[lug] OT: Credit Cards w/ Chips
William D. Knoche
bill.knoche at gmail.com
Sat May 16 10:15:05 MDT 2015
I don't know if there are any good papers still out there. Google search
should provide some clues.
I recall at Sun when we did the Javacard technology (early 90s) and put
smartcard readers in all our systems for a time.
I do know the concept was patented in the late 60s. The Germans and the
French werer far ahead in both technology and in application.
Wikipedia has a pretty good explanation and history.
Basically the idea is PKI using long keys and RSA, DES or DSA.
Sun removed the smartcard readers due to almost complete ambivalence by
our customers to security at the time. And I pointed out that there were
simple hacks to get around it. The most obvious was that in most cases
there was little or no physical security and that by simply pulling the
power I could force a reboot into single user. The other was a bit
before that when at SEL we claimed to have a very secure mls, red book
compliant, system and at at show, Usenix, I think, we offered a round
trip to Paris for dinner to anyone who could break it. Someone walked up
to the booth, asked how the technology worked and asked to be shown how
to administer it. He then asked if he could look at something and he was
in. The company cried foul but social engineering is a very real threat
and I believe we paid up. We know better now but often forget.
I am not sure I would give the keys to either IT or to the purveyors of
such technology. We have had the technology for a long time but even now
aren't really doing the "right" things but at least the level of
paranoia has gone up so a sense of urgency is now present and there does
appear to be effort applied to make things a little more secure.
I have often used the analogy of the front door to a home. Even when
willing to spend hundreds or even thousands of dollars on high quality
locksets the adjacent side lite or window is ignored and a small rock
from the yard can be used as a "key" - no need to pick that nice lock.
Many security strategies ignore everything but the front door. Most are
there just to challenge the violator hoping they will move on to easier
targets. We can and should do better. But a comprehensive analysis of
the risks followed by a rigorous application of security measures seems
beyond the level of commitment or budget of most.
I got a phone call from someone claiming to be from Microsoft security
and that my Windows system was at risk. They instructed me to enable
remote desktop and let them "fix" it for me. My wife also received a
very similar call. I wonder how many folks fell for this.
And so it goes...
On 05/16/2015 08:51 AM, Donald wrote:
>> The whole credit card processing is one example of how the world
>> would be better if IT people were more in charge. As many of these
>> replies have suggested, we just wouldn't put up with such insecure
>> solutions for so long.
> The whole CC industry is based on convenience not security.
> Years ago when the CC companies introduced mag cards, they had to get
> the vendors to accept them and the uses to uses them. The current
> technology was checks.
> Users saw the convenience is not carrying cash, but vendors saw too
> many bounced checks.
> The banks guaranteed those checks.
> I am sure those having a guarantee check card wished they could just
> use that card instead of writing a check.
> Today the current technology is Mag Strips. The CC companies has to
> guarantee those as well.
> As in the mag cards, will the CC companies shoulder the costs ?
> ( yes, we all know who actually shoulders those costs )
> Anybody on this list is well aware of the under workings of this "new"
> The bulk of the user public would not understand nor want to see a
> Are there any good articles written about the new chip technology that
> is accessible to the masses ?
> ( i.e. me )
> I would be surprised that the CC companies would not like to save the
> amount of payout they do every year. But is it enough to pay the
> upfront costs to change.
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
More information about the LUG