Payment authorization on the web - Haven't moved in 20 years

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Sun, 04 May 2014 08:11:13 +0200
Message-ID: <5365DA01.4070207@gmail.com>
To: "public-identity@w3.org" <public-identity@w3.org>

Sort of linked to the "eternal" HTTPS Client Cert Authentication UI issues, I would like to highlight
a related problem which is much bigger, and that is the fact that we, after 20 years with the web,
still mainly use unauthenticated card numbers + "passwords" (CCV) printed in clear on
credit cards for authorizing web payments, AKA "Card Not Present" transactions.

Just about every month there are reports of massive break-ins into servers, which would be
fairly useless if there were a useful authentication scheme involved.  In fact, even the "secure"
EMV cards used in the EU and Asia are exactly as susceptible to these attacks as their
non-secure US counterparts, since the lowest common denominator (the web) must be supported.

Obviously the entire authentication space is in a poor condition compared to the rest of the web.

Anders
Received on Sunday, 4 May 2014 06:11:51 UTC