NatWest card reader
in [UK Linux]
|
From: Joxroach on 15 Jul 2007 01:12 On 14 Jul, 15:47, Daniel James <wastebas...(a)nospam.aaisp.org> wrote: > In article <news:slrnf99mpl.df6.h(a)realh.co.uk>, Tony Houghton wrote: > > > I read somewhere that shifting the blame was the real motivation behind > > chip & pin. > I don't think this was the motive either, but it certainly is a reality. The fatal flaw with Chip & PIN, is the PIN. A PIN used with a genuine stolen Credit OR Debit Card can be used at any CHIP & PIN retailers or a much more crook friendly ATM without the perpetrator ever being challenged.A PIN used with a cloned card, then this can be used at ATMs worldwide and at many ATM's in the UK. The attraction to he crook is that they are never challenged at ATMs and retail staff don't give a hoot how uses a Chjip & PIN card. As long as the correct PIN is entered, the retailer is guaranteed their dosh. There is an alternative way to elimate the liability issue for so called PIN negligence. Read the article in Martin Lewis's Money Saving Expert Forum: http://forums.moneysavingexpert.com/showthread.html?t=484305
From: Alex Butcher on 15 Jul 2007 06:11 On Sat, 14 Jul 2007 16:43:13 +0100, Martin Gregorie wrote: > Daniel James wrote: >> In article news:<slrnf99mpl.df6.h(a)realh.co.uk>, Tony Houghton wrote: >>> I read somewhere that shifting the blame was the real motivation behind >>> chip & pin. >> >> I don't think that's ever been the motivation, but it is to some extent >> a side-effect. >> > I just had a thought while reading this post (snipped the rest). > > Does anybody know if there's anything in the card reader that's locked to > the bank account, or can I use any Natwest card reader with my card and > generate a valid authorization code? > > If the card reader is not account-specific then the activation process > boils down to a simple check can read your card and that it works > correctly. From reading Xiring's blurb it appears it works something like this: - bank website produces a challenge (this could be an encrypted version of some or all aspects of the transaction, such as the amount) - you enter this challenge on the reader (if this was an encrypted version of the transaction, it uses a key on the card's chip to decrypt and show you the details of what you're signing) - the chip on your card encrypts the challenge to produce a response. The bank/card issuer knows the key on your card's chip, so knows what the correct response should be. - you enter the response in your browser and submit it, upon which it is validated and the transaction is accepted or denied appropriately. Best Regards, Alex. -- Alex Butcher, Bristol UK. PGP/GnuPG ID:0x5010dbff "[T]he whole point about the reason why I think it is important we go for identity cards and an identity database today is that identity fraud and abuse is a major, major problem. Now the civil liberties aspect of it, look it is a view, I don't personally think it matters very much." - Tony Blair, 6 June 2006 <http://www.number-10.gov.uk/output/Page9566.asp>
From: Daniel James on 15 Jul 2007 07:23 In article news:<mh7nm4-ldu.ln1(a)zoogz.gregorie.org>, Martin Gregorie wrote: > Does anybody know if there's anything in the card reader that's locked > to the bank account, or can I use any Natwest card reader with my card > and generate a valid authorization code? I've seen it stated (I forget where) that the reader is a generic device. You will certainly be able to use the same reader with different cards from the same bank, and probably with cards from other banks. > If the card reader is not account-specific then the activation process > boils down to a simple check can read your card and that it works > correctly. No, absolutely not. The reader is just an interface, the number that is generated for you to use to authorize a payment (etc) comes *from* the card, and will be generated by some secure cryptographic process inside the card. > Even if this is the way it works there's a degree of improved > security because you are in effect supplying an 8 digit PIN rather than > a 4 digit one and also avoiding playback attacks. You would never be asked to provide your PIN itself online -- there's far too much chance of a keylogger or other malware snooping the value. The PIN will be verified by the card but will not itself play any part in the calculation of the dynamic password value. The fact that the cardreader device is not connected to the PC in any way ensured that the reader can't be infected, coerced or suborned in any way, so your PIN stays safe. Note, too, that one could use the same reader with telephone banking: the banking system could (digitally) 'speak' a number which you would enter into the reader to generate a response, and the response could be entered on the keypad of a tone-dialing phone and verified automatically by the system (I don't know whether the banks propose to do this, but the idea will not have escaped them). > I've always thought the 4 digit PIN is too short for comfort. Unfortunately there are a very large number of ATMs and POS terminals around the world that can't cope with anything longer (at least: not without a ROM upgrade, which would be difficult to perform on a secure tamper-resistent box). Cheers, Daniel.
