Re: Don't Let Data Theft Happen to You

>> When paying with a credit card, the server brings a small wireless
>> terminal directly to the table. It looks just like a compact adding
>> machine, with a paper roll on the back, but with a card slot on the
>> front, where you insert your card. If it's a debit card, you key your
>> PIN on the keypad. The receipts are printed right from the same
>> device, and the card never leaves your possession.
>> If devices like this were used in the states, you could presumably
>> also use the keypad to add a tip amount to the check. (In France,
>> where service is included, tips are a rarity, and when offered at all
>> are invariably in cash.)

> I would worry about the security of the wireless connection.

One would hope that such devices *could not operate* unless there was a secure connection.

I have more fundamental concerns: what would prevent the creation of a validation device that was completely functional but managed to copy and transmit the credit card information? What would keep an unscrupulous restaurant manager or waiter from substituting such a device? For that matter, what would keep an unscrupulous customer from swapping a trojan horse wireless validator widget while the waiter wasn't looking?

AFAICT, any system which counts on the secrecy of a number is simply problematic today. Challenge/response systems are the only way to go:

  1. The vendor sends the details of the transaction: your credit card number (which is no longer sacrosanct), the vendor's account number, and the amount of the transaction. Optionally, there could be a customer-supplied number shipped up for the customer's own tracking of transactions. These are sent to a centralized validation authority.
  2. The validation authority issues a challenge code for this transaction.
  3. The customer enters the code in their personal validation card which generates the response code. The customer manually enters the validation code; the vendor relays the validation code to the centralized authority and the transaction is validated.

The personal validation card would be protected with a PIN and biometrics.

AFAICT, having such a system would eliminate a massive amount of fraud. Besides using the card for validating transactions, any alteration of my credit information: applying for a new "credit card", change of address, etc. would require exactly the same validation.

Jim Rusling


Phil Earnhardt
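
The three-step exchange described in the post, sketched as an added example that is not part of the original post. It assumes the response code is a truncated HMAC-SHA256 of the challenge under a per-card secret shared with the validation authority; the post names no algorithm, and every class, function and sample value here is hypothetical.

```python
import hashlib
import hmac
import secrets


def response_code(card_key: bytes, challenge: str) -> str:
    """What the personal validation card computes (assumed: truncated HMAC)."""
    digest = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class ValidationAuthority:
    """Hypothetical central authority holding one secret per enrolled card."""

    def __init__(self):
        self._card_keys = {}  # card number -> secret also stored in the card
        self._pending = {}    # challenge -> transaction it was issued for

    def enroll(self, card_number: str) -> bytes:
        key = secrets.token_bytes(32)
        self._card_keys[card_number] = key
        return key  # provisioned into the customer's validation card

    def begin(self, card_number: str, vendor_account: str, amount_cents: int) -> str:
        # Steps 1-2: record the vendor's transaction details, issue a challenge.
        challenge = f"{secrets.randbelow(10**8):08d}"
        while challenge in self._pending:
            challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = (card_number, vendor_account, amount_cents)
        return challenge

    def validate(self, challenge: str, response: str) -> bool:
        # Step 3: pop() makes each challenge single-use, so a relayed or
        # recorded response cannot approve a second transaction, and a
        # wrong guess burns the challenge.
        txn = self._pending.pop(challenge, None)
        if txn is None:
            return False
        key = self._card_keys.get(txn[0])
        if key is None:
            return False
        return hmac.compare_digest(response_code(key, challenge), response)


if __name__ == "__main__":
    authority = ValidationAuthority()
    card_key = authority.enroll("0000-CONSTRUCTED-CARD")  # constructed value
    challenge = authority.begin("0000-CONSTRUCTED-CARD", "VENDOR-1", 4250)
    response = response_code(card_key, challenge)
    print("first use:", authority.validate(challenge, response))
    print("replay:   ", authority.validate(challenge, response))
```

A terminal that copies the card number, the challenge and the response learns nothing reusable: the next transaction gets a fresh challenge, and the per-card secret never leaves the validation card.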