I like way Kiwibank handle authentication. You set three answers to three questions then they ask for a couple of letters from part of one of the answers each time you want to log in.
This would be an excellent solution for the credit card companies.
1080p: I heard all the CC data was encrypted with AES256, still...
the earth will be swallowed by the sun before they crack it.
It all depends on how strong the keys are. If they had a credit card in here so that they can tell exactly what the output should be then it should be reasonably easy to just run a brute force against that one key. That said there is still the other implications of this: virtually every bodies identity has been stolen here.
Sony's credit card data was also encrypted, however Sony a used device based root key which was of course leaked/discovered/known before the main hack.
codyc1515: It is in fact two-factor in most cases, you have 1) the card and 2) the pin or 3) the CVC. To combat the real problem what we need is to have the CVC be dynamic rather than static, like, the CVC could be a screen on the card just like the bank tokens and the CVC would only be valid once.
Wouldn't work. Technically, the CVC is not actually required to process a transaction - the only requirement is that if it is provided, it must be correct. You don't see this buying from most NZ merchants as all the NZ processors require it, but overseas processors (especially the ones that specialise in "high risk") do not necessarily. So your solution, though a good start, still wouldn't work.
SaltyNZ: There is, and most NZ retailers are picking it up over the next 12 months or so. Basically, whenever the card issuers detect an unusual transaction online they will redirect you to a secondary authentication/verification page to do further checking before allowing you to continue. If the purchase is within your normal patterns, it stays out of the way. But as soon as a red flag is raised, it kicks in.
National Bank are great; I bought some clothes for the kids in San Francisco while I was there. Within 30s of the transaction, they called me and asked me if I was overseas, where I was, and what I had just bought. Having verified the transaction was legit, they asked how long I expected to stay, and the security system was pacified for a week. It was outstanding.
Ah, Verified by Visa and MasterCard SecureCode. They're great for merchants as any transaction where VbV or MSC was performed grants immunity from "unauthorised charge" reversals (basically making the issuing bank liable). Unfortunately only one bank in NZ actually issues cards with VbV or MSC enabled. Slack.
Kyanar: Wouldn't work. Technically, the CVC is not actually required to process a transaction - the only requirement is that if it is provided, it must be correct. You don't see this buying from most NZ merchants as all the NZ processors require it, but overseas processors (especially the ones that specialise in "high risk") do not necessarily. So your solution, though a good start, still wouldn't work.
Whoa. You're right. I'd never even thought of that. Some online payment processing forms don't even ask for the CVC. Although, those are the ones that usually are asking for billing address details. But that's another point. When billing address details are actually required, do those details get validated to the nth degree before allowing the transaction to go through?
So, really, the only option is to make the CVC mandatory for a start (i.e. for non-card-present transactions, as they should all require a PIN anyway), and then develop an always changing CVC code system.
Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly
to your computer or smartphone by using a feed reader.
Trusted
ID Verified
