The article has a number of strange assertions. First, only 3 PINs being generated by the card issuing system. I can see this is possible if you hack the application code itself but the HSMs (hardware security modules) that actually do the cryptographic operations wouldn't do this using Visa, IBM or Diebold PIN offset generation calls. It's possible, but it would be an insider job in one bank NOT the whole banking system.
Second, the description of the scam is that one PIN offset on track 2 can be used with multiple account numbers. Again, all the standard PIN methods explicitly prevent this - the account number (PAN) is part of the input data to the PIN verification call.
Third, the description has the crook shoulder surfing for PINs. Why does he need to do this if any known PIN can be used with any account? He only needs one known PIN and the corresponding card to be able to write as many cards as he likes.
I'm sure there's some truth in the story but the technical detail is unconvincing.
"The TPC Benchmark(TM)H (TPC-H) is a decision support benchmark." i.e. for management accountants. "The TPC-C benchmark continues to be a popular yardstick for comparing OLTP performance on various hardware and software configurations." i.e. for me to get cash from an ATM
There's only one <a href="http://www.tpc.org/tpcc/results/tpcc_result_ detail.asp?id=103090501">result</a> for TCP-C, which looks OK but not stunning. The <a href="http://www.tpc.org/results/FDR/TPCC/HP%20Int egrity%20rx5670%20Linux%20FDR.pdf">Full Disclosure Report</a> shows horrendous maximum response times. This would kill a real system.
The 3 digit number on the back of the card is called the Card Verification Value 2 or Card Security Code. AMEX have a similar 4 digit code on the front of the card.
The idea of this value is to cut down on "Cardholder Not Present" fraud i.e. mail order. In theory, if you've skimmed a card or stolen a database you won't know the CVV2 (merchants and acquiring banks are not allowed to hold the value, it's the issuing bank's risk so it's up to them what they do). In the UK, the banks are offering discounts to merchants who use it.
PIN at POS for all card types is coming in at point of sale in the UK using EMV (i.e. smartcards). The pilot starts this spring in Northampton. The PIN will be stored on the card and kept synchronised to the online PIN. This targets counterfeit and stolen cards.
The UK also has an address verification service for Card Not Present. It's different from the US scheme and doesn't depend on "correct" formatting of the address.
Slashdot Mirror
Utter bunk. See http://atomicinsights.blogspot.com/2010/07/gullible-reporting-by-new-york-times-on.html
The article has a number of strange assertions. First, only 3 PINs being generated by the card issuing system. I can see this is possible if you hack the application code itself but the HSMs (hardware security modules) that actually do the cryptographic operations wouldn't do this using Visa, IBM or Diebold PIN offset generation calls. It's possible, but it would be an insider job in one bank NOT the whole banking system. Second, the description of the scam is that one PIN offset on track 2 can be used with multiple account numbers. Again, all the standard PIN methods explicitly prevent this - the account number (PAN) is part of the input data to the PIN verification call. Third, the description has the crook shoulder surfing for PINs. Why does he need to do this if any known PIN can be used with any account? He only needs one known PIN and the corresponding card to be able to write as many cards as he likes. I'm sure there's some truth in the story but the technical detail is unconvincing.
"The TPC Benchmark(TM)H (TPC-H) is a decision support benchmark." i.e. for management accountants.
_ detail.asp?id=103090501">result</a> for TCP-C, which looks OK but not stunning. The <a href="http://www.tpc.org/results/FDR/TPCC/HP%20Int egrity%20rx5670%20Linux%20FDR.pdf">Full Disclosure Report</a> shows horrendous maximum response times. This would kill a real system.
"The TPC-C benchmark continues to be a popular yardstick for comparing OLTP performance on various hardware and software configurations." i.e. for me to get cash from an ATM
There's only one <a href="http://www.tpc.org/tpcc/results/tpcc_result
Linux is good, but 2.6 will be better!
The 3 digit number on the back of the card is called the Card Verification Value 2 or Card Security Code. AMEX have a similar 4 digit code on the front of the card.
The idea of this value is to cut down on "Cardholder Not Present" fraud i.e. mail order. In theory, if you've skimmed a card or stolen a database you won't know the CVV2 (merchants and acquiring banks are not allowed to hold the value, it's the issuing bank's risk so it's up to them what they do). In the UK, the banks are offering discounts to merchants who use it.
PIN at POS for all card types is coming in at point of sale in the UK using EMV (i.e. smartcards). The pilot starts this spring in Northampton. The PIN will be stored on the card and kept synchronised to the online PIN. This targets counterfeit and stolen cards.
The UK also has an address verification service for Card Not Present. It's different from the US scheme and doesn't depend on "correct" formatting of the address.
Yes it does unless you use a text browser.