[Cryptography] Insecure Chip 'n' PIN starts tomorrow

John Levine johnl at iecc.com
Wed Sep 30 20:33:43 EDT 2015

>'Visa and MasterCard could have resolved this problem by forcing card issuers to use chip ‘n’ PIN only; but they never did.'

The security issues with chip+signature are different from chip+pin
but not necessarily worse.  With chip+pin, if the bank asserts that
someone entered your PIN, you lose.  Ross Anderson has been dealing
with this issue in the UK for many years, finding that there are a
variety of ways that the bank's system treats a transaction as PIN
validated while actually it's not.

With chip+signature, you say that's not my signature, and now it's up
to the merchant and the bank to produce a signature that looks like
yours.  I realize that the number of merchants who check the signature
these days is approximately zero, but that's not my problem.


