The key requirements when approving a transaction are authentication, proving that you are the person you say you are, and authority, that you are allowed to perform the transaction. With a typical credit card transaction, these two go together as the authentication shows that you are the owner of the account who automatically has full authority. There is scope to break that link, but that would need to be another article.
The mantra in the security industry regarding authentication is:
- Something you have—such as a card.
- Something you know—such as a PIN or password.
- Something you are—much harder and relies on such things as biometrics.
When you go into a shop, you take the card out of your wallet, immediately satisfying point one. Presented with a keypad, you type in your PIN, satisfying point two. If the card had a photograph then it would (very weakly) satisfy point three as well, just as the signature used to do before Chip-and-PIN.
Cardholder Not Present transactions have always been weak. These are transactions done by phone, by post or over the internet. Point one is subverted because there is no way to tell that you actually have the card; you could just have a photocopy or a note of the number. If point three was ever covered then that is lost as well. So the authentication is reduced to something you know—the card number. Card issuers have tried to improve this recently by adding three extra digits to the back of the card. The theory was that this number was not embossed nor recorded in shop transactions, so it was less likely to be compromised. In practice it is still visible to anyone who handles the card (which is why I obliterate mine), and an increasing number of face-to-face transactions ask to know and record the number. Hotel receptionists, for example, want to be able to process a transaction if you do a runner.
There are a number of initiatives to improve the position, mostly by providing the customer with some sort of device that generates a sequence of one-time passwords which are predictable by the bank but not by anyone else. Each device is unique and keyed to your account. A significant step forward is that it is now possible to build such a device directly into the card; a great achievement, as the card still has to be capable of passing through an ATM and shop chip readers. This provides two major improvements. Firstly, it restores the requirement “Something you have”: you have to have the card to use it, and it is locked to your account, so there is no using one device with another card number. Secondly, the “secret” number is entered into the device itself, not into the online or telephone transaction, so there is no risk of it leaking; and this number is now the truly secret PIN, not the number printed on the back of the card.
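To make the mechanism above concrete, here is an added example (not code from the original post, and not any particular bank's or card vendor's implementation) of a one-time-password scheme with the properties described: a per-card secret shared only between the card device and the bank, a PIN that is checked inside the device and never transmitted, and a bank-side verifier that accepts each code once. It assumes the HOTP construction from RFC 4226 (HMAC-SHA1 over an event counter, dynamically truncated to six digits) as the generator, which the post does not name; the account numbers, secrets, PINs and the look-ahead window of five counters are constructed for the illustration.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a `digits`-digit decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CardDevice:
    """The generator built into the card. The secret and PIN never leave
    it; it only releases a code when the correct PIN is keyed in locally."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin
        self._counter = 0

    def generate(self, pin_entered: str):
        # Wrong PIN: no code at all, so nothing useful reaches the merchant.
        if not hmac.compare_digest(pin_entered.encode(), self._pin.encode()):
            return None
        code = hotp(self._secret, self._counter)
        self._counter += 1          # each code is used at most once
        return code


class BankVerifier:
    """The bank's side: holds the same secret per account plus the next
    counter it expects, and tolerates a few skipped codes (look-ahead)."""

    def __init__(self, window: int = 5):
        self._window = window
        self._accounts = {}         # account -> [secret, next_counter]

    def enrol(self, account: str, secret: bytes) -> None:
        self._accounts[account] = [secret, 0]

    def verify(self, account: str, code: str) -> bool:
        entry = self._accounts.get(account)
        if entry is None:
            return False
        secret, next_counter = entry
        for c in range(next_counter, next_counter + self._window):
            if hmac.compare_digest(hotp(secret, c), code):
                entry[1] = c + 1    # advance past the used counter: no replay
                return True
        return False                # code from another card, or a replay


def demo() -> dict:
    """Walk through the properties the post describes and report each."""
    # Constructed per-card secrets (the first is the RFC 4226 test secret).
    secret_a, secret_b = b"12345678901234567890", b"another-card-secret-1"
    bank = BankVerifier()
    bank.enrol("4000-0000-0000-0001", secret_a)
    bank.enrol("4000-0000-0000-0002", secret_b)
    card_a = CardDevice(secret_a, pin="4321")

    results = {}
    results["wrong_pin_gives_no_code"] = card_a.generate("0000") is None
    code = card_a.generate("4321")
    results["first_code"] = code                                  # "755224"
    results["accepted"] = bank.verify("4000-0000-0000-0001", code)
    results["replay_rejected"] = not bank.verify("4000-0000-0000-0001", code)
    # The device is locked to its own account: its code fails elsewhere.
    code2 = card_a.generate("4321")
    results["other_account_rejected"] = not bank.verify("4000-0000-0000-0002", code2)
    # A code generated but never submitted is skipped via the look-ahead window.
    code3 = card_a.generate("4321")
    results["resync_after_skip"] = bank.verify("4000-0000-0000-0001", code3)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The important design point is that the card number printed on the plastic is no longer a secret at all: possession of the card (the secret inside the chip) and knowledge of the PIN (checked inside the device) are both required, and the only thing that crosses the phone line or the web form is a six-digit code that is worthless once the bank has seen it.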
This will surely annoy hotel managers though.