Saturday, January 10, 2009

A good idea, badly done

According to a Computerworld article, "Starting Jan. 1, Visa Inc. is requiring all new fuel-dispensing machines being installed at gas stations around the U.S. to support the Triple Data Encryption Standard, a mandate that is designed to make it harder for identity thieves to steal debit card data from gas pumps by shielding the personal identification numbers (PIN) of customers."

While using strong encryption (such as 3DES) is a good idea, it's too bad that's the focus: breaking the encryption is not a very effective way to steal credit card numbers. Any one of a hundred other methods is far easier: breaking into the server where the credit card numbers are stored, installing a "skimmer" to read the credit card at the gas pump, hacking the software, etc.

Seems to me that Visa needs a better risk assessment methodology...

