http://www.atmmarketplace.com/news_story_23530.htm
Keeping an eye on ATM fraud

What happened to the good ole days when the magnetic stripe was king? Remember ... those were the days when you didn't have to worry about ATM devices that skim or trap. In today's techie world, those days are long gone, and the mag-stripe's life is nearing its end.

... snip ...

note, as in previous posts ... it isn't just the skimming of static data from the magstripe (as well as pin-hole cameras that capture any PIN) .... but it is being able to capture the static data at any point in the infrastructure
http://www.garlic.com/~lynn/subpubkey.html#harvest
and use that static data in any kind of subsequent fraudulent transactions.

For the *enforced* PIN-debit and *enforced* x9.59 operations, it also means that normal static data is *never* sufficient to perform a transaction .... that authentication is always required.

The specific issue for PIN-debit is that technology advances are making it easier to skim both the magstripe as well as the PIN ... and then reproduce them for fraudulent transactions. *Enforced* PIN-debit does improve the situation (compared to regular credit magstripe) in that harvesting static data from transaction logs is normally not sufficient to perform fraudulent transactions. *Enforced* PIN-debit has somewhat higher resistance to the data breaches that have been in the press ... since the necessary PIN won't be found in the standard log and accounting files for standard business processes (but PIN-debit is still vulnerable to the skimming exploits at transaction origin).

ecdsa on x9.59 transactions
http://www.garlic.com/~lynn/index.html#x959
http://www.garlic.com/~lynn/subpubkey.html#privacy
won't expose any of the information needed to originate a fraudulent transaction (the specific account number and digital signature may be exposed ... but not the private key). A PIN on digital signature transactions can act as a countermeasure for lost/stolen token exploits.
The issue is that the PIN doesn't make a lot of difference on point-of-origin skimming exploits ... since the PIN will nominally be captured (but not the private key). Digital signature with a private key (that is never divulged) for *enforced* x9.59 transactions (i.e. the related static information can never be used successfully for a non-x9.59 transaction) is a sufficient countermeasure against both skimming and harvesting vulnerabilities.

A lot has been made of two-factor authentication as being necessary as a countermeasure for the majority of the current threats and vulnerabilities. A majority of the current threats and vulnerabilities are authentication infrastructures that use static data for authentication (and the static data can be skimmed and used for fraudulent transactions). Simple (static data) two-factor authentication isn't a countermeasure for the skimming exploits, while (dynamic data, like digital signature) single-factor authentication is a countermeasure for the skimming and harvesting exploits.

---------------------------------------------------------------------
The Cryptography Mailing List