UK Banks Expected To Move To DDA EMV Cards
UK Banks Expected To Move To DDA EMV Cards
http://www.epaynews.com/index.cgi?survey=&ref=browse&f=view&id=11497625028614136145&block=

... from above ...

Of the 6.2 billion card transactions in the UK each year, one in five occurs offline, which increases the risk of cloned cards being used at a retailer’s POS terminal. In short, a cloned credit or debit card may go unidentified if a transaction is not sent to a bank for approval.

... snip ...

re:
http://www.garlic.com/~lynn/aadsm24.htm#1 UK Detects Chip-And-PIN Security Flaw

note that the counterfeit "yes card" attack (from the late 90s) isn't on valid cards programmed to do offline (or online) transactions; the counterfeit "yes card" attack (built from skimmed "SDA" data) is on chip&pin terminals programmed to do what any authenticated card tells it to do (part of the chip&pin terminal standard):
http://www.garlic.com/~lynn/2006l.html#33

the countermeasure to counterfeit "yes card" attacks on chip&pin terminals is to program the terminal to ignore what the card tells it to do, and always do an online transaction. this makes chip&pin deployments subject to the same "account flagging" countermeasure that has been long used for magstripe cards.

The counterfeit "yes card" exploit always doing offline transactions (making it immune to account flagging countermeasures) was somewhat what prompted somebody several years ago to make the comment about spending several billion dollars to prove that chips were less secure than magstripe.

part of what had prompted the aads chip strawman effort
http://www.garlic.com/~lynn/x959.html#aads

in the 90s was the frequent comment about deployments being forced into doing "SDA" chip deployments because technology cost for "DDA" chip deployments was too uneconomical. Part of the aads chip strawman was to demonstrate technology doing dynamic data authentication (as countermeasure to skimming, harvesting and replay attacks) at the highest possible integrity ... for less cost than any "SDA" technology (as well as being able to meet transit contactless power and timing profile requirements).
http://www.garlic.com/~lynn/aadsm23.htm#56 UK Detects Chip-And-PIN Security Flaw

- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
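An added illustration of the terminal-side checks discussed in the message above; it is not code from the post or from any EMV specification. It uses toy textbook RSA over known Mersenne primes, and every key, record and function name is constructed for the example. It shows that copied static data still passes an SDA check, that forcing the transaction online lets account flagging apply, and that a DDA challenge fails without the chip's private key.

```python
import hashlib
import secrets

E = 65537

def make_key(p, q):
    """Toy textbook RSA from two known Mersenne primes (illustration only)."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])

# Constructed keys and account record; nothing here is real card material.
ISSUER = make_key(2**61 - 1, 2**89 - 1)
ICC = make_key(2**107 - 1, 2**127 - 1)
STATIC = b"PAN=4000000000000002;EXP=0712"

def icc_cert_body(static, icc_pub):
    # Data the issuer signs to bind the chip's public key to the account.
    return static + b"|" + str(icc_pub["n"]).encode() + b"|" + str(icc_pub["e"]).encode()

class GenuineCard:
    wants_offline = False
    def __init__(self):
        # Everything in `readable` can be read off the chip by any terminal.
        self.readable = {
            "static": STATIC,
            "sda_sig": sign(ISSUER, STATIC),
            "icc_pub": public(ICC),
            "icc_cert": sign(ISSUER, icc_cert_body(STATIC, public(ICC))),
        }
    def sign_challenge(self, nonce):
        return sign(ICC, nonce)          # private key never leaves the chip

class CopiedStaticCard:
    """Holds only copied readable data and always asks for offline approval."""
    wants_offline = True
    def __init__(self, readable, observed_sig):
        self.readable = dict(readable)
        self._observed_sig = observed_sig
    def sign_challenge(self, nonce):
        return self._observed_sig        # can only replay an old response

def sda_ok(card):
    r = card.readable
    return verify(public(ISSUER), r["static"], r["sda_sig"])

def dda_ok(card):
    r = card.readable
    if not verify(public(ISSUER), icc_cert_body(r["static"], r["icc_pub"]), r["icc_cert"]):
        return False
    nonce = secrets.token_bytes(16)      # fresh for every transaction
    return verify(r["icc_pub"], nonce, card.sign_challenge(nonce))

def terminal_decision(card, auth, force_online, flagged):
    if not (sda_ok(card) if auth == "SDA" else dda_ok(card)):
        return "DECLINE_AUTH"
    if card.wants_offline and not force_online:
        return "APPROVE_OFFLINE"         # issuer never sees the transaction
    account = card.readable["static"]
    return "DECLINE_FLAGGED" if account in flagged else "APPROVE_ONLINE"

def demo():
    genuine = GenuineCard()
    copy = CopiedStaticCard(genuine.readable, genuine.sign_challenge(b"old-nonce"))
    flagged = {STATIC}                   # issuer has flagged the account
    return {
        "sda_offline": terminal_decision(copy, "SDA", False, flagged),
        "sda_forced_online": terminal_decision(copy, "SDA", True, flagged),
        "dda": terminal_decision(copy, "DDA", False, flagged),
        "genuine_dda": terminal_decision(genuine, "DDA", False, set()),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} {result}")
```
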
Re: EMV and Re: mother's maiden names...
Thanks for some private comments. What I posted is a short summary of a number of arguments. It's not an absolute position, or an expose' of the credit card industry. Rather, it's a wake-up call -- The time has come to really face the issues of information security seriously, without isolating them with insurance at the cost of the consumers.

Why? Because the insurance model will not scale as the Internet and ecommerce do. In other words, "CardSystems Exposes 40 Million Identities" as a harbinger. Now that we know more about the facts in this recent case, expect more to come unless we begin to improve our security paradigm.

Yes, public opinion and credit card companies can and will force companies that process credit card data to increase their security. However, as my comments show, how about the "acceptable risk" concept that turns fraud into sales? Do As I Say, Not As I Do?

By weakly fighting fraud, aren't we allowing fraud systems to become stronger and stronger, just like any biological threat? The parasites are also fighting for survival. We're allowing even email to be so degraded that fax and snail mail are now becoming attractive again.

Cheers,
Ed Gerck
Re: EMV and Re: mother's maiden names...
Well, the "acceptable risk" concept that appears in these two threads has been for a long time a euphemism for that business model that shifts the burden of fraud to the customer.

The dirty little secret of the credit card industry is that they are very happy with 10% of credit card fraud, over the Internet or not. In fact, if they would reduce fraud to _zero_ today, their revenue would decrease as well as their profits. So, there is really no incentive to reduce fraud. On the contrary, keeping the status quo is just fine.

This is so because of insurance -- up to a certain level, which is well within the operational boundaries of course, a fraudulent transaction does not go unpaid through VISA, American Express or Mastercard servers. The transaction is fully paid, with its insurance cost paid by the merchant and, ultimately, by the customer.

Thus, the credit card industry has successfully turned fraud into a sale. This is the same attitude reported to me by a car manufacturer representative when I was talking to him about simple techniques to reduce car theft -- to which he said: "A car stolen is a car sold." In fact, a car stolen will need replacement that will be provided by insurance or by the customer working again to buy another car. While the stolen car continues to generate revenue for the manufacturer in service and parts.

Whenever we see continued fraud, we should be certain: the defrauded is profiting from it. Because no company will accept a continued loss without doing anything to reduce it. Arguments such as "we don't want to reduce the fraud level because it would cost more to reduce the fraud than the fraud costs" are just a marketing way to say that a fraud has become a sale.

Because fraud is a hemorrhage that adds up, while efforts to fix it -- if done correctly -- are mostly an up front cost that is incurred only once. So, to accept fraud debits is to accept that there is also a credit that continuously compensates the debit. Which credit ultimately flows from the customer -- just like in car theft.

What is to blame? Not only the twisted ethics behind this attitude but also that traditional security school of thought which focuses on risk, surveillance and insurance as the solution to security problems. There is no consideration of what trust really would mean in terms of bits and machines[*], no consideration that the insurance model of security cannot scale in Internet volumes and cannot even be ethically justifiable.

"A fraud is a sale" is the only outcome possible from using such security school of thought. Also sometimes referred to as "acceptable risk" -- acceptable indeed, because it is paid for.

Cheers,
Ed Gerck

[*] Unless the concept of trust in communication systems is defined in terms of bits and machines, while also making sense for humans, it really cannot be applied to e-commerce. And there are some who use trust as a synonym for authorization. This may work in a network, where a trusted user is a user authorized by management to use some resources. But it does not work across trust boundaries, or in the Internet, with no common reporting point possible.
Re: EMV [was: Re: Why Blockbuster looks at your ID.]
- Original Message -
From: "Victor Duchovni" <[EMAIL PROTECTED]>
Subject: Re: EMV [was: Re: Why Blockbuster looks at your ID.]

> Whose losses do these numbers measure?
>
> - Issuer Bank?
> - Merchant?
> - Consumer?
> - Total?

I'd say that you've fairly well hit the nail on the head. I've actually been meaning to reply to this for about a week now.

The truth is that each credit card transaction actually has either 3 or 4 parties; User U, Merchant M, Credit Card Issuer CCI, and Merchant Insurer MI (this is simplified there are generally multiple parties under CCI). Under legitimate circumstances the process is fairly simple; Legitimate User LU agrees to pay CCI, CCI already has an agreement to pay M, and M supplies the product/service to LU. During billing LU pays CCI, CCI pays M, everyone is happy.

Things are different in the case of False User FU. FU goes to M, FU agrees for LU to pay CCI, CCI (believing FU is LU) agrees to pay M, M supplies the product/service to FU. During billing is where things get strange. LU reports the bad transaction to CCI. CCI informs M and does not pay M. FU gets the product, M accepts the loss. In the normal case MI and M are the same entity so the buck stops there, if MI is separate from M, then MI reimburses M for some portion.

It's important to understand exactly who loses what when FU is in the picture. CCI loses the commission, generally a small flat fee on the order of $0.35, and a percentage generally <2%, this is not a large amount to lose, and the phone call to report the problem actually costs more than is lost, followed by the filing and tracking of the correct paperwork, this is the ACTUAL loss for CCI. MI loses the cost of the product/service reimbursed. LU loses basically nothing except time. FU obviously gains.

The point being that expecting CCI to foot a multi-billion dollar bill to change the process so that MI doesn't lose the money doesn't make sense. CCI will only work to increase CCIs profits. It is up to MI to pay for the upgraded systems by working with CCI towards CCIs goals (fewer losses for MI also means fewer reports to CCI so fewer losses). LU may be willing to foot part of the bill for the perceived improvements, CCI will only foot the portion that is in CCIs favor, MI will have to foot the majority of the bill and will only do so when it is in MIs favor. With credit card fraud decreasing, it is not in MIs favor to examine it at this time.

Joe
Re: EMV
AFAIK, the cards are still the same (Sony FeliCa: http://www.sony.net/Products/felica/): I never changed mine since I got it several years ago. The same card was also adopted in 2002 by EZ-Link in Singapore (http://www.ezlink.com.sg ).

Enzo

- Original Message -
From: "Anne & Lynn Wheeler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "'Ben Laurie'" <[EMAIL PROTECTED]>; "'Peter Fairbrother'" <[EMAIL PROTECTED]>; "'Florian Weimer'" <[EMAIL PROTECTED]>; "'David Alexander Molnar'" <[EMAIL PROTECTED]>; "'? Schmidt'" <[EMAIL PROTECTED]>;
Sent: Wednesday, July 13, 2005 8:55 AM
Subject: Re: EMV

> ... the original introduction of HK octopus transit card used the
> "sony" flavor of iso 14443 with 10cm and transit requirements of
> transaction in 100ms. having it in the bottom of a bag and bringing the
> bag within 10cm of the reader does the trick.
>
> there was a transit meeting where the mondex people attended ... they
> claimed that they could also be used for transit ... just get a wireless
> sleeve for the mondex card ... and build 14' long tunnels leading up to
> the transit gates ... and have the people walk slowly thru the tunnels.
>
> Gabriel Haythornthwaite wrote:
> > In Hong Kong a lot of people do little more than wave their bags at the
> > turnstile. Removing the wallet and revealing its size is unnecessary.
Re: EMV
... the original introduction of HK octopus transit card used the "sony" flavor of iso 14443 with 10cm and transit requirements of transaction in 100ms. having it in the bottom of a bag and bringing the bag within 10cm of the reader does the trick.

there was a transit meeting where the mondex people attended ... they claimed that they could also be used for transit ... just get a wireless sleeve for the mondex card ... and build 14' long tunnels leading up to the transit gates ... and have the people walk slowly thru the tunnels.

Gabriel Haythornthwaite wrote:
> In Hong Kong a lot of people do little more than wave their bags at the
> turnstile. Removing the wallet and revealing its size is unnecessary.
RE: EMV
In Hong Kong a lot of people do little more than wave their bags at the turnstile. Removing the wallet and revealing its size is unnecessary.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ben Laurie
> Sent: Tuesday, 12 July 2005 8:14 PM
> To: Peter Fairbrother
> Cc: Florian Weimer; David Alexander Molnar; ? Schmidt;
> cryptography@metzdowd.com
> Subject: Re: EMV
>
> Peter Fairbrother wrote:
> > Florian Weimer wrote:
> >
> >>* David Alexander Molnar:
> >>
> >>>Actually, smart cards are here today. My local movie theatre in
> >>>Berkeley, California is participating in a trial for "MasterCard
> >>>PayPass." There is a little antenna at the window; apparently you can
> >>>just wave your card at the antenna to pay for tickets. I haven't
> >>>observed anyone using it in person, but the infrastructure is there
> >>>right now.
> >>
> >>If you are interested in useful RFID applications, just visit
> >>Singapore. 8-) They use RFID tickets on the subway (MRT) and on
> >>busses, and you don't have to worry about buying the right ticket
> >>because the system charges you the correct amount. However, there's
> >>one thing that makes me nervous: if you know the card number (which is
> >>printed on the cards), you can go to a web page, enter it, and obtain
> >>the last 20 rides during the last 3 days, without any further
> >>authentication.
> >
> > London Underground have a contactless system too, but it isn't used
> > much. As I remember it had a similar problem, but they may have
> > changed that.
> >
> > You take out your wallet with the card in and wave it over a
> > palm-sized yellow blob on the turnstile, but you don't have to open
> > your wallet to withdraw a token.
> >
> > Muggers and pickpockets keep a close eye out to see how fat your
> > wallet is and where you keep it ...
>
> Which, of course, they would never do if you were extracting
> money to buy a ticket, or showing your season ticket. Explain
> to me how the contactless system alters this risk in any way?
>
> Cheers,
>
> Ben.
>
> --
> >>>ApacheCon Europe<<< http://www.apachecon.com/
>
> http://www.apache-ssl.org/ben.html http://www.thebunker.net/
>
> "There is no limit to what a man can do or how far he can go
> if he doesn't mind who gets the credit." - Robert Woodruff
Re: EMV
>It appears to be a contactless smart card/RFID that uses the
>ISO 14443 standard for the RF interface. There is some documentation
>available, unfortunately most of it restricted to licensees.

ISO 14443 details can be found at http://www.jayacard.org/14443/

Note that a few of the files are MS Word .doc format (most are .pdf).

--Mark
Re: EMV
Peter Fairbrother wrote:
> Florian Weimer wrote:
>
>> * David Alexander Molnar:
>>
>>> Actually, smart cards are here today. My local movie theatre in
>>> Berkeley, California is participating in a trial for "MasterCard
>>> PayPass." There is a little antenna at the window; apparently you can
>>> just wave your card at the antenna to pay for tickets. I haven't
>>> observed anyone using it in person, but the infrastructure is there
>>> right now.
>>
>> If you are interested in useful RFID applications, just visit
>> Singapore. 8-) They use RFID tickets on the subway (MRT) and on
>> busses, and you don't have to worry about buying the right ticket
>> because the system charges you the correct amount. However, there's
>> one thing that makes me nervous: if you know the card number (which is
>> printed on the cards), you can go to a web page, enter it, and obtain
>> the last 20 rides during the last 3 days, without any further
>> authentication.
>
> London Underground have a contactless system too, but it isn't used
> much. As I remember it had a similar problem, but they may have changed
> that.
>
> You take out your wallet with the card in and wave it over a palm-sized
> yellow blob on the turnstile, but you don't have to open your wallet to
> withdraw a token.
>
> Muggers and pickpockets keep a close eye out to see how fat your wallet
> is and where you keep it ...

Which, of course, they would never do if you were extracting money to buy a ticket, or showing your season ticket. Explain to me how the contactless system alters this risk in any way?

Cheers,

Ben.

--
>>>ApacheCon Europe<<< http://www.apachecon.com/

http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: EMV
Florian Weimer wrote:

> * David Alexander Molnar:
>
>> Actually, smart cards are here today. My local movie theatre in Berkeley,
>> California is participating in a trial for "MasterCard PayPass." There is
>> a little antenna at the window; apparently you can just wave your card at
>> the antenna to pay for tickets. I haven't observed anyone using it in
>> person, but the infrastructure is there right now.
>
> If you are interested in useful RFID applications, just visit
> Singapore. 8-) They use RFID tickets on the subway (MRT) and on
> busses, and you don't have to worry about buying the right ticket
> because the system charges you the correct amount. However, there's
> one thing that makes me nervous: if you know the card number (which is
> printed on the cards), you can go to a web page, enter it, and obtain
> the last 20 rides during the last 3 days, without any further
> authentication.

London Underground have a contactless system too, but it isn't used much. As I remember it had a similar problem, but they may have changed that.

You take out your wallet with the card in and wave it over a palm-sized yellow blob on the turnstile, but you don't have to open your wallet to withdraw a token.

Muggers and pickpockets keep a close eye out to see how fat your wallet is and where you keep it ...

--
Peter Fairbrother
Re: EMV [was: Re: Why Blockbuster looks at your ID.]
> On Sat, 9 Jul 2005, [UNKNOWN] Jörn Schmidt wrote:
>
>> less attractive to commit credit card fraud. You are, however, not
>> making it harder. That's why I believe the credit cards companies will
>> indeed have a good, long look at smartcards. Probably not tomorrow or
>> next week but in the near future.
>
> Actually, smart cards are here today. My local movie theatre in Berkeley,
> California is participating in a trial for "MasterCard PayPass." There is
> a little antenna at the window; apparently you can just wave your card at
> the antenna to pay for tickets. I haven't observed anyone using it in
> person, but the infrastructure is there right now.

Interesting, they have a card (smart card)? and key fob version. I hope their key fob version is not as insecure as the SpeedPass RFID transponder token used by Exxon/Esso, which has recently been broken
http://rfidanalysis.org/

The SpeedPass implemented an authentication algorithm (I think it was a CRC-like challenge response based on a secret that defined the polynomial used) based on a 40-bit key. Bono & al. figured out the algorithm (based on a patent, which described the algorithm generically, they figured out the constants that were chosen). The question is why did they use a 40-bit secret? Is there some technological constraint preventing the use of something better?

The other thing is that many of the smart cards also have a magnetic strip, so your security level is as strong as the weakest point (magnetic stripe type payments). Until all the cards are smart cards, readers will accept both types.

--Anton
Re: EMV
* David Alexander Molnar:

> Actually, smart cards are here today. My local movie theatre in Berkeley,
> California is participating in a trial for "MasterCard PayPass." There is
> a little antenna at the window; apparently you can just wave your card at
> the antenna to pay for tickets. I haven't observed anyone using it in
> person, but the infrastructure is there right now.

If you are interested in useful RFID applications, just visit Singapore. 8-) They use RFID tickets on the subway (MRT) and on busses, and you don't have to worry about buying the right ticket because the system charges you the correct amount. However, there's one thing that makes me nervous: if you know the card number (which is printed on the cards), you can go to a web page, enter it, and obtain the last 20 rides during the last 3 days, without any further authentication.

It's a system where contactless readers make a lot of sense, though.

> Here's the MasterCard fact sheet about PayPass:
> http://www.paypass.com/fact_sheet.html

In Germany, we have got something even better: digital cash (Geldkarte). The system is rather old, so it doesn't use contactless smartcards, and it was never accepted by customers and merchants. I'm not even sure if it's still usable. I own one or two of the smartcards, but I don't think I've ever used them. 8-/
Re: EMV
David Alexander Molnar <[EMAIL PROTECTED]> writes:

> On Sat, 9 Jul 2005, [UNKNOWN] Jörn Schmidt wrote:
>
>> less attractive to commit credit card fraud. You are, however, not
>> making it harder. That's why I believe the credit cards companies will
>> indeed have a good, long look at smartcards. Probably not tomorrow or
>> next week but in the near future.
>
> Actually, smart cards are here today. My local movie theatre in
> Berkeley, California is participating in a trial for "MasterCard
> PayPass." There is a little antenna at the window; apparently you can
> just wave your card at the antenna to pay for tickets. I haven't
> observed anyone using it in person, but the infrastructure is there
> right now.

The contactless systems provide almost zero added user convenience. They're a nice marketing hack by the RFID crowd, but nearly nothing more. Users do not mind withdrawing a token from their wallet and inserting it momentarily into a reader.

However, the contactless systems also provide a nice new mechanism for fraud, and with the increasing feasibility of phased array systems, that fraud may soon be possible at considerable distances.

So, we've gained very little, other than a nice new app for RFID (RFID being a large scale solution waiting for problems), but at the same time we've lost quite a bit.

--
Perry E. Metzger [EMAIL PROTECTED]
Re: EMV [was: Re: Why Blockbuster looks at your ID.]
On Sat, 9 Jul 2005, [UNKNOWN] Jörn Schmidt wrote:

> less attractive to commit credit card fraud. You are, however, not
> making it harder. That's why I believe the credit cards companies will
> indeed have a good, long look at smartcards. Probably not tomorrow or
> next week but in the near future.

Actually, smart cards are here today. My local movie theatre in Berkeley, California is participating in a trial for "MasterCard PayPass." There is a little antenna at the window; apparently you can just wave your card at the antenna to pay for tickets. I haven't observed anyone using it in person, but the infrastructure is there right now.

Here's the MasterCard fact sheet about PayPass:
http://www.paypass.com/fact_sheet.html

It appears to be a contactless smart card/RFID that uses the ISO 14443 standard for the RF interface. There is some documentation available, unfortunately most of it restricted to licensees.
https://mbe2stl101.mastercard.net/hsm2stl101/public/login/ebusiness/mobile_commerce/paypass/documentation/index.jsp

You can do some Google searching to find MasterCard's involvement in standards-setting for EMV via smart cards over the years. From that it is possible to guess what PayPass might be doing, but I would prefer to know for sure.

By the way, Visa is doing it too:
http://usa.visa.com/personal/cards/contactless/

Chase appears to be issuing them now; you can apply for one online.
www.chaseblink.com

From what I understand, contactless transactions are currently limited to $25 or less. This should reduce the incentive for someone to carry out the kind of relay/chess grandmaster attack described by Gerhard Hancke
"A Practical Relay Attack on ISO 14443 Proximity Cards"
http://www.cl.cam.ac.uk/~gh275/relay.pdf

Hancke and Markus Kuhn have a paper on "distance bounding" protocols to combat this kind of relay attack. Unfortunately it does not appear to be on Hancke's web page yet.

One of the nice things about these cards is that they also support the standard card number on the front and magstripe. So you could imagine a situation where the number is used as normal until fraud is detected, then revoked, but the contactless pay capability is not revoked. I have no idea if that is what they actually do, though.

-David Molnar
Re: EMV [was: Re: Why Blockbuster looks at your ID.]
--- [EMAIL PROTECTED] wrote:

[decline in credit card fraud]
> Interesting statistics.
[...]
> But these are still considerable numbers,
[...]

I totally agree. And I would just like to make a quick point: the credit card companies (especially Visa/Mastercard) have been very aggressive in fraud prevention in the last ten years. And I don't mean algorithms that detect unusual activity and flag a card, thereby prompting your bank to call and verify that the charges are good. They've been doing that for years, if not decades. No, I mean literally detective work -- tracking people down, having their sites closed and bank accounts frozen and actually pushing to have people prosecuted. They have been quite active, trying to recruit people in the law enforcement community and offering handsome salaries.

The whole thing works based on the premise that there are a lot of small-time gangsters at any given time but only a few big fish. And if you can increase the cost of doing business (either in terms of making credit fraud more expensive or in terms of increasing the likelihood to get caught) you can basically justify the expense of running a big anti-fraud unit.

But, in a way, that's only dealing with the symptoms, whilst at the same time ignoring the root cause of the problem. You're only making it less attractive to commit credit card fraud. You are, however, not making it harder. That's why I believe the credit cards companies will indeed have a good, long look at smartcards. Probably not tomorrow or next week but in the near future.

-Jörn
Re: EMV [was: Re: Why Blockbuster looks at your ID.]
On Fri, Jul 08, 2005 at 03:48:30PM -0400, [EMAIL PROTECTED] wrote:

> > We're on the order of 4.7 cents on the $100.
>
> Interesting statistics.
> Seems like it's the same thing in Canada
> http://www.rcmp.ca/scams/ccandpc_e.htm
> Reported $227M in credit card fraud in 1999, dropped to $200M in 2003.

Whose losses do these numbers measure?

- Issuer Bank?
- Merchant?
- Consumer?
- Total?

--
 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X  AGAINST      IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.
EMV [was: Re: Why Blockbuster looks at your ID.]
> Dan Kaminsky <[EMAIL PROTECTED]> writes:
>> Credit card fraud has gone *down* since 1992, and is actually falling:
>>
>> 1992: $2.6B
>> 2003: $882M
>> 2004: $788M
>>
>> We're on the order of 4.7 cents on the $100.

Interesting statistics. Seems like it's the same thing in Canada
http://www.rcmp.ca/scams/ccandpc_e.htm
Reported $227M in credit card fraud in 1999, dropped to $200M in 2003.

But these are still considerable numbers, and the thinking that Banks manage the risk and it's not worth them going over to smart card technology so they won't, which was mentioned in a few replies, I think no longer holds (probably because of the falling cost of the technology, so even if fraud $ is down as mentioned, ratio of fraud cost / cost of technology that is more secure still leads financial institutions to want to go to a more secure technology).

Europe already has EMV, and Canada plans to have an infrastructure (card readers) that support it by 2007. Probably U.S. will follow
http://www.atmmarketplace.com/news_story_23380.htm
http://www.atmmarketplace.com/news_story_22849.htm
http://www.kioskmarketplace.com/news_printable.htm?id=23380

And here, for example, is a quote from Visa Canada
http://www.visa.ca/en/about/mc_article.cfm?pid=2
"Visa Canada Member financial institutions will implement chip at their own pace. It is expected that within seven years, almost every Visa card in Canada will feature chip technology and most merchants will have the equipment to accept and fully benefit from these cards."

That was written in June 2003.

--Anton