
CHIP & SIGNATURE vice CHIP & PIN

Comments

  • Degenerate wrote: »
    Would you care you explain the circumstances where a peer-reviewed research paper written by world experts in their field at Cambridge University might be ruled inadmissible?

    The paper is a scientific view. The bank may choose to accept it in advance of a hearing, in which case its content would become an agreed fact. Most likely they wouldn't want to accept it - in which case the court would require an expert opinion on it. Expert opinion is governed by Civil Procedure Rule 35 and the practice direction. Both sides could agree a joint expert, or appoint their own experts. Though appointed by the litigants, these guys have a duty to the court. He/she/they would then present their opinion which might be based on this paper - certainly they could be required to assess it, weighed up against any other research in the field. Of course the authors themselves could agree to be "experts" - the principle is that they should be open to cross-examination (though often that's done on paper in advance - questions swapped etc). I accept that this paper may well be peer-reviewed by the most "esteemed" academics in the field - but this is not a process under judicial oversight. Hence the procedure whereby "experts" who owe a duty to the court are called in to assess this kind of work.
    Degenerate wrote: »
    Well, I think the situation of a bank trying to use a proven insecure technology to pin liability for fraud on a consumer would be likely to influence the judge's decision on costs, don't you?

    No, it wouldn't be a criminal trial so fraud doesn't come into it. The conduct of the parties during the trial is the main issue when assessing costs. Costs are not meant to be punitive. Of course in practical terms poor old Mrs Miggins who was done over by her bank might get a sympathetic view. But Mr Chip-n-pin-on-the-shoulder who wants to be a hero and bring the banks down could annoy the court.

    It would be tough - the court might doubt whether it is worth the court time to argue over a few hundred quid. (Yep, "it's the principle of thing" but that's not how they work.) The most realistic way to challenge this is through a group litigation (like a class action). These are much rarer than in the US, only 73 since the present system started in 2001 (http://www.hmcourts-service.gov.uk/cms/150.htm).

    Now, there could be a criminal trial - that would be interesting. But that would be a matter for the prosecuting authorities, probably the SFO if they believed more than £1M is involved. But the proof of intention would be difficult to overcome. More likely the OFT/FSA would intervene under their regulatory powers.
    Degenerate wrote: »
    You've moved the goalposts of the debate. The same arguments could be made about a disputed signature transaction - it's not enough to prove the signature can be forged, it has to be judged whether it was likely in the specific case - but you started with the premise that signatures can be disputed but PIN authorizations are very difficult to dispute. PIN verification is now a proven insecure system just like signatures were.

    OK, yes "The same arguments could be made about a disputed signature transaction - it's not enough to prove the signature can be forged, it has to be judged whether it was likely in the specific case".

    I still think "signatures can be disputed but PIN authorizations are very difficult to dispute".

    Agree with "PIN verification is now a proven insecure system just like signatures were", though it is absolutist (suggesting something is either secure or insecure with nothing in between).

    Disagree with "moving the goalposts of the debate", but not saying I didn't shift my position within the debate (a little)!

    How's that?
  • INT1
    INT1 Posts: 1,257 Forumite
    Part of the Furniture Combo Breaker
    Degenerate wrote: »
    The prospect of making lots of money from fraud is certainly enough to attract unscrupulous people clever enough to use knowledge gained from other people's research. What great expense? They used a £150 netbook, a card terminal and a programmable logic board. I could get all that off Ebay today for a few hundred quid.

    £500 budget and a bit of technical know-how delivering potentially continuous fraud returns makes this easily a "quick buck" for the right person. Card-skimmers attached to ATMs required a similar level of competence and expenditure, and we know that's been done to death.
    What, and Cambridge University openly share this knowledge then on the exact ways and hows to do it?!

    Don't talk nonsense, you're fighting a losing battle.
  • The paper is a scientific view. The bank may choose to accept it in advance of a hearing, in which case its content would become an agreed fact. Most likely they wouldn't want to accept it - in which case the court would require an expert opinion on it. Expert opinion is governed by Civil Procedure Rule 35 and the practice direction. Both sides could agree a joint expert, or appoint their own experts. Though appointed by the litigants, these guys have a duty to the court. He/she/they would then present their opinion which might be based on this paper - certainly they could be required to assess it, weighed up against any other research in the field. Of course the authors themselves could agree to be "experts" - the principle is that they should be open to cross-examination (though often that's done on paper in advance - questions swapped etc). I accept that this paper may well be peer-reviewed by the most "esteemed" academics in the field - but this is not a process under judicial oversight. Hence the procedure whereby "experts" who owe a duty to the court are called in to assess this kind of work.

    You're talking about this like it's some debatable scientific point that experts may have differing opinions on, much like a disputed cause of death etc. It's not. It's something that can be, and has been, irrefutably proven by a simple, practical demonstration. Even the lowest calibre of rent-an-expert would not be able to refute that in court. Maybe they could get that Iraqi information minister guy to stand in court and argue the case.

    Of course in practical terms poor old Mrs Miggins who was done over by her bank might get a sympathetic view.
    That was my point.
    But Mr Chip-n-pin-on-the-shoulder who wants to be a hero and bring the banks down could annoy the court.
    Mr Chip-and-pin on his shoulder has been done over by his bank too. How could anyone just wanting their money back be viewed as unreasonable by the court?

