Slashdot Mirror


User: Nursie

Nursie's activity in the archive.

Stories
0
Comments
4,686
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 4,686

  1. Re:I simply don't understand ... on Samsung's UpStage Looks To Trump iPhone · · Score: 1

    What's visual voice mail? Video voice mail? So downloading videos... That's a network feature.

    Real web access has been around on windows smartphones for years and I have Opera on my Nokia N73. If you lot in the US haven't got real web access it's the network's fault.

    Many phones have 4 gig capacity now, with memory cards.

    I don't know about the UI, I don't care about iPods, lots of phones sync nice and easily and many, many phones have photo apps.

    The iPhone is nothing new. Really. But we're going to see the same mp3 player phenomenon again aren't we - The tech and the devices are around for ages. Apple comes along and makes it slightly shinier and everyone credits them with inventing the whole damned thing.

    I for one am not impressed with any of it.

  2. Why would they need supporting data? on Germany Wants EU to Ban Violent Games · · Score: 1

    Politicians never bother with it, they go with what they think, and they got elected so they must be right.

    For examples of this behaviour see the war on drugs. Whenever new studies come out, even if they were funded by the government, if they don't fit the ideology they are discarded.

    We do not currently have a society based on evidence or reason. More's the pity.

  3. Re:Doesn't everything? Not as bad as it sounds on Chip & PIN terminal playing Tetris · · Score: 1

    That happened to me recently too, when I bought a PS3 in singapore. As a UK resident for some reason my bank thought the transaction was somewhat suspect. Can't blame them for checking.

  4. Re:Doesn't this assume hardware integrity? on Chip & PIN terminal playing Tetris · · Score: 1

    Sweet FA, in an all chip and PIN environment.

    In a mixed environment (which we're in) he can make a card with a fake (broken) chip on it and your magstripe details and use it anywhere that chip is not required. Which is most places as if the chip is broken the logic is that the stripe is used. For the time being, until that is switched off. Can't remember the UK date for that.

  5. Fair enough on Chip & PIN terminal playing Tetris · · Score: 1

    As I say, the major push behind this was to seal a gap in the banks' liability for fraud anyway, despite what the public message might be.

    I do think that's pretty far fetched and by that point we're talking about a serious criminal organisation and not "casual" fraud. The bar is sufficiently raised in my opinion, for now.

  6. They do on Chip & PIN terminal playing Tetris · · Score: 1

    Which is why that will be phased out over time.

    A merchant accepting swipe cards assumes the liability for it. Which means that after they get hit a couple of times they'll stop accepting fallback.

    Banks will (slowly) phase out ATMs using magnetic data, hopefully.

    But yes, your summation is correct, the real security hole is the fallback mechanism.

  7. Re:Well true on Chip & PIN terminal playing Tetris · · Score: 1

    Have you tried to remove the chip from a card? It's not easy, they usually break first (I have tried). I'm pretty sure they're designed that way. And half the point of chip and PIN is that you're not supposed to hand your card to anyone. You put it in the reader, you press the buttons. You take it out again.

    The common fraud scenario - of the magnetic stripe being read quickly and easily by fraudsters - goes away, as do inadequate signature checks. Signatures are easy to forge and seldom actually checked.

    EMV makes fraud a lot more difficult. Not impossible, but a lot more difficult.

    the mag strip on the card will not be disabled, but as more places use EMV it will become useless.

  8. I wrote a proper reply to this on Chip & PIN terminal playing Tetris · · Score: 1

    But either slashdot ate it or I posted too many too quickly and didn't notice the error.

    Suffice it to say it comes down to my own irrationality.

  9. Yes they can on Chip & PIN terminal playing Tetris · · Score: 1

    All EMV cards are issued with a magnetic stripe on them for now.

    Hopefully the USA is going to pick up EMV sometime though - Much of the rest of the world (Europe and far east) have adopted the scheme.

  10. You can in most places on Chip & PIN terminal playing Tetris · · Score: 1

    I'm not familiar with any legislation on this matter, I wasn't aware it existed, the scheme is a bank mandate. I also find it odd that they would give you a non chip card if you requested. Even odder that someone would request it, this story highlights a security hole but there still aren't half as many as there are with non-chip cards.

