Creativity and security

Dave Korn davek_throwaway at hotmail.com
Thu Mar 23 15:15:50 EST 2006


Olle Mulmo wrote:
> On Mar 20, 2006, at 21:51, leichter_jerrold at emc.com wrote:
>
>> I was tearing up some old credit card receipts recently - after all
>> these years, enough vendors continue to print full CC numbers on
>> receipts that I'm hesitant to just toss them as is, though I doubt
>> there are many dumpster divers looking for this stuff any more - when I
>> found a great example of why you don't want people applying their
>> "creativity" to security problems, at least not without a great deal
>> of review.
>>
>> You see, most vendors these days replace all but the last 4 digits of
>> the CC number on a receipt with X's.  But it must be boring to do the
>> same as everyone else, so some bright person at one vendor(*) decided
>> they were going to do it differently:  They X'd out *just the last
>> four digits*.  After all, who could guess the number from the 10,000
>> possibilities?
>>
>> Ahem.
>>  -- Jerry
>>
>> (*) It was Build-A-Bear.  The receipt was at least a year old, so for
>> all I know they've long since fixed this.
>
> Unfortunately, they haven't. In Europe I get receipts with different
> crossing-out patterns almost every week.
>
> And, with "they" I mean the builders of point-of-sale terminals: I
> don't think individual store owners are given a choice.
>
> Though I believe I have noticed a good trend in that I get receipts
> where *all but four* digits are crossed out more and more often
> nowadays.

  In the UK, that is now the almost universal practice.  And it's equally
almost universally the /last/ four digits across all retailers.  Which is
good.

  What is not so good, however, is another example of 
not-as-clever-as-it-thinks-it-is clever new idea for addressing the problem 
of receipts.

  As we all know, when you pay with a credit or debit card at a store, it's 
important to take the receipt with you, because it contains vital 
information - even when most of the card number is starred out, the expiry 
date is generally shown in full.  So we're all encouraged to take them with 
us, take them home, and shred or otherwise securely dispose of them under 
our own control.

  Of course, this is a) a nuisance and b) wasteful of paper.  And obviously 
enough, someone's been trying to come up with a 'bright idea' to solve these 
issues.

  So what they've been doing at my local branch of Marks & Spencer for the 
past few weeks is, at the end of the transaction after the (now always 
chip'n'pin-based) card reader finishes authorizing your transaction, the 
cashier at the till asks you whether you actually /want/ the receipt or not; 
if you say yes, they press a little button and the till prints out the 
receipt same as ever and they hand it to you, but if you say no they don't 
press the button, the machine doesn't even bother to print a receipt, and 
you wander away home, safe in the knowledge that there is no wasted paper 
and no leak of security information  ...

  ... Of course, three seconds after your back is turned, the cashier can 
still go ahead and press the button anyway, and then /they/ can have your 
receipt.  With the expiry date on it.  And the last four digits of the card 
number.  And the name of the card issuer, which allows you to narrow the 
first four digits down to maybe three or four possible combinations.  OK, 
10^8 still ain't easy, but it's a lot easier than what we started with.

  The risk could perhaps be fixed with an interlock which makes it 
impossible to print the receipt out after the card has been withdrawn from 
the reader, but I think the better solution would still be for the receipt 
to be printed out every single time and the staff trained in the importance 
of not letting customers leave without taking their receipts with them.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 
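To put numbers on the two masking schemes discussed in this thread (X out only the last four digits, versus show only the last four), here is an added Python example. It is mine, not code from Dave Korn, Jerry Leichter, or any point-of-sale terminal vendor. It assumes a 16-digit card number and brings in one fact the thread does not mention: card numbers carry a Luhn (mod-10) check digit, so one masked digit is always pinned down by the others. The card number 4111111111111111 is the well-known Visa test number, and the issuer prefixes are constructed values standing in for "the issuer name narrows the leading digits to a handful of possibilities".

```python
"""How much of a 16-digit card number (PAN) each receipt-masking scheme leaks.

Constructed example for the thread above.  4111111111111111 is the public
Visa test number and belongs to nobody; the issuer prefixes are made up.
"""
from itertools import product


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check carried by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_last_four(pan: str) -> str:
    """The scheme Jerry found: hide only the last four digits."""
    return pan[:-4] + "XXXX"


def mask_all_but_last_four(pan: str) -> str:
    """The usual scheme: show only the last four digits."""
    return "X" * (len(pan) - 4) + pan[-4:]


def luhn_consistent_candidates(masked: str):
    """Brute-force every full PAN matching the mask that also passes Luhn.

    Only sensible when a few digits are masked; with 12 X's it is hopeless,
    which is exactly the point of masking all but the last four.
    """
    holes = [i for i, ch in enumerate(masked) if ch == "X"]
    chars = list(masked)
    for fill in product("0123456789", repeat=len(holes)):
        for pos, digit in zip(holes, fill):
            chars[pos] = digit
        candidate = "".join(chars)
        if luhn_valid(candidate):
            yield candidate


def search_space(masked: str, issuer_prefixes=None) -> int:
    """Count Luhn-valid PANs consistent with the mask, without enumerating.

    For each prefix the attacker believes possible (None = no issuer hint),
    every masked digit is free except one, which the Luhn check determines,
    so the count is 10 ** (unknown - 1).
    """
    prefixes = issuer_prefixes if issuer_prefixes is not None else [""]
    total = 0
    for prefix in prefixes:
        chars = list(masked)
        conflict = False
        for i, ch in enumerate(prefix):
            if chars[i] != "X" and chars[i] != ch:
                conflict = True        # prefix contradicts a printed digit
                break
            chars[i] = ch
        if conflict:
            continue
        unknown = chars.count("X")
        if unknown == 0:
            total += 1 if luhn_valid("".join(chars)) else 0
        else:
            total += 10 ** (unknown - 1)
    return total


if __name__ == "__main__":
    pan = "4111111111111111"
    bad = mask_last_four(pan)            # 411111111111XXXX
    good = mask_all_but_last_four(pan)   # XXXXXXXXXXXX1111
    print(bad, "->", len(list(luhn_consistent_candidates(bad))), "candidates")
    print(good, "->", search_space(good), "candidates, no issuer hint")
    # Dave's receipt: last four digits plus the issuer name.  Constructed
    # prefixes model "three or four possible combinations" of leading digits.
    print(good, "->", search_space(good, ["4111", "4242", "4000"]),
          "candidates when the issuer narrows the first four digits")
```

The "10,000 possibilities" in the quoted post is really 1,000 once the Luhn check is applied, and in the all-but-four scheme an issuer hint that fixes four leading digits leaves about 10^7 per prefix, in line with Dave's 10^8 estimate before the check digit is taken into account.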




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com