  Reply # 544567 12-Nov-2011 13:08

I like the way Kiwibank handle authentication. You set three answers to three questions then they ask for a couple of letters from part of one of the answers each time you want to log in.

This would be an excellent solution for the credit card companies.

  Reply # 544604 12-Nov-2011 15:44

Unlike Sony, all sensitive details were hashed/salted/encrypted, so while it's bad it's nowhere near as bad.

Still annoying.


  Reply # 544629 12-Nov-2011 16:58

I heard all the CC data was encrypted with AES256, still...

  Reply # 544632 12-Nov-2011 17:02

1080p: I heard all the CC data was encrypted with AES256, still...

  Reply # 544633 12-Nov-2011 17:02

1080p: I heard all the CC data was encrypted with AES256, still...


the earth will be swallowed by the sun before they crack it.

  Reply # 544634 12-Nov-2011 17:04

throbb:
1080p: I heard all the CC data was encrypted with AES256, still...


the earth will be swallowed by the sun before they crack it.

It all depends on how strong the keys are. If they had a credit card in here so that they can tell exactly what the output should be then it should be reasonably easy to just run a brute force against that one key. That said, there are still the other implications of this: virtually everybody's identity has been stolen here.

  Reply # 544637 12-Nov-2011 17:06

Sony's credit card data was also encrypted, however Sony used a device-based root key which was of course leaked/discovered/known before the main hack.

  Reply # 545276 14-Nov-2011 17:17

codyc1515: 
It is in fact two-factor in most cases, you have 1) the card and 2) the pin or 3) the CVC. To combat the real problem what we need is to have the CVC be dynamic rather than static, like, the CVC could be a screen on the card just like the bank tokens and the CVC would only be valid once.

Wouldn't work.  Technically, the CVC is not actually required to process a transaction - the only requirement is that if it is provided, it must be correct.  You don't see this buying from most NZ merchants as all the NZ processors require it, but overseas processors (especially the ones that specialise in "high risk") do not necessarily.  So your solution, though a good start, still wouldn't work.

SaltyNZ: 
There is, and most NZ retailers are picking it up over the next 12 months or so. Basically, whenever the card issuers detect an unusual transaction online they will redirect you to a secondary authentication/verification page to do further checking before allowing you to continue. If the purchase is within your normal patterns, it stays out of the way. But as soon as a red flag is raised, it kicks in.

National Bank are great; I bought some clothes for the kids in San Francisco while I was there. Within 30s of the transaction, they called me and asked me if I was overseas, where I was, and what I had just bought. Having verified the transaction was legit, they asked how long I expected to stay, and the security system was pacified for a week. It was outstanding.


Ah, Verified by Visa and MasterCard SecureCode.  They're great for merchants as any transaction where VbV or MSC was performed grants immunity from "unauthorised charge" reversals (basically making the issuing bank liable).  Unfortunately only one bank in NZ actually issues cards with VbV or MSC enabled.  Slack.

  Reply # 545290 14-Nov-2011 17:55

Kyanar:
Wouldn't work.  Technically, the CVC is not actually required to process a transaction - the only requirement is that if it is provided, it must be correct.  You don't see this buying from most NZ merchants as all the NZ processors require it, but overseas processors (especially the ones that specialise in "high risk") do not necessarily.  So your solution, though a good start, still wouldn't work.

Whoa. You're right. I'd never even thought of that. Some online payment processing forms don't even ask for the CVC. Although, those are the ones that usually are asking for billing address details.
But that's another point. When billing address details are actually required, do those details get validated to the nth degree before allowing the transaction to go through?

So, really, the only option is to make the CVC mandatory for a start (i.e. for non-card-present transactions, as they should all require a PIN anyway), and then develop an always changing CVC code system.
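
Added example, not part of any post in this thread: a sketch of the single-use CVC idea discussed above, combined with Kyanar's point that the check only helps if a missing CVC is declined. It assumes an HOTP-style (RFC 4226) code truncated to three digits; the `Issuer` class, its window size and the sample key (the RFC 4226 test key) are illustrative assumptions, not any card scheme's actual design.

```python
import hashlib
import hmac
import struct

KEY = b"12345678901234567890"  # RFC 4226 test key, used here as sample data


def dynamic_cvc(card_key: bytes, counter: int) -> str:
    """3-digit code via HOTP (RFC 4226) dynamic truncation."""
    mac = hmac.new(card_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1000:03d}"


class Issuer:
    """Hypothetical issuer-side check for card-not-present payments."""

    def __init__(self, card_key: bytes, window: int = 3):
        self.card_key = card_key
        self.next_counter = 0  # lowest counter value still acceptable
        self.window = window   # tolerates codes shown on the card but never used

    def authorise(self, cvc):
        # Mandatory: an omitted CVC is a decline, not a skipped check.
        if cvc is None:
            return "declined: CVC missing"
        for c in range(self.next_counter, self.next_counter + self.window):
            expected = dynamic_cvc(self.card_key, c)
            if hmac.compare_digest(expected.encode(), cvc.encode()):
                # Burn this code and every earlier one so it cannot be replayed.
                self.next_counter = c + 1
                return "approved"
        return "declined: CVC wrong or already used"


if __name__ == "__main__":
    issuer = Issuer(KEY)
    for attempt in (None, "224", "224", "152", "082"):
        print(attempt, "->", issuer.authorise(attempt))
```

With only 1000 possible codes, a scheme like this would also need a limit on failed attempts per card.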
