«

Chip used in new credit cards, etc. has been broken by Ross Anderson and
his lads at Cambridge. Hell, I have one of these (my Visa card).

Chip and PIN is Broken
http://www.cl.cam.ac.uk/research/sec...nd10chipbroken
..pdf

Incidentally, I'd still hate these type of credit cards even if the chip
were invulnerable. The PIN now effectively takes the place of a signature.
But digital signatures are a curse - they cause a gigantic shift from
traditional written signatures.

Under the law regarding written signatures as it has stood for centuries
everywhere, it is the person *relying* on the signature who must validate
it and who therefore takes the hit if it is a forgery, etc. With digital
signatures (as the PIN effectively is) the burden shifts from the recipient
to the *issuer* - an outrageous proposition, but one that banks, etc. love.

Regards,

PS It's now up to *me* to prove that some frudulent use of my new chipped
card is indeed fraudulent. But if the current crack had been done by, say,
a Russian hacking group and not published by Cambridge, proving that fraud
would be a burden totally beyond the capacity of any ordinary citizen to
do.

Moreover, the new digital signatures impose a "duty of care" that was never
there with tradtional written signatures. I must safeguard (in principle
forever) my PIN, whereas with traditional signatures all I have to do is
only sign something if I wish to (with no resultant ongoing duty regarding
the signature thereafter).

["Followup-To:" header set to alt.computer.security.]
On 2010-02-12, nemo_outis <> wrote:
> Chip used in new credit cards, etc. has been broken by Ross Anderson and
> his lads at Cambridge. Hell, I have one of these (my Visa card).
>
> Chip and PIN is Broken
> http://www.cl.cam.ac.uk/research/sec...nd10chipbroken
> .pdf
>
> Incidentally, I'd still hate these type of credit cards even if the chip
> were invulnerable. The PIN now effectively takes the place of a signature.
> But digital signatures are a curse - they cause a gigantic shift from
> traditional written signatures.

As the paper says, this is all an attempt by the banks to shuffle off
responsibility for fraud by dumping the responsibility onto the
customers. Instead of the merchant/bank having to verify signatures,
they can simply verfiy a number ( a pin) and can blame the customer if
anything goes wrong.

>
> Under the law regarding written signatures as it has stood for centuries
> everywhere, it is the person *relying* on the signature who must validate
> it and who therefore takes the hit if it is a forgery, etc. With digital
> signatures (as the PIN effectively is) the burden shifts from the recipient
> to the *issuer* - an outrageous proposition, but one that banks, etc. love.
>
> Regards,
>
> PS It's now up to *me* to prove that some frudulent use of my new chipped
> card is indeed fraudulent. But if the current crack had been done by, say,
> a Russian hacking group and not published by Cambridge, proving that fraud
> would be a burden totally beyond the capacity of any ordinary citizen to
> do.
>
> Moreover, the new digital signatures impose a "duty of care" that was never
> there with tradtional written signatures. I must safeguard (in principle
> forever) my PIN, whereas with traditional signatures all I have to do is
> only sign something if I wish to (with no resultant ongoing duty regarding
> the signature thereafter).

Agreed. They claim it makes the cards safer, but I think the primary
thing it does is to offload responsibility.

>
>
>
>

On Fri, 12 Feb 2010 20:53:11 GMT, unruh
<> wrote:

>["Followup-To:" header set to alt.computer.security.]
>On 2010-02-12, nemo_outis <> wrote:
>> Chip used in new credit cards, etc. has been broken by Ross Anderson and
>> his lads at Cambridge. Hell, I have one of these (my Visa card).

>As the paper says, this is all an attempt by the banks to shuffle off
>responsibility for fraud by dumping the responsibility onto the
>customers. Instead of the merchant/bank having to verify signatures,
>they can simply verfiy a number ( a pin) and can blame the customer if
>anything goes wrong.

Your PIN is 4 decimal digits, isn't it ?
So there are --worldwide-- no more than 9.999 different
'signatures' around. Any guess as to with how many folks you
share your 'personal electronic signature' ?

--
met vriendelijke groet,
Gerard Bok

(Gerard Bok) wrote in
news::

> On Fri, 12 Feb 2010 20:53:11 GMT, unruh
> <> wrote:
>
>>["Followup-To:" header set to alt.computer.security.]
>>On 2010-02-12, nemo_outis <> wrote:
>>> Chip used in new credit cards, etc. has been broken by Ross Anderson
>>> and his lads at Cambridge. Hell, I have one of these (my Visa
>>> card).
>
>>As the paper says, this is all an attempt by the banks to shuffle off
>>responsibility for fraud by dumping the responsibility onto the
>>customers. Instead of the merchant/bank having to verify signatures,
>>they can simply verfiy a number ( a pin) and can blame the customer
>>if anything goes wrong.
>
> Your PIN is 4 decimal digits, isn't it ?
> So there are --worldwide-- no more than 9.999 different
> 'signatures' around. Any guess as to with how many folks you
> share your 'personal electronic signature' ?
>

It's not the 4-digit problem that bothers me so much. After all, the
chance that a thief randomly entering a pin guess for a stolen card will
get it right is very slim.

