6/8/2016
10:55 AM
Josh Thurston

From Paper To Plastic To Bits

Paying with your phone or other electronic wallets increases transaction security.

In 2005, the police arrested a man who attempted to steal my identity and discovered a stack of credit card receipts in his car. All of the stolen receipts were carbon copies that captured the credit card info. By mere coincidence, I had just teamed up with four friends and launched a startup. Our company offered a solution to process secure transactions from mobile phones, not something that was common in 2005, in the pre-smartphone era.

I frequently think about the security of merchant processing. The medium through which we exchange currency has expanded and changed in many ways. Millions of dollars are exchanged by mobile devices daily, and new technologies have come about, such as electronic wallets and new credit cards that are encrypted and use digital ink.

There are a lot of e-wallet options available for your phone and as standalone electronic cards. They are offered by banks, merchants, and of course major smartphone companies. These offer convenience, faster payment processing, and fewer cards to physically carry. But are they safe, and are they more secure? I say yes.

New Mediums Abound

New mediums for credit and debit transactions are quickly hitting the market:

  • Wallet apps use NFC (near-field communication) to communicate details to the point-of-sale (POS) terminal. E-wallets require a PIN or fingerprint touch to authorize a payment.
  • Recently the industry has seen an inventive plastic card that brings secure encrypted currency exchange. While the technology does not work at every merchant terminal, the success rates will get better as the technology matures. Two companies to check out are Coin and Plastc.
  • Physical cards can be tapped on the terminal. Physical cards that have this feature can be read from about 20 cm and will automatically accept payments for $50 to $100, depending on your bank. That means that unshielded cards can be tricked into debiting your account by someone walking by with a wireless POS terminal. Be sure to carry your tappable credit cards in a shielded envelope or wallet.

When using a physical payment card, the merchant gets your credit card number and other details, which they store and use to track your purchasing behavior. If their POS system is breached, which has happened many times, thieves can steal your number along with hundreds or thousands of others. When you use your e-wallet, the merchant just sees an identification token. This token is unique to the card and device, so they can still track anonymized purchasing behavior, but it becomes more difficult to connect to an individual. Since each transaction also requires a unique and calculated cryptogram, nothing stolen from the merchant’s POS system can be used to make other fraudulent transactions.
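The token-plus-cryptogram idea above can be sketched as an added example; this is not code from the article or from any payment network. It uses a simplified HMAC scheme as a stand-in for the real cryptogram algorithm, and the `Issuer` class, field layout and sample values are all hypothetical.

```python
import hashlib
import hmac
import secrets


class Issuer:
    """Constructed stand-in for the bank/token service that maps tokens to accounts."""

    def __init__(self):
        self._vault = {}  # token -> [real card number, device key, last counter seen]

    def provision(self, pan):
        """Give a device a token and a key; the real card number stays here."""
        token = "tok_" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._vault[token] = [pan, key, 0]
        return token, key

    def authorize(self, token, counter, amount_cents, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return "unknown token"
        _pan, key, last_counter = entry
        expected = make_cryptogram(key, token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad cryptogram"       # amount or counter was altered
        if counter <= last_counter:
            return "replayed transaction"  # a valid record was reused
        entry[2] = counter
        return "approved"


def make_cryptogram(key, token, counter, amount_cents):
    """Device side: MAC binding this token, transaction counter and amount."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def demo():
    issuer = Issuer()
    token, device_key = issuer.provision("PAN-PLACEHOLDER-0000")  # constructed value
    # What the merchant's POS sees and may store: token, counter, amount, cryptogram.
    pos_record = (token, 1, 2599, make_cryptogram(device_key, token, 1, 2599))
    first = issuer.authorize(*pos_record)
    # Breach scenario: the stored record is resubmitted as-is, then with a new amount.
    replay = issuer.authorize(*pos_record)
    t, c, _amt, mac = pos_record
    altered = issuer.authorize(t, c + 1, 99999, mac)
    return first, replay, altered
```

The merchant-side record never contains the card number or the device key, so the issuer rejects both the resubmitted record and the modified one.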

When not using your card, it is at risk of being lost or stolen. Until you report it, a physical card can potentially be used to make purchases. The number is clearly visible on the card, as is the verification code. On your e-wallet, the card information is not stored at all. The wallet receives a separate, device-specific token sent by your bank. This information is transmitted encrypted, cannot be decrypted by the phone, and the actual credit card number is not retained so your number cannot be retrieved even if a thief manages to guess your passcode. In addition, the “Find My Phone” features available can help track down your lost e-wallet or wipe all information from memory if it has been stolen, further protecting your payment info.

Eventually, lower fraud rates could lead to lower credit card fees and interest rates. It will probably take years for the majority of payment transactions to move to e-wallets and accept electronic cards, so it is not time to disable the security on your POS system just yet. And hackers will continue looking for ways to break or trick the system. But encouraging faster adoption of e-wallets and electronic cards looks to benefit everyone involved. 

Josh Thurston is a security strategist in the Intel Security Office of the CTO. In this role, Thurston drives business growth and defines the Intel Security go-to-market strategy for the Americas, creating and communicating innovative solutions for today's complex ...