As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer’s wallet, Laurie both read and displayed its contents on the presentation screen: the person’s name, account number, and expiration clearly visible. As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer’s card. Laurie said that American Express told him: “We are comfortable with the security of our product.” Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing. However, Laurie noted that the captured account number could still be used for online transactions. [From The hands-free way to steal a credit card | Defense in Depth – computer security, hacking, crime, viruses – CNET News.com]
Adam is a great guy and he does excellent work, but on this one he’s wrong. You cannot use the alias PAN (i.e., the PAN given up via the contactless interface, not the one printed on the card) in anything except a contactless transaction, and you cannot use it to make a bent contactless card because you need the Amex security keys in order to generate the right digital signature. If you attempt to use the alias PAN in an online transaction, the Amex host will decline it.
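To make the two checks in that paragraph concrete, here is a small issuer-side model written for this post; it is an added illustration, not Amex's code or protocol. It assumes a simplified scheme in which the card carries a per-card key derived from an issuer master key (an HMAC-SHA256 stand-in for the EMV application cryptogram, not the real algorithm), the host keeps a table mapping alias PANs to printed PANs, and the PAN values, amounts and keys are constructed sample data. It shows why a skimmed alias PAN is declined online, why a card that has the alias PAN but not the key is declined at the contactless interface, and why a replayed tap is declined too.

```python
import hashlib
import hmac
import os

# Constructed demo value; a real issuer keeps the master key in an HSM.
ISSUER_MASTER_KEY = b"constructed-demo-issuer-master-key"


def derive_card_key(master_key: bytes, alias_pan: str) -> bytes:
    """Per-card key derived from the issuer master key and the alias PAN.
    Only the issuer (and the card it personalised) can compute this."""
    return hmac.new(master_key, alias_pan.encode(), hashlib.sha256).digest()


def card_cryptogram(card_key: bytes, alias_pan: str, amount: int,
                    counter: int, nonce: bytes) -> bytes:
    """Stand-in for the application cryptogram: a MAC over the transaction
    data, keyed with the per-card key. (Hypothetical simplification.)"""
    msg = f"{alias_pan}|{amount}|{counter}|{nonce.hex()}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class ContactlessCard:
    """A genuine card, personalised with the issuer-derived key at issuance."""

    def __init__(self, alias_pan: str, card_key: bytes):
        self.alias_pan = alias_pan
        self._key = card_key          # never leaves the card
        self.counter = 0              # transaction counter, for replay detection

    def tap(self, amount: int, nonce: bytes) -> dict:
        self.counter += 1
        return {"pan": self.alias_pan, "amount": amount, "counter": self.counter,
                "nonce": nonce,
                "cryptogram": card_cryptogram(self._key, self.alias_pan, amount,
                                              self.counter, nonce)}


class IssuerHost:
    """Authorisation host: knows the master key and the alias/printed PAN map."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._alias_to_printed: dict[str, str] = {}
        self._last_counter: dict[str, int] = {}

    def issue(self, printed_pan: str, alias_pan: str) -> ContactlessCard:
        self._alias_to_printed[alias_pan] = printed_pan
        self._last_counter[alias_pan] = 0
        return ContactlessCard(alias_pan, derive_card_key(self._master, alias_pan))

    def authorize_online(self, pan: str, amount: int) -> tuple[bool, str]:
        # An alias PAN is only meaningful on the contactless interface.
        if pan in self._alias_to_printed:
            return False, "declined: alias PAN is not valid for online use"
        return True, "approved (further card-not-present checks out of scope)"

    def authorize_contactless(self, msg: dict) -> tuple[bool, str]:
        pan = msg["pan"]
        if pan not in self._alias_to_printed:
            return False, "declined: unknown alias PAN"
        if msg["counter"] <= self._last_counter[pan]:
            return False, "declined: replayed transaction counter"
        expected = card_cryptogram(derive_card_key(self._master, pan), pan,
                                   msg["amount"], msg["counter"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "declined: cryptogram does not verify"
        self._last_counter[pan] = msg["counter"]
        return True, "approved"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Constructed scenarios: genuine tap, alias PAN used online, replay,
    and a card that knows the alias PAN but not the issuer-derived key."""
    host = IssuerHost(ISSUER_MASTER_KEY)
    card = host.issue("PRINTED-PAN-0001", "ALIAS-PAN-0001")   # constructed PANs
    nonce = os.urandom(8)                                     # terminal challenge
    results = {}
    genuine = card.tap(1500, nonce)
    results["genuine_tap"] = host.authorize_contactless(genuine)
    results["alias_pan_online"] = host.authorize_online("ALIAS-PAN-0001", 1500)
    results["replayed_tap"] = host.authorize_contactless(genuine)
    # Alias PAN read over the air, but the per-card key is unknown, so the
    # cryptogram is computed under a wrong key and fails verification.
    wrong_key = derive_card_key(b"not-the-issuer-key", "ALIAS-PAN-0001")
    forged = {"pan": "ALIAS-PAN-0001", "amount": 1500, "counter": 2, "nonce": nonce,
              "cryptogram": card_cryptogram(wrong_key, "ALIAS-PAN-0001", 1500, 2, nonce)}
    results["card_without_key"] = host.authorize_contactless(forged)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:18s} {'APPROVED' if ok else 'DECLINED'}  {reason}")
```

The point of the model is the split in `IssuerHost`: the online path decides on PAN type alone, while the contactless path only approves when the cryptogram verifies under a key derived from the issuer master key, which reading the card over the air does not reveal.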
I hate to add my usual rant about the reporting of contactless security issues, but it does annoy me that some of the media reports have a tone to them that sort of asks how come Amex (and by extension, their consultants!) are so dumb that they design and build a new payment scheme that can be trivially defeated? The assumption that card issuers know nothing about security is, frankly, slightly offensive.
Anyway, must run. Just off to get a cup of tea, put my feet up, and watch BBC Newsnight:
Whatever you buy in the shops, you probably pay with a chip and pin card, tonight Newsnight has exclusive evidence that they are vulnerable to fraudsters. The implications could be huge for millions of shoppers. We’ll be asking what are the banks going to do about it? [From BBC NEWS | Talk about Newsnight | Tuesday, 26 February, 2008]
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.