Re: Creativity and security

2006-04-12 Thread Anne Lynn Wheeler

Anne Lynn Wheeler wrote:

recent posts mentioning some skimming threats
http://www.garlic.com/~lynn/aadsm22.htm#27 Meccano Trojans coming to
desktop near you


re:
http://www.garlic.com/~lynn#aadsm22.htm#30 Creativity and security

Trial starts on swipe-and-go card; A new smartcard could result in 
shorter queues in the shops

http://www.theage.com.au/news/business/trial-starts-on-swipeandgo-card/2006/04/12/1144521400790.html

the above has the quote:

The card never leaves your hand, ... In fact, it need not even be 
taken out of the wallet, and there is no chance information from the 
card can be skimmed, the most common form of card fraud.


... snip ...

while the earlier reference is to a situation where the crook is using 
their own device for extra swipes, a significant portion of skimming

involve compromised devices that harvest information
http://www.garlic.com/~lynn/subpubkey.html#harvest

as part of a normal transaction. The real issue is whether static data 
is used for authentication and therefore the infrastructure is vulnerable 
to any kind of skimming/harvesting/eavesdropping and replay attacks.


a few recent comments about static data exploits for replay attacks
http://www.garlic.com/~lynn/aadsm22.htm#20 FraudWatch - ChipPin, a new 
tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - ChipPin, a new 
tenner (USD10)

http://www.garlic.com/~lynn/2006e.html#10 Caller ID spoofing
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006f.html#39 X.509 and ssh

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
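The static-data versus dynamic-authentication point in the message above, and the relayed-authentication conjecture in the 2006-04-08 message further down, as an added example that is not part of the original posts. It is a deliberately simplified model, not the EMV protocol: the track record, the per-card key, the `CardRules` fields and the HMAC challenge/response are all assumptions made for illustration. It shows a harvested static record being replayed successfully, a harvested dynamic transcript failing against a fresh terminal nonce, and why the card's business rules must be bound into the authenticated data rather than authenticated "separately from its actual operation".

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed example data; none of it is real card data or the real EMV scheme.
TRACK2_STATIC = b"4111111111111111=0912101"                    # magstripe-style static record
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # assumed per-card secret
ISSUER_DB = {TRACK2_STATIC}                                    # records the issuer honours


@dataclass(frozen=True)
class CardRules:
    """Business rules a card asserts for offline use (assumed fields)."""
    pan: str
    offline_limit: int   # largest amount a terminal may approve without going online


GENUINE_RULES = CardRules(pan="4111111111111111", offline_limit=50)


# --- Static data: whatever the reader saw *is* the credential. ---
def terminal_static_authorize(track: bytes, amount: int) -> bool:
    """Approve if the presented record is one the issuer knows. A copy of the
    data is indistinguishable from the card, so harvest-and-replay works."""
    return track in ISSUER_DB


def skim_and_replay(amount: int) -> bool:
    """A compromised reader stores the track during a normal sale and a
    counterfeit card replays it later, anywhere."""
    harvested = bytes(TRACK2_STATIC)
    return terminal_static_authorize(harvested, amount)


# --- Dynamic data: card proves possession of a key over a fresh challenge. ---
def _message(nonce: bytes, amount: int, rules: Optional[CardRules]) -> bytes:
    parts = [nonce, amount.to_bytes(4, "big")]
    if rules is not None:   # bind the card's rules into the authenticated data
        parts += [rules.pan.encode(), rules.offline_limit.to_bytes(4, "big")]
    return b"|".join(parts)


def card_respond(key, nonce, amount, rules, bind_rules) -> bytes:
    """Card MACs the terminal's challenge; with bind_rules it also covers
    the rules it is asserting."""
    return hmac.new(key, _message(nonce, amount, rules if bind_rules else None),
                    hashlib.sha256).digest()


def terminal_verify(key, nonce, amount, presented_rules, tag, bind_rules) -> bool:
    """Terminal recomputes the MAC over what was presented to it."""
    expected = hmac.new(key, _message(nonce, amount, presented_rules if bind_rules else None),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def genuine_offline_transaction(amount: int) -> bool:
    """Honest card at an honest terminal: approve offline only within the card's limit."""
    nonce = secrets.token_bytes(16)
    tag = card_respond(CARD_KEY, nonce, amount, GENUINE_RULES, bind_rules=True)
    ok = terminal_verify(CARD_KEY, nonce, amount, GENUINE_RULES, tag, bind_rules=True)
    return ok and amount <= GENUINE_RULES.offline_limit


def replay_dynamic_transcript() -> bool:
    """Skimmer records a whole (nonce, tag) exchange and replays the tag at a
    second terminal, which issues its own fresh nonce."""
    nonce1 = secrets.token_bytes(16)
    tag1 = card_respond(CARD_KEY, nonce1, 20, GENUINE_RULES, bind_rules=True)
    nonce2 = secrets.token_bytes(16)
    return terminal_verify(CARD_KEY, nonce2, 20, GENUINE_RULES, tag1, bind_rules=True)


def relay_with_forged_rules(bind_rules: bool) -> bool:
    """The conjectured attack: a counterfeit card relays the challenge to a
    genuine card (so the authentication exchange is real) and then presents
    its own, more generous, business rules for the rest of the transaction."""
    nonce = secrets.token_bytes(16)
    amount = 500                                   # far above the genuine offline limit
    tag = card_respond(CARD_KEY, nonce, amount, GENUINE_RULES, bind_rules)  # genuine card answers
    forged = CardRules(pan=GENUINE_RULES.pan, offline_limit=10_000)         # counterfeit's rules
    approved = terminal_verify(CARD_KEY, nonce, amount, forged, tag, bind_rules)
    return approved and amount <= forged.offline_limit
```

With `bind_rules=False` the authentication exchange is genuine but says nothing about the rules the terminal then applies, so the relay is approved offline for 500; with `bind_rules=True` the MAC computed by the genuine card over its real limit does not verify against the counterfeit's substituted rules and the transaction is refused.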


Re: Creativity and security

2006-04-08 Thread Anne Lynn Wheeler

Anne Lynn Wheeler wrote:

the trivial case from nearly 10 years ago was the waiter in nyc
restaurant (something sticks in my mind it was the Brazilian restaurant
just off times sq) that had pda and small magstripe reader pinned to the
inside of their jacket. At some opportunity, they would casually pass
the card down the inside of their lapel (doesn't even really have to
disappear anyplace). This was before wireless and 802.11 ... so the
magstripe images would accumulate in the pda until the waiter took a
break ... and then they would be uploaded to a PC and then to the
internet (hong kong was used as example) ... counterfeit cards would be
on the street (opposite side of the world), still within a few hours at
most.


supposedly new?

iPod used to store data in identity theft
http://news.com.com/2061-10789_3-6059128.html

from above ..

April 7, 2006 4:55 PM PDT

A 35-year-old identity theft suspect may have taken Apple Computer's 
mandate, Think Different, a little too far.


... snip ... above article references:

Beware the 'pod slurping' employee
http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html?tag=nl

... from above

Published: February 15, 2006, 10:29 AM PST

A U.S. security expert who devised an application that can fill an iPod 
with business-critical data in a matter of minutes is urging companies 
to address the very real threat of data theft.


... snip

and some conjecture about a possible MITM-attack ... using counterfeit 
card in conjunction with PDA wireless internet connection to a 
lost/stolen valid card at some remote location.

http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - ChipPin
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a 
desktop near you


This is a scenario where a card may be authenticated separately from its 
actual operation. The hypothetical MITM-attack is against a terminal's 
willingness to agree with the business rules in a valid card used for 
offline transactions. Since the attack is against the offline 
transaction business rules in a valid card, it may not even be necessary 
to obtain a lost/stolen valid card ... it may just be necessary to 
obtain any valid card (say thru valid application using false 
information) ... the MITM counterfeit card uses any valid card for the 
authentication exchange ... and then proceeds with the rest of the 
transaction using its own business rules.




Re: Creativity and security

2006-03-28 Thread Steven M. Bellovin
On Sun, 26 Mar 2006 19:07:07 -0800, Joseph Ashwood [EMAIL PROTECTED]
wrote:

 - Original Message - 
 From: J. Bruce Fields [EMAIL PROTECTED]
 Subject: Re: Creativity and security
 
 
  On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:
IOW, unless we're talking about a corrupt employee with a photographic
  memory and telescopic eyes,
 
  Tiny cameras are pretty cheap these days, aren't they?  The employee
  would be taking more of a risk at that point though, I guess.
 
 The one I find scarier is the US restaurant method of handling cards. For 
 those of you unfamiliar with it, I hand my card to the waiter/waitress, the 
 card disappears behind a wall for a couple of minutes, and my receipt comes 
 back for me to sign along with my card. Just to see if anyone would notice I 
 actually did this experiment with a (trusted) friend that works at a small 
 upscale restaurant. I ate, she took my card in the back, without hiding 
 anything or saying what she was doing she took out her cellphone, snapped a 
 picture, then processed everything as usual. The transaction did not take 
 noticeably longer than usual, the picture was very clear, in short, if I 
 hadn't known she was doing this back there I would never have known. Even at 
 a high end restaurant where there are more employees than clients no one 
 paid enough attention in the back to notice this. If it wasn't a trusted 
 friend doing this I would've been very worried.

There was a Dilbert strip on that about 10 years ago.  (Jan 11, 1996,
according to my saved copy, but it doesn't seem to be available via
their web archive.)  It shows Dilbert saying that he'd never buy
anything online because he doesn't want his credit card number floating
around the net.  He then hands his credit card to a waitress, who comes
back wearing a fur coat.


--Steven M. Bellovin, http://www.cs.columbia.edu/~smb



Re: Creativity and security

2006-03-28 Thread Matt Blaze


On Mar 26, 2006, at 22:07, Joseph Ashwood wrote:

- Original Message - From: J. Bruce Fields [EMAIL PROTECTED]

Subject: Re: Creativity and security


On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:
  IOW, unless we're talking about a corrupt employee with a photographic
memory and telescopic eyes,


Tiny cameras are pretty cheap these days, aren't they?  The employee
would be taking more of a risk at that point though, I guess.


The one I find scarier is the US restaurant method of handling cards.
For those of you unfamiliar with it, I hand my card to the
waiter/waitress, the card disappears behind a wall for a couple of
minutes, and my receipt comes back for me to sign along with my card.
Just to see if anyone would notice I actually did this experiment
with a (trusted) friend that works at a small upscale restaurant. I
ate, she took my card in the back, without hiding anything or
saying what she was doing she took out her cellphone, snapped a
picture, then processed everything as usual. The transaction did
not take noticeably longer than usual, the picture was very clear,
in short, if I hadn't known she was doing this back there I would
never have known. Even at a high end restaurant where there are
more employees than clients no one paid enough attention in the
back to notice this. If it wasn't a trusted friend doing this I
would've been very worried.

   Joe



Heh, that's marvelous.

I touched briefly on the awfulness of restaurant payment protocols in my
2004 paper from the Cambridge Protocols Workshop, which you may enjoy:

   M. Blaze. Toward a broader view of security protocols.
   12th Cambridge International Workshop on Security Protocols.
   Cambridge, UK. April 2004.

   http://www.crypto.com/papers/humancambridgepreproc.pdf

-matt




Re: Creativity and security

2006-03-27 Thread Joseph Ashwood
- Original Message - 
From: J. Bruce Fields [EMAIL PROTECTED]

Subject: Re: Creativity and security



On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:

  IOW, unless we're talking about a corrupt employee with a photographic
memory and telescopic eyes,


Tiny cameras are pretty cheap these days, aren't they?  The employee
would be taking more of a risk at that point though, I guess.


The one I find scarier is the US restaurant method of handling cards. For 
those of you unfamiliar with it, I hand my card to the waiter/waitress, the 
card disappears behind a wall for a couple of minutes, and my receipt comes 
back for me to sign along with my card. Just to see if anyone would notice I 
actually did this experiment with a (trusted) friend that works at a small 
upscale restaurant. I ate, she took my card in the back, without hiding 
anything or saying what she was doing she took out her cellphone, snapped a 
picture, then processed everything as usual. The transaction did not take 
noticeably longer than usual, the picture was very clear, in short, if I 
hadn't known she was doing this back there I would never have known. Even at 
a high end restaurant where there are more employees than clients no one 
paid enough attention in the back to notice this. If it wasn't a trusted 
friend doing this I would've been very worried.
   Joe 






Re: Creativity and security

2006-03-27 Thread Anne Lynn Wheeler
Joseph Ashwood wrote:
 The one I find scarier is the US restaurant method of handling cards.
 For those of you unfamiliar with it, I hand my card to the
 waiter/waitress, the card disappears behind a wall for a couple of
 minutes, and my receipt comes back for me to sign along with my card. Just
 to see if anyone would notice I actually did this experiment with a
 (trusted) friend that works at a small upscale restaurant. I ate, she
 took my card in the back, without hiding anything or saying what she was
 doing she took out her cellphone, snapped a picture, then processed
 everything as usual. The transaction did not take noticeably longer than
 usual, the picture was very clear, in short, if I hadn't known she was
 doing this back there I would never have known. Even at a high end
 restaurant where there are more employees than clients no one paid
 enough attention in the back to notice this. If it wasn't a trusted
 friend doing this I would've been very worried.
Joe

the trivial case from nearly 10 years ago was the waiter in nyc
restaurant (something sticks in my mind it was the Brazilian restaurant
just off times sq) that had pda and small magstripe reader pinned to the
inside of their jacket. At some opportunity, they would casually pass
the card down the inside of their lapel (doesn't even really have to
disappear anyplace). This was before wireless and 802.11 ... so the
magstripe images would accumulate in the pda until the waiter took a
break ... and then they would be uploaded to a PC and then to the
internet (hong kong was used as example) ... counterfeit cards would be
on the street (opposite side of the world), still within a few hours at
most.

recent posts mentioning some skimming threats
http://www.garlic.com/~lynn/aadsm22.htm#27 Meccano Trojans coming to
desktop near you



Re: Creativity and security

2006-03-27 Thread Anne Lynn Wheeler
ref:
http://www.garlic.com/~lynn/aadsm22.htm#30 Creativity and security

and a more recent skimming news item from this month:

Cloned-card scams socking it to bank accounts
http://www.mysanantonio.com/news/metro/stories/MYSA030506.09B.atm_theft.27d5322.html

the above card mentions pins with debit cards ... which is typically
required for atm machines for withdrawing cash ... but the new class of
debit cards with logos can also be used w/o pins at pos terminals (aka
at pos, it is option selection to decide whether the debit card is used
with or w/o pin).

various recent postings mentioning skimming attacks:
http://www.garlic.com/~lynn/2006e.html#2 When *not* to sign an e-mail
message?
http://www.garlic.com/~lynn/2006e.html#3 When *not* to sign an e-mail
message?
http://www.garlic.com/~lynn/2006e.html#4 When *not* to sign an e-mail
message?
http://www.garlic.com/~lynn/2006e.html#10 Caller ID spoofing
http://www.garlic.com/~lynn/2006e.html#21 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#24 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#26 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#30 Debit Cards HACKED now
http://www.garlic.com/~lynn/2006e.html#44 Does the Data Protection Act
of 2005 Make Sense
http://www.garlic.com/~lynn/aadsm22.htm#2 GP4.3 - Growth and Fraud -
Case #3 - Phishing
http://www.garlic.com/~lynn/aadsm22.htm#5 long-term GPG signing key
http://www.garlic.com/~lynn/aadsm22.htm#10 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#11 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#12 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#13 Face and fingerprints swiped
in Dutch biometric passport crack (another card skim vulnerability)
http://www.garlic.com/~lynn/aadsm22.htm#14 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#15 thoughts on one time pads
http://www.garlic.com/~lynn/aadsm22.htm#21 FraudWatch - ChipPin, a new
tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - ChipPin, a new
tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#26 FraudWatch - ChipPin, a new
tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a
desktop near you




Re: Creativity and security

2006-03-27 Thread brucee
regarding the XXXing on receipts it turns out that things aren't
as grim as i thought.  i analyzed the checksum algorithm and if
you are missing n digits there are 10^(n-1) clashes.

i verified this with a brute force program.

but in the photograph the card scenario ... if one digit is
blurry then you still win because 10^(n-1) is 1.

if two are unknown then mr nasty could try buying stuff from
10 different sites.

brucee



Re: Creativity and security

2006-03-24 Thread Daniel Carosone
On Thu, Mar 23, 2006 at 08:15:50PM -, Dave Korn wrote:
 
   As we all know, when you pay with a credit or debit card at a store, it's 
 important to take the receipt with you
 [..]
   So what they've been doing at my local branch of Marks & Spencer for the 
 past few weeks is, at the end of the transaction after the (now always 
 chip'n'pin-based) card reader finishes authorizing your transaction, the 
 cashier at the till asks you whether you actually /want/ the receipt or not; 
 [..] 
   ... Of course, three seconds after your back is turned, the cashier can 
 still go ahead and press the button anyway, and then /they/ can have your 
 receipt.
 [..]
 I think the better solution would still be for the receipt 
 to be printed out every single time and the staff trained in the importance 
 of not letting customers leave without taking their receipts with them.

Two observations:

 - your preferred solution to a problem of fraudulent cashier staff
   doing the wrong thing ... relies on the cashier staff doing the right
   thing.  Training fraudulent and creative cashiers on the importance
   of this action probably encourages them to come up with other ways
   to do the same thing.

 - even when they've handed you a receipt, on many systems there's a
   good chance they can get a reprint those same three seconds later.
   Paper jams or gets torn, ribbons run out, and sometimes you
   legitimately need a duplicate.

--
Dan.



Re: Creativity and security

2006-03-24 Thread Dave Korn
J. Bruce Fields wrote:
 On Thu, Mar 23, 2006 at 08:15:50PM -, Dave Korn wrote:
   So what they've been doing at my local branch of Marks & Spencer
 for the past few weeks is, at the end of the transaction after the
 (now always chip'n'pin-based) card reader finishes authorizing your
 transaction, the cashier at the till asks you whether you actually
 /want/ the receipt or not; if you say yes, they press a little
 button and the till prints out the receipt same as ever and they
 hand it to you, but if you say no they don't press the button, the
 machine doesn't even bother to print a receipt, and you wander away
 home, safe in the knowledge that there is no wasted paper and no
 leak of security information  ...

   ... Of course, three seconds after your back is turned, the
 cashier can still go ahead and press the button anyway, and then
 /they/ can have your receipt.  With the expiry date on it.  And the
 last four digits of the card number.  And the name of the card
 issuer, which allows you to narrow the first four digits down to
 maybe three or four possible combinations.  OK, 10^8 still ain't
 easy, but it's a lot easier than what we started with.

 If all that information's printed on the outside of the card, then
 isn't this battle kind of lost the moment you hand the card to them?

1-  I don't hand it to them.  I put it in the chip-and-pin card reader 
myself.  In any case, even if I hand it to a cashier, it is within my sight 
at all times.

2-  If it was really that easy to memorize a name and the equivalent of a 
23-digit number at a glance without having to write anything down, surely 
the credit card companies wouldn't need to issue cards in the first place?

  IOW, unless we're talking about a corrupt employee with a photographic 
memory and telescopic eyes, the paper receipt I leave behind is the only 
place they could get any information about my card details.  This was of 
course not the case in the old days when your card was rolled over a receipt 
with multiple carbons, one of which was the retailer's copy that they needed 
to deposit with their bank, but things are a lot more secure now: a debit 
card transaction, authorised and completed online, leaves a lot less 
exposure; so nowadays I reckon that it is worth worrying about the remaining 
risks, that /were/ relatively speaking lower risks back then when compared 
to the fact of the retailer's retaining a hard copy of your card details, 
but that (now /that/ particular risk has been eliminated) are relatively 
higher risks.

  Of course, a corrupt employee could conceivably replace the card reader 
with a corrupt one of their own, but since it would take major carpentry to 
detach them from the cashtills and counters to which they are firmly fixed, 
I think that's a lot more likely to be noticed than an employee craftily 
pressing a little button and palming a receipt.  YMMV!

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 






Re: Creativity and security

2006-03-24 Thread leichter_jerrold
|  If all that information's printed on the outside of the card, then
|  isn't this battle kind of lost the moment you hand the card to them?
| 
| 1-  I don't hand it to them.  I put it in the chip-and-pin card reader 
| myself.  In any case, even if I hand it to a cashier, it is within my
sight 
| at all times.
| 
| 2-  If it was really that easy to memorize a name and the equivalent of a 
| 23-digit number at a glance without having to write anything down, surely 
| the credit card companies wouldn't need to issue cards in the first place?
| 
|   IOW, unless we're talking about a corrupt employee with a photographic 
| memory and telescopic eyes, the paper receipt I leave behind is the only 
| place they could get any information about my card details
You're underestimating human abilities when there is a reward present.
Back in the days when telephone calling cards were common, people used
to shoulder surf, watching someone enter the card number and
memorizing it.  A traditional hazing in the military is to give the new
soldier a gun, then a few seconds later demand that he tell you the
serial number from memory.  Soldiers caught out on this ... only get
caught out once.

Besides, there's a lot less to remember than you think.  I don't know
how your chip-and-pin card encoding is done, but a credit card number is
16 digits, with the first 4 (6?) specifying the bank (with a small
number of banks covering most of the market - if you see a card from
an uncommon bank, you can ignore it) and the last digit a check digit.
So you need to remember one of a small number of banks, a name, and
11 digits - for the few seconds it takes for the customer to move on
and give you the chance to scrawl it on a piece of paper.  Hardly very
challenging.
-- Jerry




Re: Creativity and security

2006-03-24 Thread J. Bruce Fields
On Fri, Mar 24, 2006 at 06:47:07PM -, Dave Korn wrote:
 J. Bruce Fields wrote:
  If all that information's printed on the outside of the card, then
  isn't this battle kind of lost the moment you hand the card to them?
 
 1-  I don't hand it to them.  I put it in the chip-and-pin card reader 
 myself.

Oh, right, sorry, I missed that.

 In any case, even if I hand it to a cashier, it is within my sight 
 at all times.

 2-  If it was really that easy to memorize a name and the equivalent of a 
 23-digit number at a glance without having to write anything down, surely 
 the credit card companies wouldn't need to issue cards in the first place?

Well, obviously there's some gap between what you need to make use of
the card convenient, and what you'd need if you were an attacker willing
to spend some minimum of effort.

   IOW, unless we're talking about a corrupt employee with a photographic 
 memory and telescopic eyes,

Tiny cameras are pretty cheap these days, aren't they?  The employee
would be taking more of a risk at that point though, I guess.

--b.



Re: Creativity and security

2006-03-23 Thread Dave Korn
Olle Mulmo wrote:
 On Mar 20, 2006, at 21:51, [EMAIL PROTECTED] wrote:

 I was tearing up some old credit card receipts recently - after all
 these years, enough vendors continue to print full CC numbers on
 receipts that I'm hesitant to just toss them as is, though I doubt there
 are many dumpster divers looking for this stuff any more - when I found
 a great example of why you don't want people applying their creativity
 to security problems, at least not without a great deal of review.

 You see, most vendors these days replace all but the last 4 digits of
 the CC number on a receipt with X's.  But it must be boring to do the
 same as everyone else, so some bright person at one vendor(*) decided
 they were going to do it differently:  They X'd out *just the last four
 digits*.  After all, who could guess the number from the 10,000
 possibilities?

 Ahem.
  -- Jerry

 (*) It was Build-A-Bear.  The receipt was at least a year old, so for
 all I know they've long since fixed this.

 Unfortunately, they haven't. In Europe I get receipts with different
 crossing-out patterns almost every week.

 And, with they I mean the builders of point-of-sale terminals: I
 don't think individual store owners are given a choice.

 Though I believe I have noticed a good trend in that I get receipts
 where *all but four* digits are crossed out more and more often
 nowadays.

  In the UK, that is now the almost universal practice.  And it's equally 
almost universally the /last/ four digits across all retailers.  Which is 
good.

  What is not so good, however, is another example of 
not-as-clever-as-it-thinks-it-is clever new idea for addressing the problem 
of receipts.

  As we all know, when you pay with a credit or debit card at a store, it's 
important to take the receipt with you, because it contains vital 
information - even when most of the card number is starred out, the expiry 
date is generally shown in full.  So we're all encouraged to take them with 
us, take them home, and shred or otherwise securely dispose of them under 
our own control.

  Of course, this is a) a nuisance and b) wasteful of paper.  And obviously 
enough, someone's been trying to come up with a 'bright idea' to solve these 
issues.

  So what they've been doing at my local branch of Marks & Spencer for the 
past few weeks is, at the end of the transaction after the (now always 
chip'n'pin-based) card reader finishes authorizing your transaction, the 
cashier at the till asks you whether you actually /want/ the receipt or not; 
if you say yes, they press a little button and the till prints out the 
receipt same as ever and they hand it to you, but if you say no they don't 
press the button, the machine doesn't even bother to print a receipt, and 
you wander away home, safe in the knowledge that there is no wasted paper 
and no leak of security information  ...

  ... Of course, three seconds after your back is turned, the cashier can 
still go ahead and press the button anyway, and then /they/ can have your 
receipt.  With the expiry date on it.  And the last four digits of the card 
number.  And the name of the card issuer, which allows you to narrow the 
first four digits down to maybe three or four possible combinations.  OK, 
10^8 still ain't easy, but it's a lot easier than what we started with.

  The risk could perhaps be fixed with an interlock which makes it 
impossible to print the receipt out after the card has been withdrawn from 
the reader, but I think the better solution would still be for the receipt 
to be printed out every single time and the staff trained in the importance 
of not letting customers leave without taking their receipts with them.

cheers,
  DaveK
-- 
Can't think of a witty .sigline today 






Re: Creativity and security

2006-03-23 Thread J. Bruce Fields
On Thu, Mar 23, 2006 at 08:15:50PM -, Dave Korn wrote:
   So what they've been doing at my local branch of Marks & Spencer for the 
 past few weeks is, at the end of the transaction after the (now always 
 chip'n'pin-based) card reader finishes authorizing your transaction, the 
 cashier at the till asks you whether you actually /want/ the receipt or not; 
 if you say yes, they press a little button and the till prints out the 
 receipt same as ever and they hand it to you, but if you say no they don't 
 press the button, the machine doesn't even bother to print a receipt, and 
 you wander away home, safe in the knowledge that there is no wasted paper 
 and no leak of security information  ...
 
   ... Of course, three seconds after your back is turned, the cashier can 
 still go ahead and press the button anyway, and then /they/ can have your 
 receipt.  With the expiry date on it.  And the last four digits of the card 
 number.  And the name of the card issuer, which allows you to narrow the 
 first four digits down to maybe three or four possible combinations.  OK, 
 10^8 still ain't easy, but it's a lot easier than what we started with.

If all that information's printed on the outside of the card, then isn't
this battle kind of lost the moment you hand the card to them?

--b.



Re: Creativity and security

2006-03-23 Thread brucee
Blanking out all but the last 4 digits is foolish.  The last is a checksum
and the first four are determined by the merchant.  This greatly reduces
the possibilities for the other 8 digits.  I'd rather just Bank Name or even
the first 4 digits.  (I know that amex use only 15, even worse.)

brucee



Re: Creativity and security

2006-03-21 Thread Olle Mulmo


Unfortunately, they haven't. In Europe I get receipts with different  
crossing-out patterns almost every week.


And, with they I mean the builders of point-of-sale terminals: I  
don't think individual store owners are given a choice.


Though I believe I have noticed a good trend in that I get receipts  
where *all but four* digits are crossed out more and more often  
nowadays.


/Olle

On Mar 20, 2006, at 21:51, [EMAIL PROTECTED] wrote:


I was tearing up some old credit card receipts recently - after all
these years, enough vendors continue to print full CC numbers on
receipts that I'm hesitant to just toss them as is, though I doubt there
are many dumpster divers looking for this stuff any more - when I found
a great example of why you don't want people applying their creativity
to security problems, at least not without a great deal of review.

You see, most vendors these days replace all but the last 4 digits of
the CC number on a receipt with X's.  But it must be boring to do the
same as everyone else, so some bright person at one vendor(*) decided
they were going to do it differently:  They X'd out *just the last four
digits*.  After all, who could guess the number from the 10,000
possibilities?

Ahem.
-- Jerry

(*) It was Build-A-Bear.  The receipt was at least a year old, so for
all I know they've long since fixed this.




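The receipt-masking arithmetic argued over across this thread (Jerry's "10,000 possibilities ... Ahem", Dave Korn's 10^8 for all-but-last-four with the issuer narrowed down, and brucee's claim that n hidden digits leave 10^(n-1) Luhn-valid candidates), as an added example that is not part of any of the original posts. It assumes a 16-digit PAN carrying a standard Luhn check digit; the PAN 4111111111111111 used below is a well-known constructed test number, not anyone's card, and the mask strings are constructed to mirror the receipt styles discussed. The brute-force counter is only run for masks with a handful of hidden digits; the larger cases use the 10^(n-1) rule, which holds because each Luhn term is a bijection on a single digit, so whichever hidden digit is fixed last is pinned down mod 10 by the others.

```python
import itertools


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidates(masked: str):
    """Yield every PAN consistent with a masked receipt string (X = hidden digit)
    that also passes Luhn. Brute force; only sensible for a handful of X's."""
    hidden = [i for i, ch in enumerate(masked) if ch == "X"]
    for digits in itertools.product("0123456789", repeat=len(hidden)):
        chars = list(masked)
        for pos, d in zip(hidden, digits):
            chars[pos] = d
        pan = "".join(chars)
        if luhn_valid(pan):
            yield pan


def brute_force_count(masked: str) -> int:
    """Number of Luhn-valid completions, found by exhaustive search."""
    return sum(1 for _ in candidates(masked))


def predicted_count(masked: str) -> int:
    """brucee's rule: n hidden digits leave 10^(n-1) Luhn-valid completions,
    whether or not the check digit itself is among the hidden ones."""
    n = masked.count("X")
    return 10 ** (n - 1) if n else int(luhn_valid(masked))


# Constructed example: a well-known Luhn-valid test number, not a real card.
FULL_PAN = "4111111111111111"


def receipt_masks() -> dict:
    """Search space left by each masking style discussed in the thread
    (predicted by the 10^(n-1) rule; the big ones are not brute-forced)."""
    return {
        "last four hidden (the Build-A-Bear receipt)": predicted_count("411111111111XXXX"),
        "all but last four hidden, 6-digit BIN known": predicted_count("411111XXXXXX1111"),
        "all but last four hidden, first four guessed": predicted_count("4111XXXXXXXX1111"),
        "all but last four hidden, nothing else known": predicted_count("XXXXXXXXXXXX1111"),
    }
```

Hiding only the last four digits leaves 1,000 valid PANs (the check digit is one of the hidden four, so Luhn removes a factor of ten); hiding all but the last four with the first four narrowed down from the issuer name leaves 10^7, one order of magnitude below Dave Korn's 10^8 estimate, because Luhn still constrains one of the eight hidden digits.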