bloomberg on supermicro: sky is falling

I concur, and have been designing/building/running based on this premise
for a long time. It's usually not very difficult or painful when starting
fresh; it can be much more so when modifying an already-operational
environment. But even in the latter case, it's worth the effort and
expense: it much more than pays for itself the first time it stops
something from getting out.

The most difficult part of this process is often convincing people
that it's sadly necessary. I say "sadly" because it wasn't always so,
and that was a kinder, happier time. But that was then and this is now.
And now the worst threat often comes from the inside.

It also has three perhaps-not-quite-obvious benefits.

First, it forces discipline. Things don't "just work", and that's a
feature, not a bug. It requires thinking through what's required to
make services functional and thus (hopefully) also thinking through what
the potential consequences are. I'm no longer surprised how many chief
technology officers don't actually know what their technology is doing
(to borrow a phrase from Ranum) and are puzzled when they find out.
The clarity provided by this approach removes that puzzlement.

Second, it greatly reduces the extraneous noise that might make nefarious
activity harder to spot. There's an entire market sector built around
products that ferret out signal from noise; I find it easier not to
allow the noise.

Third, every attack we see coming in, every byte of abuse we see
arriving, is the consequence of someone else *not* implementing
default-deny and the collective cost of that across all operations
is enormous. If we can avoid contributing to that, then we've done a
small bit of good for everyone else.

---rsk

(this is probably OT now...)

> I'm pretty sure the "entire point" of inventing CVV was to prove you
> physically have the card.

Except that it doesn't serve that purpose. Anyone who ever had your card
in their hands (e.g. waiters) can just write that down and use it later,
hence defeating the purpose of "physically having the card". (Call me
paranoid, but I usually use a black pen to make the numbers unreadable
because of this, after my card (both sides) has been photocopied a
number of times...)

This has always been an amusing topic. At the end of the day it's a
financial risk management call from the banks -- as long as they lose
less money on the current system than the cost of fraud, things will
not change. Of course, they try to push those costs onto others as much
as possible, but that doesn't change the bottom line.

Robert

Robert Kisteleki wrote:

> (this is probably OT now...)
>
> > I'm pretty sure the "entire point" of inventing CVV was to prove you
> > physically have the card.
>
> Except that it doesn't serve that purpose. Anyone who ever had your card
> in their hands (e.g. waiters) can just write that down and use it later
> hence defeating the purpose of "physically having the card".

But waiters don't know your ZIP code which is the other thing needed for online verification (in the U.S.)

3D Secure is good enough. It will probably be mandatory for payment processors sometime in the future. In the meantime, it just costs the industry less to cover fraud losses.

> (this is probably OT now...)

>
> > I'm pretty sure the "entire point" of inventing CVV was to prove you
> > physically have the card.
>
> Except that it doesn't serve that purpose. Anyone who ever had your card
> in their hands (e.g. waiters) can just write that down and use it later
> hence defeating the purpose of "physically having the card". (Call me
> paranoid but I usually use a black pen to make the numbers unreadable
> because of this, after my card (both sides) has been photocopied a
> number of times...)

What you're saying is they don't work as well as you might hope, not
that they don't serve that purpose.

If you snatched 5M credit card numbers and expiration dates but, as
required by contract, there were no CVVs in that db, how well would
that work with sites which require a CVV for a transaction? Not well
at all. So there's a purpose.

Also, traditionally one's signature is on the back right next to that
CVV for a merchant to compare against which leaves forgery a mere
exercise in, well, forgery, since the example one has to reasonably
match is right there.

Which doesn't mean signatures don't work, it's just not much
protection against anyone who can reasonably forge a signature. But
many people can't or won't try; it discourages minor criminals like
your boyfriend using your card surreptitiously while you were sleeping.

They're also some reasonable evidence that the transaction was done in
person with the card in hand. I know some merchant contracts wouldn't
allow forgiveness (who eats the fraud) for charges w/o a signature
where their contract claims they only do in-person purchases which
gets them a lower rate.

There is a concern for merchant fraud also in all this, unfortunately
that's very tempting.

BUT IT'S ALL WORSE THAN THAT!

When I had a book of checks stolen (and reported) several turned up
used in major big box stores with information like driver's license
number, date of birth, etc neatly written on them tho none of that
info was mine.

I doubt they went to the trouble of counterfeiting a driver's license,
it's possible but this was small-time fraud.

My suspicion was they were in cahoots with the cashier, simplest
explanation, the cashier was a friend who probably got a cut.

So anything in the presumed chain of events can often be suborned.

> This has always been an amusing topic. At the end of the day it's a
> financial risk management call from the banks -- as long as they lose
> less money on the current system than the cost of fraud, things will
> not change. Of course, they try to push those costs onto others as much
> as possible, but that doesn't change the bottom line.

I agree with this.

Quite a few years ago I was interviewed by a start-up manufacturer of
a big parallel "mini" to head their OS effort.

Something which came out in the conversation, which went on for hours!
(very pleasant tho), was that a major credit card company had pledged
in writing to buy $150M of their machines on day one of ship if they
could run a set of their anti-fraud algorithms quickly enough (their
spec) to be able to reject transactions in real time.

