Chip and Pin "Weakness" Exposed By Cambridge Researchers
another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"
Never trust security through obscurity (Score:4, Informative)
Re: (Score:2)
Re: (Score:3)
Full specifications [emvco.com] are available. There is no security through obscurity here.
Doh, managed to delete the rest of my post before submitting. I guess I should actually look at the preview.
Anyway, the problem here isn't obscurity, it's just implementation errors. Granted that the systems should have been audited.
Re: (Score:1)
Full specifications [emvco.com] are available. There is no security through obscurity here.
Actually, it is obscurity. The specification you linked to was NOT followed by the device manufacturer; they just assumed that, since they didn't tell anyone they violated a proper practice, no one would notice. The specifications listed by you require devices to adhere to the random number generating requirements outlined in ISO 18031, which the machines did not. This standard mandates an unpredictable entropy source be used as the seed for any random number generating function. The devices were implementing
Re:Never trust security through obscurity (Score:5, Funny)
Re: (Score:2)
Re: (Score:3)
The ideal RNG collects as much entropy from the real world as there is information in its output. Second best is a cryptographically secure PRNG. To be cryptographically secure, given an arbitrary-sized sample of the output it must be computationally infeasible to predict the next bit with an accuracy greater than random chance. This requires both an algorithm that is resistant to reversal and sufficient seed data and internal state to prevent brute forcing of the random number generator's state.
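The two requirements named in the comment above (an algorithm that resists reversal, and enough seed and internal state to defeat brute forcing) can be audited separately on a captured run of generator output. The following Python is an added example, not part of the original thread; the toy generators, function names and sample values are constructed for illustration.

```python
import hashlib
import secrets

MASK32 = 0xFFFFFFFF


def hash_outputs(seed: bytes, n: int) -> list:
    """Toy generator (constructed for this example): 32-bit values taken from
    SHA-256(seed || counter). The algorithm resists reversal, so its strength
    is bounded only by how much entropy the seed carries."""
    return [
        int.from_bytes(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:4], "big")
        for i in range(n)
    ]


def constant_stride(samples) -> bool:
    """True when every consecutive difference (mod 2**32) is identical,
    i.e. the source behaves like a counter or a clock tick."""
    diffs = {(b - a) & MASK32 for a, b in zip(samples, samples[1:])}
    return len(diffs) == 1


def stuck_bits(samples) -> int:
    """Number of the 32 bit positions that never change across the sample."""
    changed = 0
    for a, b in zip(samples, samples[1:]):
        changed |= a ^ b
    return 32 - bin(changed).count("1")


def find_small_seed(samples, seed_bits: int = 16):
    """Enumerate every seed of `seed_bits` bits and return the one that
    reproduces the sample under hash_outputs(), or None. A hit means the
    internal state is small enough to brute-force, whatever the statistics say."""
    width = (seed_bits + 7) // 8
    for candidate in range(1 << seed_bits):
        seed = candidate.to_bytes(width, "big")
        # Cheap first-value check before comparing the whole run.
        if hash_outputs(seed, 1)[0] != samples[0]:
            continue
        if hash_outputs(seed, len(samples)) == list(samples):
            return seed
    return None


def audit(samples, seed_bits: int = 16) -> list:
    """Return the list of predictability findings for a run of 32-bit values."""
    if len(samples) < 32:
        # With only a few samples, truly random data also shows unchanged bits.
        raise ValueError("need at least 32 samples for the stuck-bit check")
    findings = []
    if constant_stride(samples):
        findings.append("constant-stride")
    if stuck_bits(samples) > 0:
        findings.append("stuck-bits")
    if find_small_seed(samples, seed_bits) is not None:
        findings.append("small-seed")
    return findings


# Constructed sample runs, 64 values each.
COUNTER = [(0x5EED0000 + i) & MASK32 for i in range(64)]    # incrementing counter
SMALL_SEED = hash_outputs((0xBEEF).to_bytes(2, "big"), 64)  # good algorithm, 16-bit seed
STRONG = [secrets.randbits(32) for _ in range(64)]          # OS entropy source

if __name__ == "__main__":
    for name, run in (("counter", COUNTER), ("small seed", SMALL_SEED), ("strong", STRONG)):
        print(f"{name:10s} -> {audit(run) or 'no findings'}")
```

The small-seed run passes both statistical checks and is still fully predictable once its seed is enumerated, which is why output statistics alone cannot certify a generator.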
Re:Never trust security through obscurity (Score:4, Informative)
Re: (Score:2, Informative)
What exactly is this 'chip and pin' system in UK apparently. Sounds British (like fish and chips?)...hahaha.
It's referring to a credit card & a pin number combination for security.
Re: (Score:2, Informative)
credit and debit card too.
Re: (Score:2)
You enter your PIN into the payment terminal at a store and it uses the PIN to form part of the key used for comms with the card.
Whereas magnetic credit cards and PINs (er, I mean personal PIN numbers) have been used since the 1960s without a chip on the card.
Re: (Score:1)
> (er, I mean personal PIN numbers)
You do know that PIN is a TLA that stands for "Personal Identification Number" :-)
Re: (Score:1)
Re: (Score:3, Funny)
Re: (Score:2)
Why do geeks get so bent out of shape about people saying "PIN Number" when we have things like GNU?
Re: (Score:3)
Re: (Score:2)
It's so depressing that it's the 21st century and they can't even get this right yet. It's so bloody simple to make the security perfect (DISCLAIMER: providing physical security is maintained for the device and the bank's servers aren't compromised and also that potentially unprovable truths about cryptography hold true). We have tiny and inexpensive solid state storage that can hold gigabytes. You throw one into the chip and pin device and you fill it up with random strings created on the bank's servers (a
Re: (Score:2, Troll)
Does cash not work over there anymore?
gee - where do you live?
It's "1984" and governments and big corporations want to know what you're doing and where you're doing it.
Can't do that with cash.
Re: (Score:1, Interesting)
> Can't do that with cash.
Are you serious? Scanning devices for bill's serial numbers are ubiquitous. The ATM knows who it gave the bills to, the cash register knows who it got the bills from and so on.
If you want to stay anonymous, pay everything with coins. Those are secure for now.
Re: (Score:1)
yes, but they don't know where the note has been, or who has had it in between those two points.
Therefore, as long as I don't get cash from the bank, or an ATM, or deposit cash into my own account, they'll never know what I've been up to.
Re: (Score:2)
Re: (Score:2)
Wow...where do you live where you've seen a cash register that scans money put in or taken out of it???
I've only seen the conventional kind with a human teller as the go between myself and my money to the till, which I've not ever seen scan money...??
Re: (Score:2)
surely these scanners can record serial numbers since they scan the bill for denomination anyway.
Surely they don't.
Bill acceptors rely on several attributes to test a piece of paper to ensure it really is money. They shine various lights at it and through it, they run it over a magnetic ink detector, they check the thickness, they measure the dimensions, they match the images to a database of known images, but they do not record the images of the bills they accept. They just keep track of the amount.
Now, the cameras over the cash registers are taking plenty of photos of you. It would be possible to
Re: (Score:2)
Scanning devices for bill's serial numbers are ubiquitous.
Who is Bill and why didn't you capitalize his name? Is his serial number tattooed on his forehead or something?
Re: (Score:3)
Actually, US-issued credit cards can be problematic in the UK because some ignorant shopkeepers and workers think that they cannot accept a card that does not have chip-and-pin.
Re:Never trust security through obscurity (Score:5, Informative)
It's not that they cannot accept a card like that, but that the processor will not reimburse the shop in case of fraud. At least that's the case here in the Netherlands.
Re: (Score:2)
What exactly is this 'chip and pin' system in UK apparently. Sounds British (like fish and chips?)...hahaha.
Guessing it has something to do with a credit card type thing?
Chip and Pin is the brand name for bank card security in the UK. It refers to a PIN (Number) and a chip embedded in the card. Chipped cards are a bit harder to replicate than regular mag stripe cards.
Does cash not work over there anymore?
Yes, cash still works in merry old England,
but much like a lot of fools in the US and Australia they have been brainwashed by their bank overlords to shun cash and pay for everything using credit. This is because the bank overlords get to charge the merchant for accepting credit but not for accepting cash (whic
Re: (Score:1)
Cash can be lost, stolen and devalues through inflation. My bank account is tied to my market account which can not be lost or stolen (FDIC) and does not devalue, often increasing in value over time.
My credit accounts are other people's money I borrow to pay debts with a float and no interest unless I choose to pay it while my money is increasing more quickly or I can get a better return in an investment.
My money increases slowly but surely. Your cash is a pile of paper with no future.
Re: (Score:2)
Cash can be lost, stolen
And credit can't.
Awaken from your dreamy state
devalues through inflation.
Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.
My credit accounts are other people's money
The problem with spending other people's money is that other people are going to want their money back... with interest. Would you lend your money for free?
A question that no credit addled fool has been able to answer is "why would a bank, a profit oriented business, offer you a
Re: (Score:1)
However when we consider that you pay between 0.5-3% per transaction on your credit card, you've pissed away $720 (at just 1% of $1,500 p/m) in merchant fees in the same period you've gained in $500 interest.
The merchant fees are paid by all the merchant's customers though (through higher prices). Also the ones paying in cash.
Re:Never trust security through obscurity (Score:4, Insightful)
While that's true, you are forgetting that handling cash is not free for the merchant either.
It has to be handled by staff that can lose or steal it, it has to be transported around the store securely and transported to a bank to be paid in to an account (banks charge businesses for paying cash into an account) so the business can use the money for purchasing of supplies, paying rents and mortgage etc.
Credit Card fees look scary for the merchant because the fee is stated upfront in the contract with the Credit Card Provider but cash has costs as well, possibly hugely variable costs compared to a stated percentage per transaction.
Re: (Score:3)
You are clueless.
Cash can be lost, stolen
And credit can't.
No. Federal law limits my liability to $50 by law, but every single one of my credit cards actually goes further and limits my liability to $0. No risk to me.
devalues through inflation.
Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.
Not sure how my "credit devalues through inflation". My "credit" has no actual cash value to me. The only effect inflation has is on my spending ability for a given credit line, but given the size of my credit line, I'll never reach that point...especially since lenders tend to increase that credit line over time.
My credit accounts are other people's money
The problem with spending other people's money is that other people are going to want their money back... with interest.
Funny. I haven't paid
Re: (Score:2)
If you could get everyone (or at least a very significant number of people) in the country to switch to cash, then maybe prices would go down. Otherwise, me switching to cash isn't going to reduce my costs one bit. All it's going to do is stop earning me cash back and sign up bonuses.
If everyone switched to cash, prices would likely go up, not down. For large merchants, I know the cost of handling cash is substantially higher than the cost of handling credit transactions.
Credit transactions: A cash register has to be on a network, and have a PIN pad attached. A reader has to read a card, and some bits take a few milliseconds to flow through a wire. An occasional piece of paper has to be printed, signed, and collected. Visa and the bank take their cut on the back end. Occasionally,
Re: (Score:3)
Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.
Uh no.
Credit doesn't devalue through inflation because if they think they can drive you into debt someday they will keep raising your limits.
$1000 borrowed is not $1000+interest unless you borrow the money for longer than 30 days. If you repay within the window you don't actually pay any interest. And in the case of hyperinflation, you'd actually make money by not paying, so there are situations where you're even more wrong. Credit has its uses.
Re: (Score:2)
Banks are not going to lose money like that. When there is inflation, the interest rate will be even higher.
If your agreement says they can raise your rates without notice, then you deserve what you get.
Re: (Score:2)
However when we consider that you pay between 0.5-3% per transaction on your credit card, you've pissed away $720 (at just 1% of $1,500 p/m) in merchant fees in the same period you've gained in $500 interest.
I pay $0 per transaction with my credit card. Your facts are all wrong. Your logic is wrong, and your conclusions are all wrong.
Re: (Score:2)
The entire point of this article is that, due to really stupid cryptographic flaws in debit and credit cards, money can be stolen from your bank account too - and the banks will hold you liable because they've got rock-solid "proof" that the money must've been withdrawn using your card and your PIN.
Re: (Score:2)
If a merchant has a business bank account, then they pay whenever they make a deposit, and a withdrawal. If they handle a lot of cash, then they also have to deal with security - safe, how to get the money deposited etc etc.
Unless a merchant's average transactions are less than about 5 pounds, it makes economic sense to do things via electronic transactions rather than by cash.
Re: (Score:2)
If a merchant has a business bank account, then they pay whenever they make a deposit, and a withdrawal. If they handle a lot of cash, then they also have to deal with security - safe, how to get the money deposited etc etc.
Unless a merchant's average transactions are less than about 5 pounds, it makes economic sense to do things via electronic transactions rather than by cash.
Please note, I said credit not electronic transactions. Electronic transactions on Debit (I.E. using your own money rather than the banks) attract a much lower service fee in Australia, some as low as A$0.20 here in Oz, most CC transactions cost more even before the interchange fee comes out. I'd be surprised if the UK were different.
Secondly, if it were true that cash costs more than EFT for anything over A$20/GBP 5, why would car yards offer better deals for cash? Every business is different, for a lot
Re: (Score:2)
I assume a Car Yard is what I refer to as a Car Dealership -- a place to purchase cars.......
I think the key is who is taking the risk. A car dealership gives a discount for cash because they don't take any risk. If you take a loan, there's a chance you will default.....and they take a hit for that. A normal shop (i.e. for clothes) doesn't take the hit if you use credit (other than increased transaction fees), so they don't give a discount.
If you were to go in to a car dealership and negotiate as if you
Re: (Score:2)
Oh, the best bet is to negotiate the price and then negotiate the financing. They are two different transactions (one with the dealer and the other with the financing company) and you should treat them as such. But he indicated that there was a cash discount. My point was that paying with a credit card should get the same discount as cash.
Re: (Score:2)
Chip & PIN is an electronic transaction (done via credit card or by debit card as it supports both), indeed I don't think you'd find many places that can do a manual credit card transaction (although it is possible) just because banks don't give out the slips and the streamline machines.
Re: (Score:2)
Not sure where you get that idea. I have a business account with the bank, and I don't pay for any type of deposits (cash or check), nor do I get charged a fee for withdrawals of either.....
Re: (Score:2)
not for accepting cash
Not true; banks charge merchants for handling cash. So much so that supermarkets here will offer to add some cash to your bill ("cashback"), obviating the need for you to visit an ATM. You benefit from increased convenience and they benefit from reduced cash handling charges.
Re: (Score:2)
not for accepting cash
Not true; banks charge merchants for handling cash. So much so that supermarkets here will offer to add some cash to your bill ("cashback"), obviating the need for you to visit an ATM. You benefit from increased convenience and they benefit from reduced cash handling charges.
Are you trying to say there is a per transaction charge for handling cash?
If you aren't, it has no bearing on what I said.
You need to give this a read and consider the costs to businesses [sba-bc.ca]. When you put everything on credit, you make a dent in that business's profit and they have to in turn raise prices to compensate. Whilst massive super chains can bury costs like interchange and service fees in huge contracts, franchise owners and small businesses can't. Realistically if you think putting everything o
Re: (Score:2)
Are you trying to say there is a per transaction charge for handling cash?
yes actually there is! the store needs to keep their register stocked with small bills and change in order to make change for customers using cash. At least in the US businesses typically pay a fee to buy large quantities of coins and small bills from banks. sometimes they also need to pay a fee to deposit large quantities of coins, such as if they end up with too many nickels in the register and don't know what to do with them.
you also then have to somehow securely transfer the money to the bank, and th
Re:Never trust security through obscurity (Score:4, Interesting)
I'll pay by cash if I have to, but I'd much rather pay by card, which means I always have the right amount to hand and I get nothing back but a receipt.
Security by obscurity (Score:5, Insightful)
All the locks in the world won't keep crooks out of your house if you don't use the locks. Your house may LOOK invulnerable, but one day somebody's gonna try the door, find it open, and steal you blind.
The same principle applies here - using obvious and predictable 'random' code generation, and relying on people not knowing that's what you're doing, only works for so long.
And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.
Re:Security by obscurity (Score:5, Interesting)
If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?
The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.
Re: (Score:3, Insightful)
Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.
Or the government could quit sucking corporate cock, permitting more players into the game to provide some actual competition.
Re: (Score:2)
WTF, moderators? I don't care that drinkypoo is on my freaks list, that was in no way flamebait. He should be modded insightful, not flamebait.
Please, slashdot, bring back the old style metamoderation! He's right, the CC companies need better regulation (in this case, more regulation) and more competition.
Re: (Score:3)
Re: (Score:2)
With something as crucial as the nation's payment infrastructure, one might think engineers or computer scientists would have a thing or two to say about it.
Perhaps they should have a professional body to ensure some level of quality and system review.
Perhaps they should be regulated like the FDA approves drugs.
Or perhaps the system works as is and the costs shifted and paid around.
Presumed secure = blame the user (Score:5, Informative)
Re: (Score:3, Informative)
Re: (Score:2)
Hah, yep. I noticed my "agreement of the services" with visa states that if chip authentication is used, it's assumed I authorized it - i.e. there are no fraudulent transactions that use the chip, I'm liable.
Makes you want to rip the contacts off the card...
Re: (Score:2)
This might be true if 'you' used the chip authentication. However, if someone else has cloned your card (however they managed to do it), then 'you' haven't agreed to that transaction, and thus 'you' never used any kind of authentication, let alone "chip and pin".
Re: (Score:1)
lmfao, good fuckin luck getting your card company to buy into that one. Chip & pin is a scam designed solely to remove *ALL* liability of fraud from the card company, after all, it's *your* fault you let your chip get cloned ; )
Re: (Score:2)
Makes you want to rip the contacts off the card...
buy a UV-curing clear coat repair pen, $3 or so, the rest is obvious
Re: (Score:2)
That's why I no longer use a debit card, or indeed, any kind of card. Someone watched me enter my PIN, stole the card and some checks, cashed forged checks and withdrew money with the card. I was reimbursed by the bank for the fraudulent checks, but the card cost me hundreds of dollars -- if you have the card and PIN, then you have the right to use it, even if you've stolen both. Worse, it made a check for a downpayment on a car bounce and I almost was liable for a felony. REAL pain in the ass, that cost hu
no liability for banks (Score:2, Informative)
Canadian banks just snuck in an update to the banking agreements--customer is now 100% responsible for losses with chip and pin cards, no doubt due to the ironclad security.
Re: (Score:2)
Canadian banks just snuck in an update to the banking agreements--customer is now 100% responsible for losses with chip and pin cards, no doubt due to the ironclad security.
Citation please.
The problem is shifting liability (Score:5, Interesting)
The problem with the claim Chip & Pin is more secure, is that the card processors (Visa, Mastercard) used it as a justification to shift liability from the Bank over to the Merchant.
With swiped transactions, when a customer disputes the transaction, the Merchant isn't automatically liable for the transaction -- they only need to prove the customer actually made the purchase (e.g. producing the signed receipt). With Chip & Pin, the merchant is automatically assumed to be liable, according to the merchant agreement. There's very little a merchant can do to dispute the chargeback.
Re: (Score:2)
The way I understood it is that the liability shift does not work that way. The least secure is liable. See http://en.wikipedia.org/wiki/EMV [wikipedia.org]
The supposed increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.[2]
If a merchant does not support chip and the issuer (your bank) and the acquirer (bank of the merchant) do, the merchant is liable.
If the acquirer does not support EMV (aka Chip and pin), that bank is liable. Etc.
So only when the merchant keeps an old terminal that only supports magswipe despite his bank and the bank (/card issuer) of the customer supporting EMV and the
Re:The problem is shifting liability (Score:4, Insightful)
I used to work in a store when Chip & PIN was introduced to the UK - after the switchover we were told in no uncertain terms that we would take liability if we didn't use Chip & PIN when it was available (e.g. verify by signature). This makes a lot of sense to me, as some people's signatures had rubbed off and others really didn't match.
Whenever I go to the US, my card is almost never checked. I usually get my card back before I even sign. There is often zero fraud prevention at the point of sale. Even when they ask for photo ID (rarely) they often just check the picture, not my name or even if it's valid ID.
From my side, I would consider liability to be very much on a merchant who didn't bother checking properly and reduce it as an incentive to help me reduce fraud (e.g. chip & pin systems).
Re: (Score:2)
Chip and PIN might not be perfect, but at least it makes it more than entirely trivial to use a card that you've just found somewhere in a store.
Re: (Score:2)
I was asked ONCE while on holiday in the UK because the signatures don't match. I usually draw a circle, square, triangle.
Re: (Score:2)
Re: (Score:2)
my card is almost never checked
That's because signing the receipt is not for authentication. Read the receipt: you're signing a contract to pay the bank back for the stuff you're buying.
It's worse - Liability is shifted to the CARDHOLDER (Score:5, Informative)
Re-read your chip & PIN liability statements. Chargebacks with chip & PIN are very difficult to do and weighed heavily against the cardholder.
By default, if a transaction is conducted via chip & PIN, the consumer is liable for all charges. The use of a PIN constitutes, in the eye of the bank, de-facto shift of liability for the transaction. In the event of a dispute, it is up to THE CONSUMER to provide evidence that he / she did not perform the transaction. This is a marked shift from the old magstripe / signature liability, where it was up to the merchant to prove that it was you making the purchase in a dispute. Now, it is up to the consumer to prove it WASN'T you - good luck with that!
I am glad people are finally waking up to this because I avoided chip & PIN as long as possible due to this, but it is being rammed down our throats, along with this liability shift, and no one is noticing.
Mod parent up! (Score:1)
The main problem with chip-and-pin, from the consumer's perspective, is that it shifts the liability onto the CARDHOLDER, not the merchant. The issuers insist that merchants bear the liability for old magstripe transactions, but for chip-and-pin transactions it is presumed that you, the CARDHOLDER, are responsible unless you can *prove* otherwise. That's why the merchants were all so eager to get the chip-and-pin hardware deployed... it reduces their fraud costs (shifting them onto the victim cardholders
Re: (Score:2)
The flip side of this is that the processing fees for Chip & PIN cards are significantly lower. The fact is that fraud is vastly reduced by using Chip & PIN, so the fees charged can account for that.
Re: (Score:3)
As one who worked for a processing gateway in the US, the liability was on the merchant first. When a chargeback is initiated by the cardholder, the funds are taken from the merchant's account and credited to the cardholder's account. If the merchant doesn't have the funds (gateways or processors are pretty strict on them having the funds in case of chargebacks and will hold funds or institute a rolling reserve if the merchant doesn't have the funds or has a higher risk of potential chargebacks), it is on
damn right they do (Score:2)
Yeah, they pass it along to sellers like me. Almost all fraud gets taken straight out of the pockets of the business owner but hey, we've got money, right? Total bullshit. Well guess what I'm refusing to accept ever under any circumstances.
Re: (Score:3)
So who better to be left holding the empty bag than the party that has direct control over retail prices, and even some control over who he does business with?
Re: (Score:2)
So who better to be left holding the empty bag than the party that has direct control over retail prices, and even some control over who he does business with?
The answer to that question is: The party that has control over the implementation of the financial transaction system.
Anything less and there's no incentive for the financial institutions to improve security and reduce overall losses in the system. There is no way a merchant or a consumer has any control over this. The most they can do is refuse to accept 'plastic', but due to the ubiquitous nature of credit based transactions, that would be akin to closing the door on a large portion of their income.
Re: (Score:2)
Counterpoint: What motive do banks have to secure their system if they are not liable for its insecurity?
Nothing has changed with your scenario because it's based on the faulty premise that someone other than the consumer will pay the cost. The consumer is the side of the trade that has the money, and all costs must by definition be paid for out of that money.
Re: (Score:2)
But, those costs would never have occurred if the banks secured (or continue to secure) their system properly. Thus the 'losses' that end up being paid for by the consumer end up being negligible.
Re: (Score:2)
The liability should be with the party that has the power to do something about it: the card companies.
So neither person at the point of sale has the power to do something about it? It's the institution that is by definition not at the point of sale?
Re: (Score:2)
The liability should be with the party that has the power to do something about it: the card companies.
So neither person at the point of sale has the power to do something about it? It's the institution that is by definition not at the point of sale?
The best the consumer and/or merchant can do is complain to the 'authorities' that their bank just sucked a huge chunk of cash out of their account. Maybe they could sue the bank for losses incurred due to a poorly secured transaction system. But, all that does is send the responsibility back to where it belongs in the first place: with the banks.
Re: (Score:2)
There is not much consumers can do about having their card numbers stolen. They could never let the card leave their sight, only use Linux for online purchases, and use temporary card numbers for purchases from merchants they are not certain of, but even then their number could still be stolen. This problem is not one that the cardholder has created and it is not one that the cardholder can fix.
I think chip and pin was a great idea. Relying on it as perfect security and holding the user responsible for ever
Re: (Score:2)
So, aside from the thief, who is to blame for a fraudulent transaction? Almost never the cardholder or the merchant.
The merchant is often [at least partly] at fault. It used to be poor control over carbons; you could steal CC numbers just by strolling into the local drug store in between busy times and raiding a checkstand's trash can while someone else occupied the checkers. Now it's poor control over readers, permitting criminals to install skimmers, or outright complicity.
Re: (Score:2)
Out of everybody involved, the merchant is almost the least at fault. In order to accept a few dollars worth of a transaction, the merchant is forced to handle these things called "account numbers" and "credit cards" that represent tremendous potential value, even though the merchant might be a dollar store with transactions never worth more than a few dollars. Imagine a two-buck shrimp shack on the beach, where half the customers pay with thousand dollar bills, and they each expect $998 in change. That'
Re: (Score:1)
I think chip and pin was a great idea. Relying on it as perfect security and holding the user responsible for every transaction however was stupid. If I lived in the UK or another chip and pin EU country I would be way too paranoid to ever use my card. Instead of a credit card I'd probably use a debit card and transfer the exact amount needed from another account for every purchase. Thieves can't steal from you if there is nothing to steal.
A great idea, BUT...
Some institutions in the UK allow certain vendors (and there are quite a few of these) a "floor limit" for debit card transactions where, if the value of the transaction is below this threshold the transaction is automatically authorised at point-of-sale even without checking the account's available balance.
This is also the system used for "offline" transactions, where the vendor's card reader has no network access and instead batches the transactions for subsequent communication wit
Re: (Score:2)
If you, as a merchant, are accepting Chip & PIN transactions, then you're paying significantly lower fees to reflect the significantly lower risk. If you're accepting mag-strip & signature, then you're paying more for the transaction because there's a much higher risk that it's a fraud. If you're doing a card-not-present transaction (i.e. online) then you're paying even more because the risk is even higher.
This technique, which is a result of insecure hardware on the devices, is very hard and requ
Re: (Score:3)
In my storefront if a card holder chips a card and types their pin, there is no way they can charge back.
That sounds incorrect to me, since (at least under UK law) there are various reasons why a credit card transaction may be subject to a chargeback even if it was a legitimate transaction at the time.
In an online transaction does "verified by visa" / "mastercard securcode" not effectively provide you as a merchant the same protections?
3Dsecure is, frankly, a joke and does nothing to increase security (in fact it actually decreases security). It was introduced as yet another way of pushing the liability away from the bank rather than actually being secure.
Unfortunately, my experience with banks is that, when it comes to digital security, they
Re: (Score:3)
Re: (Score:2)
It may not seem like much of a benefit to you, but merchants benefit a lot by requiring VBV (reread your post from the point of view of a merchant).
Why the quotes? (Score:3)
BBC is a "news" provider.
Re: (Score:1)
The BBC "always" puts lots of "quotes" around "words" in their titles. I don't know why; it "doesn't" change the meaning "of" the words, it's like the heavy-metal umlaut:.. http://en.wikipedia.org/wiki/Metal_umlaut
Re: (Score:3)
The quotes indicate that a third party is making the assertion. So the BBC's staff has not looked at the evidence and concluded there is a weakness, the BBC is merely repeating a conclusion reached by others. The BBC has not verified the validity of this conclusion. Therefore the BBC is not reporting this as an established fact, they are reporting that researchers from the University of Cambridge are saying this, and the BBC isn't certain it's a demonstrable fact.
If you read the full article of any headline t
Re: (Score:2)
For example: She had some huge "eyes".
It usually doesn't work, but it causes enough hilarity not to change it.
Re: (Score:1)
I like how they highlight "weakness" in the headline, giving it the appearance of being of poor credibility. Can I try?
BBC is a "news" provider.
It simply means the BBC is reporting but not necessarily endorsing the claim. Journalistic integrity many other more sensationalist outlets could learn from!
Re: (Score:3)
Chip & Pin was already broken no later than 20 (Score:2)
This appears to be something new, however
Re: (Score:2)
Exaggeration (and a bit of scandal mongering) (Score:2)
Re: (Score:1)
...So the title here, in the BBC website and some of the comments are way off.
I think your analysis makes some valid points but is somewhat complacent. Firstly, I am not convinced that the concept of a corner case is valid in security matters; attackers do not randomly stumble upon vulnerabilities, they assiduously seek them out, and a great many exploits are based on 'corner cases'. If you were ripped off to the extent of your credit limit, would you dismiss it as just a corner case?
The fact that 'card-not-present' fraud went up is hardly surprising, and not much of
Serge Humpich, anyone??? (Score:2)
I know it happened 12 years ago, but come on, the chip cards with pin have been cracked and crackable for a long time. In 2000, Serge Humpich, a French hacker, found a flaw in the chip design and used a Japanese algorithm to factorize the prime used in the chip card.
In French:
https://fr.wikipedia.org/wiki/Serge_Humpich [wikipedia.org]
http://www.bibmath.net/crypto/moderne/cb.php3 [bibmath.net]
In English:
http://www.theregister.co.uk/2000/02/26/french_credit_card_hacker_convicted/ [theregister.co.uk]
http://www.amazon.com/Serge-Humpich/e/B001K7H3DE [amazon.com]
I remember my r
Re:Wasn't this already covered (Score:4, Informative)
European Credit and Debit Card Security Broken
http://news.slashdot.org/story/10/02/11/2129212/european-credit-and-debit-card-security-broken [slashdot.org]