On 6/21/05, Florian Weimer <[EMAIL PROTECTED]> wrote:
>> Also there are several attacks on Chip n' PIN as deployed here in
>> the UK, starting with the fake reader attacks - for
>> instance, a fake reader says you are authorising a payment for
>> $6.99 while in fact the card and PIN are being us
Charles M. Hannum wrote:
> As long as the "credit card" has no display, you're still trusting the
> terminal to give the purchaser correct information. If you're using a smart
> "credit card" that participates directly in the transaction, storing
> transaction data, signed by the processor's sy
Anne & Lynn Wheeler wrote:
> For pure authentication operations ... this model eliminates the whole
> digital certificate paradigm ... since the model assumes that the
> originator of the authentication request already has the recipient's
> public key recorded someplace.
> http://www.garlic.com/~l
James A. Donald wrote:
> Rather the server should send out some encrypted random
> data which the end user decrypts. End user should then
> prove knowledge of that encrypted data.
so the random data is sent encrypted with the person's public key ...
they can decrypt it with their private key. so
--
On 22 Jun 2005 at 8:39, Anne & Lynn Wheeler wrote:
> the dual-use attack ... is possibly a person-centric
> digitally signing token (in contrast to
> institutional-centric token where each institution
> might issue a unique token for every use) ... that can
> be registered for use in multipl
Anne & Lynn Wheeler wrote:
> so one of the AADS chip strawman suggestions for x9.59 from the 90s
> http://www.garlic.com/~lynn/index.html#aads
>
> was the same protocol and transaction whether it was with the merchant
> terminals ... or with a consumer owned pda/cellphone device (any kind of
> wir
Steven M. Bellovin wrote:
MasterCard reported the exposure of up to 40,000,000 credit card
numbers at CardSystems Solutions, a third-party processor of credit
card data. CardSystems was infected with a script that targeted
specific data. In other words, this wasn't the usual carelessness,
th
Anne & Lynn Wheeler wrote:
> as referenced in the above ... x9.59
> http://www.garlic.com/~lynn/index.html#x959
>
> has countermeasure against the harvesting vulnerability (w/o
> requiring any encryption) which is so attractive to attackers because
> the return is so enormous for the amount of eff
Peter Fairbrother <[EMAIL PROTECTED]> writes:
>Steven M. Bellovin wrote:
>> Designing a system that deflects this sort of attack is challenging.
>> The right answer is smart cards that can digitally sign transactions
>
>No, it isn't! A handwritten signature is far better, it gives post-facto
>evide
Peter Fairbrother wrote:
> Also there are several attacks on Chip n' PIN as deployed here in the UK,
> starting with the fake reader attacks - for instance, a fake reader says you
> are authorising a payment for $6.99 while in fact the card and PIN are being
> used to authorise a transaction for $1
* Peter Fairbrother:
> No, it isn't! A handwritten signature is far better, it gives post-facto
> evidence about who authorised the transaction - it is hard to fake a
> signature so well that later analysis can't detect the forgery,
Apparently, handwritten signatures can be repudiated, at least I
Steven M. Bellovin wrote:
> MasterCard reported the exposure of up to 40,000,000 credit card
> numbers at CardSystems Solutions, a third-party processor of credit
> card data. CardSystems was infected with a script that targeted
> specific data. In other words, this wasn't the usual carelessne
Steven M. Bellovin wrote:
> Designing a system that deflects this sort of attack is challenging.
> The right answer is smart cards that can digitally sign transactions
No, it isn't! A handwritten signature is far better, it gives post-facto
evidence about who authorised the transaction - it is h
On Fri, 17 Jun 2005, Steven M. Bellovin wrote:
> Designing a system that deflects this sort of attack is challenging.
> The right answer is smart cards that can digitally sign transactions,
> but that would require rolling out new readers to all the merchants.
I was amazed to hear of the UK's fast
MasterCard reported the exposure of up to 40,000,000 credit card
numbers at CardSystems Solutions, a third-party processor of credit
card data. CardSystems was infected with a script that targeted
specific data. In other words, this wasn't the usual carelessness,
this was enemy action, and of
15 matches