Re: Creativity and security

2006-04-12 Thread Anne Lynn Wheeler
Anne Lynn Wheeler wrote: recent posts mentioning some skimming threats http://www.garlic.com/~lynn/aadsm22.htm#27 Meccano Trojans coming to desktop near you re: http://www.garlic.com/~lynn#aadsm22.htm#30 Creativity and security Trial starts on swipe-and-go card; A new smartcard could result

Re: Creativity and security

2006-04-08 Thread Anne Lynn Wheeler
Anne Lynn Wheeler wrote: the trivial case from nearly 10 years ago was the waiter in nyc restaurant (something sticks in my mind it was the Brazilian restaurant just off times sq) that had pda and small magstripe reader pined to the inside of their jacket. At some opportunity, they would

Re: Creativity and security

2006-03-28 Thread Steven M. Bellovin
On Sun, 26 Mar 2006 19:07:07 -0800, Joseph Ashwood [EMAIL PROTECTED] wrote: - Original Message - From: J. Bruce Fields [EMAIL PROTECTED] Subject: Re: Creativity and security On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote: IOW, unless we're talking about a corrupt

Re: Creativity and security

2006-03-28 Thread Matt Blaze
On Mar 26, 2006, at 22:07, Joseph Ashwood wrote: - Original Message - From: J. Bruce Fields [EMAIL PROTECTED] Subject: Re: Creativity and security On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote: IOW, unless we're talking about a corrupt employee with a photographic

Re: Creativity and security

2006-03-27 Thread Joseph Ashwood
- Original Message - From: J. Bruce Fields [EMAIL PROTECTED] Subject: Re: Creativity and security On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote: IOW, unless we're talking about a corrupt employee with a photographic memory and telescopic eyes, Tiny cameras are pretty

Re: Creativity and security

2006-03-27 Thread Anne Lynn Wheeler
Joseph Ashwood wrote: The one I find scarier is the US restaurant method of handling cards. For those of you unfamiliar with it, I hand my card to the waiter/waitress, the card disappears behind a wall for a couple of minutes, and my receipt comes back for to sign along with my card. Just to

Re: Creativity and security

2006-03-27 Thread Anne Lynn Wheeler
ref: http://www.garlic.com/~lynn/aadsm22.htm#30 Creativity and security and a more recent skimming news item from this month: Cloned-card scams socking it to bank accounts http://www.mysanantonio.com/news/metro/stories/MYSA030506.09B.atm_theft.27d5322.html the above card mentions pins with

Re: Creativity and security

2006-03-27 Thread brucee
regardingg the XXXing on receipts it turns out that things aren't as grim as i thought. i anlayzed the checksum algorithm and if you are missing n digits there are 10^(n-1) clashes. i verified this with a brute force program. but in the photograph the card scenario ... if one digit is blurry

Re: Creativity and security

2006-03-24 Thread Daniel Carosone
On Thu, Mar 23, 2006 at 08:15:50PM -, Dave Korn wrote: As we all know, when you pay with a credit or debit card at a store, it's important to take the receipt with you [..] So what they've been doing at my local branch of Marks Spencer for the past few weeks is, at the end of the

Re: Creativity and security

2006-03-24 Thread Dave Korn
J. Bruce Fields wrote: On Thu, Mar 23, 2006 at 08:15:50PM -, Dave Korn wrote: So what they've been doing at my local branch of Marks Spencer for the past few weeks is, at the end of the transaction after the (now always chip'n'pin-based) card reader finishes authorizing your

Re: Creativity and security

2006-03-24 Thread leichter_jerrold
| If all that information's printed on the outside of the card, then | isn't this battle kind of lost the moment you hand the card to them? | | 1- I don't hand it to them. I put it in the chip-and-pin card reader | myself. In any case, even if I hand it to a cashier, it is within my sight

Re: Creativity and security

2006-03-24 Thread J. Bruce Fields
On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote: J. Bruce Fields wrote: If all that information's printed on the outside of the card, then isn't this battle kind of lost the moment you hand the card to them? 1- I don't hand it to them. I put it in the chip-and-pin card reader

Re: Creativity and security

2006-03-23 Thread Dave Korn
Olle Mulmo wrote: On Mar 20, 2006, at 21:51, [EMAIL PROTECTED] wrote: I was tearing up some old credit card receipts recently - after all these years, enough vendors continue to print full CC numbers on receipts that I'm hesitant to just toss them as is, though I doubt there are many

Re: Creativity and security

2006-03-23 Thread J. Bruce Fields
On Thu, Mar 23, 2006 at 08:15:50PM -, Dave Korn wrote: So what they've been doing at my local branch of Marks Spencer for the past few weeks is, at the end of the transaction after the (now always chip'n'pin-based) card reader finishes authorizing your transaction, the cashier at the

Re: Creativity and security

2006-03-23 Thread brucee
Blanking out all but the last 4 digits is foolish. The last is a checksum and the first four are determined by the merchant. This greatly reduces the possibilities for the other 8 digits. I'd rather just Bank Name or even the first 4 digits. (I know that amex use only 15, even worse.) brucee

Re: Creativity and security

2006-03-21 Thread Olle Mulmo
Unfortunately, they haven't. In Europe I get receipts with different crossing-out patterns almost every week. And, with they I mean the builders of point-of-sale terminals: I don't think individual store owners are given a choice. Though I believe I have noticed a good trend in that I