Slashdot Mirror


User: Nursie

Nursie's activity in the archive.

Stories
0
Comments
4,686
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 4,686

  1. Re:Dune on Bring Home the Biotech Bacon · · Score: 1

    It was the first thing I thought of. But then I did just read the Dune books last month...

  2. Dude! on UK Parliament to be Made Redundant? · · Score: 1

    "enacted by the Queen's most Excellent Majesty" I'm English and I've never heard this turn of phrase before. Party on Liz!

  3. MOD PARENT UP on Beware Your Online Presence · · Score: 1

    This was my first thought as well - So what? They didn't offer you the job after they seemed interested, it just must be because they read something bad about you on someone else's page on the internet. Nothing to do with finding a better candidate or the other million other reasons you'll be passed over for an offer.

  4. Was that deliberate sarcasm? on Card Processing Software May Store CC Info · · Score: 1

    Or just a really good prediction? We already have these in Europe, the US is just a little behind in the chip-card game.

  5. Why would they swipe it twice? on Card Processing Software May Store CC Info · · Score: 1

    When they can get all the data in the first swipe AND use it for the transaction to the bank?

  6. Don't be retarded on PIN Scandal 'Worst Hack Ever' · · Score: 1

    Checkout emvco.com for the standards on EMV cards and terminals. Ask your bank about how they require merchants who use them to go through accreditation well beyond these standards.

  7. Re:Are you anal retentive? on PIN Scandal 'Worst Hack Ever' · · Score: 1

    Just because I don't carry a balance book doesn't mean I spend irresponsibly, and just because someone uses a debit card doesn't mean they don't still track their balance. This attitude towards debit cards that americans have is weird. In Europe credit cards are now seen as irresponsible (it's debt! people) and debit the way to make sure you only spend your own money.

  8. Re:Strip & PIN on PIN Scandal 'Worst Hack Ever' · · Score: 1

    And then you tell the bank it wasn't you and they have to reimburse you and investigate. This is NO different from what could have happened before.

    Pretty soon ATMs won't use the stripe either.

  9. T&C's on PIN Scandal 'Worst Hack Ever' · · Score: 1

    Usually say "reasonable care" If you take reasonable care and report the card stolen in a timely fashion you should be covered. If you are not then I would challenge it legally. OTOH, I still think having a photograph of the holder on the back of the card is a good idea.

  10. Sorry, but as someone who's worked on PIN Scandal 'Worst Hack Ever' · · Score: 1

    in the credit card industry on both sides of the atlantic, let me just tell you, the US systems are primitive by comparison.

  11. Uses RSA+ SHA-1 on PIN Scandal 'Worst Hack Ever' · · Score: 1

    And various transaction, time and card related data go to make a key which (IIRC) RSA encrypts the whole lot before hashing. I'm satisfied, personally.

  12. No, no they couldn't on PIN Scandal 'Worst Hack Ever' · · Score: 2, Informative

    1 - the swipe data alone is no where near enough to make cloned card. You need a lot more data AND access to the master keys used by the card issuer.
    2 - The link between the PIN Pad and the reader is direct and encrypted.
    3 - With EMV (the UK scheme) no PIN is used in a magnetic transaction. Signature is used and the fraud liability is with the merchant. There is NO way to do a stripe'n'PIN transaction.
    4 - The scenario would not be prevented if there was no strip because there is no scenario.

  13. A couple of problems with that approach on PIN Scandal 'Worst Hack Ever' · · Score: 2, Informative

    If you get the PIN wrong a set number of times (usually three) the card locks itself. The hash is seeded with transaction dependant data. Also, you don't get to see the hash, the link I told you about, between the PIN Pad and the card reader is a direct link and is encrypted itself (think SSL, I think they use certificates for authentication and then key exchange, then an encrypted link much like SSL though I'm not sure of the details.)

  14. How many fucking times!!! on 'No Quick Fix' From Nuclear Power · · Score: 1

    I'M NOT TALKING ABOUT LONDON. I'M TALKING ABOUT THE WHOLE OF THE SOUTHERN UK.

