[Wolves] credit card signatures etc

sparkes sparkes at phreaker.net
Tue Apr 6 16:21:52 BST 2004


On Tue, 2004-04-06 at 16:07, Old Dan wrote:

> I do think the idea of completely replacing signatures is a stupid one. 
> The problem with signatures not being checked is a simple one of - well -
> signatures not being checked rather than a fundamental flaw in the
> signature system itself.

I think the idea is to stop card cloning rather than theft.  The idea
that using the card number and the pin number online would prevent theft
is probably bogus.  If you can sniff an insecure form or spoof a popular
website then the same form that collects the card number would also
collect the pin.  Grab one, grab them both.  Stupid developers would
still store both online and then thousands of people would have their
details, cc numbers and pins compromised in one fell swoop.

The pin is only good when it is part of the key, the other part is in
the chip and together they validate against another key held in the bank
computers.  Take the chip, the pin or the bank out of the equation and
the chip and pin is not only not better than the old trust and signature,
it could be even more shaky.  Don't underestimate the power of the
advertising (chip and pin is safer, chip and pin is safer, etc); people
will be more trusting of someone who holds a card and knows the pin than
they would have previously been.

Online fraud can't be stopped by this system unless every pc has a chip
reader and a secure(ish) connection to the banking system.  And once
that happens the system will fall foul of replay attacks.  Banks'
security involves a few inches of steel, alarms and time locks; they
don't understand computers, just like most of their clients don't
understand how the APR is worked out on their loans.

> 
> ::shrug::
me too, I try to use cash ;-) paranoid is more than a great record it's
a way of life ;-)

sparkes
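
Added example, not part of the original message: a simplified Python model of the distinction drawn above between a card number and PIN typed into a form and a chip-held key checked against the bank, including the replay case. The Chip and Bank classes, the HMAC scheme and every value are assumptions constructed for illustration; this is not the real EMV protocol.

```python
# Simplified model (assumption): HMAC challenge-response, not real EMV.
import hashlib
import hmac
import secrets

def _mac(key, challenge, amount_pence):
    msg = challenge + amount_pence.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class Chip:
    """Hypothetical chip: holds a key and uses it only for the right PIN."""
    def __init__(self, key, pin):
        self._key, self._pin = key, pin

    def sign(self, pin, challenge, amount_pence):
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        return _mac(self._key, challenge, amount_pence)

class Bank:
    """Hypothetical bank side: knows the static details and the chip key."""
    def __init__(self, card_number, pin, key):
        self._card, self._pin, self._key = card_number, pin, key
        self._open = set()  # challenges issued but not yet spent

    def static_check(self, card_number, pin):  # form details: same every use
        return (card_number, pin) == (self._card, self._pin)

    def new_challenge(self):
        challenge = secrets.token_bytes(16)
        self._open.add(challenge)
        return challenge

    def chip_check(self, challenge, amount_pence, mac):
        if challenge not in self._open:
            return False  # unknown or already spent: a replayed message
        self._open.discard(challenge)
        return hmac.compare_digest(mac, _mac(self._key, challenge, amount_pence))

def demo():
    key = secrets.token_bytes(32)
    bank = Bank("0000111122223333", "1234", key)  # constructed values
    chip = Chip(key, "1234")
    # Details copied from a form are accepted again, unchanged.
    static_replay = bank.static_check("0000111122223333", "1234")
    challenge = bank.new_challenge()
    mac = chip.sign("1234", challenge, 2500)
    first = bank.chip_check(challenge, 2500, mac)
    replayed = bank.chip_check(challenge, 2500, mac)  # same bytes resent
    return static_replay, first, replayed
```

demo() returns (True, True, False): the copied form details pass again, the chip response passes once, and the resent response is refused because its challenge was already spent.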



