Citibank e-mail looks phishy

Anne & Lynn Wheeler lynn at
Wed Nov 15 18:15:12 EST 2006

James A. Donald wrote:
> The failures of high finance are more subtle.  They push
> the boundaries of what people can easily comprehend. Not
> one person in a thousand - no regulators, and not many
> accountants, understand what went wrong with Enron,
> though quite a lot of investors and creditors
> understand.

the straight-forward ones are not too bad ... they just require somebody to understand the infrastructure and to do a detailed  vulnerability analysis. the more complex ones are systemic failures ... which can happen in complex, interconnected infrastructures .... whether it is financial infrastructure or the power grid ... or some of the PKI-based scenarios (things that might be considered relatively minor failures, cascade and pull down the whole infrastructure).

some of the straight-forward ones can also happen because of infrastructure and/or paradigm changes ... and there wasn't any forward thinking.

recent thread today in sci.crypt New attack on the financial PIN processing New attack on the financial PIN processing

there is reference to chip&pin and the "yes card" exploit

as referenced, the x9a10 financial standard group was formed to work on x9.59 standard (and given the requirement to preserve the integrity of the financial infrastructure for all retail payments) in the same time frame that work started on chip&pin. chip&pin appeared to come out with a solution that addressed lost/stolen (magstripe) card. however, in the decade preceding that work, there was a big increase in skimming/harvesting static authentication data for the production of counterfeit cards.

there was already a partial countermeasure for lost/stolen card ... that was notifying the issuer and getting the account flagged. however, skimming, harvesting, and/or data breaches involving static authentication information was a much more difficult problem ... since it typically wasn't evident to the card owner that it has happened (and most indications would only be there when the fraudulent transactions started showing up)

so not too long after chip&pin deployments in the 90s, "yes card" exploits started appearing. some have even claimed that chip&pin actually made the situation worse vis-a-vis magstripe card ... because a chip was allowed to tell a terminal to do offline transactions (which a counterfeit "yes card" would always do) ... which negated the countermeasure of flagging the account (since a real time transaction wasn't being done, by the time a terminal found out that an account was flagged, it was way too late).

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list