[Cryptography] cost-watch - the cost of the Target breach

Phillip Hallam-Baker phill at hallambaker.com
Sat Dec 6 20:28:08 EST 2014

On Sat, Dec 6, 2014 at 2:29 AM, Henry Baker <hbaker1 at pipeline.com> wrote:

> At 07:49 PM 12/5/2014, Jerry Leichter wrote:
> "It's also not at all clear that the banks were the ones who resisted on
> chip and pin.  *They* wouldn't be the ones bearing the costs of replacing
> all the card readers out there - and they stand to gain from the liability
> shift that leaves merchants who don't get new terminals stuck with any
> losses.  Overall, win/win for the banks."
> ---
> Ross Anderson has been analyzing chip&pin for years & found that there are
> just as many problems with chip&pin as with the magstripe cards.

No, he really didn't.

Chip and PIN is really difficult to defeat if the legacy magstripe channel
is disabled. Card-present fraud is virtually nonexistent on chip and pin
and in particular large scale breaches like Target are not an issue.

If they were, it would be fixable.

> Ross points out (if I recall his comments correctly) that with chip&pin,
> the burden of proof moves away from the banks, which is why the banks are
> so hot for chip&pin.  But don't hold your breath waiting for chip&pin to
> produce any improvement.  I just read that the new US chip&pin system has
> already been hacked, and it isn't even in real service here yet!

There is a difference between going to sea in a boat that takes on some
water and going to sea in a boat with a giant hole in the bottom. Ross
greatly overstates his case.