[Cryptography] Insecure Chip 'n' PIN starts tomorrow

Allen allenpmd at gmail.com
Wed Sep 30 22:10:52 EDT 2015


> With chip+signature, you say that's not my signature, and now it's up
> to the merchant and the bank to produce a signature that looks like
> yours.


Here in the USA, you're generally asked to sign a digitizer pad, which
means the CC companies have many digitized copies of your signature stored
on their computers.  Producing one shouldn't be too difficult, and in the
doesn't demonstrate much.

However, you have the sequence wrong.  The correct order to do this is
"show me my signature", then after you see it, say "that's not mine" (if in
fact it is not yours). At least then you have in hand some correspondence
from your bank showing the phony signature in case the bank wants to
dispute it. The bank should not be trying to produce a signature after you
say "that's not mine"--at that point, they should already be bound by the
phony signature they previously produced.