Re: [EXT] Current solutions to prove an issuer is who they claim they are

I’ll just note that paper credit-card slips incorporated a biometric authenticator (the card-holder’s signature) which, in principle, is a lot harder to transfer to a third party than a PIN. The transition from signatures at point-of-sale terminals to chip and PIN was also not purely a technological step: at the same time, payment processors re-wrote the liability rules so that, by default, the card-holder was liable for card fraud. In other words, although paper credit-card slips sound archaic, it would be a mistake to conclude that the technical and commercial steps that followed were 100% beneficial to the user.

As a further historical snippet, some folks will remember the period between paper slips and chip & PIN terminals, when the card-holder had to swipe the mag stripe through the terminal and then awkwardly sign a paper till-roll on the device, thus resulting in a signature that looked about as similar to your normal signature as your passport photo does to your actual face. Oh, wait… that’s pretty much how a lot of US retail terminals still work, but with a stylus and touch screen instead of the paper till roll. “Plus ça change, plus c’est la même chose”, as they say.

If we’re going to dismiss previous tech-mediated authentication/authorization approaches, we should make sure we learn what was good about them as well as what was bad…

Yrs.,
Robin


On 26 Jan 2025, at 16:17, Manu Sporny <msporny@digitalbazaar.com> wrote:

For example, some of the more seasoned among us might remember when we
read our credit card numbers out loud over the phone to retailers...
the rarest vintages among us might remember the *Ka-chunk, ka-chunk*
of a credit card imprint machine, which would copy all the information
needed to pull money out of our bank account onto a piece of paper
that would then be bandied about by a minimum wage employee with no
security training. Those are historically weak attack surfaces that
have been almost eradicated due to newer, more secure technology
practices coupled with strong motivations (fees and fines) for doing
things in the older, less secure way.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/

Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Monday, 27 January 2025 11:08:14 UTC