[17518] in cryptography@c2.net mail archive

Re: massive data theft at MasterCard processor

daemon@ATHENA.MIT.EDU (Florian Weimer)
Tue Jun 21 16:01:35 2005

X-Original-To: cryptography@metzdowd.com
From: Florian Weimer <fw@deneb.enyo.de>
To: Peter Fairbrother <zenadsl6186@zen.co.uk>
Cc: "Steven M. Bellovin" <smb@cs.columbia.edu>,
	<cryptography@metzdowd.com>
Date: Tue, 21 Jun 2005 07:51:17 +0200
In-Reply-To: <BEDD25DC.A8A89%zenadsl6186@zen.co.uk> (Peter Fairbrother's
	message of "Tue, 21 Jun 2005 02:03:09 +0100")

* Peter Fairbrother:

> No, it isn't! A handwritten signature is far better, it gives post-facto
> evidence about who authorised the transaction - it is hard to fake a
> signature so well that later analysis can't detect the forgery,

Apparently, handwritten signatures can be repudiated, at least I've
heard of a few cases where this likely was the case (but naturally,
graphologists didn't agree if the signature was genuine).

You can even use a signature machine to facilitate repudiation at a
later date.

> Also there are several attacks on Chip n' PIN as deployed here in the UK,
> starting with the fake reader attacks - for instance, a fake reader says you
> are authorising a payment for $6.99 while in fact the card and PIN are being
> used to authorise a transaction for $10,000 across the street.

In Germany, there's a widely used system based on PIN and a magnetic
stripe, and you can buy used reader devices on eBay. 8-( This makes it
rather easy to mount a MITM attack.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
