[Info-vax] One possible market for VMS: secure credit card
JF Mezei
jfmezei.spamnot at vaxination.ca
Sun Mar 22 22:08:09 EDT 2015
On 15-03-22 19:26, johnwallace4 at yahoo.co.uk wrote:
> E.g.
> http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
Thanks. Very interesting read. However, this proof of concept assumes
newer cards do not block transactions unless PIN authentication has been
performed by them.
(in short: man in middle intercepts the PIN authentication request being
sent to the card, responds with "PIN OK", so the terminal thinks the
user entered the right PIN, and the card never was asked to verify the
PIN and so is unaware a bad PIN was entered.)
> What C+P is 'helpful' for is shifting the liability from the card
> processors to someone else (the customer, the trader).
This depends on countries and banks. In Canada, there hasn't been such a
shift. However, I suspect most fraud transactions are now done with
"card not present" over the internet.
Note that VISA does offer a fairly basic form of authentication on the
Internet. When I buy train tickets for instance, I am sent to a VISA
page where I have to enter either personal info or a password I had
registered with VISA. VISA then tells Via Rail that the transaction has
been accepted.