Sony has shut down its PlayStation Network after admitting an intrusion that puts at risk the data of 77 million users, including names, addresses, birthdates, passwords and credit card numbers: in fact, just about everything a hacker might need to rob you financially. What is the point of Chip & PIN if this sort of information can be obtained and misused online?
Surely, we are reaching some threshold on internet payments where consumers are going to revolt. It is totally unacceptable that the personal data and credit card details of 77 million people can be exposed.
Historically, this is not the biggest exposure; that distinction goes to Heartland Payment Systems, which gave up over 130 million debit and credit card numbers in 2008/2009.
In theory, you might argue that it shouldn't matter if somebody knows your credit card number; what really matters is that they shouldn't be able to use it. In other words, nobody should be able to make a payment just by providing somebody's credit card number. That is the simplicity of the argument: the consumer must be involved in every transaction, with varying degrees of assurance and, in the extreme case, by the use of Chip and PIN.
As a consumer, I don't believe it is acceptable that I have to trust every merchant to handle my credit card information securely, and clearly they don't, as the Sony case shows. I would go even further and suggest that it is not economically viable to build a foolproof secure system to manage sensitive data through an intermediary; the only way is end-point security, and then of course you do have to trust the end point. However, depending on the organisation involved (typically the bank that manages your account), the odds are more in your favour.
So if we have to have intermediaries such as merchants, then it's back to some form of authentication, just like Chip and PIN, and it shouldn't be possible to go around it. That is why the title of this article suggests that Chip & PIN has been broken by Sony's lax security attitude.
The question then becomes: how do we pay on the internet? Clearly, user name (or email address) and password don't hold up as a forward-thinking strategy (PayPal, are you listening?). Dynamic passwords, or One Time Passwords (OTPs), are a step forward, but they can be painful to manage. Devices such as the RSA SecurID token seem great, but in March this year RSA was obliged to report that its system had been breached and that sensitive data may have been discovered.
The banks have been promoting the Chip Authentication Program (CAP), which uses authentication/signature widgets (i.e. calculator-sized devices) that can authenticate a transaction using your EMV payment card. The Security team at Cambridge University have pointed out some vulnerabilities that are possible with the implementation of such an approach, but their main point is that consumers find this widget inconvenient to use (with which I agree) and that they would prefer some reader attached to the PC. And then, the researchers point out, you have reached hackers' paradise: the land where everything can be modified without you knowing until it is too late.
Others dismiss this PC approach as suicide and explain that what you really need to use is your phone with some suitable software application. Now, I don't know what newspaper they are reading, but they seem totally unaware that the modern smartphone is no more secure than a PC. In fact, I would go further: I think that the current state of mobile phone operating systems is probably less secure than the PC.
The reality is that, at the end of the day, you need some trusted hardware object that contains a secret that can be proven without revealing the secret; a bit of clever cryptography can do this. You can then be assured, at least, that this object was involved in the transaction. So, in short, you need a secure element in the phone. NFC, I hear you say; well, unfortunately most phones seem to be relying on the SIM for the secure chip. However, help is at hand: secure MicroSD cards are now becoming available, which can indeed provide a shared security object, but I suspect we are going to hear more horror stories before it starts to catch on.
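The idea of proving that a hardware-held secret took part in a transaction, without ever sending the secret, can be sketched as a keyed challenge-response. This is an added example, not part of the original article: the class names, the transaction string and the choice of HMAC-SHA256 with a key shared between the secure element and the issuer are assumptions for illustration, not the CAP or EMV algorithms.

```python
import hashlib
import hmac
import secrets


class SecureElement:
    """Stand-in for the trusted hardware object: the key never leaves it."""

    def __init__(self, key: bytes):
        self.__key = key  # constructed demo key; real hardware keeps it non-exportable

    def respond(self, challenge: bytes, transaction: bytes) -> bytes:
        # Prove possession of the key over this challenge and this transaction.
        return hmac.new(self.__key, challenge + transaction, hashlib.sha256).digest()


class Issuer:
    """Stand-in for the bank, assumed to hold the same key for this card."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # fixed length, so challenge+transaction is unambiguous
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, transaction: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already-used challenge: treat as a replay
        self._pending.discard(challenge)  # each challenge is single use
        expected = hmac.new(self._key, challenge + transaction, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = secrets.token_bytes(32)
    card, bank = SecureElement(key), Issuer(key)
    txn = b"card=CONSTRUCTED-0000|amount=19.99|merchant=example-shop"  # constructed sample
    c1 = bank.new_challenge()
    r1 = card.respond(c1, txn)
    results = {"genuine": bank.verify(c1, txn, r1)}
    results["replayed"] = bank.verify(c1, txn, r1)  # same response presented twice
    c2 = bank.new_challenge()
    r2 = card.respond(c2, txn)
    results["tampered"] = bank.verify(c2, txn.replace(b"19.99", b"1999.00"), r2)
    # Card details alone, as exposed in a merchant breach, carry no key material.
    results["number_only"] = bank.verify(bank.new_challenge(), txn, hashlib.sha256(txn).digest())
    return results
```

Only the first case verifies: the replayed response, the altered amount and the attempt made with card details but no key are all rejected.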
Dr. David Everett, Smartcard & Identity News