[6263] in cryptography@c2.net mail archive
Re: Debit card fraud in Canada
daemon@ATHENA.MIT.EDU (Lynn.Wheeler@firstdata.com)
Mon Dec 13 22:39:09 1999
From: Lynn.Wheeler@firstdata.com
To: David Honig <honig@sprynet.com>
Cc: "Steven M. Bellovin" <smb@research.att.com>,
Steve Reid <sreid@sea-to-sky.net>, cryptography@c2.net
Message-ID: <85256846.00808D39.00@lnsunr02.firstdata.com>
Date: Mon, 13 Dec 1999 15:25:24 -0800
The NACHA pilot announced about a month ago ... specifies an AADS-based
transaction.
The combined press release last week at BAI (something like cebit for the world
retail banking industry) ... specifies AADS/X9.59 digital signing.
The AADS strawman proposes an online parameterized risk management
infrastructure that can be software, hardware, PIN-activated hardware,
bio-sensor-activated hardware, etc. (i.e. the integrity level of the compartment
doing the digital signing). The issue isn't that the chip enables offline ...
but that a chip with various characteristics can improve the integrity of online
(non-face-to-face) transactions.
misc. references.
http://internetcouncil.nacha.org/
http://www.garlic.com/~lynn/
and specific ...
http://www.garlic.com/~lynn/99.html#224
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo1
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo2
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo3
David Honig <honig@sprynet.com> on 12/13/99 12:12:42 PM
To: "Steven M. Bellovin" <smb@research.att.com>, Steve Reid
<sreid@sea-to-sky.net>
cc: cryptography@c2.net (bcc: Lynn Wheeler/CA/FDMS/FDC)
Subject: Re: Debit card fraud in Canada
At 10:49 AM 12/13/99 -0500, Steven M. Bellovin wrote:
>true for credit cards? If so, a simple visual recorder -- already used by
>other thieves -- might suffice, and all the tamper-resistance in the world
>won't help. Crypto, in other words, doesn't protect you if the attack is on
>the crypto endpoint or on the cleartext.
Wouldn't a thumbprint reader on the card (to authenticate the meat to the
smartcard) be a tougher thing to shoulder surf?
It does raise the cost over a PIN.
Aren't there protocols where the exchange can't be replayed,
but proof-of-knowledge is demonstrated?
Or would these exchanges require on-line connectivity, thereby defeating
the utility of smartcards some?
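Honig asks for an exchange that proves knowledge of a secret without being replayable, and Lynn's reply points at online X9.59-style digital signing. As an added illustration (not code from either message, nor from the AADS or NACHA work), here is a minimal challenge-response in Go: the issuer hands the card a one-time nonce, the card signs nonce plus transaction fields with a key that never leaves the chip, and the issuer consumes the nonce on verification, so a recorded exchange cannot be played back. The Ed25519 key type, the message layout and the NewPair enrollment step are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Card models the signing compartment (the chip in the AADS picture); its private key never leaves it.
type Card struct{ priv ed25519.PrivateKey }
// Issuer is the online verifier: it holds the card's public key and the challenges it has handed out.
type Issuer struct {
	pub    ed25519.PublicKey
	issued map[[16]byte]bool // outstanding nonces, each usable exactly once
}

// NewPair enrolls one card with one issuer (assumed setup for the example, not an X9.59 registration flow).
func NewPair() (*Card, *Issuer) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Card{priv}, &Issuer{pub: pub, issued: map[[16]byte]bool{}}
}
// Challenge issues a fresh random nonce and remembers it until it is consumed.
func (i *Issuer) Challenge() [16]byte {
	var n [16]byte
	rand.Read(n[:])
	i.issued[n] = true
	return n
}
// message binds the nonce to the transaction fields, so a signature cannot be moved to another payment.
func message(nonce [16]byte, amountCents uint64, merchant string) []byte {
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], amountCents)
	return append(append(nonce[:], amt[:]...), merchant...)
}

// Sign is the card's response: proof of possession of the key without ever transmitting it.
func (c *Card) Sign(nonce [16]byte, amountCents uint64, merchant string) []byte {
	return ed25519.Sign(c.priv, message(nonce, amountCents, merchant))
}
// Verify accepts only an outstanding nonce with a matching signature, then consumes the nonce.
func (i *Issuer) Verify(nonce [16]byte, amountCents uint64, merchant string, sig []byte) error {
	if !i.issued[nonce] {
		return errors.New("unknown or already-used challenge (replay)")
	}
	if !ed25519.Verify(i.pub, message(nonce, amountCents, merchant), sig) {
		return errors.New("signature does not match transaction")
	}
	delete(i.issued, nonce)
	return nil
}
```

The issuer-side nonce store is exactly what makes the scheme online, which is the trade-off Honig raises in his last question.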