
Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 11:52 UTC (Thu) by ekj (guest, #1524)
In reply to: Google Authenticator for multi-factor authentication by iabervon
Parent article: Google Authenticator for multi-factor authentication

That explains why VISA authenticates transactions by asking you for several items of the same type.

Card number (embossed on card), expiry date (embossed on card), CVC (printed on card), owner name (printed on card).

[/cheapshot]


Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 13:41 UTC (Thu) by epa (subscriber, #39769) [Link]

You're forgetting 'enhanced security' in some countries where a crappy dialogue box asks for your password. If you don't know the password, don't worry, you can reset it by providing your bank account number (embossed on card) and your date of birth (*not* on the card, but hardly a secret either).

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 15:53 UTC (Fri) by skitt (subscriber, #5367) [Link]

Some websites I place orders on now support an extra step, where my bank sends a one-time code to my mobile phone which I then enter to confirm the transaction. I don't know how widespread this is or what the determining factors are; I've seen it used with cards issued by various banks and via both Visa and MasterCard.

Wikipedia is your friend...

Posted Dec 9, 2011 16:04 UTC (Fri) by khim (subscriber, #9252) [Link]

It's all explained in much detail where such things are usually explained.

Wikipedia is your friend... or foe

Posted Dec 15, 2011 14:24 UTC (Thu) by gvy (guest, #11981) [Link]

Victor, just for the neutrality (pun intended): the technical articles on wikipedia might be reasonable (but that's not a given), while e.g. historical or national ones tend to get ugly and distorted by a strangely constant factor. You might be interested in [[VP:ISK256]] (translit back to Cyrillic) on ru.wikipedia.org.

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 16:26 UTC (Fri) by dlang (subscriber, #313) [Link]

the determining factor is if the website has opted to implement such a feature.

Google Authenticator for multi-factor authentication

Posted Dec 12, 2011 19:00 UTC (Mon) by BenHutchings (subscriber, #37955) [Link]

The implementation used in the UK (Visa calls this 'Verified by Visa'; I forget what Mastercard calls it) is even better: no dialog, but an IFRAME. Cardholders are expected to enter their 'secret' details into random shopping sites that embed a frame that probably comes from the payment network. This is literally indistinguishable from phishing, since most users cannot determine where the frame really comes from, and even if they can, a framing site can generally snoop on all interaction with a frame.

Google Authenticator for multi-factor authentication

Posted Dec 13, 2011 7:10 UTC (Tue) by paulj (subscriber, #341) [Link]

So, for the UK, the thing to do is to just ignore the VbV password crap. Hit the "Forgot password" link every time, enter the card data, enter some long, random data for the new password, then forget that.

I don't know if there's causation, but after a couple of times of doing this, I now no longer get prompted at all anymore for a VbV password. ;)

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 16:21 UTC (Thu) by jwarnica (guest, #27492) [Link]

The distinction between those methods (and also signature, track 2) is that they are ways the CC companies can use as proof (well, evidence) that you actually have the card when doing that transaction.

Back in the physical swipe days, the embossing of the card and carbon paper made an imprint. The imprint was not just the card number, but demonstration that the card was actually there when the imprint happened.

"Track 2" data is similar; I dunno what it contains, but it provides similar evidence that the actual card was actually used.

Expiry date helps for phone or internet transactions, as do the CCV2 codes; just more evidence that someone has the card in hand.

Generally, the theory was that it is hard/impossible to copy two of these at the same time. Signature and CC # embossing are on the opposite side of the card. CCV2 # and CC#, opposite sides (for most cards), etc.

Obviously, as time has moved on, the effort/gain ratio of each of these has been overcome, and thus the introduction of more things.

Google Authenticator for multi-factor authentication - credit cards

Posted Dec 9, 2011 17:05 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

Expiration date is not normally an authenticating factor. I used to successfully submit charges all the time with made up expiration dates. The reason the rules require the merchant to provide that is to prevent the merchant from neglecting to check the expiration date.

The key value of the card verification code (the few digits printed somewhere on the card, aka CCV2 et al.) is that it isn't recorded and transmitted all around, like the card account number obviously is. Anyone involved in accounting can see your card account number, but few people ever see your card verification code.

In the original design, secrecy of the card account number wasn't considered a security feature at all. It was public knowledge and security was provided by physical presence of the card and a signature alone. As telephone ordering became more important, banks started trying to keep the account numbers secret as a security measure, but that's obviously pretty weak. Likewise, even secrecy of checking account numbers is now considered a security measure.

