
    November 04

    Dear Interweb: Incremental improvements to credit/debit card security?

    Many of us have fallen victim to credit/debit card fraud, either through operators illicitly collecting the numbers of the cards they handle (the little chips) or through crackers breaking into credit card databases.

    The question is: short of completely overhauling the system, is there any way security could be improved?

    My (preliminary) thoughts on the subject give the following:

    Pre-authentication
    For customers who opt in, require texting the transaction amount (optionally +/- a given amount) for the transaction (esp. above a certain amount) to be approved. Problem: SMS is not a secure medium. Using a smartphone, one could get around this (on the other hand, the proportion of customers covered will be much smaller), but given that data connectivity is not universal (esp. in the U.S. and Asia), we'd still be stuck with SMS.

    If we care only about authentication, the cleartext plus its PGP signature would fit inside 160 characters, but if one wants to encrypt the content as well, it's not possible.

    e.g. for the cleartext

    2009-10-06|11:30:07|12.34

    (the timestamp is required to prevent replay attacks. Yes, this is obviously not secure enough still, but the point is to illustrate the transmission size problem).

    Signed, the signature takes 104 bytes. Plus the 26 bytes of the message, and a nominal separator, we get 131 bytes, within the limits. But what if the message is to remain private too? Using GnuPG, I get a message size of 625 bytes. This could be split into multiple SMSes, but it's not convenient.
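
The size budget and replay check described above, as an added example that is not code from the original post. It swaps the PGP signature for a truncated HMAC-SHA256 tag under a key shared between the customer's device and the issuer (an assumption of this example), and the names `gsm7_septets`, `build_sms`, `verify_sms` and the five-minute window are hypothetical.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta
from decimal import Decimal

SMS_SEPTETS = 160                  # capacity of one GSM-7 SMS
GSM7_EXTENDED = set("^{}\\[~]|€")  # escape-table characters: two septets each
TAG_BYTES = 16                     # truncated HMAC-SHA256 tag (assumed length)
MAX_AGE = timedelta(minutes=5)     # freshness window (assumed)

def gsm7_septets(text):
    """Size of text on the wire; the post's '|' separator costs 2 septets."""
    return sum(2 if ch in GSM7_EXTENDED else 1 for ch in text)

def _tag(key, cleartext):
    mac = hmac.new(key, cleartext.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac[:TAG_BYTES]).decode()

def build_sms(key, when, amount):
    """Customer side: cleartext in the post's format, plus separator and tag."""
    cleartext = f"{when:%Y-%m-%d|%H:%M:%S}|{amount:.2f}"
    sms = f"{cleartext}|{_tag(key, cleartext)}"
    if gsm7_septets(sms) > SMS_SEPTETS:
        raise ValueError("does not fit in one SMS")
    return sms

def verify_sms(key, sms, now, charged, tolerance, seen):
    """Issuer side: returns (accepted, reason)."""
    cleartext, _, tag = sms.rpartition("|")
    # Authenticate first, so the fields are only parsed once they are trusted.
    if not hmac.compare_digest(tag.encode(), _tag(key, cleartext).encode()):
        return False, "bad tag"
    date, time, amount = cleartext.split("|")
    when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    if not timedelta(0) <= now - when <= MAX_AGE:
        return False, "stale"
    if cleartext in seen:          # same timestamp and amount already used
        return False, "replay"
    if abs(Decimal(amount) - charged) > tolerance:
        return False, "amount mismatch"
    seen.add(cleartext)
    return True, "ok"
```

The timestamp alone only bounds how long a captured message stays usable; the `seen` set is what rejects a replay inside that window.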

    Post-authentication
    Have the card issuer send an SMS *after* an authorisation request is received. We still have the transmission size problem above, but the issuer can choose to send less sensitive info, e.g. rather than the amount, send the merchant identifier. Still a privacy problem, and this will obviously not be popular on a busy check-out line. There is also the problem that to do it securely, you'd need a smartphone (to either decrypt the message, or verify the signature).

    Code
    There already are security mechanisms involving the CVV/CVC code. Make it involve a secret number instead, one that is settable by the customer.

    But above all...
    Raise the base level of authentication required! Some online merchants like Amazon still do not even verify the billing address (which is convenient, if one's card is issued in a country like Indonesia, where somehow address verification *never* works, but scary. Though, funnily, I haven't gotten any card misused on Amazon. I *did* have one stolen card used on iTunes, so Apple's authentication is obviously comparably weak).

    Any other idea I'm missing, or any problem with the three strategies above that I have not noticed, let me know (comment or trackback) and I'll update the post. Thanks!
