Wednesday, December 30, 2009

Protecting Consumers by Solving Credit Card Theft

Over the past month or so, I have spent a lot of time thinking about the various weak points in the consumer privacy and protection space. Everything from the risks of smart phones, to the increasing risks of social networking, to the never-ending problem of credit card theft.

The problem that seems so easy to solve, and the one that would have the biggest benefit not only to consumers but to financial institutions, is credit card theft. When we look at this problem deep down, it is very simple. You use your credit card somewhere, and either the clerk or server makes a copy of your account number and CVV code (the 3-digit code on the back of the card), or the system processing the card stores that information and is later compromised through various malicious attack vectors. Once this account number and CVV is in the hands of someone else, it can be freely used and abused, and/or sold to be used and abused by someone else.

The simple solution to this problem is to marry the token code technology that has been providing trusted multi-factor authentication for years into the credit card. Meaning that your credit card would look very similar to RSA's SecurID 900 series token cards, as seen here.

Token code technology provides a changing one-time-use number (called a token code) that is good for 60 seconds and then changes to a new number that is in turn good for 60 seconds. So in the event that someone did steal your credit card number and CVV code, and wrote down the current token value being displayed on the card, they would have to use it within 60 seconds and would only be allowed to use it once. After the 60 seconds were up, the token code would not work. This would prevent all credit card number theft and would limit credit card issues to physical theft of the actual card itself.

The token code verification process would work very similarly to the way credit card companies will sometimes ask you to enter your zip code during a transaction to verify that you are the owner of the card. But the token code cannot be stolen and reused. It cannot be socially engineered. A cyber-criminal would have to physically have possession of the card to use it.

Given that token codes can only be used once and are only good for 60 seconds, this greatly reduces if not eliminates the risk to consumers and financial institutions; however, it does introduce two very solvable drawbacks:

1) You would need to replace all existing cards with token cards, which are not cheap. However, it could be argued that financial institutions spend far more than the cost of the tokens in dealing with fraud each year. Financial institutions could also offer this as a service to consumers and say that for a $10.00 one-time fee, we will give you a card whose number you do not have to worry about being stolen.

2) What do you do with quick-pay on-line sites like and automatic bill pay sites that allow consumers to store their card on file for quick and easy checkout? To solve this problem there would be an authentication process that would require the consumer to log in to their credit card company's web site and authorize an existing successful token-based transaction to be repeatable and tokenless. Therefore you would need to have one successful token-based purchase in order to set this up, which would guarantee that you were in possession of the card during the first transaction. You could then further set restrictions on how many tokenless transactions from a specific web site or company could be made per period of time, or how large a dollar value could be charged tokenless per period of time.
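The two mechanisms described above, the 60-second single-use token code and the tokenless grant that can only be set up after one successful token purchase, are shown below as an issuer-side simulation. This is an added example, not code from the original post or from RSA; the post does not specify the card's algorithm, so an RFC 6238-style HMAC-SHA1 time-step code (the same construction used by common authenticator apps) stands in for what the card would display. The `Issuer`, `CardAccount` and `TokenlessGrant` names, the secret, the account number and the timestamps are all constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

STEP_SECONDS = 60  # validity window of one token code, as in the post


def token_code(secret: bytes, now: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based one-time code in the style of RFC 6238 (TOTP).

    Assumption: the post does not name the card's algorithm, so a standard
    HMAC-SHA1 time-step construction stands in for the card's display.
    """
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


@dataclass
class TokenlessGrant:
    """Limits the cardholder set for repeat, token-free charges from one merchant."""
    max_transactions: int
    max_amount: float
    period_seconds: int
    history: list = field(default_factory=list)  # (timestamp, amount) of tokenless charges


@dataclass
class CardAccount:
    secret: bytes
    used_steps: set = field(default_factory=set)       # time steps already spent (single use)
    token_merchants: set = field(default_factory=set)  # merchants with a successful token purchase
    grants: dict = field(default_factory=dict)         # merchant id -> TokenlessGrant


class Issuer:
    """Hypothetical card issuer holding each card's secret and transaction state."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, pan: str, secret: bytes) -> None:
        self.accounts[pan] = CardAccount(secret)

    def authorize_token_transaction(self, pan: str, code: str, merchant: str,
                                    amount: float, now: int) -> bool:
        acct = self.accounts[pan]
        step = now // STEP_SECONDS
        if step in acct.used_steps:
            return False  # the code for this window was already spent: a replay
        if not hmac.compare_digest(code, token_code(acct.secret, now)):
            return False  # wrong code, or a code from an earlier window
        acct.used_steps.add(step)  # a real issuer would prune steps older than the window
        acct.token_merchants.add(merchant)
        return True

    def register_tokenless(self, pan: str, merchant: str, max_transactions: int,
                           max_amount: float, period_seconds: int) -> bool:
        acct = self.accounts[pan]
        if merchant not in acct.token_merchants:
            return False  # no prior token-verified purchase, so possession was never proven
        acct.grants[merchant] = TokenlessGrant(max_transactions, max_amount, period_seconds)
        return True

    def authorize_tokenless(self, pan: str, merchant: str, amount: float, now: int) -> bool:
        acct = self.accounts[pan]
        grant = acct.grants.get(merchant)
        if grant is None:
            return False  # merchant was never authorized for token-free charges
        window_start = now - grant.period_seconds
        recent = [(t, a) for t, a in grant.history if t > window_start]
        if len(recent) >= grant.max_transactions:
            return False  # per-period transaction count exhausted
        if sum(a for _, a in recent) + amount > grant.max_amount:
            return False  # per-period dollar limit would be exceeded
        grant.history.append((now, amount))
        return True


if __name__ == "__main__":
    issuer = Issuer()
    pan, secret = "4111-0000-constructed", b"constructed-card-secret"
    issuer.enroll(pan, secret)
    t = 1_262_217_600  # constructed timestamp (2009-12-31 00:00 UTC)
    code = token_code(secret, t)
    print("first use:", issuer.authorize_token_transaction(pan, code, "shop-a", 49.99, t))
    print("replay 30s later:", issuer.authorize_token_transaction(pan, code, "shop-a", 49.99, t + 30))
    print("same code after window:", issuer.authorize_token_transaction(pan, code, "shop-a", 49.99, t + 60))
```

The replay check is keyed on the time step rather than on the code value, so an attacker who copies the displayed number gets at most the one use the post describes, and only if the legitimate holder has not already spent that window. Real token deployments accept a small clock-drift window (one or two adjacent steps); this example applies the post's strict single-window rule.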

If credit card companies made this very simple change, it would greatly reduce or eliminate all of the issues with credit card number theft. This could save financial institutions an enormous amount of money each year in dealing with fraud and would increase consumer confidence in the protection of their credit card information.

Thursday, October 1, 2009

A place to start

For the past couple of years I have toyed with the idea of starting a blog where I could illustrate and talk about things that are of interest to me and discuss some of the research I do on a daily basis, however, to this date I have been reluctant to start one. Posting routinely to a blog, like posting to any other form of social network site, carries a high value in my risk matrix. But more on my views of social networking and mass transparent communication at a later time.

While this blog will not be entirely devoted to technical and security related posts, as the first post will illustrate, I do plan on spending a lot of time discussing my day-to-day research and the risks that we face from an on-line world. For those that have attended or heard one of my presentations at a security or trade show conference, a lot of what I talk about here will be the details behind what I talk about in class.

With that said, I have been wondering how best to start this blog. After a week or so of thought and the experience I had last night at dinner, I find it fitting that I should start this blog talking about food. For those that know me personally, I can hear you laughing as it must seem to you that all I do is talk about food.

The other day an associate of mine had taken me to Anthony's at Point Defiance (near Tacoma, WA) for lunch, and the atmosphere, the views, and most importantly the food were wonderful.

Typically I need to visit a restaurant ten times before I will rate it and/or recommend it, but after eating lunch I went ahead and added Anthony's to my Google map of places to eat. Lunch was that good. For the curious, I had a halibut dish that was grilled and covered in a white sauce. (Their on-line menus are "samples" and do not list the item I had.) Next time I go back I will make exact note of what I had ordered.

My general process and criteria for rating a restaurant are: I look for deviations in quality among the various items on the menu; I look for consistency of a single item across multiple visits; the atmosphere and cleanliness of the facility are important; and lastly, the overall experience as it relates to the staff and the presentation of the food helps me decide, one, if I will go back, and two, if I will recommend it to friends.

So given my experience with lunch, I was really excited to go back and try something else on the menu. So I asked my GPS device where the nearest Anthony's was to my hotel and went there for dinner the following night. My two big tests for seafood restaurants are: 1) can they actually make good fish-n-chips, and 2) are their desserts complements to the subtleties of the fish, or do they overpower them?

I arrived at Anthony's HomePort Des Moines around 8:00 PM and very hungry, never a good sign for me at a fully unverified restaurant, but I had high hopes that my lunch at Anthony's was not a fluke. For starters, finding this particular restaurant was very difficult; the signage and lighting were very poor. And once inside, you have to walk up stairs to find the restaurant. The restaurant you walk into on the ground floor is not Anthony's, which makes things very confusing. The hostess that greeted me was nice, though you could tell she was having a really bad day or had brought her woes from home with her to work. The restaurant was nice, and though I could barely see out the wall of windows due to the darkness of the night, it was obvious that in the daylight the views would be wonderful.

I ordered Fish-n-Chips, and from here things went downhill. My dinner came and I began to eat, and much to my frustration the Alaskan Cod was awful. The fish smelled fishy (which I have learned means the fish is not fresh), which does not make sense when the restaurant claims fresh fish and sits on the Puget Sound. The breading on the fish was excessively oily and sticky, which is also not a good sign. The fries were okay, but my stomach was revolting and I was only able to eat about half of my dinner.

When the server came to clear the table I asked for a dessert menu, something I usually do not do till about the fifth visit, but I was hoping for something to remove the taste and fill my stomach. When a restaurant offers a signature dish or a named dish, I usually start with that. This time I ordered their signature dessert, a Blackberry Cobbler. Wow, another disaster of a dish. The dessert comes in a medium-sized bowl with a hard crust layer and a massive amount of ice cream on top. Almost like they knew the dessert is not good, so they need to add extra ice cream to compensate. The crust tasted like cardboard and was a good ¼ inch thick. The cobbler was so thin it could have been blackberry soup. Definitely not a cobbler and not something I will ever have again.

So while my lunch at their Point Defiance location was wonderful, my dinner at their HomePort Des Moines location was awful. I will try and eat lunch there again before I head home; maybe I can verify whether things were really just a fluke on my first visit. But for now it is looking questionable whether or not they will get a positive rating.

The one thing that just baffles me is how a restaurant like this can mess up Fish-n-Chips. If you can make all of the great cream sauces for Halibut and Salmon dishes, how is it that you cannot make a good breading and cook it in hot enough oil so that it does not saturate the food and make it taste like you are eating lard? For the record, the best Fish-n-Chips, in my opinion, is at Trolls up in British Columbia, Canada, at Horseshoe Bay, and the second best place for Fish-n-Chips is at a brew pub in a suburb of Salt Lake, Utah, called Hoppers.