    We have a good train network over the whole of the UK, especially the south. Yeah, sure, we have a subway system and more buses as you get into London, but THE WHOLE OF THE SOUTH OF ENGLAND HAS A MORE THAN ADEQUATE PUBLIC TRANSPORT SYSTEM. IF YOU THINK THE WHOLE OF THE SOUTH OF ENGLAND IS MORE DENSE THAN LA THEN YOU ARE RETARDED.

  15. Sorry, you're wrong on PIN Scandal 'Worst Hack Ever' · · Score: 1
    That's nonsense. The point was to shore up fraud defences in general and transfer liability for any non chip'n'PIN transaction to the merchant. The merchants are actually worse off (in terms of liability) under this system but hae no choice but to comply.

    And no, you do not take any loss. The moment you contest a transaction with a credit card company or your bank they are required BY LAW to take your word as truth and refund the money pending an investigation. That is the law. Now that doesn't mean they won't try and weasel out of it or fob you off with blame, but if you remind them of their legal requirements they will usually cave.

    Of course the new scheme makes it considerably less likely that this will happen. Basically there's not many situations where a fraudulent chip and PIN transaction can go through -
    • The bank screws up, as in this article and you have your card stolen
    • Someone fits a fraudulent device to an accredited Chip and PIN terminal and records your PIN and steals your card
    • You give away your PIN and have your card stolen
    The cards are cryptographically authenticated by the PoS and the acquiring/issuing bank. The PoS is cryptographically verified by the card and the acquiring/issuing bank. The acquiring/issuing bank is cryptographically verified by the card. You report the card is missing, you have no liability. There is no known way to clone the cards. There is no way to do a chip and PIN transaction without the card. This is why fraud is moving to customer not present and online transactions which can be contested exactly as before.

    Chip and PIN gives very little opportunity for fraud. If you can think of a way to commit cardless Chip and PIN fraud then I'd be pleased to hear it (and talk to my contacts in VISA about it).
  16. Are you anal retentive? on PIN Scandal 'Worst Hack Ever' · · Score: 1

    Balance book ferchissakes? Haysus you must be fun to go out for a night with.

    Debit cards mean I don't have to get cash, I don't have to think ahead for when I'm going to need money and I don't have to worry about paying it off at the end of the month either. It's like using cash, without the need to plan ahead. It's perfect. It also means that I withdraw the exact amount for what I need, not more to make up to what the machines will dispense.

    If that makes me irresponsible then fine. But you sound a little too caught up in thinking about it.

  17. They ain't on PIN Scandal 'Worst Hack Ever' · · Score: 1

    At least on EMV cards they can be up to 12. I doubt they'll ever get used above 4 though, as people have enough trouble remembering already.

  18. Incorrect there. on PIN Scandal 'Worst Hack Ever' · · Score: 1

    In 99% of online transactions there is simply a flag (and a few other bits of data) that say "The PIN verification performed by the card was successful". It could say it failed but then there would be no need for an online transaction as the card would be declined by that stage.

    IF the card is configured to allow online PIN checking, and IF the terminal supports it and IF the acquirer also supports it, and usually IF either the card or the terminal does not support offline PIN verification, then a one-way hash is sent to the issuer. This has two methods of defence - firstly that the hash is generated using the PIN and other tansaction data and a random component, so it is different every time. Secondly it's one-way, so there is no way to find the original PIN from it, even with a key. The remote system then verifies this hash rather than the PIN itself.

  19. You have to trust the card schemes on PIN Scandal 'Worst Hack Ever' · · Score: 1

    Any shop that takes Chip and PIN cards goes through extensive approval processes from their acquiring banks (who are in turn accredited by the card schemes) when they want to take a card type. This includes checks that the devices are properly accredited.

    Now I guess it's possible (though IMHO unlikely) that a rogue employee could bring a dodgy device in and wire it up, but you're protected from fraud by the merchant and the card scheme anyway.

