Payment system security is hilariously bad


Apparently these protocols were originally designed to run over serial links, with being on a point-to-point-with-only-trusted-buddies ‘network’ counting as the security architecture (which can work, if your conduits are nice and hard and you don’t have malicious insiders); but the dark desire to keep using the legacy software while also reaping the savings of piggybacking on the new commodity network tech unfortunately didn’t inspire anyone to build a suitably bulletproof encapsulation mechanism to protect the legacy traffic.

Not much different than what you’d see if you tapped into a ModBus or DMX-512 network, except that people don’t usually tunnel those over god-knows-what awful network; and nobody can jack your bank account by messing with theater lighting.


Nobody will pay to build a vault until the bank gets robbed many, many times.

The surprising part is that nobody has thought to make security a selling point. Clearly, their marketing people explained that nobody cares about that. Right now, they may be right.



I’ve been out of the industry for 20 years now, but this was exactly correct then, and AFAIK it still is.


It’s not like it’s difficult to tunnel through the internet these days. It’s just like telnetting through an ssh tunnel, and ssh provides better security (IMHO) than using public key infrastructure.


One way to get it fixed is each time there is a breach, fine Visa, Mastercard, American Express and Discover for not securing data. If they lose enough money, they will then fix the issue in no time.


Hold bankers accountable? Great idea! Then we can end world hunger, or maybe reverse climate change.


Hey I can dream can’t I?


Like everything else, They Just Don’t Care. And they won’t care till it hits them to the tune of tens (or hundreds) of millions of dollars. Otherwise it’s easier and cheaper just to churn out shit. That applies to everything from mobile to cars to banks to utilities to whatever.


It is worth remembering that anything involving ‘security’ is almost never as easy as it looks (SSH-ing, for instance, almost uniformly refers to SSH-2, for a variety of good reasons involving the weakness of SSH-1; just as ‘SSL’ tends to actually mean ‘TLS versions greater than 1, because the older ones were broken’); but in general the point is sound.

The current situation is a security disaster; but it’s hard to blame whatever engineers were told ‘we need something simple and cheap to implement on limited hardware connected via trusted hard-lines’ for the fact that the protocol is a massacre when run insecurely over a commodity ethernet arrangement. The task of building a multi-vendor-compatible secure tunnelling mechanism is probably pretty nasty, possibly nastier than just re-doing the design for untrusted networks; but it seems unfair to blame the original designers. At almost any scale, some bus will be treated as ‘physically secure, efficiency is what matters’, and all sorts of security horrors will be perpetrated therein in the name of performance (in the case of PC compatibles, the most obvious example is things on the PCI bus that are allowed to DMA; that is basically the key to the kingdom; but it’s also a vital technique for saving CPU cycles and, barring Thunderbolt and similar, only affects cards physically inserted into the chassis, so isn’t a huge concern).

Naively using a protocol that depends on externally provided link-layer security is a pretty egregious sin; but it isn’t really the sin of the people who designed that protocol; there are circumstances where link-layer security is largely assured by physical means and anything on top of that is excess. The really ugly bit is the fact that the move from physically segregated serial lines to various flavors of network tunnelling did not include a suitably robust VPN-like implementation.


In the least, even before the Age of Raspi Boards, they could buy a cheapo router, flash it with OpenWRT, and run OpenVPN.

Fuck money, we get critical SCADA systems running unsecured.
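The sort of tunnel the comments above are asking for, as an added example that is not part of the thread or of any product it mentions: an OpenVPN site-to-site client config that an OpenWRT box in front of a legacy serial-over-IP terminal could run. Hostnames, IP ranges and file names are placeholders chosen for illustration; the directives themselves are standard OpenVPN 2.4+ options.

```conf
# Client side of a point-to-point OpenVPN tunnel carrying legacy
# cleartext payment/serial traffic. Assumed: the far end (the
# processor's gateway, placeholder name below) runs the matching
# server config and both sides have certificates from the same
# private CA. Nothing here is from the original post.

client
dev tun
proto udp
remote vpn-gateway.example.net 1194   # placeholder peer
nobind
persist-key
persist-tun

# Mutual certificate authentication. The legacy protocol inside the
# tunnel authenticates nobody, so the tunnel peers are the only
# identity check that exists; never fall back to password-only auth.
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/terminal-01.crt
key  /etc/openvpn/terminal-01.key
remote-cert-tls server      # refuse a peer cert that is not a server cert
verify-x509-name vpn-gateway.example.net name   # pin the peer's CN

# Reject downgraded TLS and weak ciphers; the legacy traffic offers
# no second layer of protection if the tunnel is negotiated weakly.
tls-version-min 1.2
tls-crypt /etc/openvpn/tc.key   # encrypt+authenticate the control channel
cipher AES-256-GCM
auth SHA256
ncp-disable                 # do not let the server negotiate a weaker cipher

# Only the legacy host on the LAN should reach the tunnel. Routes
# pushed by the server must not silently widen that.
route-nopull
route 10.200.0.0 255.255.255.0   # placeholder: processor side only
verb 3
```

Two things this buys and one it does not: it gives the serial-era protocol confidentiality and peer authentication it never had, and `route-nopull` keeps the tunnel from becoming a general path into the store network. What it does not do is authenticate anything above the tunnel; a compromised terminal on the inside still speaks the unauthenticated legacy protocol to the processor, so the firewall rules on the OpenWRT box (restricting which LAN MAC/IP may enter the tun interface) are part of the design, not an afterthought.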

Security is a selling point. All sorts of products are marketed as having that security stuff, after all.

The problem is that security is a legally meaningless term. All that is necessary to market your product’s security as a feature is to write down the words in your marketing literature.


Right. But the people doing the buying aren’t qualified to test oral pH, much less the security of a network or protocol. I’m sure the executives wherever you work would be very impressed when the PCI standards come out with a big bold sticker on the front saying “100% completely unhackable. Use this system or else”.

Security is a selling point, but the Payment Card Industry doesn’t lose any money if it lies in its marketing copy. Not much, that is.

Hell, the switchover to Chip and Pin in the US is going to make the PCI standards body rich as fuck, and the standards can also be fully backwards compatible, because they’re no more secure than the last set of standards, but use a “new” technology, so it must be better, right?


That’s what really scares me. If we can blow up very well-protected uranium enrichment centrifuges in Iran with just a tiny amount of social engineering, then imagine what can possibly happen to general infrastructure that isn’t under the microscope?

Fortunately, however, criminals have not yet taken advantage of these weaknesses.

Really? How could anyone know?
