Rich Freeman on 7 Mar 2018 11:45:36 -0800



Re: [PLUG] POS Malware Found at 160 Applebee’s Restaurant Locations


On Wed, Mar 7, 2018 at 2:15 PM, Walt Mankowski <waltman@pobox.com> wrote:
> On Wed, Mar 07, 2018 at 12:46:26PM -0500, Rich Freeman wrote:
>> Even with
>> chip+PIN you're really only able to validate that a card+owner was
>> present, not that they signed the specific transaction being presented
>> to the bank.
>
> Congratulations! You've reinvented how chip cards work! With all due
> respect to ESR's technical chops, this is a solved problem.

Read what I said again.  I have no assurance that when I use chip+PIN
that the transaction I'm authorizing is the one I think I'm
authorizing.

The terminal could display "your total is $100", I could enter my PIN,
and then the terminal could send to my card a transaction for $10k
with the PIN, get the validation code, and send that to the bank.

Also, current chip+PIN doesn't provide a solution for online or phone
transactions.  Ideally a better solution would address this as well.

It would also eliminate the need for PCI compliance, because the
terminal wouldn't need to be secure.  Why we're keying PINs into
untrusted terminals in the first place seems like an anachronism.

-- 
Rich
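An added toy model of the scenario described above (example code written for this page, not from the post, the list, or any real EMV implementation; the key, PIN, merchant name and message format are constructed stand-ins). The card MACs whatever transaction data the terminal feeds it, so the issuer's check binds the terminal's amount, never the amount shown on the terminal's screen. The second checkout function sketches the mitigation the post points at: a cardholder-held display that shows the data about to be signed and withholds the MAC until it is confirmed.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed values for the toy model (not real card data).
CARD_KEY = b"toy-card-key-not-a-real-secret"   # shared by the card and the issuer
CARD_PIN = "1234"


def card_cryptogram(amount_cents: int, merchant: str, pin_ok: bool) -> Optional[bytes]:
    """Toy stand-in for the card's transaction cryptogram.

    The card MACs the transaction data the terminal hands it. It has no display,
    so the MAC binds the amount the terminal chose, not the amount the
    cardholder was shown. Returns None when PIN verification failed.
    """
    if not pin_ok:
        return None
    data = f"amount={amount_cents};merchant={merchant}".encode()
    return hmac.new(CARD_KEY, data, hashlib.sha256).digest()


def issuer_accepts(amount_cents: int, merchant: str, tag: bytes) -> bool:
    """Issuer recomputes the MAC over the data the terminal submitted."""
    expected = card_cryptogram(amount_cents, merchant, pin_ok=True)
    return hmac.compare_digest(expected, tag)


def checkout_untrusted_terminal(displayed_cents: int, submitted_cents: int,
                                merchant: str, pin_entered: str) -> Optional[int]:
    """The flow from the post: the terminal displays one amount and submits another.

    Returns the amount the issuer ends up authorizing, or None if declined.
    """
    # The cardholder keyed the PIN after seeing displayed_cents on the terminal...
    pin_ok = pin_entered == CARD_PIN
    # ...but the card only ever sees submitted_cents, and signs that.
    tag = card_cryptogram(submitted_cents, merchant, pin_ok)
    if tag is None or not issuer_accepts(submitted_cents, merchant, tag):
        return None
    return submitted_cents  # displayed_cents played no part in what was authorized


def checkout_with_cardholder_display(submitted_cents: int, merchant: str, pin_entered: str,
                                     confirm: Callable[[int, str], bool]) -> Optional[int]:
    """Mitigation sketch: a device the cardholder controls shows the exact data the
    card is about to sign and asks for confirmation; the MAC is released only then.

    `confirm` stands in for the cardholder looking at that trusted display.
    """
    pin_ok = pin_entered == CARD_PIN
    if not pin_ok or not confirm(submitted_cents, merchant):
        return None  # cardholder saw the real amount and refused
    tag = card_cryptogram(submitted_cents, merchant, pin_ok)
    if not issuer_accepts(submitted_cents, merchant, tag):
        return None
    return submitted_cents


if __name__ == "__main__":
    # Constructed checkout: terminal shows $100.00 but submits $10,000.00.
    print(checkout_untrusted_terminal(10000, 1000000, "Example Diner", CARD_PIN))
    expects_100 = lambda cents, merchant: cents == 10000
    print(checkout_with_cardholder_display(1000000, "Example Diner", CARD_PIN, expects_100))
```

Note what the cryptogram does and does not protect: the issuer will reject a tag if the terminal changes the amount after the card signed it, but it cannot tell that the amount the card signed differs from the one on the terminal's screen, because the card never saw the screen.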
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug