Better Credit Card Security

While talking with a friend who is enduring some unpleasantness, the conversation turned to issues with using credit cards to buy things, like food for example. That got me thinking: how would I design a really strong way to prevent data breaches?

Encrypt everything!

Well, perhaps not that, but hash everything. Here’s what I talked myself into. Of course none of this is rational, because nobody will effect a planetwide shift in payment processing based on what this yokel has to say, but still, here goes.

The issuing bank sets up a credit account. Four key fields are important for the classic transaction: name, number, expiration date, and CVV2. I think one could also establish a time-based one-time-password (TOTP) secret as well; it would operate the way Google Authenticator does. So you’d need a secret that the bank generated for their systems and for the physical card too. You’d need a smart chip on the card so it could forward the TOTP code to the credit terminal at the point of sale.

The bank sets up a TOTP secret, so it’s named JQP Credit Card (or account number or whatever) and the secret is: 6B57078FB88A4DD73E447D2647DCEC7D04C3D887951BA6A2D8DBA294E0B60579. The code derived from it is what is forwarded to the credit card terminal. Right now it’s 726995, but in thirty seconds it’ll be something else. Since the credit card terminal and the bank share synced time via time.nist.gov, there is no risk that there would be some sort of mismatch between the two.

The customer goes to the credit card terminal and swipes; a value is entered and a timestamp is recorded, all of which is already part of a credit transaction. The terminal can read the name, expiration, CVV2, whatever from the magnetic stripe, and the smart chip forwards the TOTP code. The terminal then assembles this into an EDI transaction:

JOHN/Q/PUBLIC#1111222233334444#1015#170#726995

and applies SHA-256 to it, to create:

621d3dd5a66277a7ab3737f306728e3c4bc5f3cd20c8730c37cc61c6575de0ba

This is stored in a database and then forwarded to the bank with the timestamp, so it’ll look like this:

987654321#621d3dd5a66277a7ab3737f306728e3c4bc5f3cd20c8730c37cc61c6575de0ba#15.09#1426615839

So the bank will be presented with a customer ID and the SHA-256, and they’ll have the total dollar amount and the Epoch time, or the number of seconds from 00:00:00 UTC, January 1, 1970. On a Linux system this is simply the output of date +%s; the longer form date -j -f "%a %b %d %T %Z %Y" "$(date)" "+%s" is the BSD/macOS syntax for the same value.

The bank would then have everything they need. They’d have the secret key, which with the Epoch time from the transaction would give them the TOTP calculation, which would generate the answer 726995. Then they’d have the card details from the customer ID, the SHA-256, and the amount. They could then calculate the hash on their own:

621d3dd5a66277a7ab3737f306728e3c4bc5f3cd20c8730c37cc61c6575de0ba

And authorize the transaction.

Even if the card details were stolen by someone copying the numbers off the card, they wouldn’t get the TOTP secret. Plus the TOTP code changes every 30 seconds. If someone tried to run this transaction and guessed at the TOTP code, they’d generate this:

987654321#a1b714fba988632200c78a5b9021bca5b48f149b036aa901c03173f0f2de5399#15.09#14266158

and the bank would instantly detect this incorrect SHA hash and cancel the card and ship a new one.
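The terminal and bank sides of the scheme described above, as an added example that is not code from the original post. It assumes RFC 6238 TOTP with HMAC-SHA1 (the Google Authenticator variant), treats the post's secret as 32 raw bytes written in hex, and adds a hypothetical max_age freshness check; the codes and hashes it produces are not claimed to match the ones printed in the post.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP window, as in the post

def totp(secret: bytes, epoch: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant Google Authenticator uses."""
    counter = struct.pack(">Q", epoch // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def card_hash(card: tuple, code: str) -> str:
    """SHA-256 over NAME#NUMBER#EXPIRY#CVV2#TOTP, the post's record layout."""
    return hashlib.sha256("#".join(card + (code,)).encode("ascii")).hexdigest()

def terminal_message(customer_id: str, card: tuple, code: str,
                     amount: str, epoch: int) -> str:
    """What the terminal stores and forwards: ID#HASH#AMOUNT#EPOCH."""
    return "#".join([customer_id, card_hash(card, code), amount, str(epoch)])

def bank_verify(message: str, accounts: dict, now: int, max_age: int = 120) -> bool:
    """Recompute the hash from the bank's own records and compare."""
    parts = message.split("#")
    if len(parts) != 4 or not parts[3].isdigit():
        return False
    customer_id, digest, epoch = parts[0], parts[1], int(parts[3])
    account = accounts.get(customer_id)
    # Assumption added here: reject stale timestamps, because the epoch is
    # supplied by the sender and an old message would otherwise verify forever.
    if account is None or abs(now - epoch) > max_age:
        return False
    expected = card_hash(account["card"], totp(account["secret"], epoch))
    return hmac.compare_digest(expected.encode(), digest.encode())

# Sample values taken from the post; the secret is read as hex-encoded bytes.
SECRET = bytes.fromhex(
    "6B57078FB88A4DD73E447D2647DCEC7D04C3D887951BA6A2D8DBA294E0B60579")
CARD = ("JOHN/Q/PUBLIC", "1111222233334444", "1015", "170")
ACCOUNTS = {"987654321": {"card": CARD, "secret": SECRET}}
EPOCH = 1426615839

if __name__ == "__main__":
    msg = terminal_message("987654321", CARD, totp(SECRET, EPOCH), "15.09", EPOCH)
    print(msg, bank_verify(msg, ACCOUNTS, now=EPOCH + 5))
```

In the post's layout the amount travels outside the hash, so the bank's check does not bind it to the card data. A deployment would normally compute an HMAC keyed with the per-card secret over all of the fields rather than a bare SHA-256.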

This is rather involved, but the practical upshot is this: if a vendor kept these transactions in a database and someone stole the database to use for their own nefarious needs, the presence of the TOTP and SHA-256 would make the data in the database worthless, because the TOTP has no predictable pattern if you don’t know the secret, and SHA-256 is very sensitive to even the smallest change in the input data that it’s hashing. This would free vendors, banks, and customers from risking PII leakage or identity theft.

I’ve also thought that this would be a great way to secure SSNs as well for use with the government. They know your SSN and you know your SSN, so when communicating over a possibly compromised channel you can authenticate not with your SSN, but with the hash of your SSN.

John Q. Public, 123-45-6789 -> 01a54629efb952287e554eb23ef69c52097a75aecc0e3a93ca0855ab6d7a31a0

Out of Place

So when I walked into the local Asian food market I definitely felt a sense of being a stranger in a strange land. I was clearly the tallest person in the market, and as I walked around I realized that I couldn’t recognize a single thing on any of the packages. I was after ramen noodles and I didn’t think they would be too hard to find. After 15 minutes of wandering around the store I eventually did discover where the noodles were. What I found in the market that surprised me was that everything came in very strange sizes. Initially it was all 11.3 ounces, so I originally thought that the issue was that they came in different metric values that made sense. After looking at the products I discovered that the metric values weren’t correct either; they were just very strange.

What added to my awkward feelings was that the market pleasantly requested that customers only purchase in cash. I did not have a problem with this; however, I had to visit the bank first to get out $20, then make my purchase, then return to the bank and deposit cash. It wasn’t unpleasant, as the bank was just around the corner from the market; however, it was a little funny.

As I drove off I realized that I could have just gone to Meijers markets instead and got what I was after all along. Now I don’t have any problem with patronizing the Asian market; however, it would’ve been more convenient to visit Meijers and I could’ve saved the run around back and forth to the bank.

The next time I need a very special ingredient, of course I will go to the Asian food market for this purchase. For regular stuff I’ll just go to Meijers.

Special Note: This blog entry was 99% dictated using Apple’s newest OSX, Mountain Lion. I think it did a pretty good job. The only thing it didn’t get was special terms like “Meijers”.

Needlessly Complicating Everything

Today has been a comedy of complications. First it turns out that retail doesn’t give a damn about whether or not the roads are passable. We just endured the Snowpocalypse 2011, and while the sky did fall, it wasn’t as dire or dangerous as people had feared it might be. Overnight we accumulated probably 12-15 inches of snow and they all built up around my car and down my driveway. After I had some breakfast and relaxed a little, as Western had closed for business on Wednesday, I decided to try to get the garbage out to the street side for pickup. I got all dressed up, found some winter boots in the closet that I didn’t know we had, and opened the garage up. I got my shovel and started to heave-ho the snow out of my way. I got halfway down the driveway and one of my neighbors with a snowblower came up and asked if I wanted him to help me clear my driveway for ten bucks. I agreed and he went to get his pint-sized snowblower. He made quick work of the plow-drift that had built up at my driveway’s entrance and as he was snowplowing I was clearing off about a yard of snow with each push-and-shovel throw. He helped clear my driveway in about 5 minutes, dug out a notch in the snowbank roadside for my garbage trundle and even plowed clean a path for the mailman to get to my front door. All in all worth the ten bucks I think; he didn’t have to help me, I would have struggled through it, but it would have taken me much longer. I think it was an even deal.

But of course I don’t carry cash on me. So he was willing to wait for the money. This is the start of the complications. I needed to get $10 from the bank. This should be easy. It was not.

My first step was, after comics lunch with Scott I dropped him off at work and went to the PNC Branch at the corner of Westnedge and Romence roads. It’s a rather big branch and it was 2pm on a Wednesday, I didn’t think there would be any problems. Well, the bank was closed. The blizzard did that right quick. So no human beings at the bank, so I thought maybe I could pull the money out of the ATM, but I knew that the PNC ATMs were only handing out $20s. I thought I could cheat by going to Meijers and buying something cheap and then using my debit card, pull an extra $10 out, giving me what I’d need to pay off my neighbor. I got to Meijers and thought about what I needed or wanted. I couldn’t think of anything off the top of my head so I picked up a six-pack of Labatts for $5 and headed to the help-yourself checkout lane. After proving my age, I ran my debit card and tacked on another $10 to the deal. The Meijers system puked out the transaction and apparently there is a bank/computer glitch that renders all PNC Debit Card transactions invalid. So there I was in the help-yourself lane, with beer that was already ordered and I already verified my age so I bought it anyways using my budget-money, for which I certainly have enough to cover a $5 six-pack of beer. So now I had beer, but still no $10. Frustrated I left Meijers and I was driving home the safe way, which is down Kilgore Ave to Sprinkle and take that home, it has only very gentle grades, and it isn’t Westnedge Hill after a blizzard. On my way home I remembered that all the Speedway gas stations in Michigan are now outfitted with PNC ATMs. So here I was, all the way full circle. I got to the Speedway, I withdrew $20, I went to the cashier and bought two $10s with the $20, which elicited a grumpy comment from the gas station attendant – oh whatever – and got back in my car. Then I drove to the PNC Bank on Gull Road (closed as well, what a shocker!) and deposited back the extra $10, leaving me with a six-pack of beer and $10. I took Gull down to Texel, and counted off the addresses. Then I discovered to my chagrin that Texel is even-numbered halfway along and then it switches at the bend. *twitch* I finally got to my helpful neighbor’s house and knocked on the door. His wife opened the door, I handed her my $10 and thanked them for their kindness.

Now I’m home, I’ve taken care of what I had to and only had to go through this craziness because the banks were closed and ATMs only spit out $20s. At least I don’t owe my neighbor anything and that isn’t a cloud over my head.