[6253] in cryptography@c2.net mail archive
Re: Debit card fraud in Canada
daemon@ATHENA.MIT.EDU (Greg Rose)
Mon Dec 13 16:29:53 1999
Message-Id: <4.2.0.58.19991214064723.00c58290@127.0.0.1>
Date: Tue, 14 Dec 1999 06:52:26 +1100
To: "Steven M. Bellovin" <smb@research.att.com>
From: Greg Rose <ggr@qualcomm.com>
Cc: cryptography@c2.net
In-Reply-To: <19991213154941.17F5C41F16@SIGABA.research.att.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 10:49 13/12/1999 -0500, Steven M. Bellovin wrote:
> If so, a simple visual recorder -- already used by
>other thieves -- might suffice, and all the tamper-resistance in the world
>won't help. Crypto, in other words, doesn't protect you if the attack is on
>the crypto endpoint or on the cleartext.
This doesn't work. The PIN is derived by adding a "PIN Offset" which is
stored on the magstripe to the "Real PIN" which is cryptographically
derived from the account information. If you can't duplicate the magstripe,
the PIN you have shoulder-surfed is useless. (To caveat my own words...
this is one of the internationally standardised and widely deployed
methods. I don't know how the other ones handle this problem.)
Greg.
Greg Rose INTERNET: ggr@Qualcomm.com
Qualcomm Australia VOICE: +61-2-9181-4851 FAX: +61-2-9181-5470
Suite 410, Birkenhead Point, http://people.qualcomm.com/ggr/
Drummoyne NSW 2047 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
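As an added illustration (not part of Greg's message or any archive content) of the "PIN offset" method he describes: the issuer derives a natural PIN from the account data under a key it holds, and the magstripe carries only the digit-wise difference between the customer's chosen PIN and that natural PIN. Verification needs the PAN and offset from the stripe, the PIN from the keypad, and the key from the HSM. Two assumptions are made so the code runs with the standard library alone: the real scheme encrypts the validation data with (3)DES under the PIN Verification Key (PVK), and HMAC-SHA256 keyed with the PVK stands in for that encryption here; the decimalisation table, validation-data rule, PAN and key are constructed defaults, not values from the message.

```python
import hmac
import hashlib

# Added illustration of the IBM 3624-style "PIN offset" scheme.
# ASSUMPTION: the real scheme encrypts the validation data with (3)DES under the
# PIN Verification Key (PVK) inside an HSM. HMAC-SHA256 keyed with the PVK stands
# in for that encryption so this runs with the standard library only. The
# decimalisation table and validation-data rule are common defaults, assumed here.

PIN_LENGTH = 4
# Maps each hex digit (0-F) of the keyed output to a decimal digit.
DECIMALISATION_TABLE = "0123456789012345"


def validation_data(pan: str) -> str:
    """Rightmost 11 PAN digits excluding the Luhn check digit, padded to 16 with 'F'."""
    if not pan.isdigit() or len(pan) < 12:
        raise ValueError("PAN must be at least 12 digits")
    return pan[:-1][-11:].ljust(16, "F")


def natural_pin(pan: str, pvk: bytes) -> str:
    """The 'real PIN': derived cryptographically from the account data under the PVK."""
    digest = hmac.new(pvk, validation_data(pan).encode(), hashlib.sha256).hexdigest()
    decimalised = "".join(DECIMALISATION_TABLE[int(h, 16)] for h in digest)
    return decimalised[:PIN_LENGTH]


def _check_pin(pin: str) -> None:
    if not (pin.isdigit() and len(pin) == PIN_LENGTH):
        raise ValueError(f"PIN must be {PIN_LENGTH} decimal digits")


def pin_offset(pan: str, pvk: bytes, customer_pin: str) -> str:
    """Value written to the magstripe: customer PIN minus natural PIN, digit-wise mod 10."""
    _check_pin(customer_pin)
    npin = natural_pin(pan, pvk)
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(customer_pin, npin))


def verify_pin(pan: str, offset: str, entered_pin: str, pvk: bytes) -> bool:
    """Issuer-side check: natural PIN plus stripe offset must equal the keyed-in PIN."""
    _check_pin(offset)
    _check_pin(entered_pin)
    npin = natural_pin(pan, pvk)
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(npin, offset))
    return hmac.compare_digest(expected, entered_pin)


def demo() -> dict:
    """Constructed scenario: a shoulder-surfed PIN presented with and without the genuine stripe."""
    pvk = b"constructed-example-pvk"        # would live only in the issuer's HSM
    pan = "4111111111111111"                # constructed test PAN
    customer_pin = "1234"
    stripe_offset = pin_offset(pan, pvk, customer_pin)   # what the genuine card carries
    # Attacker saw "1234" but must also supply the offset; a wrong one fails.
    wrong_offset = str((int(stripe_offset[0]) + 1) % 10) + stripe_offset[1:]
    return {
        "stripe_offset": stripe_offset,
        "genuine_card_accepts": verify_pin(pan, stripe_offset, customer_pin, pvk),
        "wrong_offset_rejects": not verify_pin(pan, wrong_offset, customer_pin, pvk),
        "wrong_pin_rejects": not verify_pin(pan, stripe_offset, "1243", pvk),
        # A PIN change only rewrites the offset; PVK and natural PIN stay fixed.
        "changed_pin_changes_offset": pin_offset(pan, pvk, "9876") != stripe_offset,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point worth noticing is that the offset is not secret on its own: it is useless without the PIN, and the PIN is useless without the offset and a key that never leaves the HSM, which is why verification is a three-input check rather than a comparison against a stored PIN.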