Re: Encrypting basic card data

On 7/9/16 08:52, Adrian Hope-Bailie wrote:
> It would however prevent sniffing data from this channel

Before we add this complication, I think I'd want an existence proof of 
some method whereby an attacker could inject himself in a way that would 
perform passive interception without also allowing active tampering. At 
first blush, it seems like it's adding the illusion of increased 
security without actually making things better.

> Note: I'm leaving talk of a more sophisticated solution where the keys 
> are bound to the merchant and can be verified by the payment app to 
> another discussion; there was a decent-sized group of volunteers in 
> London interested in exploring that topic.

This seems more worthwhile.


-- 
Adam Roach
Principal Platform Engineer
Office of the CTO

Received on Saturday, 9 July 2016 08:16:44 UTC