08.26.09
PCI and Card Skimming
Dark Reading has an interesting article on the release by the PCI Council of a best practices guide to assist merchants in the prevention of card skimming (see http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219401468&cid=nl_DR_DAILY_H). I really like Chris Paget’s take on the weaknesses of the proposal by PCI, i.e. the proposal does not address malicious intent, and does not address risk during manufacturing of POS devices.
My 2 cents’ worth on this important issue. First, the EMV specifications partly address the risk factors during manufacturing and distribution of POS devices. This is done through device and application certification. The application code should normally be signed and the signature validated at boot-up. This is not perfect though, as it leads to attack scenarios that can easily work around this control. But it is a start!
More importantly, one of the key weaknesses of EMV (and I have been saying so for 10 years now) is that the card and terminal do not mutually authenticate at the beginning of a transaction. This is a fundamental weakness. It would have required secure key storage in POS terminals, something the authors of the original specs did not have the stomach to impose.
In the end, I fear this weakness will come back and haunt the industry. As per Chris Paget’s suggestion, a Trusted Platform Module would help (see http://www.trustedcomputinggroup.org/) and there a lot of solid work has been done in this group and is readily usable in POS devices.
Bottom line: we cannot go back to bartering! We have to continue using plastic (physical or virtual) to pay for goods and services. It is quick, convenient, economical for all parties involved. But we need to keep the bad guys out or users will lose confidence in the system.
René