Perils of misusing identifiers as authenticators, or the cold case of credit card numbers

One of the most widely known and publicised types of security incident is the theft and misuse of credit card numbers (PANs, as they are also known in the industry). Millions are spent on measures such as PCI DSS, tokenisation, pentests and so on in the effort to prevent criminals from getting their hands on our credit card numbers and enjoying themselves at the expense of banks and merchants – and sometimes the card holders. One obvious question, however, is not usually asked, and it’s this one: what is the root cause? Why does obtaining that long number across the front of your card, which you show every time you make a purchase (along with a few other numbers and your name – all printed on the card itself), constitute a security problem?

And the problem of course is this: many years ago, long before credit card fraud had become a profitable business, a very wrong security design decision with momentous consequences was made – a decision to use identifiers as authenticators – a decision that banks, merchants and card holders are having to live with decades later, a decision that has proven so difficult to undo that we spend millions trying to address the consequences.
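To make the design point concrete, here is an added illustration (not code from the original post) of the two designs side by side. It is a deliberately simplified model, not a description of any real card scheme: in the flawed design, the issuer treats knowledge of the PAN (the identifier) as proof of ownership; in the corrected design, the PAN only identifies the account, and the authenticator is a per-transaction cryptogram computed with a secret key that never leaves the card and the issuer. The card numbers, keys and amounts are constructed sample values, and the function names are my own.

```python
import hmac
import hashlib
import secrets

# Constructed sample issuer records (not real card data). The PAN is the
# account identifier; card_key is a secret held only by the card and the
# issuer; counter tracks the last accepted transaction to stop replays.
ISSUER_RECORDS = {
    "4000000000000002": {"card_key": secrets.token_bytes(16), "counter": 0},
    "5200000000000007": {"card_key": secrets.token_bytes(16), "counter": 0},
}


def authorize_identifier_only(pan: str, amount: int) -> bool:
    """Flawed design: knowing the identifier is treated as proof of ownership.

    Anyone who has seen the number printed on the card passes this check.
    """
    return pan in ISSUER_RECORDS


def card_sign(pan: str, amount: int, counter: int, card_key: bytes) -> str:
    """What the card does: bind this specific transaction to its secret key.

    The cryptogram covers the PAN, the amount and a fresh counter, so it is
    useless for a different amount or for a second attempt.
    """
    msg = f"{pan}|{amount}|{counter}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()


def authorize_with_cryptogram(pan: str, amount: int, counter: int,
                              cryptogram: str) -> bool:
    """Corrected design: the PAN identifies the account, the cryptogram
    authenticates the transaction. The PAN alone proves nothing."""
    record = ISSUER_RECORDS.get(pan)
    if record is None:
        return False
    if counter <= record["counter"]:
        return False  # replay of an already-used (or older) counter value
    expected = card_sign(pan, amount, counter, record["card_key"])
    if not hmac.compare_digest(expected, cryptogram):
        return False  # wrong key, or amount/counter tampered with
    record["counter"] = counter
    return True


def demo() -> dict:
    """Exercise both designs with a PAN that has leaked (constructed scenario)."""
    leaked_pan = "4000000000000002"
    results = {}

    # Identifier-as-authenticator: the leaked number is enough to be authorised.
    results["identifier_only_accepts_leaked_pan"] = (
        authorize_identifier_only(leaked_pan, 100))

    # Separate authenticator: the number without the card's key is rejected.
    results["cryptogram_rejects_without_key"] = (
        not authorize_with_cryptogram(leaked_pan, 100, 1, "00" * 32))

    # The genuine card produces a valid cryptogram for counter 1 ...
    key = ISSUER_RECORDS[leaked_pan]["card_key"]
    genuine = card_sign(leaked_pan, 100, 1, key)
    results["cryptogram_accepts_genuine"] = (
        authorize_with_cryptogram(leaked_pan, 100, 1, genuine))

    # ... but that same cryptogram cannot be reused, nor rebound to a new amount.
    results["cryptogram_rejects_replay"] = (
        not authorize_with_cryptogram(leaked_pan, 100, 1, genuine))
    results["cryptogram_rejects_changed_amount"] = (
        not authorize_with_cryptogram(leaked_pan, 999, 2, genuine))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The point the model makes is the one the post argues: once the value that identifies the account is also the value that authorises spending from it, every place that has to see the identifier (receipts, merchants, call centres, the front of the card) becomes a place the authenticator can leak from, and no amount of downstream protection fully repairs that. Separating the two means a leaked identifier is merely a privacy concern rather than a fraud enabler.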

If there is anything to be learnt from this lesson, it is that it’s difficult to overestimate the importance of engineering security in from the very beginning – and, of course, getting it right.