I was visiting an airline site today, and when prompted to enter my credit card details to book the flight, and asked whether or not I wanted to store my card details for future transactions, I saw the note:
“It's safer to store your payment card details in our secure vault than it is to send them over the internet each time (why?)”
When clicking on “why” I got:
Why is it safer to save my payment details on XX.com?
“By saving your payment details on XX.com, you won't have to send them over the internet each time you make a purchase. That means there's less opportunity for your information to be obtained through a computer virus and used fraudulently.
If there's a virus on your computer (sometimes called a ‘trojan’), it can record your payment details as you type them. Those details are sent to the person controlling the virus, who can then use them for fraudulent purposes. This can happen even if the web page uses a secure address (i.e. one that starts ‘https://’).”
It kind of got me thinking, as these things do, but presumably this airline made a risk assessment on the client's behalf and decided it actually would be safer for clients to store card details on their systems, as opposed to having to enter them each and every time.
I agree and disagree. By storing card details on a central system, they may well be better protected than they would be on a user's home PC, but that central system is also a bigger and better target for criminals. Criminals will always be looking for ways to crack open the huge store of credit card information held by an airline site, whereas an individual home PC isn't worth much of their attention. So why is that?
* Home PCs aren't online 100% of the time; they hop IP addresses and change state, and a moving target is harder for a criminal to attack. A well-known airline, by contrast, has its web site online 100% of the time, on a fixed IP address and in a fixed state. Its doors are always open to traffic, legitimate or nefarious.
* If a criminal gets access to a home PC, then he or she might get access to a single credit card. These can be bought on the black market at $5 a time, and full identities go for around $20. Is it really worth a criminal's effort? Not for a single PC, but yes if the criminal has automated exfiltration on a wide scale. 10,000 controlled PCs should in theory generate at least $50,000 in revenue on the black market, assuming that credit card information can be scraped from each.
But back to the airline scenario: they don't appear to have considered that consumers will be buying things on other websites, some of which perhaps don't offer stored-card repeat transactions, and of course the consumer's PC might already be infected by a trojan, in which case the criminal has the card number anyway.
So in short, unless consumers secure their card data by using the secure vaults of ALL the shopping sites they visit, this strategy won't work; and even if consumers DO store their card data in this manner, they'll ultimately need to type in a new card number when their cards expire anyway, which counters the suggestion that storage in a secure vault reduces the threat of keyloggers to zero.