Kitz ADSL Broadband Information

Author Topic: Undelivered Goods  (Read 42860 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5372
Re: Undelivered Goods
« Reply #15 on: January 05, 2012, 10:49:16 AM »

Well let's hope the homepay protocol is released for public scrutiny.  By doing so, clever academics and millions of well-intentioned volunteers can examine it and identify any vulnerabilities so that they are fixed before deployment.

Conversely, if homepay security depends upon keeping the protocol a secret, then I fear it will be intrinsically insecure as 'secrets' have a habit of escaping.

- 7LM

BritBrat

  • Kitizen
  • ****
  • Posts: 1359
Re: Undelivered Goods
« Reply #16 on: January 05, 2012, 11:55:03 AM »


We all know that's total garbage, it transpired there were lots of ways villains could find out a PIN number, but it hasn't stopped the banks from 'trying it on'.  Personally I feel quite sure that's what motivated them all along, rather than any genuine wish to make things more secure.  If they REALLY wanted to make things more secure, they could start by spreading the message that villains will always be pursued and prosecuted, no matter what the cost, and no matter what impact it has on senior staff bonuses.   >:(

The onus is on the bank to prove you gave the key out; very hard to do, so customers should still get refunded.

I still have a chip and signature card because of the stance the banks take on chip and PIN.

camallison

  • Kitizen
  • ****
  • Posts: 1357
Re: Undelivered Goods
« Reply #17 on: January 05, 2012, 12:00:47 PM »

Well let's hope the homepay protocol is released for public scrutiny.  By doing so, clever academics and millions of well-intentioned volunteers can examine it and identify any vulnerabilities so that they are fixed before deployment.

Conversely, if homepay security depends upon keeping the protocol a secret, then I fear it will be intrinsically insecure as 'secrets' have a habit of escaping.

- 7LM

Already extensively worked on by white hats (well-intentioned volunteers and clever academics) as I understand.

Colin

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5372
Re: Undelivered Goods
« Reply #18 on: January 05, 2012, 12:35:01 PM »

Already extensively worked on by white hats (well-intentioned volunteers and clever academics) as I understand.

Colin

Then they'll have nothing to fear from publishing it.  :)

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Undelivered Goods
« Reply #19 on: January 05, 2012, 06:43:06 PM »

Already extensively worked on by white hats (well-intentioned volunteers and clever academics) as I understand.

Colin

Then they'll have nothing to fear from publishing it.  :)

Absolutely.  ;D
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Undelivered Goods
« Reply #20 on: January 05, 2012, 09:08:30 PM »

« Last Edit: January 05, 2012, 09:26:13 PM by asbokid »

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5372
Re: Undelivered Goods
« Reply #21 on: January 05, 2012, 10:52:47 PM »

http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf

That is really quite a frightening paper    :o

It would be nice to think the banks would learn from it, but I doubt it.  Only a few months ago, I had mine call me up to discuss an insurance claim.  The call commenced with a request for me to answer their security questions.  I refused of course; you should never answer security questions on an incoming call. I protested vigorously that the call had exposed a security flaw,  they even put me onto a 'supervisor' to rant discuss.  But they genuinely didn't understand what they'd done wrong... their script simply said it was 'for my own protection' ...    :no:



oldfogy

  • Helpful
  • Kitizen
  • *
  • Posts: 3568
  • If it ain't broke....... I'll soon fix it.
Re: Undelivered Goods (Update)
« Reply #22 on: January 08, 2012, 12:38:08 AM »

I received a letter from my bank Lloyds TSB on Saturday, basically stating they have reimbursed my account and are also in touch with the offending retailer's bank.

OK, that's the gist of it, but it's still a waiting game until my bank lets me know what, if any, further action is being taken.