Anne & Lynn Wheeler wrote:
the trivial case from nearly 10 years ago was the waiter in nyc
restaurant (something sticks in my mind it was the Brazilian restaurant
just off times sq) that had pda and small magstripe reader pinned to the
inside of their jacket. At some opportunity, they would casually pass
the card down the inside of their lapel (doesn't even really have to
disappear anyplace). This was before wireless and 801.11 ... so the
magstripe images would accumulate in the pda until the waiter took a
break ... and then they would be uploaded to a PC and then to the
internet (hong kong was used as example) ... counterfeit cards would be
on the street (opposite side of the world), still within a few hours at
most.

supposedly new?

iPod used to store data in identity theft
http://news.com.com/2061-10789_3-6059128.html

from above ..

April 7, 2006 4:55 PM PDT

A 35-year-old identity theft suspect may have taken Apple Computer's mandate, "Think Different," a little too far.

... snip ... above article references:

Beware the 'pod slurping' employee
http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html?tag=nl

... from above

Published: February 15, 2006, 10:29 AM PST

A U.S. security expert who devised an application that can fill an iPod with business-critical data in a matter of minutes is urging companies to address the very real threat of data theft.

... snip

and some conjecture about a possible MITM-attack ... using counterfeit card in conjunction with PDA wireless internet connection to a lost/stolen valid card at some remote location.
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a desktop near you

This is a scenario where a card may be authenticated separately from its actual operation. The hypothetical MITM-attack is against a terminal's willingness to agree with the business rules in a valid card used for offline transactions. Since the attack is against the offline transaction business rules in a valid card, it may not even be necessary to obtain a lost/stolen valid card ... it may just be necessary to obtain any valid card (say thru valid application using false information) ... the MITM counterfeit card uses any valid card for the authentication exchange ... and then proceeds with the rest of the transaction using its own business rules.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
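
A toy model of the separation described in the post above, as an added example that is not part of the original message: a terminal that authenticates a card and then trusts an unbound offline decision, beside one that requires the decision to be bound to the authenticated card. All names, keys and values are constructed, and HMAC stands in for the issuer and card signatures a real offline terminal would verify (an assumption of this sketch).

```python
import hashlib, hmac, os

ISSUER_KEY = b"constructed-issuer-key"  # toy stand-in for the issuer's signing key

def tag(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class ValidCard:
    def __init__(self, card_id, offline_limit):
        self.card_id, self.offline_limit = card_id, offline_limit
        self.key = tag(ISSUER_KEY, b"card-key", card_id)        # per-card key
        self.static_cert = tag(ISSUER_KEY, b"static", card_id)  # static auth data
    def authenticate(self):
        return self.card_id, self.static_cert
    def decide(self, amount, nonce):
        # The card's own offline business rule, with proof tied to this card.
        verdict = b"APPROVE" if amount <= self.offline_limit else b"DECLINE"
        return verdict, tag(self.key, verdict, str(amount).encode(), nonce)

class Relay:
    """Middle device from the post: forwards authentication, then answers itself."""
    def __init__(self, card):
        self.card = card
    def authenticate(self):
        return self.card.authenticate()
    def decide(self, amount, nonce):
        return b"APPROVE", b"\x00" * 32  # it does not hold the card's key

def terminal(device, amount, bind_decision):
    card_id, cert = device.authenticate()
    if not hmac.compare_digest(cert, tag(ISSUER_KEY, b"static", card_id)):
        return "reject: authentication failed"
    nonce = os.urandom(8)  # fresh per transaction, so proofs cannot be replayed
    verdict, proof = device.decide(amount, nonce)
    if bind_decision:
        # Hardened check: the decision must come from the card just authenticated.
        card_key = tag(ISSUER_KEY, b"card-key", card_id)
        expected = tag(card_key, verdict, str(amount).encode(), nonce)
        if not hmac.compare_digest(proof, expected):
            return "reject: decision not bound to authenticated card"
    return "accept" if verdict == b"APPROVE" else "decline"

if __name__ == "__main__":
    card = ValidCard(b"card-0001", offline_limit=50)
    for device in (card, Relay(card)):
        for bind in (False, True):
            print(type(device).__name__, bind, terminal(device, 500, bind))
```

With `bind_decision=False` the terminal accepts an over-limit amount from the relay because authentication and the decision are checked independently; with `bind_decision=True` the same exchange is rejected while the genuine card behaves as before.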