No, the problem is the "moral hazard" regarding the banks (and related
financial institutions) that profit so much from these cards. In the past
the banks have fobbed off the risk onto the merchants; with this latest
twist the banks have fobbed off the risks onro the consumer. But, either
way, risks never "mature' for those who profit most - the banks. The banks
always (cleverly but dishonestly) "displace" the risks. And, aside from the
affront this is to natural justice, it causes a more practical problem: the
banks have little incentive to really strengthen these systems and not do a
slipshod job.

Regards,

On Sat, 13 Feb 2010 00:38:52 GMT, "nemo_outis" <>
wrote:

> (Gerard Bok) wrote in
>news::
>
>> On Fri, 12 Feb 2010 20:53:11 GMT, unruh
>> <> wrote:
>>
>>>["Followup-To:" header set to alt.computer.security.]
>>>On 2010-02-12, nemo_outis <> wrote:
>>>> Chip used in new credit cards, etc. has been broken by Ross Anderson
>>>> and his lads at Cambridge. Hell, I have one of these (my Visa
>>>> card).
>>
>>>As the paper says, this is all an attempt by the banks to shuffle off
>>>responsibility for fraud by dumping the responsibility onto the
>>>customers. Instead of the merchant/bank having to verify signatures,
>>>they can simply verfiy a number ( a pin) and can blame the customer
>>>if anything goes wrong.
>>
>> Your PIN is 4 decimal digits, isn't it ?
>> So there are --worldwide-- no more than 9.999 different
>> 'signatures' around. Any guess as to with how many folks you
>> share your 'personal electronic signature' ?
>>
>
>It's not the 4-digit problem that bothers me so much. After all, the
>chance that a thief randomly entering a pin guess for a stolen card will
>get it right is very slim.

Well, with 3 attempts it is 1 in 3.333. Far better than in most
lotteries. (Do you know a system admin that allows passwords of
less than 8 characters ? 10E14 or more guess rate

>No, the problem is the "moral hazard" regarding the banks

Vital characteristic of a signature is imho it's uniqueness.
There is nothing unique about 4 digits
If it is not unique, don't call it signature as it in now way
identifies someone.

--
met vriendelijke groet,
Gerard Bok

> Chip used in new credit cards, etc. has been broken by Ross Anderson and
> his lads at Cambridge. Hell, I have one of these (my Visa card).
>
> Chip and PIN is Broken
> http://www.cl.cam.ac.uk/research/sec...nd10chipbroken
> .pdf
>
> Incidentally, I'd still hate these type of credit cards even if the chip
> were invulnerable. The PIN now effectively takes the place of a signature.
> But digital signatures are a curse - they cause a gigantic shift from
> traditional written signatures.
>
> Under the law regarding written signatures as it has stood for centuries
> everywhere, it is the person *relying* on the signature who must validate
> it and who therefore takes the hit if it is a forgery, etc. With digital
> signatures (as the PIN effectively is) the burden shifts from the recipient
> to the *issuer* - an outrageous proposition, but one that banks, etc. love.
>
> Regards,
>
> PS It's now up to *me* to prove that some frudulent use of my new chipped
> card is indeed fraudulent. But if the current crack had been done by, say,
> a Russian hacking group and not published by Cambridge, proving that fraud
> would be a burden totally beyond the capacity of any ordinary citizen to
> do.
>
> Moreover, the new digital signatures impose a "duty of care" that was never
> there with tradtional written signatures. I must safeguard (in principle
> forever) my PIN, whereas with traditional signatures all I have to do is
> only sign something if I wish to (with no resultant ongoing duty regarding
> the signature thereafter).

These are very good points in my opinion. I hate promoting
increasing of the multitude of laws we already have, but we probably
need to lobby our representatives for legeslation to protect us here.

(Gerard Bok) writes:
> Vital characteristic of a signature is imho it's uniqueness.
> There is nothing unique about 4 digits
> If it is not unique, don't call it signature as it in now way
> identifies someone.

human signature is used to imply intent, agrees, authorizes, approves.

for pin-debit at check-out counters ... the PIN entry is part of
two-factor authentication; the act of pressing the "yes" button (or
touch screen field) is the part of the transaction that is taken as
implying intent, agrees, authorizes, approves.

an interface might have something like "please re-entry your pin if you
agree" ... the act of PIN-entry is the part of demonstrating human
intent (in response to the interface request).

we had been been brought in to help word-smith the cal. state electronic
signature legislation ... one of the points that the lawyers made was
that there had to be some sort of human interaction to demonstrate human
intent.

there was some issue with the things called "digital signatures"
.... resulting in cognitive dissonance (possibly because "human
signature" and "digital signature" both contained the word "signature")
.... where lots of "digital signatures" were being performed w/o the
necessary corresponding aspect that demonstrated human intent, agrees,
authorizes, approves.

old reference to "yes card" presentation at cartes2002 about trivial to
clone card.
http://web.archive.org/web/200304170...artes2002.html

there were similar presentations at the ATM Integrity Task Force
meetings.