The company had done forensics and I think the estimate was if they
could have run those algorithms they would have saved them some big
number like $50K/hour in fraud. But they couldn't run them fast enough
to allow for reasonable transaction times.

And then ya sit around the bar thinking you know how this or that
startup is funded or why...that would not have been one of my guesses!

Robert Kisteleki wrote:

>
> > (this is probably OT now...)
> >
> > > I'm pretty sure the "entire point" of inventing CVV was to prove you
> > > physically have the card.
> >
> > Except that it doesn't serve that purpose. Anyone who ever had your card
> > in their hands (e.g. waiters) can just write that down and use it later
> > hence defeating the purpose of "physically having the card".
>
> But waiters don't know your ZIP code which is the other thing needed for online verification (in the U.S.)

So be wary if they ask you for photo id which likely has your zip code!

But asking for photo id is a good thing for legitimate card holders,
could reduce fraudulent in-person use of stolen cards.

What a mess.

Once upon a time, bzs@theworld.com <bzs@theworld.com> said:

> But asking for photo id is a good thing for legitimate card holders,
> could reduce fraudulent in-person use of stolen cards.

Requiring an ID is also a violation of the merchant agreements, at least
for VISA and MasterCard (not sure about American Express), unless ID is
otherwise required by law (like for age-limited products). I've walked
out of stores that required an ID.

"Naslund, Steve" <SNaslund@medline.com> writes:

> It only proves that you have seen the card at some point. Useless.

It doesn't even prove that much. There is nothing preventing a rogue
online shop from storing and reusing the CVV you give them. Or selling
your complete card details including zip code, CVV and whatever.

In practice, the CVV is just 3 more digits in the card number. No
security whatsoever in that.

Bjørn

It has always been curious to me how/why the U.S., with one of the
largest economies in the world, still does most card-based transactions as
a swipe in lieu of a PIN-based approach.

In South Africa (and most of southern Africa), all banks make the use of
PINs mandatory, for all types of cards. With the rest of Africa using
credit cards more recently, I imagine they are also PIN-based.

Europe also uses PINs, as far as I have experienced.

Asia-Pac was swipe-based for a long time when I lived there, but I know
places like Malaysia and Singapore have started a major PIN-based
transaction drive in the past 3 years.

3D Secure for the online version of the transaction also means your card
number and CVV number are less susceptible to fraud via restaurants and
the like. Of course, this is not fool-proof, as both the merchant and
bank need to support and mandate this, which is not well-done at a
global level.

Mark.

There are two parts of the problem. The first is the assumption of
risk: the current model of operation in the US (like in other western
economies) puts the onus of risk of misuse of the card on specific
actors. When you change the basis from signature (fraud) to chip+pin
(leak of knowledge) you have to change the legal basis. Remember, this
is an economy where WRITING CHEQUES is still normal. Clearly, the
legal basis of money transactions in the US is hugely complicated by
savings and loan, credit unions, banks, state and federal law, taxes.
We all have some of this worldwide, they have a LOT.

Secondly, the cost basis. Who pays? In most of the world the regulator
forced cost onto specific players because they could, and forced
people to tool up because they could. But, the costs did have to get
met. Some people paid more than others. In the US, for reasons not
entirely unlike the first set, *making* people do things with cost
incursion is remarkably difficult. Making the Walmart brothers re-fit
every terminal, when they can go down to DC and buy votes to stop it
happening; making Bank of America spend money re-working its core
finance models to suit online chip+pin when it can go down to Walmart
and lean on the owners to go down to DC and buy votes...

Seriously: It's not lack of clue. It's lack of intestinal political
fortitude, and a very strange regulatory and federal/state model.

Shame, but I can see how this makes sense as to why things are the way
they are.

Speaking of "cost" as a motivator, in South Africa, most of the banks
are now using extra fees as a way to force users to do their banking
online (phone, laptop, app, etc.). If you want to walk into a bank to
deposit money, withdraw money, make a transfer, etc., you pay for that
service over and above, while the process costs you zero (0) when done
online. This has led to banks now renovating banking halls: where
there were once 23 tellers, you now have 1 service usher, 1 teller, 2
support agents and 20 self-service computers.

I hope the U.S. does catch up. If we were swipe-based here, we'd all be
broke :-). I know a number of major merchants in the U.S. now use PINs,
and I always stick to those when I travel there.

Mark.

Mark Tinka wrote:

> I hope the U.S. does catch up. If we were swipe-based here, we'd all be
> broke :-). I know a number of major merchants in the U.S. now use PINs,
> and I always stick to those when I travel there.

In the U.S., pin codes are required for EFTPOS transactions (called debit) over interbank networks like Pulse, STAR, etc

Swipe-and-sign (and now just swipe for small amounts) is for Visa, Mastercard, Discover transactions (called credit)

Skimming and card fraud is actually uncommon in the U.S. these days, and the police are very effective at combating it. It's just cheaper for the industry to eat fraud losses than to "upgrade" systems. The transition to chip-based cards was a debacle.

I have a low-cost/high interest rate account at one of the Canadian banks and each "assisted" transaction is $5.

