[Gllug] security check

James Laver gllug at jameslaver.com
Tue Aug 11 08:12:56 UTC 2009


On 11 Aug 2009, at 08:25, JLMS wrote:
>
> Your Linux computer is the least likely place where your information
> can be compromised.
>
> Poorly paid or disgruntled workers are known to sell credit card
> information that they manage to extract in call centers or badly
> administered IT departments. There is precious little you can do about
> this, checking your statements is the only measure that ensures bogus
> transactions are spotted.

And yet with chip and pin, the liability rests on you.

> Another source of fraud is the establishments accepting cards. Every
> time you lose sight of your card you are giving the opportunity to
> somebody to obtain your card details.

Again, as a chip and signature user my bank is forced to protect me  
from this. Not that I let people walk away with my card etc.

> Another potential problem is cash machines. Sophisticated thieves
> install card readers or cameras to get as much information as
> possible from your card, or the card itself. Every time I need to use
> a cash machine I make sure there are no strange devices. I pull and
> push the slot where the card is read and check manually for any cameras
> or strange objects. Then I cover the keypad when I type my pin in case
> somebody is behind me "rubber necking".

But what about residual heat on the keypad? Are you touching all of  
the numbers for random periods of time afterwards in order to mask the  
thermal signature?

> Also how you dispose of your bank statements could be an issue. Are
> you shredding them? No document with sensitive information leaves my
> house unshredded...

I recently sorted my desk out and was horrified to discover that I  
filled an entire crate with shreddables, and that's without counting  
all of the paperwork I've filed into another crate. Who'd've known my  
desk could get *that* bad?


Anyway, time for the obligatory chip and signature talk. With chip and  
pin, you are liable for fraud. There is another option, chip and  
signature. Chip and signature indemnifies you against fraud because it  
shifts the liability back to the bank to check your signature to  
detect fraud.

There are downsides, you can't use a cashpoint for example. And while  
stores have an obligation to accept it, smaller retailers can be very  
arsey about it and some flat refuse to take it.

Getting one can also be quite an adventure as well. They are designed  
for mentally disabled people who may have difficulty remembering their  
pin. The Disability Discrimination Act forces them to make any  
concessions for disabled people available to non-disabled people as  
well.

I somehow convinced a Lloyds Bank worker to show me their guidelines  
for chip and signature issue. Apparently they expect a mentally  
disabled person who can't remember their pin to talk about the nature  
of their disability. How inhuman (and completely illegal!), but they  
really don't want to give them out.

Anyway, if you don't desperately need a cashpoint, chip and signature  
is the way forward. Shift the liability back to where it ought to be,  
with the bank! Because they can, y'know, do something about it. Until  
the chip and pin system is properly discredited (or the law is changed  
to shift liability back to the bank), I'll stick with signature,  
thanks. And yes, I like my chequebook.

--James
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug