CHIP & SIGNATURE vice CHIP & PIN

Hanky_Panky

chattychappy wrote: »

My guess is that if the bank suspect the technology was compromised in a particular case or the amount is small, they would always settle.

Very true.

I also think we have missed the point a bit. As it states in the paper the responsibility for the transaction has moved away from the bank so - the bank provides a secure tranactional method, chip and pin. The retailer doesn't maintain an online link so due to the technology in the resport a fraudulant transaction occurs. In this case the bank will know that an offline transaction has occured so the responsibility for that will reside with the retailer - not the customer.

Hanky_Panky

Degenerate wrote: »

They've completely defeated it.

Only for offline transactions - nothing else.

Degenerate

Hanky_Panky wrote: »

Very true.

I also think we have missed the point a bit. As it states in the paper the responsibility for the transaction has moved away from the bank so - the bank provides a secure tranactional method, chip and pin. The retailer doesn't maintain an online link so due to the technology in the resport a fraudulant transaction occurs. In this case the bank will know that an offline transaction has occured so the responsibility for that will reside with the retailer - not the customer.

Do you work for the industry or something? Only you seem very determined to ignore the fact that this hack works for online transactions and does not use a cloned card, however many times it is pointed out to you.

Degenerate

Hanky_Panky wrote: »

Only for offline transactions - nothing else.

You're not reading the paper properly. Again, that bit you quoted was out of context, discussing previous attacks, not the new one presented in the paper.

Hanky_Panky

Degenerate wrote: »

PIN verification is now a proven insecure system just like signatures were.

But only within a very narrow window where it would most likely result in the retailer being liable not the customer.
However you like to present this Chip and Pin is more secure than chip and sig even with your report.

I don't really understand why you would argue for a backward step.

Hanky_Panky

Degenerate wrote: »

You're not reading the paper properly. Again, that bit you quoted was out of context, discussing previous attacks, not the new one presented in the paper.

One of us certainly isn't reading it properly

Hanky_Panky

Degenerate wrote: »

Do you work for the industry or something? Only you seem very determined to ignore the fact that this hack works for online transactions and does not use a cloned card, however many times it is pointed out to you.

I think you are quoting out of context - you think I am. As previously stated this transactional method is stil more secure and less likely for a fraudulant transaction than a signature card.

INT1

Degenerate wrote: »

Ok, clearly you have some knowledge here. Would you care you explain the circumstances where a peer-reviewed research paper written by world experts in their field at Cambridge University might be ruled inadmissible?

Exactly, "World Experts"

The typical fraudster is not a world expert and neither would they go to great lengths and expense like what Cambridge university...errrr specialists.... did to "Crack the system"

Any system can be cracked but considering the fraudsters are out to make a quick buck, they won't employ this. And the other muppets that think they can phone their bank disputing monies being withdrawn (with the card still being in their posession) when clearly it is another member of their household or friend etc if it is validated as Chip&PIN need shooting for wasting the banks and in some cases police time.

Degenerate

Hanky_Panky wrote: »

One of us certainly isn't reading it properly

Yes, that would be you, probably getting confused by the difference between online and offline card transactions, and online and offline PIN verification. The vast majority of transactions are online transactions with offline pin verification. This means that the terminal asks the chip in the card to verify the PIN, rather than doing it over the network. Generally only ATMs use online PIN verification. Read it again.

Hanky_Panky wrote: »

But only within a very narrow window where it would most likely result in the retailer being liable not the customer.

Online transactions with offline PIN verification, the type of transaction broken by this hack, are what the banks have been trying to present as secure and pin liability on the customer, not the retailer.

However you like to present this Chip and Pin is more secure than chip and sig even with your report.

I don't really understand why you would argue for a backward step.

I have not made a single argument for a return to signatures. More proof you can't read properly.

Degenerate

INT1 wrote: »

Exactly, "World Experts"

The typical fraudster is not a world expert and neither would they go to great lengths and expense like what Cambridge university...errrr specialists.... did to "Crack the system"

The prospect of making lots of money from fraud is certainly enough to attract unscrupulous people clever enough to use knowledge gained from other people's research. What great expense? They used a £150 netbook, a card terminal and a programmable logic board. I could get all that off Ebay today for a few hundred quid.

Any system can be cracked but considering the fraudsters are out to make a quick buck, they won't employ this.

£500 budget and a bit of technical know-how delivering potentially continuous fraud returns makes this easily a "quick buck" for the right person. Card-skimmers attached to ATMs required a similar level of competence and expenditure, and we know that's been done to death.