  11. NO on Chip & PIN terminal playing Tetris · · Score: 1

    It happened due to a bank mandate. Anyone that tells you it's illegal to use a non chip card is stupid/misinformed.

  12. Well true on Chip & PIN terminal playing Tetris · · Score: 1

    But that hole is impossible to get around, which is why we have fraud protection and the banks have come up with this whole chip and PIN malarkey to shift the liability for it onto the merchant.

    Also, as pointed out previously, even if you get the PIN, you can't clone the card.

  13. Their mad choice I guess on Chip & PIN terminal playing Tetris · · Score: 1

    I never worked for Tesco's, just the people who sold them their system. That sounds like lunacy to me, especially seeing as one of the major points about chip/PIN was more secure unattended payments!

    I never quite got why they like the swipe and park thing so much, I know at attended tills it was so there was no change in arm action for the till staff, they just take any old card, chip or otherwise, swipe it down the reader and leave it sat in the bottom.

    I try to avoid using it by sticking my card directly into the pinpad at supermarkets rather than handing it over to be swiped AND stuck in the reader. I think it's to do with data mining, ie so they ca track purchases even if you don't have a clubcard. I instinctively bristle against that.

    Not that they couldn't do it with the Chip data, but nobody seems to have told them that!

  14. The card does authenticate the bank on Chip & PIN terminal playing Tetris · · Score: 1

    The bank sends a cryptogram which the card decodes and verifies. This is the two way auth. Actually it's three way because the terminal is cryptographically verified too. There's just no tamper resistance built into the spec.

    I know a 4 digit number isn't the height of security, but what would you suggest that cardholders do to identify themselves?

    Remember that old people and idiots have to use the system.

    Also it is futureproofed to allow for Fingerprint/Iris recognition or other methods in coming years.

  15. Hold on, memory not what it was.... on Chip & PIN terminal playing Tetris · · Score: 1

    You're right, depending upon the supported verification methods in the card then plaintext PIN presentation was an option. As I say, depends on the card.

  16. Umm, yes there is! on Chip & PIN terminal playing Tetris · · Score: 1

    "For a start, there is no encryption of the PIN between card and pinpad"

    Yes there is! You present the card with an encrypted PIN block in ISO (8583? it's been a while) format. The Shiv would get you that but nothing else of any use.

    ATMs *should* be getting upgraded to chip and pin by the banks. Whether they are or not is anyone's guess.

    And yes, a lot of terminals do have RS232, if the keys leak then that's a security vulnerability.

    I said in a another post - this is more about shifting liability from the bank to the merchant in cases of fraud than it is about protecting you or I, we just get a little more security out of it as a byproduct.

  17. Yeah, that legacy security hole again on Chip & PIN terminal playing Tetris · · Score: 1

    Though try buying anything major with it and you ought to get refused or phonecalls from your bank.

    They likely haven't got around to replacing a large part of the ATM estate, banks are good like that. Everyone has to jump to theiur tune but they don't always follow it themselves.

  18. Re:I wrote Tesco's system you should all listen to on Chip & PIN terminal playing Tetris · · Score: 1

    Hopefully I've answered that here

    Basically even a dodgy merchant can't clone your card.

  19. Legacy on Chip & PIN terminal playing Tetris · · Score: 1

    It's a handover thing, until all cards are EMV and all merchants are EMV enabled then cards require a magnetic stripe so that the customer can still use them everywhere. This is a bit of a security hole.

    I don't know which country you're in but the legacy magnetic stripe behaviour differs by country. In the UK we never had a system of Stripe + PIN, it was Stripe + Signature, whereas I noticed in the US that PIN was prevalent.

  20. Re:In other words: Chip and Pin is a scam! on Chip & PIN terminal playing Tetris · · Score: 1

    See my longer, parallel response to this, but: even if the merchant gets your PIN it's of limited use to him as cloning chip cards is pretty much impossible at this point, due to the cards producing cryptograms using bank signed keys as part of the transaction process.

    This hole is bad, but not that bad.

  21. Yes on Chip & PIN terminal playing Tetris · · Score: 1

    As the card has to produce a cryptogram using a bank signed key.

