[Cryptography] cost-watch - the cost of the Target breach
iang at iang.org
Sun Dec 7 14:04:43 EST 2014
On 6/12/2014 07:29 am, Henry Baker wrote:
> At 07:49 PM 12/5/2014, Jerry Leichter wrote:
> "It's also not at all clear that the banks were the ones who resisted on chip and pin. *They* wouldn't be the ones bearing the costs of replacing all the card readers out there - and they stand to gain from the liability shift that leaves merchants who don't get new terminals stuck with any loses. Over all, win/win for the banks."
> Ross Anderson has been analyzing chip&pin for years & found that there are just as many problems with chip&pin as with the magstripe cards.
That would be an exaggeration. Chip&pin is a lot more secure, it's very
hard to clone them . Although, implementations can go badly wrong,
eg., it has recently been found in the USA where some players elected to
ignore the signature checks.
> Ross points out (if I recall his comments correctly) that with chip&pin, the burden of proof moves away from the banks, which is why the banks are so hot for chip&pin.
Well. So, the banks can choose to move the burden of proof across to
the customer. They can also choose other things. It isn't the
technology's fault that the burden of proof moves, but the deliberate
choice of the parties involved.
And the party in direct control is the banks, and it is no surprise that
the banks in Britain have elected to move the liability directly to the
consumer when the consumer has no choice nor capability to deal, because
this rests nicely on a claim by banks that their systems are perfect
. In contrast, European banks are much more ready to assume
liability for things, perhaps because they think more along the lines of
overall service and stability than this quarter's bottom line.
It's also the case that the British courts have bungled the handling of
liability, including one case where they ignored evidence of the bank's
culpability to assign the losses to the victim .
> But don't hold your breath waiting for chip&pin to produce any improvement. I just read that the new US chip&pin system has already been hacked, and it isn't even in real service here yet!
Right, it is entirely possible that the American banks stuff up the
implementation. Or it doesn't make economic sense . Or any of 100
other reasons. It's not really set up for them to do well :)
 Steve Bellovin:
More information about the cryptography