[Cryptography] Insecure Chip 'n' PIN starts tomorrow

Tom Mitchell mitch at niftyegg.com
Thu Oct 1 16:35:20 EDT 2015


On Thu, Oct 1, 2015 at 9:31 AM, John Levine <johnl at iecc.com> wrote:

> In article <CAB7TAM=86+aXkfzgdax66JPNQ1GKgzpwqJvwrEeCaOfL=
> 5dLmA at mail.gmail.com> you write:
> >-=-=-=-=-=-
> >
> >> With chip+signature, you say that's not my signature, and now it's up
> >> to to the merchant and the bank to produce a signature that looks like
> >> yours.
> >
> >
> >Here in the USA, you're generally asked to sign a digitizer pad, which
> >means.....
>
> I always write "not me" or "fluffy" on the digitizer pad.
>
>
There are two issues here.
-) One is distribution and installation of technology.
Any change that does not have a transition plan would be difficult to
install in a system as large as the bank card system.  In this case
policy can change... once technology has been installed.

Now for the crypto part to keep this discussion here.
-) The not-me/fluffy digitizer pad trick could be a simple smart-phone-generated
code or word.

Consider an application that could use date time and a personal seed
to generate a short code to scribble on the pad.  The application
can log the date time and general location.. local, or in the cloud.
Digitized pads are sloppy, but Tom52 (TomXX, where only the XX is generated,
in large, easy-to-see characters) or something close would
be used once at a single date and time that could be logged for audit
by something as simple as an email-to-self message.  Some sufficiently
unpredictable two-digit code added behind a signature word like Fluffy
would set the stage for "show me the signature": no, it is not... 52
was not used at that location and not used within an hour/day of the
reported transaction.

Something like the Google "+" trick for email filters, where the chars
to the right of the + are ignored but useful.

$ date | md5sum | cut -c 7,11
5a

Signed   -- Fluffy5A

-- 
  T o m    M i t c h e l l
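As an added example (not code from the post above, and not anything the
card networks ship), here is one way the seed-plus-date-time scheme could be
worked through end to end: the two characters behind the signature word come
from an HMAC over the current hour keyed with a personal seed held only by the
cardholder's app, every use is written to an audit log with time and rough
location, and a dispute check answers "was that code used at that place within
that window?". The seed, the word "Fluffy", the hour-sized window, the store
names and the timestamps are all constructed for the example; the keyed HMAC
stands in for the post's unkeyed `date | md5sum` so that the suffix depends on
something a merchant cannot recompute.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample values for this example (not from the post).
SEED = b"tom-personal-seed-kept-on-the-phone"   # the "personal seed"
WORD = "Fluffy"                                  # the signature word
SAMPLE_TIME = datetime(2015, 10, 1, 16, 35, tzinfo=timezone.utc)


def shift(when: datetime, minutes: int = 0, hours: int = 0, days: int = 0) -> datetime:
    """Convenience: move a timestamp by some amount."""
    return when + timedelta(minutes=minutes, hours=hours, days=days)


def hour_bucket(when: datetime) -> str:
    """The window a code is tied to: one calendar hour, in UTC."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H")


def signature_code(seed: bytes, when: datetime, word: str = WORD) -> str:
    """Signature word plus two hex characters derived from seed and hour.

    HMAC-SHA256 keyed with the seed replaces the post's `date | md5sum`,
    so the two characters depend on a secret only the cardholder's app holds.
    Returns e.g. "Fluffy5A"; with word="" it returns just the two characters.
    """
    mac = hmac.new(seed, hour_bucket(when).encode(), hashlib.sha256).digest()
    return f"{word}{mac[0]:02X}"


def valid_suffixes(seed: bytes, around: datetime, hours: int = 1) -> set:
    """Every two-character suffix the app would emit within +/- `hours` of `around`."""
    return {signature_code(seed, shift(around, hours=h), word="")
            for h in range(-hours, hours + 1)}


def code_matches_window(seed: bytes, claimed: str, around: datetime,
                        hours: int = 1, word: str = WORD) -> bool:
    """Could `claimed` have been produced by this app near `around` at all?"""
    if not claimed.startswith(word):
        return False
    return claimed[len(word):] in valid_suffixes(seed, around, hours)


def log_use(log: list, seed: bytes, when: datetime, where: str) -> dict:
    """Record one signing: what was written, when, and roughly where.

    In the post this is "an email to self"; here it is an in-memory list.
    """
    entry = {"when": when.astimezone(timezone.utc), "where": where,
             "code": signature_code(seed, when)}
    log.append(entry)
    return entry


def dispute(log: list, claimed_code: str, claimed_when: datetime,
            claimed_where: str, hours: int = 1) -> list:
    """Audit-log entries that could back a merchant's claimed signature.

    An empty list is the post's argument: that code was not used at that
    location, and not within an hour/day of the reported transaction.
    """
    claimed_when = claimed_when.astimezone(timezone.utc)
    window = timedelta(hours=hours)
    return [e for e in log
            if e["code"] == claimed_code
            and e["where"] == claimed_where
            and abs(e["when"] - claimed_when) <= window]


if __name__ == "__main__":
    log = []
    mine = log_use(log, SEED, SAMPLE_TIME, "store-A")
    print("signed as:", mine["code"])
    # Merchant claims that signature at store-B, two days later: nothing backs it.
    print("matches at store-B, +2 days:",
          dispute(log, mine["code"], shift(SAMPLE_TIME, days=2), "store-B"))
```

The lookup on the audit side is by code, place and time only; the seed is
never needed once the code has been written down, which is what lets the log
itself be something as dumb as a mailbox.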