Credit card companies have a golden opportunity to take over another industry: the two-factor authentication industry.
Explanation of why and how:
-Two-factor authentication requires something the user knows (e.g. a password) and something they have (e.g. a phone to receive a code).
-The problem with using a phone number (for a text message) or an app on your phone to receive the second factor is that you are placing trust in the phone itself: that the device is not compromised, that it is not stolen by a third party, and that the transmission is not intercepted.
-That last part is very nearly impossible to fully protect against, because any device that allows a wide variety of software to run on it (apps, apps, apps) is inherently complex.
-Text messaging is not secure enough for two-factor authentication. This has been well documented (SS7-related weaknesses).
SOLUTION:
Credit card manufacturers should add an additional "chip" at the opposite end of newly issued credit cards, containing a PGP-style private key (one that is not actually readable by a human).
This private key chip (embedded at the other end of the credit card) receives a string of input from a log-in portal, "signs" that arbitrary string with the on-chip private key...
...and then sends the result back out in verifiably signed form. This evidences that the same physical card is consistently in the user's possession.
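The exchange described above, as an added example that is not part of the original post: an Ed25519 key pair stands in for the PGP key (an assumption, chosen because it is in Go's standard library), the `Card` type plays the on-card chip, the `Portal` type plays the log-in site, and the one-shot random nonce shows why the portal must send a fresh string for every attempt rather than a fixed one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Card models the proposed on-card chip: private key generated inside, never leaves.
type Card struct{ priv ed25519.PrivateKey }
// NewCard provisions a card; the public key is what the issuer hands to portals.
func NewCard() (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv}, pub, nil
}
// Sign is the chip's only exposed operation: sign whatever bytes it is handed.
func (c *Card) Sign(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }
// Portal is the login site: enrolled public keys, one outstanding challenge per user.
type Portal struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}
func NewPortal() *Portal { return &Portal{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func (p *Portal) Enroll(user string, pub ed25519.PublicKey) { p.pubKeys[user] = pub }
// Challenge issues a fresh 32-byte random nonce for one login attempt; a new
// nonce each time is what stops a signature captured in transit being replayed.
func (p *Portal) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p.pending[user] = nonce
	return nonce, nil
}
// Verify accepts the login only if sig checks, under the enrolled key, over the
// outstanding challenge, which is consumed either way so a reused sig fails.
func (p *Portal) Verify(user string, sig []byte) error {
	nonce, ok := p.pending[user]
	delete(p.pending, user)
	if !ok {
		return errors.New("no outstanding challenge for user")
	}
	if pub, ok := p.pubKeys[user]; !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not verify under enrolled key")
	}
	return nil
}
```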
Because it's embedded in a plastic rectangle that people already carry around and guard carefully, it's a great "something you have" second factor.
Because the private key never needs to be known, memorized, or even readable outside of the single card-embedded chip, there is an additional layer of procedural safeguard in its creation and use.
Malware cannot be installed on it; it cannot be seen visually, but it works the same way. Because it's built into your credit card, you are naturally fairly aware of where it is at all times and tend to keep it near you for use.
Ta-daaaaaa! *change_the_world.gif*