Kitz ADSL Broadband Information
Author Topic: Undelivered Goods  (Read 32233 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Undelivered Goods
« Reply #15 on: January 05, 2012, 10:49:16 AM »

Well let's hope the homepay protocol is released for public scrutiny. By doing so, clever academics and millions of well-intentioned volunteers can examine it and identify any vulnerabilities so that they are fixed before deployment.

Conversely, if homepay security depends upon keeping the protocol a secret, then I fear it will be intrinsically insecure as 'secrets' have a habit of escaping.

- 7LM
Logged

BritBrat

  • Kitizen
  • ****
  • Posts: 1359
Re: Undelivered Goods
« Reply #16 on: January 05, 2012, 11:55:03 AM »


We all know that's total garbage, it transpired there were lots of ways villains could find out a PIN number, but it hasn't stopped the banks from 'trying it on'.  Personally I feel quite sure that's what motivated them all along, rather than any genuine wish to make things more secure.  If they REALLY wanted to make things more secure, they could start by spreading the message that villains will always be pursued and prosecuted, no matter what the cost, and no matter what impact it has on senior staff bonuses.   >:(

The onus is on the bank to prove you gave the key out, which is very hard to do, so customers should still get refunded.

I still have a chip and signature card because of the stance the banks take on chip and pin.
Logged

camallison

  • Kitizen
  • ****
  • Posts: 1357
Re: Undelivered Goods
« Reply #17 on: January 05, 2012, 12:00:47 PM »

Quote from: sevenlayermuddle
Well let's hope the homepay protocol is released for public scrutiny. By doing so, clever academics and millions of well-intentioned volunteers can examine it and identify any vulnerabilities so that they are fixed before deployment.

Conversely, if homepay security depends upon keeping the protocol a secret, then I fear it will be intrinsically insecure as 'secrets' have a habit of escaping.

- 7LM

Already extensively worked on by white hats (well-intentioned volunteers and clever academics) as I understand.

Colin
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Undelivered Goods
« Reply #18 on: January 05, 2012, 12:35:01 PM »

Quote from: camallison
Already extensively worked on by white hats (well-intentioned volunteers and clever academics) as I understand.

Colin

Then they'll have nothing to fear from publishing it.  :)
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Undelivered Goods
« Reply #19 on: January 05, 2012, 06:43:06 PM »

Quote from: camallison
Already extensively worked on by white hats (well-intentioned volunteers and clever academics) as I understand.

Colin

Quote from: sevenlayermuddle
Then they'll have nothing to fear from publishing it.  :)

Absolutely.  ;D
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Undelivered Goods
« Reply #20 on: January 05, 2012, 09:08:30 PM »

Quote from: BritBrat
The onus is on the bank to prove you gave the key out, which is very hard to do, so customers should still get refunded.

The Chip & Pin scheme has nothing to do with improving security.

It is the Banks' attempt to shift the burden of proof onto the Customer in cases of fraud.

Quote
Liability shift

Canadian Imperial Bank of Commerce (CIBC) spokesman Rob McLeod said in relation to a $81,276 fraud case: “our records show that this was a chip-and-PIN transaction. This means [the customer] personal card and personal PIN number were used in carrying out this transaction. As a result, [the customer] is liable for the transaction.”
The Globe and Mail, 14 Jun 2011

https://media.defcon.org/dc-19/presentations/Barisani-Bianco-Laurie-Franken/DEFCON-19-Barisani-Bianco-Laurie-Franken.pdf

To avoid liability for fraudulent transactions, the Banks are routinely telling the courts that Chip & Pin is uncrackable. Any frauds, say the Banks, must, by definition, be due to customer negligence.

But that is manifestly untrue.

There are countless weaknesses in Chip & Pin, and in its implementations.

Here's another published paper from 2010, from Professor Anderson's team working on Chip & Pin flaws:

http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf


Many more flaws remain hidden, thanks to the Banks themselves.  The Courts are often used to gag academics like Anderson who were going to reveal more weaknesses in the scheme.

Nothing to hide, nothing to fear?

Embedded devices are inherently untrustworthy. They offer numerous vectors of attack. Who makes the final build of the embedded firmware? Who audits the firmware images for "inconsistencies" before they are rolled out? Who burns the firmware to ROM?  Where is that done? In some faceless fab facility, out of sight and away from scrutiny?

Many software backdoors are deliberately introduced by organised criminals who have weaseled their way into the build process. These backdoors are left dormant to be exploited only rarely to minimise detection.

This is not a problem that is unique to banking.  Politics also has a magnetic quality for criminals.

The electronic voting machines introduced in the 2001 US Presidential Election were highly dubious.  The directors of Diebold, the makers of one machine, were openly stating their support for presidential candidate George W. Bush.

And indeed, the Diebold machine was found to be riddled with flaws. Some of the flaws were almost certainly introduced deliberately.

Ultimately, it was shown that an attacker could log into the machine over 802.11 where the vote tallies for the candidates could be altered without leaving any audit trail.

In 2006, academics in the Netherlands made a mockery of the flaws in their voting machines by reflashing the firmware over a hacked wireless connection to the machine.  Instead of TouchScreen Voting Software, voters were presented with a chess game on the screen!

It would be funny if it wasn't so serious.

http://wijvertrouwenstemcomputersniet.nl/English
« Last Edit: January 05, 2012, 09:26:13 PM by asbokid »
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Undelivered Goods
« Reply #21 on: January 05, 2012, 10:52:47 PM »

Quote from: asbokid
http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf

That is really quite a frightening paper    :o

It would be nice to think the banks would learn from it, but I doubt it. Only a few months ago, I had mine call me up to discuss an insurance claim. The call commenced with a request for me to answer their security questions. I refused of course; you should never answer security questions on an incoming call. I protested vigorously that the call had exposed a security flaw; they even put me onto a 'supervisor' to rant discuss. But they genuinely didn't understand what they'd done wrong... their script simply said it was 'for my own protection' ...    :no:
Logged

oldfogy

  • Helpful
  • Kitizen
  • *
  • Posts: 3568
  • If it ain't broke....... I'll soon fix it.
Re: Undelivered Goods (Update)
« Reply #22 on: January 08, 2012, 12:38:08 AM »

I received a letter from my bank Lloyds TSB on Saturday, basically stating they have reimbursed my account and are also in touch with the offending retailer's bank.

OK, that's the gist of it but it's still a waiting game until my bank lets me know what if any further action is being taken.
Logged