[6257] in cryptography@c2.net mail archive
Re: Debit card fraud in Canada
daemon@ATHENA.MIT.EDU (David Honig)
Mon Dec 13 16:30:30 1999
Message-Id: <3.0.5.32.19991213121242.007e6100@pop.sprynet.com>
Date: Mon, 13 Dec 1999 12:12:42 -0800
To: "Steven M. Bellovin" <smb@research.att.com>,
Steve Reid <sreid@sea-to-sky.net>
From: David Honig <honig@sprynet.com>
Cc: cryptography@c2.net
In-Reply-To: <19991213154941.17F5C41F16@SIGABA.research.att.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 10:49 AM 12/13/99 -0500, Steven M. Bellovin wrote:
>true for credit cards? If so, a simple visual recorder -- already used by
>other thieves -- might suffice, and all the tamper-resistance in the world
>won't help. Crypto, in other words, doesn't protect you if the attack is on
>the crypto endpoint or on the cleartext.

Wouldn't a thumbprint reader on the card (to authenticate the meat to the
smartcard) be a tougher thing to shoulder surf?
Does raise the cost over a PIN.
Aren't there protocols where the exchange can't be replayed,
but proof-of-knowledge is demonstrated?
Or would these exchanges require on-line connectivity, thereby defeating
the utility of smartcards some?
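
The kind of exchange the message asks about, as an added illustration that is not part of the original post: a Schnorr-style challenge-response in which the card proves knowledge of a secret without revealing it, a recorded transcript fails against a fresh challenge, and the terminal checks the proof using only the card's public value. The group parameters and all function names are toy values constructed for this example.

```python
import secrets

# Toy Schnorr group, constructed for this example and far too small for real
# use: P = 2*Q + 1 with P and Q prime; G = 4 has order Q modulo P.
P, Q, G = 2039, 1019, 4

def keygen():
    """Card personalisation: secret x stays on the card, y = G^x is public."""
    x = secrets.randbelow(Q - 1) + 1          # 1 .. Q-1
    return x, pow(G, x, P)

def commit():
    """Card, step 1: fresh one-time nonce r and commitment t = G^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def new_challenge():
    """Terminal, step 2: unpredictable challenge chosen after seeing t."""
    return secrets.randbelow(Q)

def respond(x, r, c):
    """Card, step 3: s = r + c*x mod Q. The nonce r must never be reused."""
    return (r + c * x) % Q

def verify(y, t, c, s):
    """Terminal, step 4: accept iff G^s == t * y^c (mod P). Needs only y."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def replay_accepted(y, recorded, fresh_c):
    """An observer resends a recorded (t, c, s) against a new challenge."""
    t, _old_c, s = recorded
    return verify(y, t, fresh_c, s)

def demo():
    """Run one live session, then replay its transcript; returns both results."""
    x, y = keygen()
    r, t = commit()
    c = new_challenge()
    s = respond(x, r, c)
    live_ok = verify(y, t, c, s)
    fresh_c = (c + 1 + secrets.randbelow(Q - 1)) % Q   # any challenge != c
    return live_ok, replay_accepted(y, (t, c, s), fresh_c)

if __name__ == "__main__":
    print(demo())
```

The replay is rejected because the recorded response is bound to the old challenge; with a realistic group size the chance of the terminal repeating a challenge is negligible.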