Saturday, May 06, 2006

ID Cards Will Make Us Safer

Of course they will!

Major Chip'n'Pin securifart. It's essentially the exploit described by Prof. Ross Anderson of the Cambridge Computer Lab on his cracking blog (in both senses of cracking) - thieves have converted some point-of-sale terminals to collect the data from the cards' magnetic strips, then made new cards. The new cards have no chip, so they can only be used where the chip is not checked, but this does not appear to have been a problem.

Interesting sidelight: British cards, unlike (I think) the original'n'best French system, do online authorisation but local authentication. That is, the PIN is recorded on the card, just like your bank tells you not to, but the payment authorisation is done by the bank's server over the wires. This obviously means that it's not true two-factor verification as the PIN is actually on the card.

Why is this? Well, let us summon the shade of Galbraith. Are you in there, John?

(LOUD TABLE RAPPING)

Bastards, I've just got here and you're wanting my advice. Go away!

There's a dry martini in it for you, Professor.

All right then. If the authorisation was local, the bank would risk someone buying thousands of dollars' worth of gold and welshing. So it has to be immediate. I remember, when the first credit cards appeared, Diners Club struggled for years with it - once at the Hanover Inn, I was having the first of the day with Pierre Salinger and they..

Get to the point, can't you? Damn, I see how you wrote so many books now..

But if the authentication fails, it's the customer whose money is gone. And the bank wants the transactions to keep going, even if the authorisation is down. You see

Thanks, ghostly economist!

Where's my martini? Ungrateful swine. Why, it's enough to make one wish for death..

Right, enough with the seance. If the authorisation buggers up in such a way as to authorise stuff that shouldn't be, it's the bank's responsibility - if the PIN is lost, it's the customer's, and indeed the banks tried for years to deny it could be stolen.
