[oclug] A credit/debit card reader for the home ??

Bill Strosberg oclug at strosberg.com
Fri Sep 25 14:58:14 EDT 2009


William Case wrote:
> Hi;
>
> Just had a thought!  But it has probably been thought before.
>
> I was about to buy a magazine article from Scientific American.  They
> wanted $7.95 which I was willing to pay.  Of course when I clicked on
> the appropriate screen button to purchase it, they wanted credit card
> info.  I have used my Visa to purchase online before but I am always
> very reluctant to do so.  In this case I cancelled my purchase.
>
> What I think would work for me is having a personal card reader attached
> to my computer.  If I wanted to make an online purchase, the
> communication of account numbers and passwords would be directly between
> me and my bank with only the purchase amount and name and some kind of
> purchased item ID being transferred to the vendor by my bank.
>
> Similarly, I could then use a 'cash' card.  A cash card would be a
> swipe-able card to which I could transfer an amount from a bank account
> from home using my home card reader, debit/credit card and the cash
> card.  While I am out at a restaurant, bar, store etc., any vendor would
> have access only to the amount of money registered on the cash card and
> would deduct the amount spent from the cash card total.  If the cash
> card were lost or stolen, only the remaining amount on the cash card,
> plus the cash card passwords would be at risk.  I would have to keep
> topping up the amount on the cash card, but I could do that safely from
> home.
>
> Of course, I don't understand all the security problems this might
> introduce, but on the surface, it would make me feel as if I was in more
> control of my money and transaction security.
>
> I would really like to see any thoughts, criticisms or comments anyone
> might have.
>
>   
Credit and debit payment processing is very complex.  The readers are 
simple (I've designed, built and sold many different variations in the 
past).

You can get keyboard "wedge" readers that will read track 2 and track 3 
magnetic stripe reader (MSR) data from your cards very cheaply.  You 
swipe the card, and the reader converts it to keystrokes on the keyboard 
interface as if it has been typed.  Cheaper readers do not implement the 
CRC (cyclical redundancy check) or checksums incorporated in the card.  
Cheap readers generally do not work bi-directionally as well.

MSR devices are on the way out - smart card "chip" technology is slowly 
gaining momentum here - it already is pervasive in Europe.  MSR data is 
easily duplicated with an inexpensive card writer and there is no 
technical difference between the original and a cloned card.  The rate 
at which technology is incorporated into the banking industry here is 
controlled by the volume of fraudulent activity the banks/card issuers 
are willing to accept.  If fraud is low, why bother instituting new 
technology at great expense? 

In Canada our pinpad technology is controlled by the banks - approved 
vendors incorporate bank-injected encryption chips in the pin pads to 
generate the checksum values from your "PIN" when you enter it.  This 
checksum value changes every transaction, and is compared to a similarly 
generated checksum for the transaction at the bank end.  At no time is 
your "PIN" ever sent across the Internet (or direct processing 
connection via telephone).  There are multiple factors used to generate 
the checksum.  The Canadian debit handling is far more secure & 
consistent than the American version, as the US Federal Reserve system 
is far more confused and fragmented than Canadian banking.

The encryption chips are self destructing in the event of tampering, and 
are serialized.  Hack attempts at point of sale generally attack the pin 
pad keyboard interface well in front of the actual encrypted 
communication stream.

All this to say, the banking community is not willing to accept high 
risk transaction data from card-not-present transactions.  PayPal is a 
reasonable buyer alternative, but their fees are ridiculous to the 
seller.  Don't look for this feature on home computers in the near future.

--
Bill
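
Added example, not part of the original message: the reply above mentions readers that skip the integrity checks on stripe data. This Python sketch shows the two checks that ISO/IEC 7811 track 2 encoding carries (odd parity on each 5-bit symbol and a trailing LRC symbol) and what a decoder returns when it ignores them. The function names and the sample value are assumptions made for illustration.

```python
# Added example: track 2 integrity checks (odd parity per symbol, then LRC).
from functools import reduce
from operator import xor

SS, FS, ES = ";", "=", "?"   # start sentinel, field separator, end sentinel

def encode_symbol(value):
    """4 data bits, least significant first, then an odd-parity bit."""
    bits = [(value >> k) & 1 for k in range(4)]
    return bits + [1 - sum(bits) % 2]

def encode_track2(payload):
    """Build the bit stream for ;payload? followed by its LRC symbol."""
    values = [ord(c) - 0x30 for c in SS + payload + ES]
    if any(not 0 <= v <= 15 for v in values):
        raise ValueError("character outside the track 2 alphabet")
    lrc = reduce(xor, values, 0)   # LRC: XOR of the data bits of every symbol
    return [b for v in values + [lrc] for b in encode_symbol(v)]

def decode_track2(bits, verify=True):
    """Return (pan, remainder); verify=False mimics a reader that skips the checks."""
    if len(bits) % 5:
        raise ValueError("bit stream is not a whole number of 5-bit symbols")
    values = []
    for i in range(0, len(bits), 5):
        symbol = bits[i:i + 5]
        if verify and sum(symbol) % 2 != 1:
            raise ValueError(f"parity error in symbol {i // 5}")
        values.append(sum(b << k for k, b in enumerate(symbol[:4])))
    *body, lrc = values
    if verify and reduce(xor, body, 0) != lrc:
        raise ValueError("LRC mismatch")
    text = "".join(chr(v + 0x30) for v in body)
    if not (text.startswith(SS) and text.endswith(ES)):
        raise ValueError("missing start or end sentinel")
    pan, _, remainder = text[1:-1].partition(FS)
    return pan, remainder

def flip(bits, *positions):
    """Copy of bits with the given positions inverted (simulated read error)."""
    return [b ^ (i in positions) for i, b in enumerate(bits)]

# Constructed sample, not a real card: made-up account number and trailing field.
SAMPLE = "1234567890123456=00000000"
GOOD = encode_track2(SAMPLE)
ONE_BIT = flip(GOOD, 5)      # one bit wrong in symbol 1: parity catches it
TWO_BIT = flip(GOOD, 5, 9)   # data bit and parity bit of symbol 1: only the LRC catches it
```

With `verify=False`, `TWO_BIT` decodes without complaint to an account number whose first digit is wrong, which is the practical cost of a reader that drops the checks.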


