Friday, December 18, 2009

Credit card security suggestions

As I've mentioned, my credit card details were stolen and used in some online transactions. This led to a discussion about credit card security and what can be done to beef it up.

First up, what security is in place already? Well, for Cardholder Present transactions you need a card and a PIN; currently these can be obtained using card readers fitted over or instead of the legitimate ones. This is risky for the thief, as someone has to physically place the reader and possibly remove it, a forgery of the card has to be made, and it has to be used in store to gain anything.

Far better is to go the online shopping route; for that you need three items: the address, the card number and the security number. The latter two simply need access to the card at some point (or the cracking of a shop's database); the former can be looked up.

This is the weakest point of the security system: all the information is technically in the open, so you'd expect extra measures to be implemented - hah! If the invoice address matches the address for the card and the card number and security code are correct, the majority of stores will allow you to deliver goods anywhere.

The simplest solution would be to prevent goods being dispatched to anywhere other than the invoice address, so why not do this? Well, with the vagaries of most delivery companies being "between 8am and 6pm", chances are you won't be around to accept goods at the invoice address. So instead, why can't the credit card companies accept an additional "delivery address"? For those banking online this is easily completed; for those banking offline, have a form to be filled out if the details change.

An online store accepts the credit card information, checks the invoice address matches the cardholder's and if the delivery address is different checks that this is a valid delivery address.

Sure, it stops you ordering goods and having them dispatched to friends, and it fouls up Amazon's Gift system, but these systems only arose because there were no checks in place on delivery addresses.

In fact, in this day and age there's no reason not to have multiple delivery addresses; moreover, for the Gift system, have the store send the request to the credit card company. When you log in to your credit card account you'll see a notice stating something along the lines of "Amazon is requesting a payment of [£X] to deliver a [goods] to [address]. Confirm or Deny?".

Anyone trying to do online forgery now needs the same three details, plus your online account details. Much more secure.
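As an added illustration (not part of the original post), here is a toy model of the flow proposed above: the checks stores already do, the new registered-delivery-address check, and the "Confirm or Deny?" notice that an unknown address triggers. The `Bank` and `Card` classes, the sample card number and the addresses are all constructed for this example.

```python
from dataclasses import dataclass, field
import itertools

def norm(addr: str) -> str:
    # Normalise so spacing, case and commas don't defeat the match.
    return " ".join(addr.lower().replace(",", " ").split())

@dataclass
class Card:
    number: str
    security_code: str
    invoice_address: str
    delivery_addresses: set = field(default_factory=set)  # registered with the bank

class Bank:
    """Issuer side: registered addresses plus the pending 'Confirm or Deny?' queue."""
    def __init__(self, cards):
        self.cards = {c.number: c for c in cards}
        self.pending = {}  # request id -> (card number, notice text)
        self._ids = itertools.count(1)

    def authorise(self, number, code, invoice, delivery, amount, goods, store):
        card = self.cards.get(number)
        # The checks stores already do: card number, security code, invoice address.
        if (card is None or card.security_code != code
                or norm(card.invoice_address) != norm(invoice)):
            return "DECLINED", None
        # New check: deliver only to the invoice address or a registered one.
        known = {norm(a) for a in card.delivery_addresses} | {norm(card.invoice_address)}
        if norm(delivery) in known:
            return "APPROVED", None
        # Unknown address: park it for the cardholder to settle when they log in.
        rid = next(self._ids)
        self.pending[rid] = (number, f"{store} is requesting a payment of £{amount} "
                                     f"to deliver {goods} to {delivery}. Confirm or Deny?")
        return "PENDING", rid

    def notices(self, number):
        # What the cardholder sees after logging in.
        return {rid: msg for rid, (owner, msg) in self.pending.items() if owner == number}

    def decide(self, number, rid, accept):
        # Only the cardholder who owns the request may settle it, and only once.
        if self.pending.get(rid, (None,))[0] != number:
            return "DECLINED"
        del self.pending[rid]
        return "APPROVED" if accept else "DECLINED"

# Constructed sample card (not a real card number or address).
SAMPLE_CARD = Card("4000000000000002", "123", "1 Example Street, Sometown", {"Unit 5, Workplace Estate"})
```

A store would call `authorise` with the details from the checkout form; a "PENDING" result means the cardholder has to log in and settle the notice before anything ships.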

[I've just sent a condensed version through to Egg, let's see what they come back with]
[Thank you very much, it's been passed to the relevant department. Not quite boilerplate as they referred to the registered delivery address, so I have some hope that it's been read by an actual human :-)]


Orphi said...

OK, how it originally worked:

To buy stuff, you swipe your card and sign the bit of paper they give you.

That means that to buy stuff, you need to physically steal the card and be able to forge the signature [which is helpfully printed on the back]. In honest truth, if you just act confident about signing, it's unlikely the minimum-wage 12-year-old boy behind the till will even bother to check.

Alternatively, you copy the data from the magnetic strip and make a new card. Much more difficult to do, but not impossible if you can get the right equipment. And has the advantage that the card holder doesn't know their card is “stolen”. (And no signature to forge!)

Then they did the whole Chip & PIN thing. It's supposed to have several benefits:

First, the data isn't on a magnetic strip any more, it's stored inside a small computer inside the card, and it's impossible to read the data out of the computer. [Short of disassembling the card, which is designed to destroy itself if you try, 007-style.]

So if you can't read the data… how do you use it? Well, the card reader submits some transaction data to the chip, it does some mathematical calculations involving the secret data, and sends back the result only. [And it's ludicrously hard to figure out what the secret data is just from the result of the calculation.]

…all of which is utterly moot, because every Chip & PIN card I've ever seen also has a magnetic strip anyway. :-P

Also, the chip won't do the calculations until you type in the right PIN. [And no, the card reader can't just try all 10,000 combinations. The chip self-destructs after X number of consecutive wrong guesses. Like 100 or so.] So it's impossible to use the card without knowing the PIN.

…which is also moot. In fact, everything I've just talked about is completely moot, since today we have The Internet. To buy things using The Internet, you only need to write down a couple of numbers plainly visible on the surface of the card, and know the cardholder's address.

How difficult might it be for the guy at the checkout to do that? Especially if you're there to arrange to get stuff delivered? (Many shops seem to want your address “for the warranty” too, for that matter…)

In short, new technologies have been added to increase security, but the old ones still persist, and a system is only as secure as the weakest link.

Now, I can see several possible solutions to the current state of affairs — none of which have anything to do with delivery addresses.

1. Have the bank email you every time you make an online transaction and get you to connect to their website to authorise or reject it. Now if somebody steals your card or writes down its number, they also have to hack into your email account. (Does require that you tell the bank your email address before you can actually make any online or CNP transactions. Also great potential for phishing or pharming...)

2. Put card readers on people's computers. Seriously, that's how shops authorise transactions, right? Make it financially viable for end customers to purchase chip & PIN readers, and then reject any transaction that doesn't use this authentication. (Does mean that if you go to a computer with no card reader, you can't make a transaction.)

Of course, none of these methods are going to work as long as less-secure methods of authentication continue to be accepted.

Ultimately, though, I suggest that the banks won't do anything as long as the cost of fraud and fraud prevention is lower than their profit margin…

FlipC said...

It's a good point that the security systems in place for when you're physically present with a physical card are stronger than those when you're not present.

As for emailing someone such information, email isn't exactly secure and such requests would become yet another phishing vector.

As for card readers such things already exist and are used in online banking security systems. You insert your card, tap in the PIN and it returns a pseudo-random number that you use to confirm your identity.

In principle stores could ask for these confirmation numbers and check with the bank that they are legitimate. It means that each transaction is different and that a thief requires access to two pieces of hardware.

Likewise in theory these devices could be used physically in-store too. You go to pay at a card reader, put your card in your own reader, tap in the PIN, and get an authorisation code. Insert your card into the store terminal and tap in that new code. Even if the card gets cloned the thief doesn't know your PIN and the code gained is a one-off thus useless.

Hmm still it would cost money to implement and be yet another piece of hardware the customer has to keep track of and carry around with them. Hopefully the credit card/debit card companies would play nice and allow you to use any such device rather than one tied to a particular card.

Dan H said...

The only thing that would make it more secure is if the people who run the system (i.e. the banks) are the ones who lose out if it goes wrong. At the moment, it's the merchant who loses his money if there's a fraudulent transaction, so the banks have no incentive to spend money making that less likely.

To debunk some myths about Chip 'n' PIN being at all secure, you might like to read this recent demonstration from the Computer Lab Security Group about breaking it. These people have been breaking these systems for years.

FlipC said...

Indeed it's hardly secure and on the same topic I note that the ID cards have also been cracked.

As for who loses the money yes it's on the merchant, which in theory, for online transactions at least, should make them refuse delivery to any but the cardholder's address. Except being able to deliver beyond that is almost a necessity.

On the other hand the banks are in competition with one another and so if one started offering an address verification system or transaction hold then it should attract more clients both customer and store to help prevent their own losses.

Still that would take one bank to break ranks and that ain't going to happen.

Orphi said...

Yeah, fundamentally the banks don't have a lot of incentive to invest money in fixing the problem.

I rather suspect that if one lone bank went and tried to make the system more secure, customers would ignore the extra security and see only the extra price tag. Financial suicide.