
Partner Perspectives
Josh Thurston
10:55 AM

From Paper To Plastic To Bits

Paying with your phone or another electronic wallet increases transaction security.

In 2005, the police arrested a man who attempted to steal my identity and discovered a stack of credit card receipts in his car. All of the stolen receipts were carbon copies that captured the full credit card details. By mere coincidence, I had just teamed up with four friends and launched a startup. Our company offered a solution to process secure transactions from mobile phones, not something that was common in 2005, the pre-smartphone era.

I frequently think about the security of merchant processing. The media through which we exchange currency have expanded and changed in many ways. Millions of dollars are exchanged by mobile devices daily, and new technologies have appeared such as electronic wallets and electronic credit cards that store card data in encrypted form and show it on a digital-ink display.

There are a lot of e-wallet options available, both as apps for your phone and as standalone electronic cards. They are offered by banks, merchants, and of course the major smartphone companies. They provide convenience, faster payment processing, and fewer cards to physically carry. But are they safe, and are they more secure than a plastic card? I say yes.

New Mediums Abound

New mediums for credit and debit transactions are quickly hitting the market:

  • Wallet apps use NFC (near-field communication) to pass payment details to the point-of-sale (POS) terminal, and they require a PIN or fingerprint touch to authorize each payment.
  • The industry has recently seen programmable plastic cards that hold several card accounts in encrypted form and present one of them to the terminal. The technology does not yet work at every merchant terminal, but success rates will improve as it matures. Two companies to check out are Coin and Plastc.
  • Contactless physical cards can be tapped on the terminal. A standard reader talks to such a card from within roughly 10 cm (purpose-built antennas reach farther), and transactions below a bank-set floor, typically $50 to $100, are approved without a PIN or signature. An unshielded card can therefore be debited by someone who brushes a wireless POS terminal past your pocket. The practical limit on this attack is that the terminal must be tied to a registered merchant account, so the money is traceable and the charge can be disputed; even so, carry your tappable cards in a shielded sleeve or wallet.

When you pay with a physical card, the merchant receives your real card number and other details, which it may store and use to track your purchasing behavior. If its POS system is breached, which has happened many times, thieves take your number along with hundreds or thousands of others. When you pay with an e-wallet, the merchant sees only a payment token (a device account number) that stands in for your card. The token is unique to the card and device, so the merchant can still track purchasing behavior against that token, but linking it to an individual is harder. Because each transaction also carries a one-time cryptogram computed by the device over the transaction details and a counter, a token and cryptogram lifted from the merchant's POS system cannot be replayed or altered to make further fraudulent transactions.
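The following is an added illustration of the tokenization and cryptogram flow just described; it is not code from the original article or from any real wallet or card network. It uses an HMAC as a simplified stand-in for the EMV transaction cryptogram, invents a token vault (TokenServiceProvider), a device (WalletDevice), a test PAN and a constructed token format, and then shows what happens when the message a merchant's POS captured is replayed or reused at a second merchant.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key: bytes, token: str, merchant_id: str, amount_cents: int, atc: int) -> bytes:
    """Per-transaction cryptogram: an HMAC over the token, merchant, amount and the
    application transaction counter (ATC). Simplified stand-in for the EMV cryptogram
    (assumption: real schemes use issuer-derived session keys and more fields)."""
    msg = f"{token}|{merchant_id}|{amount_cents}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class TokenServiceProvider:
    """Issuer-side token vault (constructed). Only this side ever maps a token
    back to the real card number (PAN); the device and the merchant never hold it."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._key_by_token: dict[str, bytes] = {}
        self._last_atc: dict[str, int] = {}
        self._next = 0

    def provision(self, pan: str, device_id: str) -> tuple[str, bytes]:
        """Issue a device-specific token and a device key for one PAN."""
        self._next += 1
        token = f"49{self._next:014d}"  # hypothetical 16-digit token, not a real card range
        key = secrets.token_bytes(32)
        self._pan_by_token[token] = pan
        self._key_by_token[token] = key
        self._last_atc[token] = 0
        return token, key

    def authorize(self, token, merchant_id, amount_cents, atc, cryptogram) -> tuple[bool, str]:
        key = self._key_by_token.get(token)
        if key is None:
            return False, "unknown token"
        # The counter must strictly increase: a captured message replayed later fails here.
        if atc <= self._last_atc[token]:
            return False, "replay"
        expected = make_cryptogram(key, token, merchant_id, amount_cents, atc)
        # Changing the merchant or amount, or bumping the counter, breaks the MAC.
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        self._last_atc[token] = atc
        return True, "approved"


class WalletDevice:
    """The phone side. A real wallet keeps token, key and counter in a secure element."""

    def __init__(self, token: str, key: bytes) -> None:
        self._token, self._key, self._atc = token, key, 0

    def tap(self, merchant_id: str, amount_cents: int) -> dict:
        """What the terminal, and therefore the merchant, receives on a tap."""
        self._atc += 1
        return {
            "token": self._token,
            "merchant_id": merchant_id,
            "amount_cents": amount_cents,
            "atc": self._atc,
            "cryptogram": make_cryptogram(self._key, self._token, merchant_id, amount_cents, self._atc),
        }


def demo() -> dict:
    """One legitimate tap, then the two things a thief who dumped the POS would try:
    replay the captured message, and reuse the token at another merchant."""
    pan = "4111111111111111"  # constructed test PAN
    tsp = TokenServiceProvider()
    token, key = tsp.provision(pan, device_id="phone-A")
    wallet = WalletDevice(token, key)

    captured = wallet.tap("MERCHANT-1", 1299)  # all the merchant's POS ever sees
    first = tsp.authorize(**captured)
    replay = tsp.authorize(**captured)  # same message presented again
    reused = dict(captured, merchant_id="MERCHANT-2", atc=captured["atc"] + 1)
    forged = tsp.authorize(**reused)  # new merchant, fresh counter, old cryptogram
    return {
        "first": first,
        "replay": replay,
        "forged": forged,
        "pan_in_pos_record": pan in str(captured),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the counter check and the MAC is that a POS dump yields a token that is only ever useful with a cryptogram the device has not yet produced, and a cryptogram that is only valid for the exact merchant, amount and counter it was computed over.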

When your card is not in use, it is at risk of being lost or stolen. Until you report it, a physical card can be used to make purchases: the number is printed clearly on the card, as is the verification code. An e-wallet does not store your card number at all. Instead, your bank's token service sends the phone a separate, device-specific token, provisioned over an encrypted channel into a protected store that the phone's own applications cannot read. The real card number is never retained on the device, so it cannot be recovered even if a thief manages to guess your passcode. In addition, the "Find My Phone" features available today can help track down a lost phone or wipe it remotely if it has been stolen, further protecting your payment information.

Eventually, lower fraud rates could lead to lower credit card fees and interest rates. It will probably take years for the majority of payment transactions to move to e-wallets and electronic cards, so it is not time to switch off the security controls on your POS system just yet. And hackers will keep looking for ways to break or trick the system. But encouraging faster adoption of e-wallets and electronic cards stands to benefit everyone involved.

Josh Thurston is a security strategist in the Intel Security Office of the CTO. In this role, Thurston drives business growth and defines the Intel Security go-to-market strategy for the Americas, creating and communicating innovative solutions for today's complex ...