[Cryptography] Insecure Chip 'n' PIN starts tomorrow

Paul Ferguson fergdawgster at mykolab.com
Wed Sep 30 22:00:52 EDT 2015

Hash: SHA256

On 9/30/2015 5:33 PM, John Levine wrote:

>> 'Visa and MasterCard could have resolved this problem by forcing
>> card issuers to use chip �n� PIN only; but they never did.'

> The security issues with chip+signature are different from
> chip+pin but not necessarily worse.  With chip+pin, if the bank
> asserts that someone entered your PIN, you lose.  Ross Anderson has
> been dealing with this issue in the UK for many years, finding that
> there are a variety of ways that the bank's system treats a
> transaction as PIN validated while actually it's not.
> With chip+signature, you say that's not my signature, and now it's
> up to to the merchant and the bank to produce a signature that
> looks like yours.  I realize that the number of merchants who check
> the signature these days is approximately zero, but that's not my
> problem.

Also: U.S. consumer protection laws.

At some point, the chickens in these liability on these issues will
come home to roost.

- - ferg

- -- 
Paul Ferguson
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
Version: GnuPG v2


More information about the cryptography mailing list