Encrypting card information, even at rest, has no benefit, if the systems that 
access that data need to decrypt it to use it. All one has done is move the 
security pressure point from the storage of the raw data, to security of the 
encryption keys. CVV codes have no benefit if the acquirer stores these as well.

2FA can help - all banks in Singapore issue tokens to customers, and all use 
Verified by Visa and Mastercard Securecode.

Additionally all cards are chip enabled. Issuing smart card readers to everyone 
would probably solve a lot of problems, as long as merchants don't store the 
public key.

-----Original Message-----
From: Ben Scott [mailto:[email protected]] 
Sent: Sunday, 1 April 2012 12:11 PM
To: NT System Admin Issues
Subject: Re: Check your CC cards if you are holding a Mastercard or Visa, major 
breach announced 10M+ in cards

On Sat, Mar 31, 2012 at 10:07 PM, Andrew S. Baker <[email protected]> wrote:
> http://finance.yahoo.com/news/mastercard-tells-banks-possible-security
> -breach-154439326.html

From the article: "Processing companies ... are supposed to encrypt card 
information."

  Encryption does not address most of the active security threats out there.  
To quote Eugene "spaf" Spafford, "Using encryption on the Internet is the 
equivalent of arranging an armored car to deliver credit card information from 
someone living in a cardboard box to someone living on a park bench."  He said 
this over a decade ago, and it's even more true today.  If the endpoints are 
very vulnerable, a secure link is worthless.

FTA: "The illegal use of the data could be stymied if an online merchant asks 
for the three or four digits printed on a card known as the 'CVV code.'"

  It's a well-known maxim that security, like a chain, is only as good as the 
weakest link.  Part of the problem with bank card security is that many vendors 
and stations employ a minimum of security.  It does no good that only some 
vendors adopt stronger security; the bad guys know to use the weak vendors.

  From this follows a multi-faceted problem -- technology, cost, and people.  
Stronger security could be implemented (tech).  But such measures would require 
wholesale replacement of merchant equipment and software (cost).  People don't 
want to pay for real security most of the time (people).  Those of us who would 
actually be willing -- even on an elective basis -- are too few to afford it on 
even an amortized basis.

  Unfortunately, I expect things will have to get much worse before enough 
people see the value in information security.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
