bloomberg on supermicro: sky is falling

Alain Hebert ahebert at
Wed Oct 10 15:27:52 UTC 2018


     Once you get the Expiry Date (which is the most prevalent data that 
is not encoded with the CHD)

     CVV is only 3 digits, we saw ppl using parallelizing tactics to 
find the correct sequence using acquirers around the world.

     With the delays in the reporting pipeline, they have the time to 
completely abuse that CHD/Date/CVV before getting caught.

For chipless markets ( You know who you are )

     I'm way more worried about Pinpads carrying Track1+Track2 
unencrypted thru Serial, USB, Bluetooth, Wireless custom connection...

     ( I snooped Serial, USB, Bluetooth for a Pinpad PA-DSS project )

     And with the PA-DSS spec being dropped by 2020 it will become worst.

Alain Hebert                                ahebert at
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911    Fax: 514-990-9443

On 10/10/18 10:32, Brian Kantor wrote:
> On Wed, Oct 10, 2018 at 02:21:40PM +0000, Naslund, Steve wrote:
>> For example, with tokenization there is no reason at all for any
>> retailer to be storing your credit card data (card number, CVV, exp
>> date) at all (let alone unencrypted) but it keeps happening over
>> and over.
> It's been a while since I've had to professionally worry about this,
> but as I recall, compliance with PCI [Payment Card Industry] Data
> Security Standards prohibit EVER storing the CVV.  Companies which
> do may find themselves banned from being able to process card
> payments if they're found out (which is unlikely).
> 	- Brian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list