[Cryptography] Insecure Chip 'n' PIN starts tomorrow
Phillip Hallam-Baker
phill at hallambaker.com
Thu Oct 1 08:27:44 EDT 2015
On Thu, Oct 1, 2015 at 12:57 AM, Tony Arcieri <bascule at gmail.com> wrote:
> On Wed, Sep 30, 2015 at 7:38 AM, Henry Baker <hbaker1 at pipeline.com> wrote:
>
>> FYI -- More like Bait 'n' Switch... This isn't about fraud at all, but
>> about shifting liability away from the banks.
>
>
> Do you really think a 4 digit number is the difference between a secure
> and insecure system?
>
> The liability shift is only for magstripe cards, not for EMV. Their goal
> is to push people onto EMV.
>
> EMV has a ton of issues and attacks against EMV are already commonplace.
> But magstripe cards are effectively a 16-digit + 3-digit CVV1 "password"
> you give to anyone you can transact business with, who with that knowledge
> can thereafter impersonate you on the network. That's clearly not the
> greatest authentication scheme in the world.
>
> EMV has a ton of problems, but magstripe cards are a technology that has
> outlived its usefulness.
>
Are there any attacks against EMV that don't involve using the payment
mechanisms that only require the card number?
If the magstripe transactions go away, how much card present fraud is left?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20151001/5c3cb9b6/attachment.html>
More information about the cryptography
mailing list