Chip & PaIN - A financial fiasco
Comments
-
But changing the systems to allow this exposes the MK, and therefore every other issued card, to some level of risk. I don't actually agree that the key needs to be made public in any case. The AC verification has to comply with the Visa or MasterCard spec (as appropriate) - as long as you can be sure that the response means 'valid' or 'invalid' you don't need to know the keys involved. I do agree that the bank merely stating "well, the card must have been used" is not sufficient.
It's the fact that you're allowing someone to retrieve a key from the bank's HSM. This is functionality that shouldn't exist in a secure system and would possibly cause the system to fail a Visa/MasterCard audit.
I don't see how it exposes the Issuer Master Key. Nobody is retrieving a key from the HSM - it would need to derive the key for a specific card and output this - exactly the same as it does when generating embossing data. This may not be standard functionality, but it's not inherently insecure.
I think the security issue is a red herring. There may be practical problems, but these need to be overcome if the system is to remain trusted by the public. Remember that we are talking about access to primary evidence of non-repudiation in the event that the bank and customer reach a complete impasse - this is a highly exceptional event, and would be even more so if the banks were proven to be right whenever it does reach this stage.
The banks may well be audited by the schemes, but the point is you still have to take their word that the transaction is genuine. In the Cambridge submission it explains that the bank's assertion of "chip read" actually meant a number of different things - it did not always mean that a valid TC was generated. The ombudsman, it would seem, was far too easily convinced by the bank's assertions.
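The issuer-side check the posts above argue over, as an added example in Go that is not from this thread or from any bank's system. It follows the published EMV Book 2 Annex A1 algorithms as I understand them (Option A card key derivation, the common session key, and the ISO/IEC 9797-1 retail MAC with 0x80 padding); real issuers' cryptogram versions differ in details such as padding and key derivation, and the IMK, PAN, ATC and transaction data are constructed for the demo. The point it shows is the one made in the thread: the HSM derives the card's key internally and answers only valid/invalid, so neither the Issuer Master Key nor the card key has to be exported to establish whether a cryptogram is genuine.

```go
package main
import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)
// tdes2 encrypts one 8-byte block under a 16-byte (two-key) 3DES key.
func tdes2(k16, block []byte) []byte {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, k16...), k16[:8]...))
	out := make([]byte, 8); c.Encrypt(out, block); return out
}
// deriveCardKey: EMV Book 2 Annex A1.4 Option A. The card's own key is 3DES of the rightmost
// 16 digits of PAN||PSN (and their complement) under the Issuer Master Key, parity-adjusted.
func deriveCardKey(imk []byte, pan, psn string) []byte {
	d := pan + psn // assumes at least 16 digits in total, as with a 16-digit PAN
	y, _ := hex.DecodeString(d[len(d)-16:])
	yc := make([]byte, 8); for i := range y { yc[i] = y[i] ^ 0xFF }
	key := append(tdes2(imk, y), tdes2(imk, yc)...)
	for i, b := range key { if bits.OnesCount8(b)%2 == 0 { key[i] = b ^ 1 } } // odd parity
	return key // the IMK was used here but is never output
}
// sessionKey: EMV common session key (Annex A1.3.1), the card key diversified by the ATC.
func sessionKey(mk, atc []byte) []byte {
	return append(tdes2(mk, []byte{atc[0], atc[1], 0xF0, 0, 0, 0, 0, 0}),
		tdes2(mk, []byte{atc[0], atc[1], 0x0F, 0, 0, 0, 0, 0})...)
}
// cryptogram: ISO/IEC 9797-1 Algorithm 3 MAC (EMV Annex A1.2): pad with 0x80 and zeros,
// DES-CBC under the left key, then decrypt with the right key and re-encrypt with the left.
func cryptogram(sk, data []byte) []byte {
	kl, _ := des.NewCipher(sk[:8]); kr, _ := des.NewCipher(sk[8:])
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%8 != 0 { msg = append(msg, 0) }
	h := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := range h { h[j] ^= msg[i+j] }; kl.Encrypt(h, h)
	}
	kr.Decrypt(h, h); kl.Encrypt(h, h)
	return h
}
// verifyARQC: the issuer-side HSM check. Keys are re-derived inside and only valid/invalid comes out.
func verifyARQC(imk []byte, pan, psn string, atc, data, arqc []byte) bool {
	return bytes.Equal(cryptogram(sessionKey(deriveCardKey(imk, pan, psn), atc), data), arqc)
}
func main() { // constructed demo values: test IMK, PAN/PSN, ATC and CDOL1 data
	imk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")
	atc, data := []byte{0x00, 0x2A}, []byte("constructed CDOL1 data")
	arqc := cryptogram(sessionKey(deriveCardKey(imk, "4000123456789010", "01"), atc), data)
	fmt.Printf("ARQC %X valid=%v\n", arqc, verifyARQC(imk, "4000123456789010", "01", atc, data, arqc))
}
```

The card-side call in main stands in for the chip computing its ARQC with its personalised key; a real dispute would compare the stored cryptogram and its ATC against exactly this kind of re-derivation.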
-
As the nice policeman says, it has been successful in doing what it was designed to do; the APACS figures back this up. We have to remember that "card fraud" is not a single indivisible area. What's also hardly ever made clear is what EMV was actually intended to do.
-
I love a good scaremongering horror story.
Next they'll be saying we can get flu from pigs!
-
Or birds!