Anders Rundgren
2014-05-04 06:11:13 UTC
Sort of linked to the "eternal" HTTPS Client Cert Authentication UI issues, I would like to highlight
a related problem which is much bigger, and that is the fact that we, after 20 years with the web,
still mainly use unauthenticated card numbers + "passwords" (CCV) printed in clear on
credit cards for authorizing web payments, AKA "Card Not Present" transactions.
Just about every month there are reports on massive break-ins in servers which would be
fairly useless if there were a useful authentication scheme involved. In fact, even the "secure"
EMV cards used in the EU and Asia are exactly as susceptible to these attacks as their
non-secure US counterparts, since the lowest common denominator (the web) must be supported.
Obviously the entire authentication space is in a poor condition compared to the rest of the web.