Monday, August 18, 2008

It's more secure if you own the security

I have been thinking about banking and making payments for goods a lot lately and suddenly came to the realisation that we as users always rely on somebody else for the security. Think about it. When we go to an ATM, we assume it is a real one that belongs to the bank because of its branding. If we go to an online website we look at the URL, the branding and possibly the certificate, if we know what we are doing. What about a POS device? Just because it looks like a real one and has the VISA or Mastercard branding does not mean it is. There was a case in the UK a few years ago, during some renovation to a storefront, when some clever criminal set up a fake ATM where a real one used to be. It looked and operated like the real thing, except that it kept saying it was out of cash. Behind the machine was a little computer noting down the magstripe data and PIN of everyone who tried to use it. A similar attack can be achieved with a POS device. It is just so easy. So why do we trust the device? Is it because we simply do not know what to look out for?

My view is that the banking industry has an obligation to ensure that financial services are secure. As the criminal minds change, they need to find better ways to combat these types of attacks. Luckily they are. EMV technology combats this: during the processing of a transaction the smart card can verify the authenticity of the POS device, although I believe this is not always implemented. So how do we do this with other mediums of payment? Online payments are more tricky. Banks are looking at ways to do this, but currently no clear mechanism exists. A nice way would be to get the user to use their mobile phone to authenticate the transaction. As for mobile banking and payments, the only real option, which banks are finally realising, is to use the SIM card to authenticate the transaction.

The bottom line is that we as users cannot assume that the device we use to enter our banking details is secure unless we own it or validate its authenticity.
