Topic: Yet another chip&pin vulnerability (Read 3261 times)

sevenlayermuddle · « **on:** August 04, 2016, 12:01:36 AM »

http://www.bbc.co.uk/news/technology-36971832

Will the UK banks now come clean, and admit chip & pin is not perfect after all, and will they change their T&C to shift liability for chip & pin fraud to themselves?

Of course they won't. The insist upon complex passwords with mix of upper and lower case, which makes them experts on IT security, hence chip & pin cannot fail. All losses are attributable to customer error, such as failure to use strong passwords and keep their Pin secret.

Their reasoning, not mine.

broadstairs · « **Reply #1 on:** August 04, 2016, 07:38:56 AM »

If I read this correctly this is what has happened here in the past and the Banks say they have taken action to prevent such devices being easily implanted into the car reader, plus most of these devices can be seen by a user if they look carefully. So I dont believe this is new news for the UK.

Stuart

sevenlayermuddle · « **Reply #2 on:** August 04, 2016, 08:22:26 AM »

It sounds like a new twist. I'd heard of modified terminals that could capture the customer's pin, but that doesn't get the villain home and dry, he needs the chip too. This one seems to overcome that, if I read it right.

They did say...

Quote

The team said it had not seen any effort to rectify the problem, but that it hoped the firms were looking into the vulnerability.

My own opinion is that chip&pin is a big improvement over traditional cards, but the banks imho seem to place far too much trust in it, whereas nothing is truly invulnerable I visited the US recently and didn't find chip&pin in use anywhere I went, the Americans do seem to be treading more cautiously. Not sure if it's the banks or the customers that are resisting, or there maybe different laws regarding liability for fraud?

kitz · « **Reply #3 on:** August 04, 2016, 09:04:04 AM »

After reading the above I too wondered why the USA hadnt adopted chip and pin. Theres an article here which summarises some of the points:

Why is the US a decade behind Europe on 'chip and pin' cards?

What ever technology is used someone will attempt to exploit the system at some point. I guess we all want easy access to our money.
Not sure what future alternatives could bring retina or fingerprint technology? Buy online and look close at the screen?
... or we could go backwards and have to visit the bank each week, where the cashier either knows you or had to physically go check your signature against the card you signed when you opened the account.

niemand · « **Reply #4 on:** August 04, 2016, 09:49:16 AM »

Haven't seen the talk yet, I'm sure it'll be online soon, however I fully imagine that at least some of these issues were
presented in a talk in 2011 and nothing was done.

EMVCo are pretty cavalier. Joys of having a monopoly and not being responsible for losses.

sevenlayermuddle · « **Reply #5 on:** August 04, 2016, 09:59:43 AM »

Quote from: kitz on August 04, 2016, 09:04:04 AM

... or we could go backwards and have to visit the bank each week, where the cashier either knows you or had to physically go check your signature against the card you signed when you opened the account.

Ah yes, the old days, when banking security depended on having an honest face.

And of course, you had to be personally interviewed by the branch manager before being offered a cheque book and (if you had that honest face) a cheque guarantee card.

But at least in those days it was accepted that signatures could be forged, for which banks generally accepted liability. Nowadays, I'm alarmed by the number of stories I read where C&P fraud has occurred and the banks insist that because the thief used the pin, the customer must have disclosed it, and so the customer is liable.

PS: Ignitionnet, I see our posts have crossed, not ignoring your point that just that I'd already composed reply and don't think it contradicts.

kitz · « **Reply #6 on:** August 04, 2016, 03:22:24 PM »

Quote

And of course, you had to be personally interviewed by the branch manager before being offered a cheque book and (if you had that honest face) a cheque guarantee card.

haha, how true that was. Before the days of computer says no, a vast majority of lending was done on gut instinct or if your "family" knew the bank manager. I went on a business lending course sometime very early 90's where a whole afternoon was devoted to body language and risk. There was even an expert on body language who came in and did a talk of signs to look for. Wearing a suit and tie for interviews often went a long way.

When I first joined the bank very few 18 y/o's had a cheque guarantee card unless your parents had a good known history to the bank manager.
There was one staff advantage of working for a bank, I had a cheque guarantee card at 17; which proved useful on at least one occasion as proof of id

Don't think they re allowed to do that any more.

Chrysalis · « **Reply #7 on:** August 04, 2016, 04:12:15 PM »

this made me giggle.

Quote

The governor said that banks have "no excuse" not to pass on the lower borrowing costs to customers and will be charged a penalty if they fail to do so.

Take note ofcom on how to enforce passing savings onto customers

This is good news for people like me who like to use credit services (why not as it is cheap), I think the 0% credit card era is great. I also remember the days of yeah the bank manager deciding who gets credit and the terms of that credit.

However the UK has now come across as panicking, only a month or so ago they decided to freeze interest rates, and I expected that decision to stick for at least half a year, not be reviewed again only 4 weeks later. Goldman Sachs who's boss was buddies with osborne I suspect are going to punish the UK for sacking his buddy by shifting some banking to paris.

Oh yeah, sorry I realised I am taling about the rate cut, because after reading the linked article I strayed onto the rate cut news.

sevenlayermuddle · « **Reply #8 on:** August 04, 2016, 06:31:26 PM »

I have the dubious distinction of once having had my cheque guarantee card 'Declined', late 1980s.

Staying at a remote hotel on remote Scottish Island, owned by a rather wonderful but slightly eccentric hotelier. He spoke rather posh, public school Accent to the point of being almost a speech impediment. On checkout, I handed him cheque and card. He sniffed at the card, then handed it back and declared...

'Sorry Sir, this is no good to me'

I stuttered apologies, and asked why?

'Well' he said, 'People who write bouncing cheques go to places like The Mediterranean. Those who visit Scottish Islands can simply be trusted.'

A great fellow, splendid hotel, and one day I'd like to revisit. I know he was still there a couple of years ago, at least.

licquorice · « **Reply #9 on:** August 04, 2016, 06:33:29 PM »

Brilliant!!!

News:

Author Topic: Yet another chip&pin vulnerability (Read 3261 times)

sevenlayermuddle

Yet another chip&pin vulnerability

broadstairs

Re: Yet another chip&pin vulnerability

sevenlayermuddle

Re: Yet another chip&pin vulnerability

kitz

Re: Yet another chip&pin vulnerability

niemand

Re: Yet another chip&pin vulnerability

sevenlayermuddle

Re: Yet another chip&pin vulnerability

kitz

Re: Yet another chip&pin vulnerability

Chrysalis

Re: Yet another chip&pin vulnerability

sevenlayermuddle

Re: Yet another chip&pin vulnerability

licquorice

Re: Yet another chip&pin vulnerability