  22. Doesn't everything? Not as bad as it sounds on Chip & PIN terminal playing Tetris · · Score: 1

    I'm not as familiar with the hardware requirements of EMV certification but yes, it rather does assume hardware integrity and retailer integrity.

    Chip and PIN is designed to card cloning and to some degree theft. Now card cloning was rife with magnetic strip cards because they were extremely easy to clone. A shop assistant or a waiter could easily pass your card through an extra reader and take the details, pass them on to someone else and then the card could be used all over town. This is eliminated as cards are impossible* to clone.

    EVEN if the crooked retailer gets your PIN, he can't use it effectively as he can't make a copy of your card without access to the keys in the card that are never revealed. He can't run more transactions on your card through his system either because the transaction amount/number/date is part of the data encrypted by the card and sent to the bank.

    He couldn't use it for more than a couple of purchases in other Chip and PIN enabled premises even if he copied the magstripe info onto a blank card with no/broken chip as the transactions would be flagged as suspect.

    He couldn't use it in an ATM as they are chip enabled more often than not (in Chip'n'PIN) countries. I know this as I was involved in the design and implementation of an ATM auth system too a couple of years ago.

    What he could do is make a copy and use it abroad in a non Chip'n'PIN country or he could use it for internet purchases.

    The key here, as I said above but I wish to reiterate, is that even if the merchant is crooked, he doesn't get the ability to make new cards and his avenues for fraud are severly limited.

    Shall I let you all in on a secret though?
    Chip and PIN is less about security for us (though it does help) than it is about security for the banks. Because fraud is now limited to merchants that either haven't upgraded to Chip and PIN or accept non Chip and PIN transactions, they are liable for any fraud through their systemes.

    That's the crux of it. Compromised terminal? Not the bank's fault. Accept a cloned card? Not the bank's fault. They'll still have to refund you immediately but they then get to penalise the merchant immediately where before they would have to prove the merchant's negligence in order to fine them.

    *very hard anyway, as we all know, nothing's impossible in terms of security

  23. Re:Hold on a sec here... on Chip & PIN terminal playing Tetris · · Score: 1

    Chip cards are impossible* to clone in that way, and if someone clones the strip part of it under EMV then the PIN is not used and the transaction is flagged for attention as a possible fraud.

    (*yeah, ok, very difficult!)

  24. I wrote Tesco's system you should all listen to me on Chip & PIN terminal playing Tetris · · Score: 5, Informative

    Sorry for the pompous post heading, but the first part is true, I wrote a large part of Tesco's system including about half of the EMV processing component. It's a customised version of what was the world's first integrated EMV system (ie card reader + PC + store level auth servers + central connection to VISAnet, LINK etc).

    Whether you should listen to me or not is another matter.

    The chip controls the transaction. That's how it goes. The chip decides if it can trust the terminal or the bank based on cryptographic signing operations. The terminal is verified by a process in which it concatenates various pieces of data, performs a crypto op on them and presents the result to the card. The card compares this to its own result (depending on the card it either has one precalculated and uses the same one each time (low security) or does the same calculation itself on a set of data including some session data (better security)).
    PIN is encrypted as soon as it is entered and should never leave the device it's entered on in plaintext form, it is presented to the card as a cryptogram for validation.
    When a transactioon is presented to the bank for authorisation it is presented with yet another cryptogram so that the bank can validate the card. The response also comes in the form of a cryptogram so that the card can validate the bank.

    However, I'll agree, all this is pretty useless if someone can get inside the terminal and intercept the PIN at hardware level. Other than that and the looking-over-shoulder social security hole problem, EMV's pretty bullet proof. Your PIN doesn't ever even get to the PC that's running the transaction.

    If you want to know more then the actual standards are available at EMVco, but they're the nearest thing to legalese I've ever encountered as a software Dev. I'm out of the payments game now, but my knowledge should still be pretty relevant, I hope.

  25. Nintendo? Plx. SEGA roots here on Sony Promises 1M PS3s This Year · · Score: 1

    Don't forget those of us who have been gaming for 20 or more years and have never owned a Nintendo system and don't really intend to start here. Sega all the way until the PS2.

    I'll be buying a PS3, as soon as Sony start to sell the damned things here that is.