The following message is a courtesy copy of an article that has been posted to bit.listserv.ibm-main as well.
[EMAIL PROTECTED] (Tom Schmidt) writes:
> I once heard a former CIA spook say that any POS system can be hacked
> from a truck parked at the curb, if the price/value is right.
> (Speaking from a previous lifetime in marketing research.) Maybe
> somebody built a proof-of-concept device??? (Think: TEMPEST)

re:
http://www.garlic.com/~lynn/2007h.html#56 T.J. Maxx data theft worse than first reported

... don't think individual POS terminals sitting on the counter ... think corporate POS concentrator ... where all POS transactions for the whole corporation pass thru on the way to the financial network.

this is slightly analogous to the internet payment gateway (we periodically claim is the original SOA)

long ago, and far away, we were called in to consult with this small client/server startup that had this technology called SSL and wanted to do payment transactions on their server.
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

a "payment gateway" was developed and deployed ... it is somewhat analogous to a corporate POS concentrator ... but can be used by lots of different (small) webservers any place on the web (as opposed to webservers in a large corporation that frequently just aggregate into a corporate POS concentrator).

as before ... there are all kinds of eavesdropping technology (some may or may not require some sort of physical operation) ... and then use the harvested information for fraudulent transactions in various kinds of "replay attacks" (being able to use information harvested from previous transactions ... in new fraudulent transactions)
http://www.garlic.com/~lynn/subintegrity.html#harvest

as an aside ... it isn't too unusual to see such trucks parked all over the place around silicon valley ... they are brought in for regular audits for leaking/stray emissions. they typically don't bother to disguise external antennas

for some topic drift ... posts about trade secret litigation and some question about whether the security was proportional to the risk (i.e. had to demonstrate security procedures that were proportional to the claimed value of the stuff at risk):
http://www.garlic.com/~lynn/2001d.html#42 IBM was/is: Imitation...
http://www.garlic.com/~lynn/2002d.html#8 Security Proportional to Risk (was: IBM Mainframe at home)
http://www.garlic.com/~lynn/2003i.html#62 Wireless security
http://www.garlic.com/~lynn/2005r.html#7 DDJ Article on "Secure" Dongle
http://www.garlic.com/~lynn/2006r.html#29 Intel abandons USEnet news
http://www.garlic.com/~lynn/2007e.html#9 The Genealogy of the IBM PC
http://www.garlic.com/~lynn/2007f.html#45 The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2007f.html#46 The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2007f.html#57 Is computer history taught now?

part of the web case ... was that the existing infrastructure is extremely vulnerable to replay attacks. from security acronym PAIN

P - privacy (sometimes CAIN, confidential)
A - authentication
I - integrity
N - non-repudiation

in the case of the payment gateway, SSL was used for privacy/confidentiality of the transaction transmitting thru the internet ... i.e. achieving "security" with encryption as countermeasure to eavesdropping (as part of replay attacks). However, as we've frequently noted, most of the harvesting exploits appear to happen at the end-points ... as opposed to while the transaction is actually being transmitted.

now, in the mid-90s, the x9a10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. the result was x9.59 financial transaction standard
http://www.garlic.com/~lynn/x959.html#x959

in effect, the x9.59 financial standard substituted end-to-end "authentication" and "integrity" (for privacy, confidentiality, encryption) to achieve "security".
providing end-to-end "authentication" and "integrity" eliminated eavesdropping as a risk or compromise ... since information from existing transactions could no longer be used for fraudulent transactions in replay attacks i.e. x9.59 transactions aren't vulnerable to eavesdropping, skimming, harvesting exploits ... whether "at-rest" or "in-transit".

we've claimed that the largest use of SSL has been the e-commerce stuff that we previously worked on ... as part of hiding transactions during transmission. x9.59 eliminates the requirement for hiding transactions (and therefore eliminates one of the major uses for SSL).
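
The property claimed above for x9.59, that a captured transaction or account number is of no use for a new fraudulent transaction, shown as an added example that is not part of the original post and is not the X9.59 message format. Ed25519 signatures, the per-transaction nonce and every name used (Txn, Issuer, Authorize, acct-0001, store-17) are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Txn is a constructed payment message; body() is the byte string that is signed.
type Txn struct {
	Account, Merchant string
	Cents, Nonce      int64 // Nonce is unique per transaction (assumption)
}

func (t Txn) body() []byte {
	return []byte(fmt.Sprintf("%q|%q|%d|%d", t.Account, t.Merchant, t.Cents, t.Nonce))
}

var ErrAuth, ErrReplay = fmt.Errorf("bad signature"), fmt.Errorf("already presented")

// Issuer stores only public keys, so nothing harvested from it can sign.
type Issuer struct {
	keys map[string]ed25519.PublicKey
	seen map[string]bool // account|nonce pairs already accepted
}

// Authorize requires the account's signature and a nonce not seen before.
func (i *Issuer) Authorize(t Txn, sig []byte) error {
	pub, id := i.keys[t.Account], fmt.Sprintf("%q|%d", t.Account, t.Nonce)
	if pub == nil || !ed25519.Verify(pub, t.body(), sig) {
		return ErrAuth
	}
	if i.seen[id] {
		return ErrReplay
	}
	i.seen[id] = true
	return nil
}

// Demo: the holder pays once; an eavesdropper then reuses what was captured.
func Demo() (first, replay, altered, fresh error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	is := &Issuer{map[string]ed25519.PublicKey{"acct-0001": pub}, map[string]bool{}}
	t := Txn{"acct-0001", "store-17", 2599, 1}
	sig := ed25519.Sign(priv, t.body())
	alt, bare := t, t
	alt.Cents, bare.Nonce = 99900, 2 // changed amount; new transaction, same account
	return is.Authorize(t, sig), is.Authorize(t, sig), is.Authorize(alt, sig), is.Authorize(bare, sig)
}
func main() { fmt.Println(Demo()) }
```

Nothing in the message is encrypted: the account number, amount and signature all travel in the clear, and the captured copy is still rejected in each of the three reuse cases.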