
Partner Perspectives
Josh Thurston
10:55 AM

From Paper To Plastic To Bits

Paying with your phone or other electronic wallets increases transaction security.

In 2005, the police arrested a man who attempted to steal my identity and discovered a stack of credit card receipts in his car. All of the stolen receipts were carbon copies that captured the credit card info. By mere coincidence, I had just teamed up with four friends and launched a startup. Our company offered a solution to process secure transactions from mobile phones, not something that was common in 2005, the pre-smartphone era.

I frequently think about the security of merchant processing. The medium through which we exchange currency has expanded and changed in many ways. Millions of dollars are exchanged by mobile devices daily, and new technologies have come about, such as electronic wallets and new credit cards that are encrypted and use digital ink.

There are a lot of e-wallet options available for your phone and as standalone electronic cards. They are offered by banks, merchants, and of course major smartphone companies. These offer convenience, faster payment processing, and fewer cards to physically carry. But are they safe, and are they more secure? I say yes.

New Mediums Abound

New mediums for credit and debit transactions are quickly hitting the market:

  • Wallet apps use NFC (near-field communication) to communicate details to the point-of-sale (POS) terminal. E-wallets require a PIN or fingerprint touch to authorize a payment.
  • Recently the industry has seen an inventive plastic card that brings secure encrypted currency exchange. While the technology does not work at every merchant terminal, the success rates will get better as the technology matures. Two companies to check out are Coin and Plastc.
  • Physical cards with a contactless feature can be tapped on the terminal. Cards that have this feature can be read from about 20 cm and will automatically accept payments of $50 to $100, depending on your bank. That means an unshielded card can be tricked into debiting your account by someone walking by with a wireless POS terminal. Be sure to carry your tappable credit cards in a shielded envelope or wallet.

When using a physical payment card, the merchant gets your credit card number and other details, which they store and use to track your purchasing behavior. If their POS system is breached, which has happened many times, thieves can steal your number along with hundreds or thousands of others. When you use your e-wallet, the merchant just sees an identification token. This token is unique to the card and device, so they can still track anonymized purchasing behavior, but it becomes more difficult to connect to an individual. Since each transaction also requires a unique and calculated cryptogram, nothing stolen from the merchant’s POS system can be used to make other fraudulent transactions.

When not using your card, it is at risk of being lost or stolen. Until you report it, a physical card can potentially be used to make purchases. The number is clearly visible on the card, as is the verification code. On your e-wallet, the card information is not stored at all. The wallet receives a separate, device-specific token sent by your bank. This information is transmitted encrypted, cannot be decrypted by the phone, and the actual credit card number is not retained so your number cannot be retrieved even if a thief manages to guess your passcode. In addition, the “Find My Phone” features available can help track down your lost e-wallet or wipe all information from memory if it has been stolen, further protecting your payment info.
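The two protections described above (a device-specific token that stands in for the card number, and a cryptogram that is only valid for one transaction) can be shown with a small model. The following is an added illustration, not code from the article or from any payment network; real EMV tokenization differs in its key hierarchy, token format and cryptogram inputs, and every name, key and sample card number here is a constructed assumption. The model shows why a message captured from a breached merchant POS cannot be replayed or altered, and why the phone never holds the real card number.

```python
"""Toy model of e-wallet tokenization with per-transaction cryptograms.

Added illustration only (assumed design, not any real wallet or issuer API).
"""
import hashlib
import hmac
import secrets

# Constructed sample card number (a well-known test PAN, not a real account).
SAMPLE_PAN = "4111111111111111"


def compute_cryptogram(key: bytes, token: str, counter: int,
                       amount_cents: int, unpredictable: str) -> str:
    """HMAC over everything the issuer must see unchanged (assumed scheme)."""
    msg = f"{token}|{counter}|{amount_cents}|{unpredictable}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Bank side: the only party that maps tokens back to card numbers."""

    def __init__(self) -> None:
        # token -> record holding the real PAN, the device key and last counter
        self.tokens: dict[str, dict] = {}

    def provision(self, pan: str, device_id: str) -> tuple[str, bytes]:
        """Issue a device-specific token plus a per-device key (assumed format)."""
        token = "TK" + secrets.token_hex(6)
        device_key = secrets.token_bytes(32)
        self.tokens[token] = {"pan": pan, "device": device_id,
                              "key": device_key, "counter": 0}
        return token, device_key

    def authorize(self, token: str, counter: int, amount: int,
                  unpredictable: str, cryptogram: str) -> bool:
        rec = self.tokens.get(token)
        if rec is None:
            return False
        # The counter must strictly increase, so a captured message cannot
        # be presented a second time.
        if counter <= rec["counter"]:
            return False
        expected = compute_cryptogram(rec["key"], token, counter,
                                      amount, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        rec["counter"] = counter
        return True


class Wallet:
    """Phone side: stores only the token and device key, never the PAN."""

    def __init__(self, token: str, device_key: bytes) -> None:
        self.token = token
        self.key = device_key
        self.counter = 0

    def pay(self, amount_cents: int, terminal_nonce: str) -> dict:
        """Build the message the POS terminal sees and forwards to the bank."""
        self.counter += 1
        return {
            "token": self.token,
            "counter": self.counter,
            "amount": amount_cents,
            "unpredictable": terminal_nonce,
            "cryptogram": compute_cryptogram(self.key, self.token,
                                             self.counter, amount_cents,
                                             terminal_nonce),
        }


def demo() -> dict:
    """Run one genuine payment, then two attempts using the captured message."""
    issuer = Issuer()
    token, key = issuer.provision(SAMPLE_PAN, "phone-1")
    wallet = Wallet(token, key)

    msg = wallet.pay(1250, secrets.token_hex(4))   # $12.50 at a terminal
    first = issuer.authorize(**msg)

    # Simulated merchant breach: the stored message is sent again verbatim.
    replay = issuer.authorize(**msg)

    # Same breach: amount and counter altered, old cryptogram reused.
    tampered = dict(msg, amount=99999, counter=msg["counter"] + 1)
    forged = issuer.authorize(**tampered)

    return {
        "merchant_sees_pan": SAMPLE_PAN in str(msg),
        "wallet_holds_pan": SAMPLE_PAN in str(vars(wallet)),
        "first": first,
        "replay": replay,
        "forged": forged,
    }


if __name__ == "__main__":
    print(demo())
```

The genuine payment is accepted once; the verbatim replay fails on the counter check and the altered message fails the cryptogram check, while neither the merchant's message nor the phone's wallet state contains the card number.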

Eventually, lower fraud rates could lead to lower credit card fees and interest rates. It will probably take years for the majority of payment transactions to move to e-wallets and electronic cards, so it is not time to disable the security on your POS system just yet. And hackers will continue looking for ways to break or trick the system. But encouraging faster adoption of e-wallets and electronic cards looks to benefit everyone involved.

Josh Thurston is a security strategist in the Intel Security Office of the CTO. In this role, Thurston drives business growth and defines the Intel Security go-to-market strategy for the Americas, creating and communicating innovative solutions for today's complex ...