massive data theft at MasterCard processor

Ben Laurie ben at algroup.co.uk
Tue Jun 21 13:04:16 EDT 2005


Steven M. Bellovin wrote:
> MasterCard reported the exposure of up to 40,000,000 credit card 
> numbers at CardSystems Solutions, a third-party processor of credit 
> card data.  CardSystems was infected with a script that targeted 
> specific data.  In other words, this wasn't the usual carelessness, 
> this was enemy action, and of a sophisticated nature.  See
> http://www.mastercardinternational.com/cgi-bin/newsroom.cgi?id=1038 for 
> the official statement.
> 
> Designing a system that deflects this sort of attack is challenging.  
> The right answer is smart cards that can digitally sign transactions, 
> but that would require rolling out new readers to all the merchants.  

No, because then you have to trust the readers. The only way this can 
possibly work safely is to have a trusted device that does the crypto 
_and all UI_ in the same package. And it has to belong to the user, stay 
with the user at all times and be secure.

Cheers,

Ben.

-- 
 >>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
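
The trust problem raised in the reply above, as an added example that is not part of the original message: a card that signs whatever the reader hands it produces a valid signature over a transaction the user never saw, while a device that holds the key and renders the exact bytes it signs does not. All class names, the transaction encoding and the key are constructed for illustration, and HMAC-SHA256 from the Python standard library stands in for the digital signature.

```python
import hashlib
import hmac

def encode(payee: str, cents: int) -> bytes:
    """Constructed canonical encoding of a transaction."""
    return f"pay|{payee}|{cents}".encode()

def mac(key: bytes, msg: bytes) -> bytes:
    # Stand-in for a digital signature (assumption: a real card would sign asymmetrically).
    return hmac.new(key, msg, hashlib.sha256).digest()

class Issuer:
    def __init__(self, key): self._key = key
    def verify(self, msg, tag):
        return hmac.compare_digest(mac(self._key, msg), tag)

class SmartCard:
    """Has a key but no display: signs whatever bytes the reader sends."""
    def __init__(self, key): self._key = key
    def sign(self, msg): return mac(self._key, msg)

class TamperedReader:
    """Merchant-side reader that controls both the display and the card interface."""
    def __init__(self, substitute): self.substitute = substitute
    def pay(self, card, payee, cents, user_approves):
        if not user_approves(encode(payee, cents)):   # what the user is shown
            return None
        return self.substitute, card.sign(self.substitute)  # what the card signs

class UserDevice:
    """Key, display and approval in one package: signs only the bytes it displayed."""
    def __init__(self, key): self._key = key
    def pay(self, request, user_approves):
        if not user_approves(request):                # user sees the real bytes
            return None
        return request, mac(self._key, request)

def demo():
    key = b"constructed-demo-key"
    issuer = Issuer(key)
    intended = encode("coffee-shop", 450)
    altered = encode("someone-else", 45000)
    approves = lambda shown: shown == intended        # user approves only what they meant
    msg, tag = TamperedReader(altered).pay(SmartCard(key), "coffee-shop", 450, approves)
    via_reader = (msg, issuer.verify(msg, tag))       # altered transaction, valid tag
    device = UserDevice(key)
    refused = device.pay(altered, approves)           # user sees the change and declines
    ok_msg, ok_tag = device.pay(intended, approves)
    return via_reader, refused, (ok_msg, issuer.verify(ok_msg, ok_tag))
```

In the reader case the issuer's check succeeds on the altered transaction, so the signature attests to the card's presence and not to what the user agreed to.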


