My article about Bitcoin security and brick-and-mortar payments, which was published last Sunday by VentureBeat, received 35 comments, 323 tweets, and was shared 458 times on Facebook. Obviously, Bitcoin security is a popular topic!
New card data breaches were discovered by RSA Security. Memory-scraping malware was used to steal card data from multiple merchants in the US and abroad. RSA researchers uncovered the server infrastructure used in a global Point-of-Sale (PoS) malware operation responsible for the electronic theft of payment card and personal data from several dozen retailers, mostly based in the U.S. Infection activity has also been detected in 10 other countries, including Russia, Canada and Australia. While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and track 2 data of payment cards it had scraped from infected PoS systems.

Amazon is reportedly going to enter the brick-and-mortar business by providing a mobile checkout solution and competing with Square and PayPal. The system will allegedly include supplying retailers with Kindle tablets and credit card readers.

VentureBeat just published my article about Bitcoin security: “Bitcoin payments will face big challenges heading to brick-and-mortar (but it’ll get there)”. I discuss the problematic areas of Bitcoin system design which large retailers must take into account if they decide to accept Bitcoin payments.

There are multiple messages about a possible card data breach at Michaels Stores Inc. It would be interesting to know whether it is a RAM scraper again or whether they have invented something else for a change. Besides the POS memory, there are at least 3 additional major areas (and many "sub-areas") of payment application vulnerabilities that can be easily exploited, even if the system is PCI compliant.

There are interesting relationships between traditional and emerging payment technologies. The online marketplace for counterfeit credit cards has been accepting Bitcoin as a payment method. Some people think this is because Bitcoin is anonymous. I would say this is because Bitcoin is secure - at least, more secure than the originals of the products offered on this website. At one time the website accepted the Liberty Reserve online currency, but shortly after federal charges against Liberty Reserve were made public in the Southern District of New York in May 2013, the fakeplastic website stopped accepting that currency and began accepting Bitcoin, a cryptography-based digital currency. As set forth in the site’s “news” section, Bitcoin was viewed as a “safe” and “anonymous” method of payment for contraband. The site is still up and running. Don't waste your time if you want to spend your Bitcoins on this website: the registration is by invitation (from the FBI?) only.

The Target breach affected Canadian customers as well, although Canadian Target stores are equipped with different point-of-sale (Retalix 10) and payment (Retalix Connected Payments) software supplied by Retalix (now NCR). Probably, they did not manage (or did not bother) to secure the PII (Personally Identifiable Information) as they were focused on the security of payment data. Note that the PCI data security standards do not contain any requirements to protect PII. In addition to the POS/payment software being different from the US stores, take into account that magnetic stripe payment cards, which were the target during the Target attack, became a rarity in Canada after the EMV migration.

Litecoin miners and owners, welcome to the club! Litecoin users have joined the real hacking world, which has been the day-to-day reality of traditional card payments for a very long time. As the value and market capitalization of altcoins such as Litecoin grow, they become a desirable target for hackers, just as the card payment system and the Bitcoin network are. Here is what actually happened. Give Me Coins (give-me-coins.com) is one of the largest Litecoin mining pools (about 14% of the Litecoin network). The LTC Payment Address parameter in the pool's user account settings was reset by hackers. The parameter defines the user wallet's address to which the accumulated earnings from mining are sent. The earnings were withdrawn from some accounts. The pool operators stated that they temporarily disabled all payouts, and that the pool will compensate for any stolen Litecoins.

I don't think the palm scanner as an authentication method will make it into the mainstream of retail payments, at least not in the US. It is bulky and, most importantly, requires significant physical interaction with the device, which customers try to avoid. I believe the future belongs to personal, contactless payment devices and gadgets, such as smartphones and smart cards equipped with biometric sensors, which would allow buyers to interact with the merchant's payment system without physical contact.