[LINK] Consumer Credit-Card Risks

Steven Clark steven.clark at internode.on.net
Thu Jan 14 12:59:17 AEDT 2010

On 13/01/2010 11:19 AM, Stephen Wilson wrote:
> More importantly, I don't think he is actually talking about one time 
> passcodes as most of us know them (the codes generated by key fobs for 
> online authentication).  Rather he seems to be referring to the one-time 
> dynamic cryptograms exchanged between the chipcard and the terminal, 
> under the covers.  This is the mechanism that defeats skimming.

my thought exactly.

> Yes, un-authenticated use of cards in vending machines is increasingly 
> common esp. in carparks.  What astounds me is that when I used a credit 
> card face-to-face with a person at the Sydney Opera House carpark, there 
> was nothing to sign either.  Seems to be a new category of "Card 
> Present, Merchant Asleep" transaction.

perhaps someone decided that saving the recurring cost of the little
bits of paper was worth the risk of the occasional transaction. after
all, each one is relatively low value. it's a volume sale business,
after all.

> Incidentally, I was greatly relieved to not see any mention of 
> biometrics in the article.  Does anyone know of any biometric payment 
> security scheme that has survived its pilot?  IMHO biometrics remain 
> totally academic in retail or consumer security.

the hassle of convincing consumers to participate goes a long way to
explaining this. with passports, people *want* to travel enough to
overcome their resistance (such that hasn't already been undermined by
the 'antiterrorism' rhetoric).

whether it works is much more an academic question in the business
sector than 'can we get people to use it'. if people will use it, it's
got a fighting chance. if it makes people think they're safer because
they're using it, is - frankly - a bonus for business. [i'm not
suggesting business is not interested in security, rather that
convincing customers to try a new thing - particularly one that adds
hassle - is much harder than you might think.]

> Now, do you mind if I push the envelope a little?  The reason chip cards 
> are important in payments is that, one way or another, they protect the 
> integrity of the cardholder account number and other details, as 
> transmitted with the user's consent (PIN), from the card to the 
> terminal.  The details are encrypted (signed if you will) between the 
> chip and the terminal, which stops replay attack and thwarts ID theft.  
> More subtly, by increasing the dependability of those details, it means 
> that in principle less personal information is needed to corroborate a 
> transaction.

well, they certainly afford more certainty.

problem is, the more 'trustworthy' a process is thought to be, the less
people think about it - and therein lies the opportunities for fraud,
and other misuse.

> These properties are sorely needed in e-government and e-health.  If 
> we're keen on chip cards in payment security, then we should also be 
> looking for properly designed smartcards to secure e-health records and 
> the like.  Different cards for different domains of course.

this is/was a purpose of the defunct access card - and its lesser
sibling being 'developed' for all those lucky guests of the centrelink
system. and is a long term goal of the ehealth bureaucracy (and ehealth

whether we're 'keen' on such cards for any purpose, ultimately it's not
the technology that is the hardest problem to address.

Steven R Clark, BSc(Hons) LLB/LP(Hons) /Flinders/, MACS, Barrister and
PhD Candidate, School of Commerce, City West Campus, University of South

/Finding a Balance between Privacy and National Security in Australia's
ePassport System/
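The "one-time dynamic cryptograms exchanged between the chipcard and the terminal" that the thread refers to can be illustrated with a small model. The example below is added here for illustration; it is not code from either poster, and it is not EMV's actual cryptogram construction (EMV derives per-transaction keys and uses its own MAC; this model uses HMAC-SHA256 and a fixed field layout instead). The card key, PAN and terminal challenge values are constructed for the demonstration. It shows why a skimmed cryptogram is useless to replay: the card's signature binds the account number, the amount, a monotonic transaction counter and a challenge chosen by the terminal, and the issuer rejects any message where those do not line up.

```python
import hmac
import hashlib

# Constructed sample values for this illustration only; not real card data.
DEMO_PAN = "4111111111111111"
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac_input(pan: str, atc: int, amount_cents: int, un: bytes) -> bytes:
    """Fixed-layout encoding of the fields the cryptogram binds together.

    The terminal's unpredictable number (un) is what makes each cryptogram
    one-time; the counter (atc) lets the issuer spot a repeat even if a
    terminal were to reuse a challenge.
    """
    return pan.encode() + atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + un


class Card:
    """Simplified chip: a secret key the terminal never sees, plus a counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0  # application transaction counter, increments per use

    def generate_cryptogram(self, amount_cents: int, un: bytes) -> dict:
        self.atc += 1
        ac = hmac.new(self._key, mac_input(self.pan, self.atc, amount_cents, un),
                      hashlib.sha256).digest()[:8]
        # Only the account number, counter, amount and cryptogram leave the chip;
        # the key itself is never transmitted, so it cannot be skimmed.
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents, "ac": ac.hex()}


class Issuer:
    """Host side: knows each card's key and the highest counter seen so far."""

    def __init__(self, keys: dict):
        self._keys = keys
        self._last_atc = {}

    def authorise(self, msg: dict, terminal_un: bytes) -> str:
        key = self._keys.get(msg["pan"])
        if key is None:
            return "declined: unknown card"
        # Recompute over the challenge the terminal actually issued, not a value
        # supplied by the card message, so a captured cryptogram cannot carry
        # its own challenge along with it.
        expected = hmac.new(key, mac_input(msg["pan"], msg["atc"], msg["amount"], terminal_un),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, bytes.fromhex(msg["ac"])):
            return "declined: cryptogram does not match this challenge or amount"
        if msg["atc"] <= self._last_atc.get(msg["pan"], 0):
            return "declined: counter already used (replay)"
        self._last_atc[msg["pan"]] = msg["atc"]
        return "approved"


def run_scenarios() -> dict:
    """Walk through a genuine payment and three ways a captured message fails.

    A real terminal draws the challenge at random (e.g. os.urandom(4)); fixed
    constructed values are used here so the run is reproducible.
    """
    card = Card(DEMO_PAN, DEMO_KEY)
    issuer = Issuer({DEMO_PAN: DEMO_KEY})
    un1 = bytes.fromhex("1a2b3c4d")
    un2 = bytes.fromhex("9f8e7d6c")
    results = {}

    msg1 = card.generate_cryptogram(2500, un1)
    results["genuine"] = issuer.authorise(msg1, un1)

    # Same captured message presented to a terminal that issued a fresh challenge.
    results["replay_new_challenge"] = issuer.authorise(msg1, un2)

    # Same captured message with the original challenge repeated: counter catches it.
    results["replay_same_challenge"] = issuer.authorise(msg1, un1)

    # Captured message with the amount field altered in transit.
    results["amount_altered"] = issuer.authorise(dict(msg1, amount=250000), un1)

    # The legitimate card keeps working on its next transaction.
    results["genuine_second"] = issuer.authorise(card.generate_cryptogram(1200, un2), un2)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} {outcome}")
```

The two checks are deliberately ordered: the MAC comparison first, so a message is never allowed to advance the stored counter unless it was genuinely produced by the card for this challenge and amount, and the counter check second, covering the case where a challenge is reused.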