--
42yrs virtualization experience (since Jan6, online at home since Mar1970

(Gerard Bok) wrote in
news::

....
>>> Your PIN is 4 decimal digits, isn't it ?
>>> So there are --worldwide-- no more than 9.999 different
>>> 'signatures' around. Any guess as to with how many folks you
>>> share your 'personal electronic signature' ?
>>>
>>
>>It's not the 4-digit problem that bothers me so much. After all, the
>>chance that a thief randomly entering a pin guess for a stolen card
>>will get it right is very slim.
>
> Well, with 3 attempts it is 1 in 3.333. Far better than in most
> lotteries. (Do you know a system admin that allows passwords of
> less than 8 characters ? 10E14 or more guess rate
>
>>No, the problem is the "moral hazard" regarding the banks
>
> Vital characteristic of a signature is imho it's uniqueness.
> There is nothing unique about 4 digits
> If it is not unique, don't call it signature as it in now way
> identifies someone.
>

First of all the banks just call it a PIN, not a signature (they DON'T
want to draw attention to the change!). Second, in this application the
vital aspect of the PIN is not that it identifies someone but that it
*authorizes* a transaction in the *name* of someone - which is precisely
what a manuscript signature would do. In this context the PIN supplants
the manuscript signature which would ordinarily have been required and
is the *functional equivalent* of that manuscript signature - which is
why it is appropriate to refer to the PIN analogically as a "signature"

As for whether a 4-digit PIN is sufficient for ordinary commerce, it
appears to be. One-shot guessing is not a practical strategy for card
thieves, and certainly does not occur enough (if at all) to constitute a
significant problem. And even 4 digits taxes the memory of a goodly
proportion of the population, with resulting bank costs for resetting,
etc.

What supposedly *uniquely* identifies a person is possession of the card
AND knowledge of the PIN. And, for that, 4 digits are more than
sufficient. (Even, say, a 6-digit PIN might well not be unique among a
large bank's set of cardholders - but, fortunately, uniqueness is an
irrelevant property.)

No, the incremental benefit of a 5, 6 or N-digit PIN would be minuscule.
(And for the banks, not just minuscule, but actually zero or even
negative if reset costs, etc. are considered!)

But, as Anderson et al. and I point out, that is precisely the nature of
the problem - the banks don't give a flying **** whether or not 4 digits
are sufficient because they have displaced this risk (and many others)
onto others and no longer bear it.

Regards,

PS The current PIN problem discussed in the paper arises, not because
of the limited number of PIN digits, but because it is possible to
thwart the overarching validation protocol. And that would be equally
true for a 20-digit PIN!

On Sat, 13 Feb 2010 17:37:36 GMT, "nemo_outis" <> wrote:

<snip>

Although you are right that it shifts responsibility to the
user rather than it being the job of the entity accepting the
card to verify a signature, in practice the signature verification
was often badly done as I found out using someone else's card
by mistake one day and signing with a totally different sig
nobody picked up on it.

Now in the event it was fraudulent of course its harder for the
bank to claim its the card owners fault. However even if th
bank pays the cost of fraud, that cost comes back to the cardholders
by way of charges.

I never understood why photoid on cards never took off. That
provides another security feature.
--
Jim Watt
http://www.gibnet.com

On 2010-02-16, Jim Watt <_way> wrote:
> On Sat, 13 Feb 2010 17:37:36 GMT, "nemo_outis" <> wrote:
>
><snip>
>
> Although you are right that it shifts responsibility to the
> user rather than it being the job of the entity accepting the
> card to verify a signature, in practice the signature verification
> was often badly done as I found out using someone else's card
> by mistake one day and signing with a totally different sig
> nobody picked up on it.

If it was badly done, the persons who did it badly paid ( the mercant or
the bank.) If chip and pin is badly done, the user pays. Since it is the
merchant/bank that has the control, forcing the user to pay for their
incompetence seems a bit rich, and puts the rewards in entirely the
wrong place ( the bank gets rewarded for their own incompetence-- they
collect the fees etc, even if they screwed up).

>
> Now in the event it was fraudulent of course its harder for the
> bank to claim its the card owners fault. However even if th
> bank pays the cost of fraud, that cost comes back to the cardholders
> by way of charges.

Maybe, or maybe it comes out of theprofits. If card company A has
competition from B ( visa from mastercard, amex, diners,...) and if
visa's costs are way out of line they cannot pass it on, or they lose
all their customers. Now however, they screw up and they sue you.


>
> I never understood why photoid on cards never took off. That
> provides another security feature.

Sure, but it makes issuing and reissuing harder.

> --
> Jim Watt
> http://www.gibnet.com