
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-09-15 InfoSec Handlers Diary Blog



Risk... in the most obscure places

Published: 2015-09-15
Last Updated: 2015-09-15 14:09:42 UTC
by Tony Carothers (Version: 1)

I read an article yesterday about various stores and markets requiring a state-issued driver's license or identification as proof of identification for returns.  When the return is made, identification is presented to the vendor, and it is scanned into their system to be stored with the transaction.  On the surface, this seems reasonable, except for the scanning and *storing* of the identification, which is probably not such a good idea.  The vendor is now collecting more information than we would probably like to give, such as name, address, driver's license number, and other details, depending on the issuing state.

 

The need for identification, whether physical or virtual, is real.  Stores and markets most likely (not getting into the legal here) have some right to ask for a form of identification when conducting certain transactions, and I agree with that requirement.  Thirty years ago, when using a bank check to make a purchase, vendors would require a valid credit card, which they would write on the check. (youch)  The capture and storage of information, of which the consumer may not even be fully apprised, is the issue here.

 

So we are here today to discuss ways we can do this better.  My initial thought was to scan the identification into the system, read what is magnetically written, and display it on a screen for the merchant.  The merchant compares that to what is printed and to the photograph, and documents that the ID was verified as valid.  We still trust employees that work for us, so let's leverage that.  In this we have a solution in which no information is stored, only displayed for the merchant to verify against what is printed.
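A sketch of that display-and-discard flow, added here as an illustration and not taken from any vendor's system. The `KEY=value` scan format, the field names and the `verify_return` helper are assumptions made for the example; real card encodings differ.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed sample: a simplified stand-in for what a card reader returns.
# The "KEY=value|KEY=value" layout is assumed, not a real card encoding.
SAMPLE_SCAN = "NAME=JANE Q SAMPLE|ADDR=1 EXAMPLE ST|IDNUM=X0000000|DOB=1980-01-01"

@dataclass(frozen=True)
class VerificationRecord:
    """The only data persisted: which return, who checked, when, and the result."""
    transaction_id: str
    clerk_id: str
    checked_at: str
    id_matched: bool

def parse_scan(raw: str) -> dict:
    """Split the scanned payload into fields that live in memory only."""
    fields = {}
    for part in raw.split("|"):
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError("malformed field in scan data")
        fields[key] = value
    return fields

def render_for_clerk(fields: dict) -> str:
    """Text shown on screen for comparison with the printed card and photo."""
    return "\n".join(f"{k}: {v}" for k, v in fields.items())

def verify_return(raw_scan, transaction_id, clerk_id, clerk_confirms, store):
    """Show the scanned data, take the clerk's decision, persist no card data."""
    fields = parse_scan(raw_scan)
    matched = bool(clerk_confirms(render_for_clerk(fields)))
    record = VerificationRecord(
        transaction_id=transaction_id,
        clerk_id=clerk_id,
        checked_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        id_matched=matched,
    )
    # Only the attestation is written; `fields` goes out of scope on return.
    store.append(json.dumps(asdict(record)))
    return record

if __name__ == "__main__":
    db = []  # stands in for the transaction database
    verify_return(SAMPLE_SCAN, "RET-0001", "clerk-17", lambda screen: True, db)
    print(db[0])
```

The stored row ties the verification to a transaction and an employee, which is what an audit needs, while nothing read from the card is retained for a later breach to expose.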

I open the floor to any comments, questions, queries, quibbles, complaints, or concerns.  Mostly I am hoping for solutions, though.

tony d0t carothers --gmail
