Thursday, November 19, 2009

MasterCard's Mobile Chip and PIN Displays

Here is a snippet from an article published in Evan Schuman's StorefrontBacktalk. The piece discusses how MasterCard is trying to authenticate card-not-present transactions via mobile devices with "single-use passwords" or "one-time passwords", which have already been found to be vulnerable to real-time keyloggers. Here are a couple of paragraphs and some more information on real-time keylogging...

“This is interesting in that it’s the first public announcement I’ve seen, at least from a major player, to leverage the mobile phone to secure a card-based transaction,” said payments expert Todd Ablowitz, president of Double Diamond Group. “Of course, the question, as always, is about adoption. Can MasterCard and the other players looking to secure card-not-present (CNP) transactions get merchant and consumer adoption? How long will it take? No doubt there is a high level of fraud in CNP transactions, especially as related to card-present transactions, but will this be the solution? It remains to be seen. In the payments industry, that can take a long time to play out.”

MasterCard is offering two types of the new mobile Chip Authentication Program (CAP), an SMS version and a downloadable app for smartphones. Both options present single-use passwords in a fashion similar to the home-based card readers usually supplied to consumers by banks to authenticate card-not-present transactions.

(Editor's Note: those one-time passwords have been proven to be susceptible to real-time keylogging programs. One step forward, two steps back...) See: Real Time Keylogging Makes OTP Log-In Obsolete

Continue Reading at StorefrontBacktalk.com

More on Real-Time Keylogging:

The NY Times had a story and a blog backgrounder focusing on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. The capability came to light in a court filing (PDF) by Project Honey Pot against "John Doe" thieves. The case was filed in order to compel the banks — which are almost as secretive as the cyber-crooks — to reveal information such as IP addresses that could lead back to the miscreants. Or at least allow victims to be notified.

Real-time keyloggers were first discovered in the wild last year, but the court filing and the Times article should bring new attention to the threat. The technique menaces the 2-factor authentication that some banks have instituted:

"By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA's SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula. If [your] computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can't see."
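The relay the Times describes can be made concrete with a small verifier-side model, added here as an illustration; it is not code from the article, MasterCard or RSA. It uses RFC 4226-style HMAC truncation with a constructed seed and a one-minute step: a code that encodes only the time window is accepted as long as it reaches the bank within the same minute, whereas a code that also covers the amount and payee (transaction signing) stops verifying the moment the payee differs from what the customer approved. The seed, the 60-second step and the transaction fields are assumptions for the demo.

```python
import hashlib
import hmac
import struct

SEED = b"demo-seed-not-a-real-token"  # constructed demo seed, never a real token's
STEP_SECONDS = 60  # the article's "changes every minute"

def otp(seed: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 with RFC 4226 dynamic truncation, reduced to `digits` decimal digits."""
    mac = hmac.new(seed, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def time_step(now: int) -> bytes:
    """The only input to a plain time-based code: the current one-minute window."""
    return struct.pack(">Q", now // STEP_SECONDS)

def login_code(seed: bytes, now: int) -> str:
    return otp(seed, time_step(now))

def verify_login(seed: bytes, now: int, code: str) -> bool:
    """A login OTP verifier only checks that the code matches the current minute."""
    return hmac.compare_digest(login_code(seed, now), code)

def txn_code(seed: bytes, now: int, amount_cents: int, payee: str) -> str:
    """Transaction-bound code: minute, amount and payee all feed the MAC (assumed layout)."""
    return otp(seed, time_step(now) + struct.pack(">Q", amount_cents) + payee.encode())

def verify_txn(seed: bytes, now: int, amount_cents: int, payee: str, code: str) -> bool:
    """The verifier recomputes the code from the transaction it is actually asked to approve."""
    return hmac.compare_digest(txn_code(seed, now, amount_cents, payee), code)

def relay_outcome(seed: bytes, typed_at: int, relayed_at: int, payee: str, other_payee: str) -> tuple:
    """Model: the customer enters a code at `typed_at`; the bank sees it at `relayed_at`.
    Returns (login_code_accepted, genuine_txn_accepted, redirected_txn_accepted)."""
    login_ok = verify_login(seed, relayed_at, login_code(seed, typed_at))
    signed = txn_code(seed, typed_at, 5000, payee)  # customer approved 50.00 to `payee`
    genuine_ok = verify_txn(seed, relayed_at, 5000, payee, signed)
    redirected_ok = verify_txn(seed, relayed_at, 5000, other_payee, signed)
    return login_ok, genuine_ok, redirected_ok

if __name__ == "__main__":
    # 1_000_000 and 1_000_010 share window 16666; 1_000_030 is the next minute.
    print(relay_outcome(SEED, 1_000_000, 1_000_010, "utility-co", "other-payee"))  # (True, True, False)
    print(relay_outcome(SEED, 1_000_000, 1_000_030, "utility-co", "other-payee"))  # (False, False, False)
```

The first tuple is the article's point: within the minute, the plain code is as good to the relaying party as to the customer, while the transaction-bound code only approves the payment the customer actually saw.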

2 Comments | Read MasterCard Goes Mobile With Chip-And-PIN Displays

  1. Tom Mahoney Says:

    Just what we all need, another big security hole for the bad guys to get into.

  2. Mike Lyons Says:

    I concur Mr. Mahoney. Any safeguards in place to prevent money laundering through virtual bank accounts and unlicensed money remitters?
