[LINK] City launches fingerprint payment program

Craig Sanders cas at taz.net.au
Tue Oct 16 07:10:22 AEST 2007


On Mon, Oct 15, 2007 at 09:33:53PM +1000, Rick Welykochy wrote:
> The new credit card provides two modes of authentication:
>
> 1. my PIN is encoded on the magnetic strip, as always

huh?

the PIN isn't on the card. the account number (and a very small amount
of related info) is on the card, the PIN is in the owner's memory.
they key it into the EFTPOS or ATM keypad, where it is encrypted and
transmitted (along with the account number and the amount of the
purchase/withdrawal as well as identifying information about the shop,
the EFTPOS machine or ATM, and so on) to remote servers which perform
the authentication check and send back an OK or DECLINED message.

> Ironically, there are now two vectors of attack available on my credit
> card: crack the data on the mag strip or crack the chip.

PIN security isn't the danger from smart cards. the danger is to
privacy, from the data-gathering capabilities of them.

and a further danger is from RFID cards, where money can be withdrawn
or accounts debited (and data snooped on) by mere proximity - without
requiring any act of consent by the owner.

craig

-- 
craig sanders <cas at taz.net.au>

BOFH excuse #93:

Feature not yet implemented