    Agree with "PIN verification is now a proven insecure system just like signatures were", though it is absolutist (suggesting something is either secure or insecure with nothing in between).
    The banks have been applying the notion that a PIN-verified transaction must have been carried out with knowledge of the PIN. This is a proven false premise, there are no shades of grey.
  • INT1 wrote: »
    What, and Cambridge University openly share this knowledge then on the exact ways and hows to do it?!

    Don't talk nonsense, you're fighting a losing battle.

    All security research of this kind is indeed openly published. The very point is that a properly secure system should be open to scrutiny for weaknesses, not dependent on secrecy to maintain its security. It was failure to open the system to academic scrutiny that led to an insecure system being adopted in the first place. "Security by Obscurity", as it is known in research circles, is thoroughly discredited.
  • Degenerate wrote: »
    You're talking about this like it's some debatable scientific point that experts may have differing opinions on, much like a disputed cause of death etc. It's not. It's something that can be, and has been, irrefutably proven by a simple, practical demonstration. Even the lowest calibre of rent-an-expert would not be able to refute that in court. Maybe they could get that Iraqi information minister guy to stand in court and argue the case.

    Courts just don't work like that. Sorry! If you want to bring in your expert evidence, you follow the procedure.
    Degenerate wrote: »
    Mr Chip-and-pin on his shoulder has been done over by his bank too. How could anyone just wanting their money back be viewed as unreasonable by the court?

    If he won the day, he would get his damages. As for costs, that is entirely to do with the conduct of the parties during the litigation and whether any reasonable offers to settle were refused. But it is unusual for someone to get ALL their costs back.
  • Courts just don't work like that. Sorry! If you want to bring in your expert evidence, you follow the procedure.

    I wasn't disputing that, I'm just mystified how you seem to think the conclusion could be in doubt. It's an open-and-shut case. What happens if the bank can't find a single expert willing to refute the research (a very likely outcome)?

    If he won the day, he would get his damages. As for costs, that is entirely to do with the conduct of the parties during the litigation and whether any reasonable offers to settle were refused. But it is unusual for someone to get ALL their costs back.
    What constitutes a "reasonable offer" that one should settle for, if one has been a victim of fraud due to the insecurity of the bank's systems?
  • Degenerate wrote: »
    I wasn't disputing that, I'm just mystified how you seem to think the conclusion could be in doubt. It's an open-and-shut case. What happens if the bank can't find a single expert willing to refute the research (a very likely outcome)?

    It will never be an open-and-shut case because it will depend on all the circumstances specific to the transaction.

    Degenerate wrote: »
    What constitutes a "reasonable offer" that one should settle for, if one has been a victim of fraud due to the insecurity of the bank's systems?

    In a civil case, "victim of fraud" doesn't enter into it. If you were wrongly billed for something, then it would be reasonable to accept that the bank credits it and covers any directly consequential charges (interest etc).
  • Degenerate
    Degenerate Posts: 2,166 Forumite
    It will never be an open-and-shut case because it will depend on all the circumstances specific to the transaction.

    Moving goalposts again. We were talking about the scientific evidence for the insecurity of PIN verification. That is an open-and-shut case. How that would then factor into the case of a specific disputed transaction may depend on circumstances.

    I'm still interested in what happens if the plaintiff submits the research as evidence, supported by expert testimony as required etc, and the bank cannot find any expert to argue against them.

    In a civil case, "victim of fraud" doesn't enter into it. If you were wrongly billed for something, then it would be reasonable to accept that the bank credits it and covers any directly consequential charges (interest etc).
    This is precisely what banks refuse to do for PIN-verified transactions and why this hypothetical lawsuit would be happening.
  • Degenerate wrote: »
    Moving goalposts again. We were talking about the scientific evidence for the insecurity of PIN verification. That is an open-and-shut case. How that would then factor into the case of a specific disputed transaction may depend on circumstances.

    Not at all - I accepted the scientific findings. But you talked about how the paper could be given to a court, what a judge would decide and how costs would be awarded.

    Degenerate wrote: »
    I'm still interested in what happens if the plaintiff submits the research as evidence, supported by expert testimony as required etc, and the bank cannot find any expert to argue against them.

    Then it would likely be accepted as uncontested. Of course the bank may still argue it is irrelevant. (Actually since 1999 it's been "claimant" rather than "plaintiff".)
    Degenerate wrote: »
    This is precisely what banks refuse to do for PIN-verified transactions and why this hypothetical lawsuit would be happening.

    I don't understand this bit.
  • Degenerate
    Degenerate Posts: 2,166 Forumite
    I don't understand this bit.

    Victim's card is stolen in burglary/pickpocketing etc. As soon as they become aware, victim reports theft to bank. In meantime, transactions are charged to account. Victim has reported theft at earliest opportunity, but bank refuses to refund transactions because they were PIN-verified and therefore victim must have been negligent with their PIN. This is the line that banks have been taking since the introduction of Chip&Pin. This position has been untenable since the system was broken. This is what would lead the victim to file the hypothetical lawsuit we have been discussing.