bloomberg on supermicro: sky is falling

Sure and with the Exp Date, CVV, and number printed on every card you are open to compromise every time you stay in the hotel or go to a restaurant where you hand someone your card. Worse yet, the only option if you are compromised is to change all your numbers and put the burden on you of notifying everyone, and that evening you hand your card to the waiter and the cycle starts over. The system is so monumentally stupid it’s unbelievable.

Steven Naslund

Chicago IL

I understand that in some countries the common practice is that the
waiter or clerk brings the card terminal to you or you go to it at the
cashier's desk, and you insert or swipe it, so the card never leaves
your hand. And you have to enter the PIN as well. This seems
notably more secure against point-of-sale compromise.
  - Brian

This is common in India but then chip and pin has been mandatory for a good few years, as has 2fa (vbv / mastercard secure code) for online transactions.

Waiters would earlier ask for people's pins so they could go back and enter it - back when a lot of the POS terminals were connected to POTS lines rather than battery operated + with a GSM sim. That's stopped now as people grew more aware.

    I understand that in some countries the common practice is that the
    waiter or clerk brings the card terminal to you or you go to it at the
    cashier's desk, and you insert or swipe it, so the card never leaves
    your hand. And you have to enter the PIN as well. This seems
    notably more secure against point-of-sale compromise.
      - Brian

True and that should be mandatory but does not solve the telephone agent problem.

Steven Naslund
Chicago IL

IVR credit card PIN entry is a thing

For example - https://www.hdfcbank.com/personal/making-payments/security-measures/ivr-3d-secure

    True and that should be mandatory but does not solve the telephone agent problem.
    
    Steven Naslund
    Chicago IL

And yet I got my DoD system ATOed my way earlier this year by
demonstrating to the security controls assessment team that the cost
of default-deny-all exceeded the risk cost of default-allow with IDS
alerts on unexpected traffic.

Because not spending more on a security implementation than the amount
by which it reduces the risk cost, is a CORE SECURITY PRINCIPLE while
default-deny-all is merely a standard policy.

Regards,
Bill Herrin

PIN is more secure but the device is wireless and may have been
compromised. All (that I've seen) POS are now PIN based in UK. Internet
use still asks for CVV sadly though verified by visa is still occasionally
used but is only protecting the places you probably already trust.

There have been cards with an OTP display but they didn't become popular.

I try and use Apple Pay where possible. Apple assure us that their
account code and one time security codes prevent the attacker acquiring
the card number/pin/cvv and any captured data cannot be used to make
another transaction. Really everything should do at least this.

brandon

It is good but has several inherent problems (other than almost no one using it). Your card number is static and so is your pin. If they get compromised, you are done. Changing token/pin resolves the static number problem completely; compromise of a used token has no impact whatsoever.

Steven Naslund
Chicago IL
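The property brandon attributes to Apple Pay and Steve restates above (a captured transaction record cannot be used for a second purchase) comes down to two things: the merchant only ever sees a device token, never the card number, and each transaction carries a one-time cryptogram bound to a counter. The following is an added illustration written for this thread, not Apple's or any card network's actual protocol; the field layout, the HMAC-SHA256 cryptogram, the `DAN…` token format and the sample PAN are all constructed for the example.

```python
"""Illustrative model of per-transaction payment tokens (added example).

Assumptions: the message layout, key handling and counter rule are
constructed for illustration and do not reproduce Apple Pay or any
network's real scheme. The point shown is the one under discussion:
data captured at the point of sale is useless for a second transaction.
"""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    """Wallet side: holds a device token (not the PAN) and a secret key."""
    token: str          # device account number, stands in for the PAN
    key: bytes          # per-device key shared only with the issuer
    counter: int = 0    # application transaction counter, never reused

    def pay(self, amount_cents: int, merchant: str) -> dict:
        """Produce the record the merchant/POS sees for one purchase."""
        self.counter += 1
        msg = f"{self.token}|{self.counter}|{amount_cents}|{merchant}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"token": self.token, "counter": self.counter,
                "amount_cents": amount_cents, "merchant": merchant,
                "cryptogram": tag}


@dataclass
class Issuer:
    """Issuer side: maps tokens to PAN + key and tracks the last counter."""
    vault: dict = field(default_factory=dict)  # token -> [pan, key, last_counter]

    def provision(self, pan: str) -> Device:
        """Enroll a card on a device; the PAN stays in the issuer's vault."""
        token = "DAN" + secrets.token_hex(8)      # constructed token format
        key = secrets.token_bytes(32)
        self.vault[token] = [pan, key, 0]
        return Device(token=token, key=key)

    def authorize(self, tx: dict) -> tuple:
        """Accept a transaction only if its cryptogram is valid and fresh."""
        entry = self.vault.get(tx["token"])
        if entry is None:
            return False, "unknown token"
        pan, key, last_counter = entry
        msg = (f"{tx['token']}|{tx['counter']}|"
               f"{tx['amount_cents']}|{tx['merchant']}").encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        # constant-time compare: a forged or altered record fails here
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False, "bad cryptogram"
        # a replayed record carries an already-used counter and fails here
        if tx["counter"] <= last_counter:
            return False, "replay: counter not fresh"
        entry[2] = tx["counter"]
        return True, f"approved for PAN ending {pan[-4:]}"


def demo() -> dict:
    """Run one legitimate purchase, then two misuse attempts on its record."""
    issuer = Issuer()
    device = issuer.provision("4111111111111111")  # constructed sample PAN
    first = device.pay(1250, "cafe")
    ok_first, _ = issuer.authorize(first)
    # the record captured at the POS is presented again unchanged
    ok_replay, why_replay = issuer.authorize(first)
    # the captured record is altered to a different amount and merchant
    tampered = dict(first, amount_cents=99900, merchant="other-shop")
    ok_tamper, why_tamper = issuer.authorize(tampered)
    # the real device's next purchase still goes through
    ok_second, _ = issuer.authorize(device.pay(500, "cafe"))
    return {"first": ok_first,
            "replay": ok_replay, "replay_reason": why_replay,
            "tamper": ok_tamper, "tamper_reason": why_tamper,
            "second": ok_second,
            "pan_in_record": "4111111111111111" in first.values()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points worth noting: the check order matters (verify the MAC before trusting the counter, so an unauthenticated counter cannot be used to desynchronize the issuer's state), and the merchant-visible record contains no PAN, which is why a breach of the merchant's database yields nothing chargeable.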

If there was a waiver issued for your ATO, it would have had to have been issued by a department head or the OSD and approved by the DoD CIO after Director DISA provides a recommendation, and it is mandatory that it be posted at https://gtg.csd.disa.mil. Please see this DoD Instruction http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/831001p.pdf (the waiver process is on page 23). If it did not go through that process, then it is not approved no matter what anyone told you. I know your opinion did not make it through that process.

Want to tell us what system this is?
  
Steven Naslund
Chicago IL

I'm pretty sure the "entire point" of inventing CVV was to prove you
physically have the card.

For example someone dumpster-diving a restaurant etc particularly in
the old imprint days when this was dreamed up wouldn't have the CVV or
at least not from that source.

Many merchant contracts' fees are based on whether you do sales on
physical cards (lower) vs not like online. I don't know off-hand how
that's affected by verifying the CVV online, I suspect it's mostly
used online to avoid certain kinds of fraud for all the other reasons.

We're very careful with CVVs as per contract agreement and they don't
go near the database, only used during the verification and gone when
the app fork exits.

Credit card fraud is, to the processors, a game of percentages and
cost/benefit.

Sure one could have the CVV w/o the card, these days a big hazard are
service people (e.g., restaurants) who can trivially snap both sides
of your card with their phone, they often take your card away and come
back later with the receipts and your card.

In Europe and probably elsewhere it's very common for them to process
your card with a hand-held device right in front of you which would
make that more difficult.

But any proposal to improve cc security has to reflect the
cost/benefit across millions of transactions. If one isn't working
with that data then they're only guessing.

Yes, I want to give you explicit information about a government system
in this public forum and you should encourage me to do so. I thought
you said you had some skill in the security field?

Regards,
Bill Herrin

Mr Herrin, you are asking us to believe one or all of the following:

1. You believe that it is good security policy to NOT have a default DENY ALL policy in place on firewalls for DoD and Intelligence systems handling sensitive data.

2. You managed to convince DoD personnel of that fact and actually got them to approve an Authorization to Operate such a system based on cost savings.

3. You are just trolling to start a discussion.

The reason I asked what system it is would be to question the authorities at DoD on who and why this was approved. If you don't want to disclose that then you are either trolling or don't want anyone to look into it. It won't be hard to determine if you actually had any government contracts since that is public data. There are very few systems whose EXISTENCE is actually classified, but you were the one that cited it as an example supporting your policy. If you cannot name the system then it doesn't support your argument very well does it. Completely unverifiable.

In any case I believe the smart people here on NANOG can accept or reject your security advice based on the factors above. I'm done talking about this one.

Steven Naslund

It only proves that you have seen the card at some point. Useless.

Steven Naslund
Chicago IL

To be fair, the idea that your security costs shouldn't outweigh
potential harm really shouldn't be controversial. You don't spend a
billion dollars to protect a million dollars worth of product.

That's hardly trolling.

Remember we are talking about classified intelligence systems and large IT organization infrastructure (Google, Yahoo, Apple) here (in the original Supermicro post).

That would be information whose unauthorized disclosure would cause grave or exceptionally grave harm (definition of secret and top secret) to the National Security of the United States. Seems like that warrants a default deny all (which is DoD and NSA policy). I would argue that ANY datacenter server should be protected that way unless it is intended to be publicly accessible.

Steven Naslund

    Mr Herrin, you are asking us to believe one or all of the following:

    1. You believe that it is good security policy to NOT
    have a default DENY ALL policy in place on firewalls
    for DoD and Intelligence systems handling sensitive data.

Steve,

I believe it's a good idea for every security control to trace to
first principles not just as conceived but as implemented.
Default-deny-all is not a first principle. It often traces. Often is
not always. Treating often as always is the sort of lazy error that
leads users to work around non-sensible security implementations,
demolishing the security they would have provided.

    2. You managed to convince DoD personnel of that fact
    and actually got them to approve an Authorization to
    Operate such a system based on cost savings.

You mischaracterize it as "cost savings" but that's essentially
correct. I spent six months going through the 1100 controls they laid
on me and where I thought a control would be destructive I provided a
thorough analysis of the anticipated mission impact for both the
control as written and the proposed alternate mitigation. The impact
is far more than a dollar sign. Make it hard to use and you sap the
system's utility to the mission. Make it hard to manage and you
increase the probability of error, decreasing the system availability.
And so on.

Won some of the arguments. Lost others. Built a better system with
happier users for the effort. You can believe that or not as you
choose.

Regards,
Bill Herrin

    To be fair, the idea that your security costs shouldn't outweigh
    potential harm really shouldn't be controversial. You don't spend a
    billion dollars to protect a million dollars worth of product.

The problem with that idea is that it's almost always implemented as
  your security costs shouldn't outweigh _your_ potential harm

Regards,
Lee

If you're only talking about classified systems, sure.

But it didn't sound to me like we were only talking exclusively about
those kind of systems.

It's not useless, it protects against what it protects. Like
dumpster-diving in the imprint days or if someone gets hold of all the
credit card numbers + expirations (+ names, maybe) from your
database. If you don't store CVVs (which is forbidden by contract)
they won't have CVVs and sites which require them won't accept
transactions. It's kind of like a PIN but yes too easily stolen.

A friend used to write "ASK FOR PHOTO ID" in the signature portion of
his credit cards and, I saw this, cashiers would look at it, look at
his signature as if they were comparing, and say OK thank you!

    From: NANOG <nanog-bounces@nanog.org> On Behalf Of Naslund, Steve
    Sent: Wednesday, October 10, 2018 1:06 PM

    If there was a waiver issued for your ATO, it would have had to have been issued by a
    department head or the OSD and approved by the DoD CIO after Director DISA provides a
    recommendation and it is mandatory that it be posted at https://gtg.csd.disa.mil. Please see this
    DoD Instruction http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/831001p.pdf
    (the waiver process is on page 23). If it did not go through that process, then it is not approved
    no matter what anyone told you. I know your opinion did not make it through that process.

That only applies to RMF systems where DSS is the AO on behalf of the DoD. For anything that falls outside DSS purview you can do whatever the COTR for the Cog is willing to sign off on. Even under RMF, MUSAs and isolated LANs have those requirements tailored out by default. IWANS and UWANS that don't have connectivity to anything but themselves are also NA for the firewall requirements. At the present, contractor systems that don't connect to a USG network aren't required to implement any of the STIGs other than base OS. I don't expect things to stay that way, but I haven't heard anything from DSS to indicate it'll be changing anytime in the near future.

It's less difficult than it first appears to get ATO from a technical standpoint (the paperwork hell IA is buried under is an entirely different story, but I'm not them and have no desire to be).

Jamie