[17525] in cryptography@c2.net mail archive


Re: massive data theft at MasterCard processor

daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Jun 21 16:12:36 2005

X-Original-To: cryptography@metzdowd.com
Date: Tue, 21 Jun 2005 18:04:16 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: cryptography@metzdowd.com
In-Reply-To: <20050617225211.C08E33BFE96@berkshire.machshav.com>

Steven M. Bellovin wrote:
> MasterCard reported the exposure of up to 40,000,000 credit card 
> numbers at CardSystems Solutions, a third-party processor of credit 
> card data.  CardSystems was infected with a script that targeted 
> specific data.  In other words, this wasn't the usual carelessness, 
> this was enemy action, and of a sophisticated nature.  See
> http://www.mastercardinternational.com/cgi-bin/newsroom.cgi?id=1038 for 
> the official statement.
> 
> Designing a system that deflects this sort of attack is challenging.  
> The right answer is smart cards that can digitally sign transactions, 
> but that would require rolling out new readers to all the merchants.  

No, because then you have to trust the readers. The only way this can 
possibly work safely is to have a trusted device that does the crypto 
_and all UI_ in the same package. And it has to belong to the user, stay 
with the user at all times and be secure.

Cheers,

Ben.

-- 
 >>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
