Limitations of limitations on RE/tampering (was: Re: biometrics)

lynn.wheeler at firstdata.com
Sun Jan 27 16:49:51 EST 2002


almost all security is cost/benefit trade-off.

hardware token chips are somewhat analogous to bank vaults .... if the bank
vault contains enough value and somebody is motivated enough ... they will
attempt to find some way to extract the value. This can be either by
attacking the vault directly ... or by attacking the infrastructure
associated with the vault. I don't believe anybody contends that bank
vaults are absolutely impregnable.

the following are discussions of upgrading a magstripe payment card (debit,
credit, gift, etc) with a chip and requiring (x9.59) digitally signed
transactions.

http://www.garlic.com/~lynn/aadsm2.htm#straw
http://www.garlic.com/~lynn/aadsm2.htm#strawm1
http://www.garlic.com/~lynn/aadsm2.htm#strawm2
http://www.garlic.com/~lynn/aadsm2.htm#strawm3
http://www.garlic.com/~lynn/aadsm2.htm#strawm4
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo1
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo2
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo3
http://www.garlic.com/~lynn/aepay3.htm#passwords
http://www.garlic.com/~lynn/aepay3.htm#x959risk1
http://www.garlic.com/~lynn/aepay3.htm#x959risk2
http://www.garlic.com/~lynn/aepay3.htm#x959risk3
http://www.garlic.com/~lynn/aepay3.htm#x959risk4

The issue is that the chip is used to do financial transactions ... which
have some "credit limit" characteristics, various types of fraud pattern
analysis, capable of reporting card lost/stolen within reasonable period of
time, etc.

The position is that even w/o a PIN &/or biometric controlled chip .... it is
still better than today's world where a magstripe counterfeiting operation is
relatively easy. At least the actual chip card has to be stolen ... as
opposed to being able to harvest several hundred thousand credit card
account numbers from some webserver and execute a large number of fraudulent
transactions w/o much additional effort.

With a chip having some form of PIN &/or biometric control, even
stealing the card isn't sufficient; the chip actually has to be
subverted/compromised. The issues then are 1) the cost of stealing the card,
2) the cost of performing the compromise operation, 3) can the compromise be
performed before the card has been reported lost/stolen, 4) can a
compromised chip actually be used before the card has been reported
lost/stolen.

Reversing the question, can a chip be added to an existing magstripe card
.... and does the increased effort required to compromise such a chip
(compared to compromise/counterfeit magstripe) reduce fraud sufficiently to
justify the cost of the chip (and any associated chip acceptor device
infrastructure).


misc. card fraud discussion

http://www.garlic.com/~lynn/aadsm6.htm#terror7 [FYI] Did Encryption Empower
These Terrorists?
http://www.garlic.com/~lynn/aadsm6.htm#terror14 [FYI] Did Encryption
Empower These Terrorists? (addenda to chargebacks)
http://www.garlic.com/~lynn/aadsm7.htm#pcards4 FW: The end of P-Cards?
http://www.garlic.com/~lynn/aadsm7.htm#auth2 Who or what to authenticate?
(addenda)
http://www.garlic.com/~lynn/aadsm7.htm#rubberhose Rubber hose attack
http://www.garlic.com/~lynn/aadsm7.htm#rhose4 Rubber hose attack
http://www.garlic.com/~lynn/aadsm7.htm#rhose5 when a fraud is a sale, Re:
Rubber hose attack
http://www.garlic.com/~lynn/aadsm9.htm#carnivore Shades of FV's Nathaniel
Borenstein: Carnivore's "Magic Lantern"
http://www.garlic.com/~lynn/aadsm10.htm#risks credit card & gift card fraud
(from today's comp.risks)
http://www.garlic.com/~lynn/aadsmore.htm#debitfraud Debit card fraud in
Canada
http://www.garlic.com/~lynn/aepay6.htm#fraud Online Card Fraud Thirty Times
That Offline
http://www.garlic.com/~lynn/aepay6.htm#ccfraud2 "out of control credit card
fraud"
http://www.garlic.com/~lynn/aepay6.htm#ccfraud3 "out of control credit card
fraud"
http://www.garlic.com/~lynn/aepay8.htm#ccfraud Almost Half UK E-Shopper's
Fear Card Fraud (CC fraud increased by 50% in 2k)
http://www.garlic.com/~lynn/aepay8.htm#ccfraud2 Statistics for General and
Online Card Fraud
http://www.garlic.com/~lynn/aepay8.htm#x959paper Credit Card Fraud and
E-Commerce: A Case Study
http://www.garlic.com/~lynn/aepay9.htm#risks credit card & gift card fraud
(from today's comp.risks)
http://www.garlic.com/~lynn/aepay9.htm#skim High-tech Thieves Snatch Data
From ATMs (including PINs)
http://www.garlic.com/~lynn/aepay10.htm#3 High-tech Thieves Snatch Data
From ATMs (including PINs)
http://www.garlic.com/~lynn/aepay10.htm#6 credit card & gift card fraud
(from today's comp.risks)
http://www.garlic.com/~lynn/2001c.html#73 PKI and Non-repudiation
practicalities
http://www.garlic.com/~lynn/2001f.html#40 Remove the name from credit
cards!
http://www.garlic.com/~lynn/2001g.html#38 distributed authentication
http://www.garlic.com/~lynn/2001h.html#67 Would this type of credit card
help online shopper to feel more secure?
http://www.garlic.com/~lynn/2001h.html#68 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#75 Net banking, is it safe???
http://www.garlic.com/~lynn/2001j.html#9 E-commerce security????
http://www.garlic.com/~lynn/2001m.html#4 Smart Card vs. Magnetic Strip
Market


random refs:
http://www.garlic.com/~lynn/2001h.html#61 Security Proportional To Risk
http://www.garlic.com/~lynn/subtopic.html#fraud Risk, Fraud, Exploits
http://www.garlic.com/~lynn/index.html#x959 X9.59 financial industry
standard digital signed transactions
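The three attack regimes the post contrasts (harvested account numbers against a magstripe-style authorization, physical theft of a chip card without a PIN, and theft of a PIN-controlled chip that locks after a few bad guesses), as an added toy model that is not part of the original post and is not X9.59 or any issuer's code. HMAC-SHA256 with a per-card key stands in for the chip's digital signature (a real chip would hold a private key and the issuer a public key; only the verification step differs), a transaction counter models the anti-replay freshness, and an issuer hot-list models the lost/stolen report. Account numbers, PIN and merchant names are constructed.

```python
"""Toy model of magstripe vs. chip vs. PIN-controlled chip authorization.

Constructed example. HMAC-SHA256 under a per-card key stands in for the
chip-held signing key; the issuer's hot-list stands in for a lost/stolen report.
"""
import hashlib
import hmac
import os
import secrets


def _tag(key, account, counter, amount, merchant):
    # The "signature" over the transaction details; only the chip can produce it.
    msg = f"{account}|{counter}|{amount}|{merchant}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Issuer:
    def __init__(self):
        self.cards = {}  # account -> {key, counter, hot}

    def issue(self, account):
        key = secrets.token_bytes(32)
        self.cards[account] = {"key": key, "counter": 0, "hot": False}
        return key

    def report_lost(self, account):
        self.cards[account]["hot"] = True

    def authorize_magstripe(self, account):
        # Magstripe world: a valid, not-yet-reported account number is enough.
        rec = self.cards.get(account)
        return rec is not None and not rec["hot"]

    def authorize_signed(self, account, counter, amount, merchant, tag):
        rec = self.cards.get(account)
        if rec is None or rec["hot"]:
            return False
        if counter <= rec["counter"]:  # replay of an already-seen transaction
            return False
        expected = _tag(rec["key"], account, counter, amount, merchant)
        if not hmac.compare_digest(expected, tag):
            return False
        rec["counter"] = counter
        return True


class Chip:
    """The card. Holds the key and never exports it; optionally requires a PIN."""
    MAX_PIN_TRIES = 3

    def __init__(self, account, key, pin=None):
        self.account, self._key, self._pin = account, key, pin
        self.counter, self.pin_tries, self.locked = 0, 0, False

    def sign(self, amount, merchant, pin=None):
        if self.locked:
            raise PermissionError("chip locked")
        if self._pin is not None:
            if pin != self._pin:
                self.pin_tries += 1
                if self.pin_tries >= self.MAX_PIN_TRIES:
                    self.locked = True
                raise PermissionError("bad PIN")
            self.pin_tries = 0
        self.counter += 1
        return self.counter, _tag(self._key, self.account, self.counter, amount, merchant)


def harvested_numbers_attack():
    """Attacker holds only account numbers harvested from a webserver."""
    issuer = Issuer()
    issuer.issue("4111-0001")  # constructed account number
    mag_ok = issuer.authorize_magstripe("4111-0001")
    # Without the chip key the best the attacker can do is guess a tag.
    chip_ok = issuer.authorize_signed("4111-0001", 1, 100, "shop-A", os.urandom(32))
    return mag_ok, chip_ok


def stolen_card_no_pin():
    """Physical theft of a chip card with no PIN: usable once per transaction until reported."""
    issuer = Issuer()
    key = issuer.issue("4111-0002")
    card = Chip("4111-0002", key)
    ctr, tag = card.sign(250, "shop-A")
    first = issuer.authorize_signed("4111-0002", ctr, 250, "shop-A", tag)
    replay = issuer.authorize_signed("4111-0002", ctr, 250, "shop-A", tag)
    issuer.report_lost("4111-0002")
    ctr, tag = card.sign(250, "shop-B")
    after_report = issuer.authorize_signed("4111-0002", ctr, 250, "shop-B", tag)
    return first, replay, after_report


def stolen_card_with_pin(guesses):
    """Physical theft of a PIN-controlled chip: thief must guess the PIN in 3 tries."""
    issuer = Issuer()
    key = issuer.issue("4111-0003")
    card = Chip("4111-0003", key, pin="7391")  # constructed PIN
    approved = 0
    for guess in guesses:
        try:
            ctr, tag = card.sign(40, "shop-C", pin=guess)
        except PermissionError:
            continue
        approved += int(issuer.authorize_signed("4111-0003", ctr, 40, "shop-C", tag))
    return approved, card.locked


if __name__ == "__main__":
    print("harvested numbers (magstripe ok, chip ok):", harvested_numbers_attack())
    print("stolen chip, no PIN (first, replay, after report):", stolen_card_no_pin())
    print("stolen chip + PIN, 3 bad guesses then right one:",
          stolen_card_with_pin(["0000", "1111", "2222", "7391"]))
```

The model makes the post's ordering concrete: the harvested number alone authorizes a magstripe-style transaction but not a signed one; the stolen no-PIN chip works exactly once per transaction and only until the lost/stolen report lands; the PIN-controlled chip turns the theft into a three-guess problem and then locks, which is the point at which the attacker's remaining option is the chip compromise the post prices against the reporting window.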





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com