[Cryptography] Insecure Chip 'n' PIN starts tomorrow
Paul Ferguson
fergdawgster at mykolab.com
Wed Sep 30 22:00:52 EDT 2015
On 9/30/2015 5:33 PM, John Levine wrote:
>> 'Visa and MasterCard could have resolved this problem by forcing
>> card issuers to use chip 'n' PIN only; but they never did.'
> The security issues with chip+signature are different from
> chip+pin but not necessarily worse. With chip+pin, if the bank
> asserts that someone entered your PIN, you lose. Ross Anderson has
> been dealing with this issue in the UK for many years, finding that
> there are a variety of ways that the bank's system treats a
> transaction as PIN validated while actually it's not.
>
> With chip+signature, you say that's not my signature, and now it's
> up to the merchant and the bank to produce a signature that
> looks like yours. I realize that the number of merchants who check
> the signature these days is approximately zero, but that's not my
> problem.
Also: U.S. consumer protection laws.
At some point, the chickens in these liability on these issues will
come home to roost.
- ferg
--
Paul Ferguson
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2