This is strange...

Posted Dec 10, 2011 6:51 UTC (Sat) by khim (subscriber, #9252) [Link]

I used to successfully submit charges all the time with made up expiration dates.

How can you do that? I've had cards from a few banks, but they all reject transactions with incorrect expiration dates (at least electronic ones). This is a PITA when a card expires: if an order is placed with the old expiration date and is not shipped before it's annulled and a new one is issued, then you need to go to the web site and change the data. And not all sites provide a nice interface to do that...

This is strange...

Posted Dec 10, 2011 15:16 UTC (Sat) by corbet (editor, #1) [Link]

Our experience as a credit card merchant suggests that banks differ widely in the practices they apply. For a lot of them, if you have a number, that's all they care about. We routinely get emails from people who realize they put in the wrong name or expiration date, but the charges go through just fine. Other banks insist on correct address information and will turn down charges because they don't like the position of the moon that night.

expiration date in credit card authentication

Posted Dec 10, 2011 18:02 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

It doesn't surprise me that for some charges the expiration date has to be right. There's a lot of diversity in this area.

But I know that traditionally, the expiration date wasn't part of authentication. When I did it, it was in 1999 using a traditional merchant credit card terminal.

Banking computing standards often take a decade to make even a trivial change because regulators are very careful. I'm pretty sure that this terminal wasn't even capable of transmitting the expiration date I typed to its partner.

Google Authenticator for multi-factor authentication

Posted Dec 14, 2011 20:55 UTC (Wed) by eli (guest, #11265) [Link]

Signature and CC # embossing are on the opposite side of the card.
Take out one of your credit cards. Look at the back of it. Notice that everything on the front of the card is embossed into the card, which changes the shape of the back of the card. If you get a good image of the back of that card, you can read the data embossed on the front.

Google Authenticator for multi-factor authentication

Posted Dec 8, 2011 17:17 UTC (Thu) by iabervon (subscriber, #722) [Link]

It was originally something you had (the card), and something you knew (how to get a pen to produce your signature). But neither of these works without a semi-trusted point-of-sale agent who watches you sign and sees that you actually have the card. Providing effective authentication for credit cards now (considering both how they're used and the state of forging technology) would cost more than fraud costs, so they haven't bothered. To the extent that they've done anything, it's just an attempt to make their accounts a bit harder to abuse than other cards. (Asking for an extra password to use a card would probably cut way down on fraud at the moment even if you don't compare the password to anything, because attackers will tend to think, "this one's weird" and go on to the next number in their list, which will work fine without anything special.)

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 1:23 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

The signature is something you are, not something you know. It comes from too low a part of the brain to be in the same category as a password.

The system really doesn't rely on a semi-trusted point-of-sale agent; the retailer is about as untrusted as anyone by VISA, which is why he used to have to get an imprint of the card, and now has to swipe it through a reader, to prove to a large extent that the card was actually present. In addition, the retailer has to produce a signature that reasonably matches the one on the card, proving to some extent that the owner of the card was there too.

The only thing I've seen change since the early days is that for small transactions, someone (I don't know if it's Visa or the retailer) is now willing to take the risk of fraud in exchange for speed and convenience.

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 10:20 UTC (Fri) by mpr22 (subscriber, #60784) [Link]

I find it impossible to regard a signature as being in any useful sense "something you are". The useful property of "something you are" credentials is that a fraudster can't learn to have them, and a fraudster can certainly learn to have your signature.

Google Authenticator for multi-factor authentication

Posted Dec 9, 2011 16:27 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

I find it impossible to regard a signature as being in any useful sense "something you are". The useful property of "something you are" credentials is that a fraudster can't learn to have them, and a fraudster can certainly learn to have your signature.

And yet the main reason signatures exist is that many people do regard them as something you are, being difficult for a fraudster to learn.

I, for example, could almost certainly not reproduce your signature, no matter how much I practiced. So there's one fewer fraudster to worry about.

None of the security mechanisms we're talking about are perfect, so it's all about reducing, not eliminating, the chance of fraud.

In any case, it's not "something you know" -- if it were, then you could instantly disclose to someone how to write your signature.

(Incidentally, the other major purpose of a signature that people often overlook is not security, but a statement. The fact that someone wrote his name (or even an X) on a piece of paper makes it impossible for him to argue he didn't mean to commit himself. As most people are honest, whether he signed or not is often not disputed.)

Copyright © 2018, Eklektix, Inc.