It has recently been revealed that malware, placed inside the P.O.S. system at Targets all over the U.S., collected well over 40 million individual creditcard details during the last two months of 2013.
This breach got me thinking about creditcards and whether they’re a secure enough form of currency transfer. To sum up the answer: no, not even close.
In computer security one of the attacks you must guard against is the Replay Attack. To summarize, if a “bad guy” can intercept a request to your server and then “replay it” themselves (this impersonating another user), they can begin to do all sorts of bad things. The wikipedia article provides a simple but compelling example:
Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides; meanwhile, Mallory is eavesdropping on the conversation and keeps the password. After the interchange is over, Mallory (posing as Alice) connects to Bob; when asked for a proof of identity, Mallory sends Alice’s password, which Bob accepts.
Now exchange “password” with “creditcard details” and you begin to realize that this form of payment is extremely insecure. If the bad guy, Mallory, can watch you enter your creditcard details into your Amazon account, what is to stop him from taking those and entering them anywhere else? Honestly, not much.
These are awful.
The fact is, there is very little out there that prevents your cards from being used by anyone for nearly anything once the details have been stolen. This, more than anything else, is why creditcard companies don’t hold you accountable for charges you didn’t make – because they know that their payment system is unerringly weak.
What I would really like to see, however, is Public Key Infrastructure put into place for payment systems.
I’m not going to get into a lot of depth about what PKI is except to highlight the parts relevant for what I’m thinking. With PKI you create a Public Key and a Private Key. You hold on to the private key and never give it out. You spread the public key to your creditcard company and to their merchant account payment processing partners. Through some mathematical magic, you can combine your private key with, say, a purchase request and the public key can then validate that your private key was used to sign the purchase. However, no one can use the public key to do the same. (A document signed with a public key will not validate with the same public key.) Additionally, if any of the details for the purchase request are changed, or the signature is tampered with, it’s readily identifiable.
With a system like this, replay attacks are impossible because you can’t “replay” the same data again. For starters, the thief would be making the same purchase (not very useful) and secondarily, the unique signature could be logged by the merchant as “already paid” and rejected immediately (further, flagged as potential fraud).
The dilemma with a system like this is that it’s fairly complex. Complexity, especially with PKI, can be tricky to get right.
That doesn’t mean we shouldn’t pursue it though. A smartcard which could check your fingerprint, accept a pin code, or monitor some other biometric to authorize it to sign a purchase would be fairly convenient, but avoid the problem of creditcard details leaking all over the place. It would be immensely comforting to know that no matter how sketchy that website is, I can guarantee that the purchase I made isn’t going to lead to different charges being racked up on my account.
There is work being done in this area, but I have yet to see any major vendors really take up the call to arms – and who can blame them? Creditcards “work” for all their flaws and retooling an entire business chain and norms is no small feat. Consider, of course, that creditcards have really only been around for 60 years or so, it’s not hard to imagine that in 60 years from now they’ll look radically different. And, perhaps, a bit more secure.
May 5th, 2014: Target announced they are outfitting themselves with chip-and-pin (a form of PKI-like protection).