Creativity and security

J. Bruce Fields bfields at fieldses.org
Thu Mar 23 16:59:41 EST 2006


On Thu, Mar 23, 2006 at 08:15:50PM -0000, Dave Korn wrote:
>   So what they've been doing at my local branch of Marks & Spencer for the 
> past few weeks is, at the end of the transaction after the (now always 
> chip'n'pin-based) card reader finishes authorizing your transaction, the 
> cashier at the till asks you whether you actually /want/ the receipt or not; 
> if you say yes, they press a little button and the till prints out the 
> receipt same as ever and they hand it to you, but if you say no they don't 
> press the button, the machine doesn't even bother to print a receipt, and 
> you wander away home, safe in the knowledge that there is no wasted paper 
> and no leak of security information  ...
> 
>   ... Of course, three seconds after your back is turned, the cashier can 
> still go ahead and press the button anyway, and then /they/ can have your 
> receipt.  With the expiry date on it.  And the last four digits of the card 
> number.  And the name of the card issuer, which allows you to narrow the 
> first four digits down to maybe three or four possible combinations.  OK, 
> 10^8 still ain't easy, but it's a lot easier than what we started with.

If all that information's printed on the outside of the card, then isn't
this battle kind of lost the moment you hand the card to them?

--b.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com