  20. Correct sir on PIN Scandal 'Worst Hack Ever' · · Score: 1

    Staff training was it exactly, there is a chip reader below the swipe in a so called swipe and park reader, done so that all cards, chipped or chipless, can be processed the same way.

    In seperate PIN pad and reader systems there is a secure link between the two, otherwise the system would fail accreditation. The PIN hash that passes along these is unknown to the PoS or the rest of the system.

  21. It's even more secure than that on PIN Scandal 'Worst Hack Ever' · · Score: 1

    The PIN pad generates a hash of the PIN you have entered using a pre-generated (during the transaction) key. This hash is then presented to the processor on the card for verification. The card merely replies yes or no.

    And before anyone shouts "I'll just use a fake card that always says yes then!" let me inform you that there are cryptographic checks performed between the card and the PAD, the card and the issuer, tha PAD and the issuer etc etc so that each piece of the puzzle (card, PoS, issuer) can verify the identity of the other whilst the transaction is in progress.

  22. Cards still have a mag stripe on PIN Scandal 'Worst Hack Ever' · · Score: 2, Informative

    However there is a code on there to say that it should be a chip card, however the strip is still there in case the chip or the reader breaks. This is the only real exploit I know of (and I coded the tesco system and I think my software runs sainsbury's now too), that you can break (or cover in something like nail varnish) the chip and then it is at the merchant's discretion as to whether they accept the transaction or not. In the case of fraud the liability is then with the merchant and not the card issuer/scheme.

    Conceivably then, you could clone the stripe and put a dummy chip on a card and get away with it at some places, but not all. The chip itself cannot (at present) be cloned with anything other than an electron microscope, AFAICT.

  23. I coded Tesco's system on PIN Scandal 'Worst Hack Ever' · · Score: 5, Informative
    Or at least I coded 50% of the chip and PIN software on Tesco's Point of Sale machines. You couldn't be more wrong.

    In order to pass accreditation there were many many security requirements, the most important of which is that the PIN never leaves the EMV hardware. There is a secure link between the little pad there and the swipe/park reader on the side of the PoS display. The PIN is hashed on the pin pad and the hash sent to the reader. It does not go any further. Ever. All the till software I wrote gets is a (secure) result code for whether verification was succesful.

    The sotre does not get your PIN.

    As for the rest, The store gets all the info from the stripe ANYWAY. The chip has all the same info encoded on it, and a lot more. They don't need to swipe your card (and I must admit it mystified me why they would for a while) precisely because they have that data from the chip!

    The reason for the swipe is simple -
    • The staff don't have to change their action dependant upon whether it's a chip card or not, they just swipe it, sit it in the endof the reader and the transaction processes
    • The staff don't have to change their action from Pre-Chip'n'PIN days, they just swipe it and away we go.

    You appear to be worked up about very little.

    If you have any more questions I'd be more than pleased to answer them.
  24. Not talking about London, or the rural US on 'No Quick Fix' From Nuclear Power · · Score: 1

    The whole of the south of England, rural and otherwise, has train stations dotted all over and decnet bus services too. Sure there may be places where the village has only one bus, but if there are then they're WAAAAAY out in the remote areas of cornwall, wales or scotland. The south of England has a viable urban/suburban/rural transport network and is in no way uniformly dense like London.

    I think there's a few things keeping the US from doing the same in metropolitn areas like LA - Cost, disturbance and love of cars. This "It could never work" crap is just that last one there, love of cars and refusal to contemplate a change, manifesting itself as denial.

  25. Please don't presume my ignorance on 'No Quick Fix' From Nuclear Power · · Score: 1

    I'm well aware of that, my post was in reference to LA, a sprawling mass of suburbs which the original posterseemed to think ruled LA out of having a public transport system. Unless you seriously think LA is less densely populated than the rural parts of the UK where we have bus and train services then you are in denial.

    Sure there's a whole lot of nothing in the US, just not in LA. Ferchrissakes.....