bloomberg on supermicro: sky is falling
SNaslund at medline.com
Wed Oct 10 15:55:27 UTC 2018
The entire point of the CVV has become useless. Recently my wife was talking to an airline ticket agent on the phone (American Airlines), and one of the things they ask for on the phone is the CVV. If you are going to read that all out over the phone with all the other data, you are completely vulnerable to fraud. It would be trivial to implement a system where you make a charge over the phone like that and get a text asking you to authorize it instead of asking for a CVV.
After all this time it is stupid to have the same data being used over and over. We have had SecurID and other token/PIN systems in the IT world forever. I have a token on my iPhone right now that I use for certain logins to systems. The hardware tokens cost very little (especially compared to the credit card companies' revenue). The soft tokens are virtually free. A token should be useful for one and only one transaction. You would be vulnerable from the time you read your token to someone (or something) until the charge hit your account. You would also not have to worry about a call center agent or waiter stealing that data because it could only be used once (and if it is not their employer, it would become apparent really quickly). Recurring transactions should be unique tokens for a set amount range from a particular entity (i.e. 12 transactions, one per month, not more than $500 each, Comcast only). For example, my reusable token given to my cable company should not be usable by anyone else. Why hasn't this been done yet? Simple: there is no advantage to the retailers and processors. There have been some one-time-use numbers for stuff like that, but it is inconvenient for the user so it won't be that popular. The entire system is archaic and dates back to the time of imprinting on paper.
Tokenized transactions exist today between some entities and the processors but it is time to extend that all the way from card holder to processor.
> Once you get the Expiry Date (which is the most prevalent data that is not encoded with the CHD)
> CVV is only 3 digits, we saw ppl using parallelizing tactics to find the correct sequence using acquirers around the world.
> With the delays in the reporting pipeline, they have the time to completely abuse that CHD/Date/CVV before getting caught.
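The scoped-token scheme the post argues for (a single-use token for a phone order; a recurring token good for 12 charges, each no more than $500, from one named merchant), as an added Python sketch that is not code from the post, NANOG, or any payment network. The in-memory vault, the merchant names and the amounts are assumptions; the point is that a token stolen by a call-center agent or a waiter is worthless outside its scope.

```python
import secrets
from dataclasses import dataclass


@dataclass
class ScopedToken:
    """A payment token bound to one merchant, a per-charge cap and a use count."""
    merchant: str
    max_amount_cents: int
    max_uses: int
    uses: int = 0


class TokenVault:
    """Issues cardholder tokens and authorizes charges against their scope.
    Assumed design: the real card number stays in the vault and is never
    given to the merchant at all."""

    def __init__(self):
        self._tokens = {}

    def issue(self, merchant, max_amount_cents, max_uses=1):
        tok = secrets.token_hex(16)  # opaque, unguessable stand-in for the PAN
        self._tokens[tok] = ScopedToken(merchant, max_amount_cents, max_uses)
        return tok

    def authorize(self, token, merchant, amount_cents):
        st = self._tokens.get(token)
        if st is None:
            return False, "unknown token"
        if merchant != st.merchant:          # stolen and replayed elsewhere
            return False, "merchant mismatch"
        if amount_cents > st.max_amount_cents:
            return False, "amount exceeds scope"
        if st.uses >= st.max_uses:           # single-use or 12-month limit hit
            return False, "use count exhausted"
        st.uses += 1
        return True, "approved"


def demo():
    """Constructed scenario: one phone ticket purchase and one cable bill."""
    vault = TokenVault()
    one_shot = vault.issue("airline", 45000)                  # one use only
    recurring = vault.issue("cable-co", 50000, max_uses=12)   # 12 x <= $500
    results = [
        vault.authorize(one_shot, "airline", 42000)[0],     # first use: ok
        vault.authorize(one_shot, "airline", 42000)[0],     # replay: refused
        vault.authorize(recurring, "cable-co", 49000)[0],   # month 1: ok
        vault.authorize(recurring, "other-shop", 1000)[0],  # wrong merchant
        vault.authorize(recurring, "cable-co", 60000)[0],   # over $500 cap
    ]
    for _ in range(11):                                     # months 2..12
        vault.authorize(recurring, "cable-co", 49000)
    results.append(vault.authorize(recurring, "cable-co", 49000)[0])  # 13th
    return results
```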