Walt Mankowski on 7 Mar 2018 12:17:28 -0800


Re: [PLUG] POS Malware Found at 160 Applebee’s Restaurant Locations


On Wed, Mar 07, 2018 at 02:45:29PM -0500, Rich Freeman wrote:
> On Wed, Mar 7, 2018 at 2:15 PM, Walt Mankowski <waltman@pobox.com> wrote:
> > On Wed, Mar 07, 2018 at 12:46:26PM -0500, Rich Freeman wrote:
> >> Even with
> >> chip+PIN you're really only able to validate that a card+owner was
> >> present, not that they signed the specific transaction being presented
> >> to the bank.
> >
> > Congratulations! You've reinvented how chip cards work! With all due
> > respect to ESR's technical chops, this is a solved problem.
> 
> Read what I said again.  I have no assurance that when I use chip+PIN
> that the transaction I'm authorizing is the one I think I'm
> authorizing.
> 
> The terminal could display "your total is $100", I could enter my PIN,
> and then the terminal could send to my card a transaction for $10k
> with the PIN, get the validation code, and send that to the bank.

I'm confused about whether this is a real problem or one you've
invented. Presumably you're still getting a paper receipt and can use
that to contest the charge in case it's different on your statement.

> Also, current chip+PIN doesn't provide a solution for online or phone
> transactions.  Ideally a better solution would address this as well.

Apple Pay supports online payments. Again, I don't know how Android
Pay works.

> It would also eliminate the need for PCI compliance, because the
> terminal wouldn't need to be secure.  Why we're keying PINs into
> untrusted terminals in the first place seems like an anachronism.

The Wells Fargo app for my phone has a relatively new feature where it
gives you a one-time code you enter into the ATM instead of entering
your card. You still have to enter your PIN, but it's not tied to your
account number.

Walt

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug