Peter Fairbrother <[EMAIL PROTECTED]> writes:

>Steven M. Bellovin wrote:
>> Designing a system that deflects this sort of attack is challenging.
>> The right answer is smart cards that can digitally sign transactions
>
>No, it isn't! A handwritten signature is far better, it gives post-facto
>evidence about who authorised the transaction - it is hard to fake a
>signature so well that later analysis can't detect the forgery, and few
>people would bother to do it that well anyway, while it is easy enough to
>enter a PIN with "digital reproducibility".
Not only that, you can mess up the transaction without even wanting to do it fraudulently. With PIN-based authentication (at least every one I've ever seen), you insert your card, enter your PIN to authorise the transaction, and then it prints your receipt. As you point out, there's no link between the paper trail and the authorisation, and by the time you get to see the paper trail it's too late to do anything about it. Running a two-phase commit to fix this is unworkable (it'd double the number of transactions and require holding state at the acquirer gateway), and even then it doesn't tie the authorisation to the paper trail.

Consider a recent example, in which a hotel inadvertently charged me twice for one stay. The first time they ran the transaction on the handheld card terminal, the built-in printer ran out of paper, so they reversed the charge and charged me a second time with a new roll of paper in the printer. Since I didn't trust them to get this right, I asked for both printouts, wrote "VOID" on the first one, and signed the second one. As it turned out, they didn't get it right, and I have a pretty clear paper trail to prove that the first transaction wasn't authorised.

If I'd done this with a PIN, both would have been authorised, because I can only take the merchant's word for it that they've cleared up the first transaction for me - the client has to go to some lengths to prove their credentials, but the merchant only has to claim that they've sorted it out. In fact I don't think there's any way for them to prove to a client that they've reversed a transaction short of phoning their bank and getting them to fax out a statement.

So I'll stick with printouts and signatures for the foreseeable future.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]