Chip and Pin "Weakness" Exposed By Cambridge Researchers 133
another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"
Security by obscurity (Score:5, Insightful)
All the locks in the world won't keep crooks out of your house if you don't use the locks. Your house may LOOK invulnerable, but one day sonbody's gonna try the door, find it open, and steal you blind.
The same principle applies here - using obvious and predictable 'random' code generation, and relying on people not knowing that's what you're doing, only works for so long.
And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.
Re:The problem is shifting liability (Score:4, Insightful)
I used to work in a store when Chip & PIN was introduced to the UK - after the switchover we were told in no uncertain terms that we would take liability if we didn't use Chip & PIN when it was available (e.g. verify by signature). This makes a lot of sense to me, as some peoples signatures had rubbed off and others really didn't match.
Whenever I go to the US, my card is almost never checked. I usually get my card back before I even sign. There is often zero fraud prevention at the point of sale. Even when they ask for photo ID (rarely) they often just check the picture, not my name or even if it's valid ID.
From my side, I would consider liability to be very much on a merchant who didn't bother checking properly and reduce it as an incentive to help me reduce fraud (e.g. chip & pin systems).
Re:Never trust security through obscurity (Score:4, Insightful)
While thats true, you are forgetting that handling cash is not free for the merchant either.
It has to be handled by staff that can lose or steal it, it has to be transported around the store securely and transported to a bank to be paid in to an account (banks charge businesses for pay cash into an account) so the business can use the money for purchasing of supplies, paying rents and mortgage etc.
Credit Card fees look scary for the merchant because the fee is stated upfront in the contract with the Credit Card Provider but cash has costs as well, possibly hugely variable costs compared to a stated percentage per transaction.
Re:Security by obscurity (Score:3, Insightful)
Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.
Or the government could quit sucking corporate cock, permitting more players into the game to provide some actual competition.