Comments:Chip and PIN 'not fit for purpose', says Cambridge researcher
This page is for commentary on the news. If you wish to point out a problem in the article (e.g. a factual error), please use its regular collaboration page instead. Comments on this page do not need to adhere to the Neutral Point of View policy. Please remain on topic and avoid offensive or inflammatory comments where possible. Try to be thought-provoking, insightful, or controversial. Civil discussion and polite sparring make our comments pages a fun and friendly place. Please think of this when posting.
Contents
| Thread title | Replies | Last modified |
|---|---|---|
| Those in positions of power shirking responsibility and lying? | 3 | 03:05, 25 June 2011 |
"All the banks are lying. They are maliciously and wilfully deceiving the customer [...] The system is not fit for purpose." I'm so surprised that I've apparently transcended a serious remark and instead am being sarcastic. Incidentally, only part of that sentence was sarcastic.
I had no idea that the PIN was in the chip. Talk about broken security. That should always have been verified on the bank's servers and nowhere else.
Going back as far as 40 years ago, the banks and insurance companies have always been considered the dregs of high technology. Sure, they have massive computer systems, but they have consistently dragged their feet toward any reasonable security systems, not to mention modern accounting systems.
One can only assume that they intend to maximize profit against the cost of implementing proper systems -- even though, ironically, here in the States, banks very often forgive the charges to customers who dispute them. That must cost a huge amount of money, but they seem to prefer to avoid embarrassment in the press than to actually fix their broken systems.
They still wear the black arm-bands and green visors of their fore-figures... The story points out just how absurdly simplistic their technological thinking is. Amazing, but hardly surprising.
Merchants are advised that they should ensure the cardholder removes their hand from the card during a Chip and PIN transaction, and that there are no wires connecting the card to the cardholder.
This simple defence renders Professor Anderson's somewhat convoluted "Backpack Computer" attack ineffective.
To date, no mechanism can be demonstrated -- in the laboratory or in the field -- whereby the PIN can be obtained from the cryptographically protected area of the chip in which it is held.
Therefore the assertion that the technology is not fit for purpose is invalid.
There is an easier way to obtain someone's PIN -- look over their shoulder. So unless the entire concept of entering a "secret number" is deemed invalid, the technology should not be attacked.