
DNSSEC, Privacy, Credit Card Tokenization PAN, dCVV, etc

posted Oct 24, 2014, 11:34 PM by Sami Lehtinen   [ updated Oct 24, 2014, 11:35 PM ]
Studied Introduction to DNSSEC by CloudFlare
Checked out Kounta, mCASH and reminded myself about the features of SEQR (Seamless). Mobile POS, Mobile Payments.

Watched PBS NOVA 2014 Why Planes Vanish? Primary Radar, Secondary Radar, SatCom, Transponder, SQUAWK, Doppler shift, Ping latency, Frequency correction, ADS-B, electric bay, AFIRS, streaming near-realtime flight data recorders (black box). My comments: ADS-B is a flawed system, because it's based on information reported by the plane's own systems, and that information can be spoofed or the system disabled.
Watched Glenn Greenwald's Why privacy matters and The Virtual Interview: Edward Snowden

Read Even a Golden Key Can Be Stolen by Thieves, how Apple encryption is flawed. "regulating backdoors in cryptography will diminish users’ security". I think there's still a major flaw. What good is getting a warrant for the contents of an encrypted laptop, desktop or phone? If it's encrypted and they don't have the key, the warrant is no good. This means that Apple still has a backdoor into the system by holding the keys. This is exactly in line with what I wrote about in earlier posts, about them lying about not having access to data. If the encryption is done correctly, they don't have any data or keys which could help law enforcement in any way, even if they had a warrant. It's just horrible how many (almost all) systems are insecure by design.

I've been thinking several times about implementing a secure P2P client, which basically wouldn't leak any data. The security level would be much better than with Tor or any currently existing 'privacy' tool. Of course this would be mostly used by tinfoil hats only, so using it would make you kind of a target, but the good thing is that they couldn't tell anything about who you're chatting with, when you're chatting, etc. It would be an interesting exercise. I guess I would use the existing Bitmessage source and just modify it with the required additions, because I've earlier successfully extended Bitmessage features, but just to attack the network itself. Adding latency and generating corresponding fake traffic would be basic features, hiding the normal flood-casting messaging pattern Bitmessage currently employs. Of course Freenet (Freenet Project) has had these features for ages, as well as GNUnet.

Registered to watch: Google Cloud Platform Live

Studied Apple Pay for Developers: Network Level Tokenization Network-Side Token PAN BIN (Tokenization Data security @ Wikipedia)

Read: EMV Payment Tokenisation Specification – Technical Framework

Related keywords:

Ecosystem Tokenization Environment Payment Token Ecosystem Service Provider Cardholder Card Issuer Merchant Acquirer Payment Network Requestor Specification Data Elements Requirements Vault Generation Issuance Provisioning Security Controls Registration Assurance Domain Restriction ID EMV Technical Framework POS Entry Modes Information Reports Raw ID&V Methods Concepts Performed Account Verification API APIs Participating Endpoints Interface Categories Input Output Level Update De-tokenization Query Lifecycle Management Processing Routing Range Tables Transaction Authorisations During Capture Clearing Exception Flows Mobile NFC Point of Sale Digital Wallet E-Commerce Card-On-File Scan Use Case Flow Overview Authorisation Chargeback Normative Abbreviations Definitions Events Mapping Standard Europay Visa Mastercard

More excellent reading for people interested about payment cards: EMV Specifications

Dynamically changing dCVV / dCVC codes for credit cards, where the printed CVV/CVC is replaced by a mini display.
Doesn't basically change anything in Finland, because many sites are already using Verified by Visa or MasterCard SecureCode, which basically use strong identification to verify the identity of the card owner before authorizing any payment. The current implementation is already much stronger than any dynamic card verification value. Even if you have the card, it's useless unless you also have access to the card owner's identification codes.

Had some trouble with files saved from Windows Notepad; it seems that Windows is using a character set which isn't directly detected by Mousepad, the Xubuntu default text editor. I guess the main problem is that Microsoft is using a non-standard € sign encoding (chr 128) when saving in the MS ANSI ASCII 8-bit format. - Got solved by using the Windows-1252 character set encoding. I would personally prefer always using UTF-8.
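As an added illustration (not part of the original post), the Python snippet below shows why byte 0x80 from a Notepad "ANSI" file trips a UTF-8 or ISO-8859-1 reader while Windows-1252 decodes it as €, and how to convert such a file to UTF-8. The sample text is constructed; `decode_attempts` and `to_utf8` are helper names chosen here.

```python
# Added example, not code from the original post: handling a Windows Notepad
# "ANSI" (Windows-1252) file whose euro sign is the single byte 0x80.

# Constructed sample: "Hinta: 12,50 €" as Notepad's ANSI (Windows-1252) bytes.
# In Windows-1252, 0x80 is €; in ISO-8859-1 it is the C1 control U+0080;
# in UTF-8 it is a bare continuation byte and therefore invalid.
CP1252_SAMPLE = "Hinta: 12,50 \u20ac".encode("cp1252")


def decode_attempts(data: bytes) -> dict:
    """Decode the same bytes under the three encodings in play and report
    what each produces, so the failure mode is visible side by side."""
    results = {}
    for codec in ("utf-8", "latin-1", "cp1252"):
        try:
            results[codec] = data.decode(codec)
        except UnicodeDecodeError as exc:
            bad = data[exc.start]
            results[codec] = f"<decode error at byte {exc.start}: 0x{bad:02x}>"
    return results


def to_utf8(data: bytes, fallback: str = "cp1252") -> bytes:
    """Convert Notepad-style bytes to UTF-8.

    Valid UTF-8 (including a leading BOM, which is stripped) is accepted
    as-is; anything else is assumed to be Windows-1252.  Note that a
    Windows-1252 file using only bytes below 0x80 is also valid UTF-8, so
    it passes the first branch unchanged, which is the desired result.
    """
    try:
        text = data.decode("utf-8-sig")
    except UnicodeDecodeError:
        text = data.decode(fallback)
    return text.encode("utf-8")


if __name__ == "__main__":
    for codec, result in decode_attempts(CP1252_SAMPLE).items():
        print(f"{codec:8s}: {result!r}")
    print(to_utf8(CP1252_SAMPLE))
```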