Rich Freeman on 7 Mar 2018 11:45:36 -0800
Re: [PLUG] POS Malware Found at 160 Applebee's Restaurant Locations
On Wed, Mar 7, 2018 at 2:15 PM, Walt Mankowski <waltman@pobox.com> wrote:
> On Wed, Mar 07, 2018 at 12:46:26PM -0500, Rich Freeman wrote:
>> Even with chip+PIN you're really only able to validate that a card+owner was
>> present, not that they signed the specific transaction being presented
>> to the bank.
>
> Congratulations! You've reinvented how chip cards work! With all due
> respect to ESR's technical chops, this is a solved problem.

Read what I said again. I have no assurance that when I use chip+PIN the transaction I'm authorizing is the one I think I'm authorizing. The terminal could display "your total is $100", I could enter my PIN, and then the terminal could send to my card a transaction for $10k with the PIN, get the validation code, and send that to the bank.

Also, current chip+PIN doesn't provide a solution for online or phone transactions. Ideally a better solution would address this as well. It would also eliminate the need for PCI compliance, because the terminal wouldn't need to be secure. Why we're keying PINs into untrusted terminals in the first place seems like an anachronism.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
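The scenario Rich describes, as an added toy model that is not code from the thread and not a real EMV implementation: the card checks a PIN and MACs whatever amount the terminal hands it, so the issuer's check passes even when the displayed and submitted amounts differ; a second flow has the cardholder's own trusted device sign the amount it rendered, which is the property Rich is asking for. The key, PIN, nonce and merchant name are constructed placeholders.

```python
import hmac
import hashlib

# Constructed toy secrets; a real card key is provisioned by the issuer.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
CARD_PIN = "1234"
NONCE = bytes.fromhex("0102030405060708")  # fixed so the example is deterministic

def _mac(amount_cents, merchant, nonce):
    """MAC over the transaction fields the issuer will verify."""
    msg = f"{amount_cents}|{merchant}|{nonce.hex()}".encode()
    return hmac.new(CARD_KEY, msg, hashlib.sha256).digest()

def card_cryptogram(pin, amount_cents, merchant, nonce):
    """The card: verifies the PIN, then MACs whatever the terminal passes in.
    It has no display, so it cannot know what the cardholder was shown."""
    if not hmac.compare_digest(pin.encode(), CARD_PIN.encode()):
        return None
    return _mac(amount_cents, merchant, nonce)

def bank_accepts(amount_cents, merchant, nonce, tag):
    """The issuer: accepts when the tag matches the amount the terminal submitted."""
    if tag is None:
        return False
    return hmac.compare_digest(_mac(amount_cents, merchant, nonce), tag)

def card_flow(shown_cents, submitted_cents, merchant, pin):
    """Chip+PIN as modelled in the thread: the terminal displays shown_cents but
    hands submitted_cents to the card. The issuer sees a valid tag over
    submitted_cents and has nothing that ties it to what the holder saw."""
    tag = card_cryptogram(pin, submitted_cents, merchant, NONCE)
    return bank_accepts(submitted_cents, merchant, NONCE, tag)

def holder_device_flow(shown_cents, submitted_cents, merchant):
    """What-you-see-is-what-you-sign: the cardholder's own trusted device renders
    the amount and signs exactly what it rendered. The terminal only relays the
    tag alongside its claimed amount, so any mismatch fails verification."""
    tag = _mac(shown_cents, merchant, NONCE)
    return bank_accepts(submitted_cents, merchant, NONCE, tag)
```

The first flow returns True for a $100 display paired with a $10k submission, which is exactly the gap the message describes; the second returns False for the same inputs and True only when the two amounts agree.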