massive data theft at MasterCard processor

Jörn Schmidt joern2473 at yahoo.com
Sat Jun 25 13:03:32 EDT 2005


On 6/21/05, Florian Weimer <fw at deneb.enyo.de> wrote:

>> Also there are several attacks on Chip n' PIN as deployed here in 
>> the UK, starting with the fake reader attacks - for
>> instance, a fake reader says you are authorising a payment for 
>> $6.99 while in fact the card and PIN are being used to authorise a
>> transaction for $10,000 across the street.
> 
> In Germany, there's a widely used system based on PIN and a magnetic
> stripe, and you can buy used reader devices on Ebay. 8-( This makes
> it rather easy to mount a MITM attack.

That most certainly is true but you're overlooking a
more practical aspect. All German financial
institutions that process credit card transactions
contractually require their merchants to offer the
customer a receipt (as does German law in most cases).
Most, if not all, banks that issue credit cards require their customers
to retain a copy of those receipts for one billing cycle (i.e., until
they send you your statement and you have a chance to
review it and compare individual charges that seem
suspect with the data on the receipts you have).

If your receipt says $6.99 but your statement says
$10,000 (classic MITM attack), you have a valid
defense in the eyes of the German law. Legally, the
receipt is the document which authorized the financial
transaction. If you show up in court and present your
$6.99 receipt, you automatically shift the burden of
proof to the bank -- now they have to positively prove
that you indeed authorized $10k, and not just $6.99,
to be transferred. Realistically, they will hardly ever
be able to do that.

That model works fairly well. The weak point is the
customer -- just tossing or blindly signing a receipt
obviously breaks the model. But, personally, I don't
really have a problem with that; the point is to
protect the customer from scammers, and not from his
or her own stupidity.

Sincerely,

  Joern


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
