[LINK] City launches fingerprint payment program

Rick Welykochy rick at praxis.com.au
Wed Oct 17 10:36:04 AEST 2007


Craig Sanders wrote:

> On Mon, Oct 15, 2007 at 09:33:53PM +1000, Rick Welykochy wrote:
>> The new credit card provides two modes of authentication:
>>
>> 1. my PIN is encoded on the magnetic strip, as always
> 
> huh?
> 
> the PIN isn't on the card. the account number (and a very small amount
> of related info) is on the card, the PIN is in the owner's memory.
> they key it into the EFTPOS or ATM keypad, where it is encrypted and
> transmitted (along with the account number and the amount of the
> purchase/withdrawal as well as identifying information about the shop,
> the EFTPOS machine or ATM, and so on) to remote servers which perform
> the authentication check and send back an OK or DECLINED message.

Thanks to a Linker for posting a good reference site (a Cambridge academic)
who clears this issue up somewhat.

It is up to the bank itself to do what they wish with the mag strip.

<http://www.cl.cam.ac.uk/~rja14/Papers/wcf.html>

    "One large UK bank even wrote the encrypted PIN to the card strip.
     It took the criminal fraternity fifteen years to figure out that you
     could change the account number on your own card's magnetic strip to
     that of your target, and then use it with your own PIN to loot his
     account."

The above paper is an excellent survey of ATM fraud. I was surprised by the
number of different attack vectors, including social engineering, insider
fraud, mechanical tampering and cryptanalysis.



cheers
rickw


-- 
_________________________________
Rick Welykochy || Praxis Services

When will governments realise that we do not want to live in economies,
we want to live in societies.
      -- Les Twentyman
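
Added example, not part of the original post or of the cited paper: a minimal model of why a PIN check value stored on the strip must be cryptographically bound to the account number, which is the design flaw the quoted passage describes. The key, account numbers, PIN, field names and the use of HMAC-SHA256 as a stand-in for the bank's unspecified encryption are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; a real issuer key would live in an HSM.
BANK_KEY = b"constructed-demo-key"


def _check_value(data: bytes) -> str:
    """Keyed check value (HMAC stands in for the bank's encryption)."""
    return hmac.new(BANK_KEY, data, hashlib.sha256).hexdigest()[:16]


def issue_card(account: str, pin: str) -> dict:
    """Simulated strip carrying both variants of the PIN check value."""
    return {
        "account": account,
        # Flawed design: value depends on the PIN alone.
        "pin_unbound": _check_value(pin.encode()),
        # Hardened design: value depends on account number AND PIN.
        "pin_bound": _check_value(f"{account}|{pin}".encode()),
    }


def verify_unbound(strip: dict, entered_pin: str) -> bool:
    """Verifier for the flawed design: never looks at the account field."""
    expected = _check_value(entered_pin.encode())
    return hmac.compare_digest(strip["pin_unbound"], expected)


def verify_bound(strip: dict, entered_pin: str) -> bool:
    """Verifier for the hardened design: recomputes over account and PIN."""
    expected = _check_value(f"{strip['account']}|{entered_pin}".encode())
    return hmac.compare_digest(strip["pin_bound"], expected)


def demo() -> dict:
    genuine = issue_card("1111222233334444", "4821")  # constructed values
    # Same strip, but the account field no longer matches what was issued.
    altered = dict(genuine, account="5555666677778888")
    return {
        "unbound_accepts_altered": verify_unbound(altered, "4821"),
        "bound_accepts_altered": verify_bound(altered, "4821"),
        "bound_accepts_genuine": verify_bound(genuine, "4821"),
    }


if __name__ == "__main__":
    print(demo())
```

The unbound verifier accepts the altered strip because nothing ties the stored value to the account field; the bound verifier rejects it while still accepting the genuine card.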


