From: Joxroach on
On 14 Jul, 15:47, Daniel James <wastebas...(a)nospam.aaisp.org> wrote:
> In article <news:slrnf99mpl.df6.h(a)realh.co.uk>, Tony Houghton wrote:
>
> > I read somewhere that shifting the blame was the real motivation behind
> > chip & pin.
>
I don't think this was the motive either, but it certainly is a
reality.

The fatal flaw with Chip & PIN, is the PIN. A PIN used with a genuine
stolen Credit OR Debit Card can be used at any CHIP & PIN retailers or
a much more crook friendly ATM without the perpetrator ever being
challenged. A PIN used with a cloned card, then this can be used at
ATMs worldwide and at many ATMs in the UK. The attraction to the crook
is that they are never challenged at ATMs and retail staff don't give
a hoot who uses a Chip & PIN card. As long as the correct PIN is
entered, the retailer is guaranteed their dosh.

There is an alternative way to eliminate the liability issue for so
called PIN negligence.

Read the article in Martin Lewis's Money Saving Expert Forum:

http://forums.moneysavingexpert.com/showthread.html?t=484305



From: Alex Butcher on
On Sat, 14 Jul 2007 16:43:13 +0100, Martin Gregorie wrote:

> Daniel James wrote:
>> In article news:<slrnf99mpl.df6.h(a)realh.co.uk>, Tony Houghton wrote:
>>> I read somewhere that shifting the blame was the real motivation behind
>>> chip & pin.
>>
>> I don't think that's ever been the motivation, but it is to some extent
>> a side-effect.
>>
> I just had a thought while reading this post (snipped the rest).
>
> Does anybody know if there's anything in the card reader that's locked to
> the bank account, or can I use any Natwest card reader with my card and
> generate a valid authorization code?
>
> If the card reader is not account-specific then the activation process
> boils down to a simple check can read your card and that it works
> correctly.

From reading Xiring's blurb it appears it works something like this:

- bank website produces a challenge (this could be an encrypted version of
some or all aspects of the transaction, such as the amount)

- you enter this challenge on the reader (if this was an encrypted version
of the transaction, it uses a key on the card's chip to decrypt and show
you the details of what you're signing)

- the chip on your card encrypts the challenge to produce a response. The
bank/card issuer knows the key on your card's chip, so knows what the
correct response should be.

- you enter the response in your browser and submit it, upon which it is
validated and the transaction is accepted or denied appropriately.

Best Regards,
Alex.
--
Alex Butcher, Bristol UK. PGP/GnuPG ID:0x5010dbff

"[T]he whole point about the reason why I think it is important we go for
identity cards and an identity database today is that identity fraud and
abuse is a major, major problem. Now the civil liberties aspect of it, look
it is a view, I don't personally think it matters very much."
- Tony Blair, 6 June 2006 <http://www.number-10.gov.uk/output/Page9566.asp>

From: Daniel James on
In article news:<mh7nm4-ldu.ln1(a)zoogz.gregorie.org>, Martin Gregorie wrote:
> Does anybody know if there's anything in the card reader that's locked
> to the bank account, or can I use any Natwest card reader with my card
> and generate a valid authorization code?

I've seen it stated (I forget where) that the reader is a generic device.
You will certainly be able to use the same reader with different cards from
the same bank, and probably with cards from other banks.

> If the card reader is not account-specific then the activation process
> boils down to a simple check can read your card and that it works
> correctly.

No, absolutely not. The reader is just an interface, the number that is
generated for you to use to authorize a payment (etc) comes *from* the
card, and will be generated by some secure cryptographic process inside the
card.

> Even if this is the way it works there's a degree of improved
> security because you are in effect supplying an 8 digit PIN rather than
> a 4 digit one and also avoiding playback attacks.

You would never be asked to provide your PIN itself online -- there's far
too much chance of a keylogger or other malware snooping the value. The PIN
will be verified by the card but will not itself play any part in the
calculation of the dynamic password value. The fact that the cardreader
device is not connected to the PC in any way ensures that the reader can't
be infected, coerced or suborned in any way, so your PIN stays safe.

Note, too, that one could use the same reader with telephone banking: the
banking system could (digitally) 'speak' a number which you would enter
into the reader to generate a response, and the response could be entered
on the keypad of a tone-dialing phone and verified automatically by the
system (I don't know whether the banks propose to do this, but the idea
will not have escaped them).

> I've always thought the 4 digit PIN is too short for comfort.

Unfortunately there are a very large number of ATMs and POS terminals
around the world that can't cope with anything longer (at least: not
without a ROM upgrade, which would be difficult to perform on a secure
tamper-resistant box).

Cheers,
Daniel.
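
The exchange Alex Butcher and Daniel James describe in the two posts above, as an added sketch that is not part of the thread and not any bank's or Xiring's code. HMAC-SHA256 stands in for the card's actual algorithm, which the thread does not name; the `Card`, `Bank` and `reader` names, the 8-digit lengths and the sample account and PIN values are assumptions.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # assumed length of the challenge and of the typed response


def _response(key: bytes, challenge: str) -> str:
    """Keyed MAC over the challenge, cut down to DIGITS decimal digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class Card:
    """Holds the secret key. The PIN is checked here and never leaves the card."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def sign(self, pin: str, challenge: str) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        # The PIN only gates the operation; it is not an input to the response.
        return _response(self._key, challenge)


def reader(card: Card, pin: str, challenge: str) -> str:
    """Generic, offline reader: a keypad and display around whichever card is inserted."""
    return card.sign(pin, challenge)


class Bank:
    """Knows each card's key, issues one-time challenges, checks responses."""

    def __init__(self):
        self._keys, self._pending = {}, {}

    def issue_card(self, account: str, pin: str) -> Card:
        self._keys[account] = secrets.token_bytes(16)
        return Card(self._keys[account], pin)

    def challenge(self, account: str) -> str:
        self._pending[account] = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        return self._pending[account]

    def verify(self, account: str, response: str) -> bool:
        challenge = self._pending.pop(account, None)  # single use: blocks replay
        if challenge is None:
            return False
        return hmac.compare_digest(response, _response(self._keys[account], challenge))
```

A keylogger on the PC sees only the challenge and the response; because each challenge is consumed on first use, a captured response is rejected if submitted again.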


From: Daniel James on
In article news:<1184476357.555906.176450(a)n2g2000hse.googlegroups.com>,
Joxroach wrote:
> The fatal flaw with Chip & PIN, is the PIN.

I tend to agree.

The biggest problem is that the customer is responsible for keeping his own
PIN secret, but has no say in the sorts of precautions that are available
for safeguarding that secret. Point-of-sale terminals with hard-to-conceal
keypads in plain view (sometimes right under security cameras) don't help
at all!

It would be nice if the card issuers could require the retailers to provide
a more easily securable environment for PIN-entry.

> A PIN used with a genuine stolen Credit OR Debit Card can be used at
> any CHIP & PIN retailers or a much more crook friendly ATM without the
> perpetrator ever being challenged.

Yes (I made that point) ... but ONLY if the perpetrator knows the PIN.

> A PIN used with a cloned card, then this can be used at
> ATMs worldwide and at many ATMs in the UK.

To all practical intents and purposes the chip in a card cannot be cloned,
so Chip & PIN is actually quite secure against this sort of attack. The
problem lies in the fact that most ATMs read the magstripe and not the
chip, and magstripes are easy to copy. Unfortunately, there are still huge
numbers of ATMs (in particular) and POS terminals that can't read the chip,
so we're stuck with the copyable, insecure, magstripe for a long time to
come.

However, this is not a shortcoming of C&P, ATMs had been reading magstripe
cards, accepting PINs, and handing out cash for a long time before C&P came
in.

> There is an alternative way to eliminate the liability issue for so
> called PIN negligence.

There would be no liability "issue" if people managed to keep their PIN
secret.

You're talking about thumbprint biometrics ... that's not a complete
solution but it certainly has different problems. The biggest problem with
any biometric method is that it is imprecise; it's very difficult for a
human expert to look at two thumbprints and say that they definitely belong
to the same individual and much harder to teach a computer to compare the
digitized "edited highlights" of the same two prints and make the same
comparison.

Biometrics specialists talk about comparing the "insult rate" with the
"fraud rate" of any technique -- that is: comparing the proportion of
people who will be offended by being told incorrectly that they are
imposters with the proportion of people who will be mistakenly recognized
as someone that they are not. A lot of work goes into fine-tuning the
matching process to give an acceptable balance between the insults and the
frauds.

In order for any biometric technique to be acceptable at the point of sale
the "insult rate" must be essentially zero because neither customers nor
retailers will accept a mechanism that only accepts payment most of the
time.

The problem with thumbprints is that in order to get the insult rate low
enough to be acceptable the fraud rate has to be allowed to be quite high.
It would also be quite easy for a fraud to smudge his thumbprint enough
that the reader could not make a reliable authentication, and the retailer
would then be in the position of having to refuse the transaction or of
making the transaction with a paper voucher ... eliminating the security
that might have been achieved by the use of the thumbprint.

There have also been a number of quite well-documented studies in which
thumbprint readers have been fooled by false thumbprints (from simple
photographs of the thumbprint of the legitimate cardholder to gelatin films
bearing an impression of the cardholder's thumbprint being worn over the
fraud's thumb).

There is also considerable resistance to any method that uses fingerprints
because people associate the process of fingerprinting with criminal
investigation and feel that giving a fingerprint -- even for the purposes
of protecting access to their own money -- in some way demeans them. Such
resistance may be irrational, but it makes it hard for the banks to sell
thumbprinting to their customers.

Much better success rates can be achieved by biometrics based on the
recognition of patterns in the iris of the eye, and although some early
iris recognition devices could be fooled using photographs modern devices
are more reliable. I think iris recognition as a means of establishing
identity at point of sale is more likely to be workable than thumbprint
checking, but I don't think we'll see either for the next five years or
more.

Cheers,
Daniel.


From: Tony Houghton on
In <VA.00001118.059e55be(a)nospam.aaisp.org>,
Daniel James <wastebasket(a)nospam.aaisp.org> wrote:

> There have also been a number of quite well-documented studies in which
> thumbprint readers have been fooled by false thumbprints (from simple
> photographs of the thumbprint of the legitimate cardholder to gelatin films
> bearing an impression of the cardholder's thumbprint being worn over the
> fraud's thumb).

One of the most amusing was an episode of Mythbusters. An unnamed
security company submitted their "unbeatable" reader which was supposed
to be able to detect fake thumbs by measuring conductivity etc. IIRC
they defeated it by printing a copy of the thumbprint on plain paper and
licking it. An off-the-shelf reader connected to a laptop was rather
harder to crack, requiring something like a latex moulding.

OTOH the off-the-shelf reader would probably be more prone to the sorts
of "insults" you described.

--
TH * http://www.realh.co.uk