Anne & Lynn Wheeler wrote:
some of the straight-forward ones can also happen because of
infrastructure and/or paradigm changes ... and there wasn't any forward
thinking.
recent thread today in sci.crypt
http://www.garlic.com/~lynn/2006u.html#40 New attack on the financial PIN processing
http://www.garlic.com/~lynn/2006u.html#43 New attack on the financial PIN processing
past posts in this thread
http://www.garlic.com/~lynn/aadsm26.htm#3 Citibank e-mail looks phishy
http://www.garlic.com/~lynn/aadsm26.htm#4 Citibank e-mail looks phishy
http://www.garlic.com/~lynn/aadsm26.htm#5 ATMs harcked using MP3 player
couple more in sci.crypt thread:
http://www.garlic.com/~lynn/2006u.html#47 New attack on the financial PIN processing
http://www.garlic.com/~lynn/2006u.html#48 New attack on the financial PIN processing
elsewhere in the "PIN processing" thread somebody mentions that ATM standards
require encryption for the PIN but not the rest of the message. This could be considered
sufficient prior to the introduction of signature-debit ... since up until that time all
debit transactions required the associated PIN.
However, the introduction of signature-debit makes the rest of the
(unencrypted) message attractive targets, since attackers can skim the
information and create counterfeit cards and use them in (PINless)
signature-debit transactions.
or can you say security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61
or using the "naked payments" metaphor, consistent requirement for a debit
transaction to have a PIN ... and the PIN was given at least some level of protection ...
would imply that the payment transaction had some degree of armoring ... which eliminated
the rest of the transaction as useful to the attacker (and therefore didn't need
encryption since it wasn't sufficient to perform fraudulent transactions). With the
introduction of signature-debit, it removes the transaction armoring and creates a
vulnerability for the rest of the transaction information (the armoring of the
transaction information was removed, leaving it naked and exposed, making the information
vulnerable to skimming, harvesting, data breach, etc attacks).
as mentioned numerous times in the past, the x9a10 financial standard
working group was given the requirement to preserve the integrity of the
financial infrastructure for all retail payments
http://www.garlic.com/~lynn/x959.html#x959
http://www.garic.com/~lynn/subpubkey.html#x959
part of the standard was to specify an environment where the transactions were
always consistently "armored" and never left naked and vulnerable. misc. past
posts mentioning the naked payment/transaction metaphor
http://www.garlic.com/~lynn/aadsm24.htm#5 New ISO standard aims to ensure the security of financial transactions on the Internet
http://www.garlic.com/~lynn/aadsm24.htm#7 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#9 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#10 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#12 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#14 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#22 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#26 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#30 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#31 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#32 DDA cards may address the UK Chip&Pin woes
http://www.garlic.com/~lynn/aadsm24.htm#38 Interesting bit of a quote
http://www.garlic.com/~lynn/aadsm24.htm#41 Naked Payments IV - let's all go naked
http://www.garlic.com/~lynn/aadsm24.htm#42 Naked Payments II - uncovering alternates, merchants v. issuers, Brits bungle the risk, and just what are MBAs good for?
http://www.garlic.com/~lynn/aadsm24.htm#46 More Brittle Security -- Agriculture
http://www.garlic.com/~lynn/aadsm25.htm#20 Identity v. anonymity -- that is not the question
http://www.garlic.com/~lynn/aadsm25.htm#28 WESII - Programme - Economics of Securing the Information Infrastructure
http://www.garlic.com/~lynn/2006m.html#15 OpenSSL Hacks
http://www.garlic.com/~lynn/2006m.html#24 OT - J B Hunt
http://www.garlic.com/~lynn/2006o.html#35 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006o.html#37 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006o.html#40 the personal data theft pandemic continues
http://www.garlic.com/~lynn/2006t.html#40 Encryption and authentication
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
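The "naked" versus "armored" transaction contrast in the post above, worked as an added example (editor's illustration, not code from the post, from the x9a10 work, or from any ATM network): a PIN-debit message in which only the PIN block is encrypted leaves PAN, expiry and track-2 data readable to anyone on the link, which is exactly what a PINless signature-debit counterfeit needs; an armored message in which the card authenticates PAN, amount, merchant and a counter with a key that never goes on the wire gives the skimmer nothing reusable. Assumptions: the card data, keys and issuer tables are constructed for the example; an HMAC-SHA256 keystream stands in for the real 3DES/DUKPT PIN-block encryption, and HMAC-SHA256 stands in for the card's digital signature; the issuer checks are a minimal model, not any issuer's actual logic.

```python
import hmac
import hashlib
import secrets

# Constructed sample data for the example (not a real card or key).
PAN = "4000001234567899"
EXPIRY = "0912"
TRACK2 = f"{PAN}={EXPIRY}101"            # track-2 layout: PAN=expiry+service code
PIN = "4321"
PIN_KEY = b"terminal-to-switch-pin-key-0001"    # shared by terminal and switch
CARD_KEY = b"per-card-secret-never-on-the-wire"  # held by card and issuer only


def _pin_keystream(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()


def encrypt_pin_block(pin_key: bytes, pin: str) -> bytes:
    """Stand-in for the terminal's PIN-block encryption (deployments use 3DES
    under a DUKPT/zone key); here nonce || (padded PIN XOR HMAC keystream)."""
    nonce = secrets.token_bytes(16)
    plain = pin.encode().ljust(8, b"\xff")
    ks = _pin_keystream(pin_key, nonce)
    return nonce + bytes(p ^ k for p, k in zip(plain, ks))


def decrypt_pin_block(pin_key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:16], blob[16:]
    ks = _pin_keystream(pin_key, nonce)
    return bytes(c ^ k for c, k in zip(ct, ks)).rstrip(b"\xff").decode()


def build_pin_debit(amount: int, pin: str) -> dict:
    """ATM-style message: only the PIN block is encrypted, the rest is clear."""
    return {"pan": PAN, "expiry": EXPIRY, "track2": TRACK2, "amount": amount,
            "pin_block": encrypt_pin_block(PIN_KEY, pin)}


def skim(msg: dict) -> dict:
    """Everything a passive observer of the link (or a breached log) learns."""
    return {k: msg[k] for k in ("pan", "expiry", "track2")}


def counterfeit_signature_debit(skimmed: dict, amount: int) -> dict:
    """PINless signature-debit message built from the skimmed fields alone."""
    return {**skimmed, "amount": amount, "pin_block": None}


def issuer_naked(msg: dict, cards: dict) -> bool:
    """Issuer once signature-debit exists: the PIN is checked only if present."""
    card = cards.get(msg["pan"])
    if card is None or card["expiry"] != msg["expiry"]:
        return False
    if msg["pin_block"] is not None:
        return decrypt_pin_block(PIN_KEY, msg["pin_block"]) == card["pin"]
    return True   # nothing checked here is a secret the skimmer lacks


def _armor_body(msg: dict) -> bytes:
    return f'{msg["pan"]}|{msg["amount"]}|{msg["merchant"]}|{msg["counter"]}'.encode()


def build_armored(amount: int, merchant: str, counter: int) -> dict:
    """Armored transaction: the card authenticates PAN, amount, merchant and a
    monotonic counter with a key that is never transmitted (HMAC stands in
    for the card's signature)."""
    msg = {"pan": PAN, "amount": amount, "merchant": merchant, "counter": counter}
    msg["tag"] = hmac.new(CARD_KEY, _armor_body(msg), hashlib.sha256).digest()
    return msg


def issuer_armored(msg: dict, cards: dict) -> bool:
    card = cards.get(msg["pan"])
    if card is None:
        return False
    expect = hmac.new(card["card_key"], _armor_body(msg), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, msg["tag"]):
        return False                     # forged tag or altered amount/merchant
    if msg["counter"] <= card["last_counter"]:
        return False                     # replay of a captured message
    card["last_counter"] = msg["counter"]
    return True


def new_issuer_db() -> dict:
    return {PAN: {"expiry": EXPIRY, "pin": PIN, "card_key": CARD_KEY, "last_counter": 0}}


def demo() -> dict:
    cards = new_issuer_db()
    legit = build_pin_debit(amount=50, pin=PIN)
    seen = skim(legit)                                  # attacker on the link
    fake = counterfeit_signature_debit(seen, amount=900)
    armored = build_armored(amount=50, merchant="M1", counter=1)
    replay = dict(armored)
    altered = dict(armored, amount=900)                 # tag no longer matches
    forged = dict(armored, counter=2, tag=b"\0" * 32)   # no CARD_KEY, no valid tag
    return {
        "naked_legit": issuer_naked(legit, cards),
        "naked_counterfeit": issuer_naked(fake, cards),
        "armored_legit": issuer_armored(armored, cards),
        "armored_replay": issuer_armored(replay, cards),
        "armored_altered": issuer_armored(altered, cards),
        "armored_forged": issuer_armored(forged, cards),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'AUTHORIZED' if ok else 'declined'}")
```

The naked case authorizes the counterfeit because every field the issuer checks in a PINless transaction was sent in the clear in the earlier PIN transaction. The armored case declines replay, amount alteration and forgery because the tag binds the transaction details to a per-card key, so the cleartext fields alone are no longer sufficient for fraud, which is the sense in which the rest of the message stops needing confidentiality.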