Creativity and security
Dave Korn
davek_throwaway at hotmail.com
Thu Mar 23 15:15:50 EST 2006
Olle Mulmo wrote:
> On Mar 20, 2006, at 21:51, leichter_jerrold at emc.com wrote:
>
>> I was tearing up some old credit card receipts recently - after all
>> these years, enough vendors continue to print full CC numbers on
>> receipts that I'm hesitant to just toss them as is, though I doubt
>> there
>> are many dumpster divers looking for this stuff any more - when I
>> found
>> a great example of why you don't want people applying their
>> "creativity"
>> to security problems, at least not without a great deal of review.
>>
>> You see, most vendors these days replace all but the last 4 digits of
>> the CC number on a receipt with X's. But it must be boring to do the
>> same as everyone else, so some bright person at one vendor(*) decided
>> they were going to do it differently: They X'd out *just the last
>> four
>> digits*. After all, who could guess the number from the 10,000
>> possibilities?
>>
>> Ahem.
>> -- Jerry
>>
>> (*) It was Build-A-Bear. The receipt was at least a year old, so for
>> all I know they've long since fixed this.
>
> Unfortunately, they haven't. In Europe I get receipts with different
> crossing-out patterns almost every week.
>
> And, with "they" I mean the builders of point-of-sale terminals: I
> don't think individual store owners are given a choice.
>
> Though I believe I have noticed a good trend in that I get receipts
> where *all but four* digits are crossed out more and more often
> nowadays.
In the UK, that is now the almost universal practice. And it's equally
almost universally the /last/ four digits across all retailers. Which is
good.
What is not so good, however, is another example of
not-as-clever-as-it-thinks-it-is clever new idea for addressing the problem
of receipts.
As we all know, when you pay with a credit or debit card at a store, it's
important to take the receipt with you, because it contains vital
information - even when most of the card number is starred out, the expiry
date is generally shown in full. So we're all encouraged to take them with
us, take them home, and shred or otherwise securely dispose of them under
our own control.
Of course, this is a) a nuisance and b) wasteful of paper. And obviously
enough, someone's been trying to come up with a 'bright idea' to solve these
issues.
So what they've been doing at my local branch of Marks & Spencer for the
past few weeks is, at the end of the transaction after the (now always
chip'n'pin-based) card reader finishes authorizing your transaction, the
cashier at the till asks you whether you actually /want/ the receipt or not;
if you say yes, they press a little button and the till prints out the
receipt same as ever and they hand it to you, but if you say no they don't
press the button, the machine doesn't even bother to print a receipt, and
you wander away home, safe in the knowledge that there is no wasted paper
and no leak of security information ...
... Of course, three seconds after your back is turned, the cashier can
still go ahead and press the button anyway, and then /they/ can have your
receipt. With the expiry date on it. And the last four digits of the card
number. And the name of the card issuer, which allows you to narrow the
first four digits down to maybe three or four possible combinations. OK,
10^8 still aint easy, but it's a lot easier than what we started with.
The risk could perhaps be fixed with an interlock which makes it
impossible to print the receipt out after the card has been withdrawn from
the reader, but I think the better solution would still be for the receipt
to be printed out every single time and the staff trained in the importance
of not letting customers leave without taking their receipts with them.
cheers,
DaveK
--
Can't think of a witty .sigline today....
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list