Anne & Lynn Wheeler wrote:
the trivial case from nearly 10 years ago was the waiter in nyc
restaurant (something sticks in my mind it was the Brazilian restaurant
just off times sq) that had pda and small magstripe reader pinned to the
inside of their jacket. At some opportunity, they would casually pass
the card down the inside of their lapel (doesn't even really have to
disappear anyplace). This was before wireless and 801.11 ... so the
magstripe images would accumulate in the pda until the waiter took a
break ... and then they would be uploaded to a PC and then to the
internet (hong kong was used as example) ... counterfeit cards would be
on the street (opposite side of the world), still within a few hours at

iPod used to store data in identity theft

from above ..

April 7, 2006 4:55 PM PDT
A 35-year-old identity theft suspect may have taken Apple Computer's
mandate, "Think Different," a little too far.

... snip ... above article references:

Beware the 'pod slurping' employee

... from above

Published: February 15, 2006, 10:29 AM PST
A U.S. security expert who devised an application that can fill an iPod
with business-critical data in a matter of minutes is urging companies
to address the very real threat of data theft.

and some conjecture about a possible MITM-attack ... using counterfeit
card in conjunction with PDA wireless internet connection to a
lost/stolen valid card at some remote location.
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin
http://www.garlic.com/~lynn/aadsm22.htm#29 Mecccano Trojans coming to a
desktop near you
This is a scenario where a card may be authenticated separately from its
actual operation. The hypothetical MITM-attack is against a terminal's
willingness to agree with the business rules in a valid card used for
offline transactions. Since the attack is against the offline
transaction business rules in a valid card, it may not even be necessary
to obtain a lost/stolen valid card ... it may just be necessary to
obtain any valid card (say thru valid application using false
information) ... the MITM counterfeit card uses any valid card for the
authentication exchange ... and then proceeds with the rest of the
transaction using its own business rules.
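
A toy model of the point in the last paragraph above, added here as an example and not part of the original post: a terminal that authenticates the card separately from the offline decision, beside one that only accepts a decision bound to the authenticated card. The keys, PAN, offline limit and all class and function names are constructed, and HMAC stands in for the issuer and card signatures a real terminal would verify with public keys.

```python
import hashlib
import hmac
import os

ISSUER_KEY = b"constructed-issuer-key"  # constructed; stands in for issuer signing key
CARD_KEY = b"constructed-card-key"      # constructed; stands in for the card's own key

def tag(key, *parts):
    # HMAC stands in for a signature the terminal could verify offline.
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class ValidCard:
    pan = b"4000000000000002"  # constructed sample value
    offline_limit = 50         # the card's own offline business rule
    def credential(self):
        return self.pan, tag(ISSUER_KEY, self.pan)
    def decide(self, amount, nonce):
        verdict = b"APPROVE" if amount <= self.offline_limit else b"DECLINE"
        return verdict, tag(CARD_KEY, verdict, str(amount).encode(), nonce)

class MitmCard:
    # Models the hypothetical counterfeit: passes authentication through to a
    # valid card, then answers the transaction with its own rules.
    def __init__(self, valid):
        self.valid = valid
    def credential(self):
        return self.valid.credential()
    def decide(self, amount, nonce):
        return b"APPROVE", bytes(32)  # has no card key, so no valid proof

def authenticated(card):
    pan, cred = card.credential()
    return hmac.compare_digest(cred, tag(ISSUER_KEY, pan))

def terminal_separate(card, amount):
    # Authentication and the offline decision are checked independently.
    if not authenticated(card):
        return "REJECT"
    verdict, _ = card.decide(amount, os.urandom(8))
    return verdict.decode()

def terminal_bound(card, amount):
    # The decision must carry the card's proof over verdict, amount and nonce.
    if not authenticated(card):
        return "REJECT"
    nonce = os.urandom(8)
    verdict, proof = card.decide(amount, nonce)
    expected = tag(CARD_KEY, verdict, str(amount).encode(), nonce)
    return verdict.decode() if hmac.compare_digest(proof, expected) else "REJECT"
```

With the bound check, relaying the decision request to the valid card yields only that card's own verdict, so its offline rules still apply.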