[Cryptography] Insecure Chip 'n' PIN starts tomorrow

John Levine johnl at iecc.com
Thu Oct 1 12:31:32 EDT 2015


In article <CAB7TAM=86+aXkfzgdax66JPNQ1GKgzpwqJvwrEeCaOfL=5dLmA at mail.gmail.com> you write:
>> With chip+signature, you say that's not my signature, and now it's up
>> to the merchant and the bank to produce a signature that looks like
>> yours.
>
>
>Here in the USA, you're generally asked to sign a digitizer pad, which
>means the CC companies have many digitized copies of your signature stored
>on their computers.  Producing one shouldn't be too difficult, and in the
>doesn't demonstrate much.

I always write "not me" or "fluffy" on the digitizer pad.  A while ago
there was an amusing web site in which a guy wrote ever more egregious
non-signatures to try to get clerks' attention, with negligible success.

It's clear that the actual security model of chip+signature or for
that matter swipe+signature is rather unlike the nominal one, but as
far as I can tell other than the hidden cost of the banks or merchants
eating the fraud, it works to the benefit of card users.

R's,
John


