TELECOM Digest OnLine - Sorted: Re: Don't Let Data Theft Happen to You


Re: Don't Let Data Theft Happen to You


Phil Earnhardt (pae@dim.com)
Sun, 17 Jul 2005 14:46:14 -0600

On Thu, 14 Jul 2005 18:15:38 -0500, Jim Rusling <usenet@rusling.org>
wrote:

>> When paying with a credit card, the server brings a small wireless
>> terminal directly to the table. It looks just like a compact adding
>> machine, with a paper roll on the back, but with a card slot on the
>> front, where you insert your card. If it's a debit card, you key your
>> PIN on the keypad. The receipts are printed right from the same
>> device, and the card never leaves your possession.

>> If devices like this were used in the states, you could presumably
>> also use the keypad to add a tip amount to the check. (In France,
>> where service is included, tips are a rarity, and when offered at all
>> are invariably in cash.)

> I would worry about the security of the wireless connection.

One would hope that such devices *could not operate* unless there was
a secure connection.

I have more fundamental concerns: what would prevent the creation of a
validation device that was completely functional but managed to copy
and transmit the credit card information? What would keep an
unscrupulous restaurant manager or waiter from substituting such a
device? For that matter, what would keep an unscrupulous customer from
swapping a trojan horse wireless validator widget while the waiter
wasn't looking?

AFAICT, any system which counts on the secrecy of a number is simply
problematic today. Challenge/response systems are the only way to go:

1. The vendor sends the details of the transaction: your credit card
number (which is no longer sacrosanct), the vendor's account number,
and the amount of the transaction. Optionally, there could be a
customer-supplied number shipped up for the customer's own tracking of
transactions. These are sent to a centralized validation authority.

2. The validation authority issues a challenge code for this
transaction.

3. The customer enters the code in their personal validation card
which generates the response code. The customer manually enters the
validation code; the vendor relays the validation code to the
centralized authority and the transaction is validated.

The personal validation card would be protected with a PIN and
biometrics.

AFAICT, having such a system would eliminate a massive amount of
fraud. Besides using the card for validating transactions, any
alteration of my credit information: applying for a new "credit card",
change of address, etc. would require exactly the same validation.

> Jim Rusling

--phil
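
The three-step exchange described in the post above, sketched as an added example that is not part of the original message. It assumes an HMAC-SHA256 response over a secret shared between the personal validation card and the authority, with 8-digit codes for manual entry; the class and function names and the sample values are hypothetical, and the card's PIN and biometric unlock are not modelled.

```python
import hashlib
import hmac
import secrets

class ValidationCard:
    """Customer's personal device. Holds a secret shared with the authority."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: str) -> str:
        # Step 3: keyed hash of the challenge, shortened to 8 digits for manual entry.
        mac = hmac.new(self._secret, challenge.encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class ValidationAuthority:
    def __init__(self):
        self._card_secrets = {}   # card number -> shared secret
        self._pending = {}        # challenge -> transaction it was issued for

    def enroll(self, card_number: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._card_secrets[card_number] = secret
        return secret             # provisioned into the customer's card

    def begin(self, card_number: str, vendor_account: str, amount_cents: int) -> str:
        # Steps 1 and 2: record the transaction details, issue a fresh challenge.
        if card_number not in self._card_secrets:
            raise KeyError("unknown card")
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = (card_number, vendor_account, amount_cents)
        return challenge

    def validate(self, challenge: str, response: str):
        # Each challenge is single use; a replayed response finds nothing pending.
        txn = self._pending.pop(challenge, None)
        if txn is None:
            return None
        expected = ValidationCard(self._card_secrets[txn[0]]).respond(challenge)
        return txn if hmac.compare_digest(expected, response) else None

def demo():
    authority = ValidationAuthority()
    card = ValidationCard(authority.enroll("CARD-0001"))   # constructed sample values
    challenge = authority.begin("CARD-0001", "VENDOR-17", 4250)
    response = card.respond(challenge)
    # First submission validates; relaying the same pair again is rejected.
    return authority.validate(challenge, response), authority.validate(challenge, response)
```

Because the customer keys in only the challenge, the amount is bound to it on the authority's side; the card itself never sees what is being charged.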

May be in reply to: Lisa Minter: "Don't Let Data Theft Happen to You"