Yes: that's genuinely good, and helps keep the incidence down, discouraging younger (and perhaps smarter) crooks from getting into the field. I like the idea of chip-and-signature, as one can add better and better signature recognition after the fact, as the software gets more reliable.
Even now, a real-time comparison of my signature against a sample during the transaction would be possible, and catch someone who was wildly different.
It was a chip-and-pin transaction, not a swipe, so I suspect either a bad implementation, an unrelated bug that allowed the crook to take over the ATM, or both. I do know that the subsequent use was on the following weekend, at a different location, and was a series of ("deposit cheque" where the cheques were blank paper && "withdraw maximum") for a large number of accounts, one after another, at speed.
I got curious, and got several people talking about what had happened: they were rather nonplussed that this should have been possible. I had previously done some security work (proof schemas for a ministry) and was lucky enough to be able to draw them out by sounding knowledgeable (:-))
If the audit only happens when there is a disputed charge, it's probably suitable: unix has used "do anything but know it's logged" as a norm for years, with arguably better user-facing security than XP/vista/7 etc.
I use chip and pin cards in Canada, and about a month after I got the first one, it was skimmed.
The bank had to replace it (and did, on a weekend no less!)
I suspect the same kind of good math and bad implementation as was documented in http://www.lightbluetouchpaper... I happen to know the ATM that was hacked, and while the Bank was very close-mouthed, the store-owner identified it as an XP-based standalone ATM with no detected mechanical add-ons, suggesting it was a pure software hack.
Another, more recent, attack was via a particular bank-owned ATM, the only one the person used.
We're currently ahead, but my first chip-and-pin card got skimmed in what apparently was a software hack on an XP-based ATM. I think it's an arms race, and in this case the armament is less secure and less protective of the individual card-holder.
Yes, but for whom? I have a bank that's good at catching crooks, and would call by voice and tell me to come down and get a new card when someone skimmed my chip-and-pin card with what appeared to have been a software hack on an XP-based ATM. What if I have a UK bank, who wants to blame me so they don't have to pay?
It's security by obscurity and inertia, based on crooks having invested in old swipe-card technology. Here in Canada we have chip-and-pin-equipped crooks hacking the banks.
It allows the Bank to make a good argument for not paying you back, as you must have lost your pin. Previously they had to collect from the merchants, who are much bigger customers of the Bank, and so are listened to more than individuals. This was a problem for years in the UK, until the courts wised up.
One of Ross Anderson's 2010 highlights was a paper on why Chip and PIN is broken, for which he got coverage on Newsnight and a best paper award. Later, the banks tried to suppress this research.
Ross is a security researcher at University of Cambridge.
In practice, it is far more secure to use a written signature than a 4-digit password that is exposed to eavesdroppers, video cameras, interception devices and a plethora of other attacks. That's secure for the person, you understand: it prevents the bank from saying "you must have lost your pin".
Specifically, he noted that in http://archive.icann.org/en/co... that it's a simple task to check outbound packets and drop them if the return address is for someone else.
The open question is ISP motivations: I used to work for Canada's first big ISP, and my management would have freaked out if they thought they were frivolously enabling a DDOS attack. See the queue article and comments for more info.
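The check the comment above describes (drop outbound packets whose return address belongs to someone else, the source-address validation usually cited as BCP 38 / RFC 2827) as an added example; this is not code from the comment or from the ICANN document it links. The ISP prefixes and the sample packets are constructed from documentation address ranges, not real allocations or traffic.

```python
import ipaddress
from collections import Counter

# Constructed for this example: the address blocks a hypothetical ISP has
# been allocated. Anything it forwards upstream should carry a source
# address from one of these. (Documentation ranges, not real allocations.)
ISP_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def source_is_ours(src, prefixes=ISP_PREFIXES):
    """True if src falls inside one of the ISP's own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: treat as not ours
    return any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=ISP_PREFIXES):
    """Split outbound packets into those to forward and those to drop.

    Each packet is a dict with 'src' and 'dst'. Dropped packets are the
    ones whose return address belongs to someone else, i.e. the forged
    traffic a reflected or spoofed-source DDoS relies on leaving the ISP.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if source_is_ours(pkt["src"], prefixes) else dropped
        target.append(pkt)
    return forwarded, dropped


def spoof_report(dropped):
    """Count dropped packets per claimed source, so an operator can see
    which forged addresses (and hence which customers' gear) need a look."""
    return Counter(p["src"] for p in dropped)


# Constructed sample traffic leaving the ISP's network.
SAMPLE_PACKETS = [
    {"src": "203.0.113.7", "dst": "198.51.100.20"},     # legitimate customer
    {"src": "198.51.100.99", "dst": "192.0.2.1"},       # forged: not our block
    {"src": "2001:db8::1", "dst": "2001:db8:ffff::1"},  # legitimate IPv6 customer
    {"src": "198.51.100.99", "dst": "192.0.2.2"},       # forged again
    {"src": "not-an-address", "dst": "192.0.2.3"},      # malformed: drop
]

if __name__ == "__main__":
    fwd, drp = filter_outbound(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for src, n in spoof_report(drp).items():
        print(f"  dropped {n} packet(s) claiming source {src}")
```

The same test can be expressed as a router ACL or firewall rule; the point of the comparison is that the filter needs to know only the ISP's own prefixes, which the ISP certainly has, so the remaining obstacle is the motivation the comment raises rather than the mechanics.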
Whereas my experiences were with opponents blatant enough that even the victims knew that it wasn't their fault.
The one in the public record was an employer which we and the Ministry of Labour forced into receivership for non-payment of wages. As it happens, the original investors were able to take the company out of receivership and turn it around under new management.
Other cases are more problematic, but when you have nothing to lose and the other person announces their name is Snidely Whiplash, it makes sense to fight back.
If you once get past the shock of being attacked without a good reason, it feels good to fight back. You know that your opponents have consciously taken up the role of the bad guy, and you're fighting the good fight.
I've only had that feeling twice in my whole life, but it's seriously cool.
Reaching a Proper Balance
by "Abe Edric", guest blogger
Editor’s note: What follows is unique on Slaw, in that it is a pseudonymous post. We have entertained many pseudonymous comments, but not a column or blog entry. I do not expect this rarity to be repeated. The writer is a Canadian public sector litigator who prefers to remain anonymous to emphasize that the views expressed are not purported to be those of his employer. His identity is known to me. The writer and I are aware of the irony in writing pseudonymously about a government spying on its citizens...
You can't get out of beta if you try it, as they removed the link that returns you to classic.
Fortunately, you can delete all the beta cookies and return to normal...
They may get away with dropping support, but if they offer a continuing service and deliberately stop it, it's not just actionable, it's arguably fraudulent.
Actually they had the legal right to provide them to Canadians, and did. It was only in the United States where Amazon feared their supplier didn't have the right to provide the book. They panicked and deleted purchased materials without colour of law from Canadian purchasers' devices. The contract only allowed them to delete material that was improperly sold, which was not the case. In addition, the law requires a refund be paid in such cases in Canada (and probably in the US as well).
The relevance, however, is that they had to publicly apologize to everyone for behaviour that was legal, but repugnant to their customers. That was a significantly bad thing for them, and sensitized Canadian courts and law professors to the problem of a new kind of unconscionable clause in contracts of adhesion.
It may well be a bad thing for Adobe.
Or, as one of my old colleagues used to say, "time wounds all heels".
It stuck way out, if memory serves: it's been a while!
According to another commentator, the US will be using chip-and-sign, hopefully with a good implementation (:-))
Another commentator said the US is going to chip-and-signature cards, skipping pins entirely.
--dave
Thank you, kind sir! That's wonderful news.
Leap-frog over the bad ideas to a good (well, less bad (:-)) one.
--dave
The bank only cares if your account gets cleaned out and they need to prove you were at fault. They don't care about your signature otherwise (;-))
In the UK, the Banks famously collected from the cardholder, arguing that they had lost their pin. This took years to overturn...
See right here, at http://tech.slashdot.org/story...
This is a standard trope in every epic novel from middle-earth to outer space: the bad guys want you to hunker down. To hell with that!
Smiert Spionam!
http://queue.acm.org/detail.cfm?id=2578510
Complaints about beta go here (;-))
Sure: http://www.slaw.ca/2013/07/30/...
It's also hard to turn beta off, as that link was removed. Ah well, ^X-delete-cookies
My personal copy is quite broken at the moment