A lot of brilliant people are making some phenomenal progress in credit card processing and card security methods, and this new method of using your webcam to capture credit card data for purchases sounds intriguing.

They have some of the nitty-gritty in the press release, but I’ll try to break it down somewhat. Right now when you buy stuff online, you have to manually enter your credit card data. And a lot of personal data. I think most retailers require billing address, CC number, CVV, and blood type. All this data is encrypted a TON and fired off to the retailer, who then runs the card and sends you some culottes or mustache wax. I buy weird stuff. What’s really unfortunate is that the data can still be compromised/captured en route to the PC via keyloggers and other assorted malware designed to steal your stuff.

Enter Jumio and Netswipe. Rather than hand-entering data, your webcam opens a secure connection to an authentication service, and you hold your card in front of the webcam while it gets a read. It might also see your messy apartment, but I don’t think it will judge. You use your mouse to enter the CVV so keyloggers just see some clicks, and the transaction’s complete. They mention that this could be used at businesses as well; my guess would be via a 2D barcode scanner that can also capture images.

I think Netswipe has the potential to minimize a lot of fraud that occurs online. You actually need the card to make the transaction, so you cut back potential users to those who own the card, or may have physically stolen it. Although a well-printed duplicate may also work, I’m not sure how that plays out. Since the CVV is entered by mouse clicks instead of keystrokes, you also eliminate another chunk of data that could be stolen.

My only worry would be malware designers building for this new capture method, where they either capture the video stream, or set the camera to take a still image after the transaction’s complete, so then they get a nice crisp image of the card instead of the keyboard-entered data. But I’m sure the Jumio developers are looking at a variety of ways to minimize abuse.

In the meantime, there are methods to secure transactions at the point of sale. The MagTek Centurion card reader offers hardware encryption that is only decrypted by your credit card processor. I’ve mentioned previously that businesses are starting to get fined for data breaches, so taking steps to secure sensitive data now will definitely save you time and money in the long run.

I can make up words about most stuff we carry at POSGuys, primarily because the products are pretty similar to each other. Once you’re familiar with the different styles of barcode scanners it’s pretty straightforward to get a bead on where a new one fits. The MagTek Centurion secure card reader authenticator, and other new MagTek MagneSafe products, are a bit outside of my element, so they’ve taken me a lot longer to build up cheeky prose on their capabilities.

These card readers were made in response to the growing importance of PCI compliance and ensuring customer credit card data integrity is maintained. PCI compliance is a standard created by the Payment Card Industry (ooh, PCI) to help businesses identify potential weak points in their data security, and give some best use techniques to avoid data theft. After what happened with TJ Maxx and Heartland Payment, it became even more important to prevent this information from getting into the wrong hands.

For most card readers, the data is sent as plain text to the credit card processing software, which then encrypts it and fires it across the internet to the credit card processing company. Unfortunately, the credit card processing software can be on computers used for myriad purposes, including trawling MySpace for new friends. This creates a vector for malware and other assorted nefarious apps to capture this information. The MagneSafe system is a hardware encryption scheme so that, if someone were to steal the data, they get gibberish instead of sweet, sweet credit card numbers.
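
A check a merchant could run over captured reader output to see whether card data is arriving at the PC in the clear, as an added example that is not from the original post or from MagTek: it looks for ISO/IEC 7813 track 1 and track 2 layouts carrying a Luhn-valid card number. The sample strings are constructed, and the hex stand-in for an encrypting reader is an assumption, not MagneSafe's actual output format.

```python
import re

# ISO/IEC 7813 magnetic-stripe layouts as a keyboard-wedge reader emits them.
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})\d{3}[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})\d{3}[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits so findings never hold a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_tracks(reader_output: str) -> list:
    """Return one finding per cleartext track that carries a Luhn-valid PAN."""
    findings = []
    for name, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(reader_output):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append({"track": name, "pan": mask(pan)})
    return findings


# Constructed samples. 4111111111111111 is a well-known test number, not a real card.
PLAIN_READER = ("%B4111111111111111^DOE/JANE^30121010000000000000?"
                ";4111111111111111=30121010000000000?")
# Constructed stand-in for an encrypting reader's output: opaque hex, no track layout.
ENCRYPTED_READER = "9F3A7C11D2E84B5506AA31F0C7D9E2B48A6F1033C5D7E9"

if __name__ == "__main__":
    print(find_cleartext_tracks(PLAIN_READER))      # two masked findings
    print(find_cleartext_tracks(ENCRYPTED_READER))  # no findings
```

Any finding means whatever software sits between the reader and the processor, malware included, can read the card number.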

What’s really great about these units specifically is that you can buy them unencrypted now, and if/when your credit card processor does support encrypted transmission, they can remotely reprogram the reader to match their encryption methods. So you don’t have the downtime of shipping it off to be programmed, and if something happens where you change processors, you’re still in luck.
