touched on this briefly in your original post, where the data breach of tokenization (where the tokens would be rendered useless) limits the damage.
I look forward to your further thoughts on this topic in the future.