With tokenization, does the token server give a new token once it is used, or does it wait for you to attempt a purchase?
I’m pretty sure it works the same as a DUO token.
Tokens are one-time use
what if the attacker knows about the token (in the video it's 4545 ...) and then just sends that to the merchant payment server so then it goes step 6 and 7 to gain approval, wouldn't that allow the attacker to use the person's credit card by knowing his/her token is?
The tokens are only good for one use, so any transactions using a previous token would be rejected.
so tokenization can only be used with a phone or similar device to interact with the token service server? It won't work when using the chip or slide on a plastic card itself, for example?
That's correct, the card is going to use the actual card numbers for the transaction instead of a token.
After learning about these attacks from your videos, it seems like Target is quite the target!
We love to hate Target
@reversed5552 FR FR
ROFLMAO!!🤣
When it comes to IRM, does this relate to Zero Trust, RBAC and other similar access control concepts?
Is the process of tokenization the same if we used the credit card directly to pay instead of our phones?
Nope. If you use your credit card, then you're sending your actual credit card information through the system.
@professormesser Thank you Professor!
So is tokenization basically spoofing the plain text? Because it's still plain text and it's not encrypted, but it is just something else.
@ 9:14, couldn't you just capture the token and replay it? What prevents that from being successful? Or is it a new token every time?
A token can't be reused, so even if it was somehow captured it would be worthless.
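To make the one-time-use answers above (the reply about replaying a captured token, and the earlier reply about an attacker who learns the token value) concrete, here is an added Python simulation. It is not code from the video or from Professor Messer; the `TokenService` class, its vault, the `replay_scenario` helper and the sample card number are all constructed for this illustration. It shows a token being issued for one purchase, redeemed once (steps 6 and 7 in the video's flow), and then rejected when the same token is presented a second time.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample card number for the demo (a well-known test PAN, not a real account).
SAMPLE_PAN = "4111111111111111"


@dataclass
class TokenService:
    """Hypothetical token service: maps one-time tokens back to the real card number (PAN).

    The merchant only ever sees the token; the PAN stays inside this vault.
    """
    vault: dict = field(default_factory=dict)   # token -> PAN
    used: set = field(default_factory=set)      # tokens already redeemed

    def issue(self, pan: str) -> str:
        """Issue a fresh, unpredictable token for a single transaction
        (like the wallet on the phone requesting one before a purchase)."""
        token = secrets.token_hex(8)            # 64 bits of randomness; not derived from the PAN
        self.vault[token] = pan
        return token

    def redeem(self, token: str) -> tuple[bool, str]:
        """Steps 6/7 in the video's flow: the payment network asks the vault what the token stands for.

        Returns (approved, detail). A token is good exactly once; a second presentation is rejected.
        """
        if token not in self.vault:
            return False, "rejected: unknown token"
        if token in self.used:
            return False, "rejected: token already used (replay)"
        self.used.add(token)
        pan = self.vault[token]
        return True, f"approved: card ending {pan[-4:]}"


def replay_scenario() -> list[str]:
    """Walk through a normal purchase followed by a replay of the same token."""
    service = TokenService()
    token = service.issue(SAMPLE_PAN)   # wallet obtains a token for this purchase
    first = service.redeem(token)       # merchant forwards the token, purchase approved
    second = service.redeem(token)      # same token presented again (e.g. captured on the wire)
    return [first[1], second[1]]


if __name__ == "__main__":
    for line in replay_scenario():
        print(line)
```

Running the script prints an approval for the first redemption and a rejection for the second, which is the whole point of the replies above: knowing or capturing a token gives nothing once it has been spent, and the merchant never holds the real card number at all.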
Thanks for the vid!
Thanks
Professor Messer... you gotta do CISSP one day