From: Daniel James on 15 Jul 2007 07:23 In article news:<1184476357.555906.176450(a)n2g2000hse.googlegroups.com>, Joxroach wrote: > The fatal flaw with Chip & PIN, is the PIN. I tend to agree. The biggest problem is that the customer is responsible for keeping his own PIN secret, but has no say in the sorts of precautions that are available for safeguarding that secret. Point-of-sale terminals with hard-to-conceal keypads in plain view (sometimes right under security cameras) don't help at all! It would be nice if the card issuers could require the retailers to provide a more easily securable environment for PIN-entry. > A PIN used with a genuine stolen Credit OR Debit Card can be used at > any CHIP & PIN retailers or a much more crook friendly ATM without the > perpetrator ever being challenged. Yes (I made that point) ... but ONLY if the perpetrator knows the PIN. > A PIN used with a cloned card, then this can be used at > ATMs worldwide and at many ATM's in the UK. To all practical intents and purposes the chip in a card cannot be cloned, so Chip & PIN is actually quite secure against this sort of attack. The problem lies in the fact that most ATMs read the magstripe and not the chip, and magstripes are easy to copy. Unfortunately, there are still huge numbers of ATMs (in particular) and POS terminals that can't read the chip, so we're stuck with the copyable, insecure, magstripe for a long time to come. However, this is not a shortcoming of C&P, ATMs had been reading magstripe cards, accepting PINs, and handing out cash for a long time before C&P came in. > There is an alternative way to elimate the liability issue for so > called PIN negligence. There would be no liability "issue" if people managed to keep their PIN secret. You're talking about thumbprint biometrics ... that's not a complete solution but it certainly has different problems. The biggest problem with any biometric method is that it is imprecise; it's very difficult for a human expert to look at two thumbprints and say that they definitely belong to the same individual and much harder to teach a computer to compare the digitized "edited highlights" of the same two prints and make the same comparison. Biometrics specialist talk about comparing the "insult rate" with the "fraud rate" of any technique -- that is: comparing the proportion of people who will be offended by being told incorrectly that they are imposters with the proportion of people who will be mistakenly recognized as someone that they are not. A lot of work goes into fine-tuning the matching process to give an acceptable balance between the insults and the frauds. In order for any biometric technique to be acceptable at the point of sale the "insult rate" must be essentially zero because neither customers nor retailers will accept a mechanism that only accepts payment most of the time. The problem with thumbprints is that in order to get the insult rate low enough to be acceptable the fraud rate has to be allowed to be quite high. It would also be quite easy for a fraud to smudge his thumbprint enough that the reader could not make a reliable authentication, and the retailer would then be in the position of having to refuse the transaction or of making the transaction with a paper voucher ... eliminating the security that might have been achieved by the use of the thumbprint. There have also been a number of quite well-documented studies in which thumbprint readers have been fooled by false thumbprints (from simple photographs of the thumbprint of the legitimate cardholder to gelatin films bearing an impression of the cardholder's thumbprint being worn over the fraud's thumb). There is also considerable resistance to any method that uses fingerprints because people associate the process of fingerprinting with criminal investigation and feel that giving a fingerprint -- even for the purposes of protecting access to their own money -- in some way demeans them. Such resistance may be irrational, but it makes it hard for the banks to sell thumbprinting to their customers. Much better success rates can be achieved by biometrics based on the recognition of patterns in the iris of the eye, and although some early iris recognition devices could be fooled using photographs modern devices are more reliable. I think iris recognition as a means of establishing identity at point of sale is more likely to be workable than thumbprint checking, but I don't think we'll see either for the next five years or more. Cheers, Daniel.
From: Tony Houghton on 15 Jul 2007 13:48
In <VA.00001118.059e55be(a)nospam.aaisp.org>, Daniel James <wastebasket(a)nospam.aaisp.org> wrote: > There have also been a number of quite well-documented studies in which > thumbprint readers have been fooled by false thumbprints (from simple > photographs of the thumbprint of the legitimate cardholder to gelatin films > bearing an impression of the cardholder's thumbprint being worn over the > fraud's thumb). One of the most amusing was an episode of Mythbusters. An unnamed security company submitted their "unbeatable" reader which was supposed to be able to detect fake thumbs by measuring conductivity etc. IIRC they defeated it by printing a copy of the thumbprint on plain paper and licking it. An off-the-shelf reader connected to a laptop was rather harder to crack, requiring something like a latex moulding. OTOH the off-the-shelf reader would probably be more prone to the sorts of "insults" you described. -- TH * http://www.realh.co.uk |