Frank

This is a confusing and off-topic discussion with respect to network engineering.

But for completeness:

Payments systems are architected by fraud rates, not by isolated security requirements or engineering mandates, as I think most network engineers can understand.

The fraud rates in the US for credit card transactions were historically very, very low and being a large jurisdiction with a single national law enforcement branch (the FBI) enforcement was effective.

Compare this to Europe in the 1980s when credit cards were accepted very few places. This was for two reasons:

  1. the fraud rates were much, much higher, which created chargebacks for merchants that they preferred not to eat;
  2. trans-national enforcement was virtually nonexistent. Interpol had ~zero time to deal with credit card fraud.

so the best European fraud rings always operated from a different country than where they perpetrated the fraud.

when chip-and-pin was introduced, the point was actually twofold:
A) security
B) shifting liability to the consumer

somewhat famously, even after chip-and-pin was proven compromised, UK banks continued to make consumers liable for all fraudulent transactions that were ‘pin used’. this was very, very good for the adoption of credit cards in europe but it was very, very bad for a few people. banks, as usual, didn’t care and made some decent money.

So why did the US get pin-and-signature? Target.

International fraud rings finally got wise to the ripe opportunity that was the soft underbelly of the US economy and figured out ways to perpetrate massive, trans-national fraud in the US. and as soon as that happened, the US got chips. the signature-vs-pin part is mostly about the fact that there are still low rates of fraud here as tracked by chargeback rates and as a result there’s no real need to pay the cost of support to set everyone up with a pin.

and that’s what security is always all about: cost tradeoffs. people in countries where everyone has a pin have eaten that cost already and had to because the fraud rates were high enough to justify it. people in the US do not have PINs that they know and setting those up costs money and maintaining people’s access to them costs money. so if that’s not worth it, it doesn’t get done. nor should it.

i generally find it amusing when people from other countries mock the US for not having PINs. this is just another way of saying “my country has high fraud rates and yours appears not to.” :) . you can see this in the comment below “If we were swipe-based here, we’d all be broke :-).”. the payments systems are architected to minimize cost and maximize adoption and they are usually at (or moving towards) some locally optimal point. the US is no exception in that.

now, the checking/chequing system is a whole other, embarrassing beast and mocking that one is just the correct thing to do. :)

anyway, let’s talk about networks, no?

cheers,

t

Once upon a time, Scott Christopher <sc@ottie.org> said:

> Swipe-and-sign (and now just swipe for small amounts) is for Visa, Mastercard, Discover transactions (called credit)

Signatures are no longer required for chip card transactions in the US,
except I think for transactions where the auth is done on the amount
before an added tip (restaurants).

> Skimming and card fraud is actually uncommon in the U.S. these days, and the police are very effective at combating it. It's just cheaper for the industry to eat fraud losses than to "upgrade" systems. The transition to chip-based cards was a debacle.

Skimming is still highly active at gas pumps, where chip support was
pushed off (current requirement I believe is late 2020, but may be
delayed again).

The skimmers get more creative all the time; they're getting inside
pumps (possibly with help of low-paid station attendants, but also
because of poor physical security) and installing the skimmer hardware
out of sight. The hardware has Bluetooth, so the bad guys just pull up
and get gas and someone in the car can retrieve the data (from multiple
pumps even).

Todd Underwood writes:

> [interesting and plausible reasoning about why no chip&PIN in US]
> anyway, let's talk about networks, no?

This topic is obviously "a little" off-topic, but I find some
contributions (like yours) relevant for understanding adoption dynamics
(or not) of proposed security mechanisms on the Internet (RPKI, route
filtering in general, DNSSEC etc.).

In general the regulatory environment in the Internet is quite different
from that of the financial sector. But I guess credit-card security
trade-offs are still made mostly by private actors.
(Maybe they sometimes discuss BGP security on their mailing lists :)

That was me - and "low" (fraud rates) is not "zero" (fraud rates).

Personally, I don't want to add to the statistic. The inconvenience
isn't worth the bragging right :-)...

Mark.

Well,

Older pump station installations (and maybe new ones) use RS-232/442 to communicate in clear text with their controller into the building.

Easy to tap to skim Track 1/Track 2 of the CHD, which is good for duping cards.

Now to get the physical CVV you need a physical skimmer installed on top of the pump, which is where your Bluetooth comes into action.

With those you can dupe cards and make “Card Not Present” transactions (aka Internet).

It is a risk/reward thing.

PS: Laziness is pretty much the greatest threat. EU/CAN/etc. are all chip while some other economies still refuse to spend that extra $1 per card :(

Signatures are required for chip card transactions above a certain
dollar amount, with that dollar amount varying from merchant to
merchant. I ran into this at the Sprint store when I used a chip card
to pay $800+ for my company's overdue wireless bill, and I had to apply
pen to paper by hand. And I didn't do my usual response to "sign here":
draw a triangle and put "yield" in it.

Once upon a time, Stephen Satchell <list@satchell.net> said:

That was true a few years ago, but it’s been at least a year since I’ve seen a swipe anywhere. The change happened quite quickly. It’s all been chip, or chip-and-pin, for at least a year.

                                -Bill