PIN's and credit cards.
Nicholas Bohm
nbohm at ernest.net
Sun, 24 Nov 2002 12:44:46 +0000
At 12:37 18/11/2002 +0000, Peter Tomlinson wrote:
[snip]
>In this case, a
>secure PIN pad is definitely better than no PIN at all, but I also back
>public scrutiny of scheme security and the onus on the scheme to prove that
>the customer was wrong. Doesn't Nicholas Bohm back this in a paper about the
>balance being tilted too far in favour of the banks these days?
We know that people have no means by which they can transfer between one
another the means of making a recognisably identical manual
signature. That is why signatures can work quite well for authentication,
and why the risk of failing to spot a fake can be made to fall on the
person relying on the signature.
Non-transferability of this kind doesn't seem to be achievable with PINs,
not altogether even with biometrics (for which quite a bit of spoofing
seems possible).
At the moment, a move from manual signatures (or none, as in telephone or
Internet transactions) to PINs and the like will almost certainly result in
more risk falling on customers than now falls on them.
>Regards
Nicholas
Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK
Phone 01279 871272 (+44 1279 871272)
Fax 01279 870215 (+44 1279 870215)
Mobile 07715 419728 (+44 7715 419728)
PGP RSA 1024 bit public key ID: 0x08340015. Fingerprint:
9E 15 FB 2A 54 96 24 37 98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF. Fingerprint:
5248 1320 B42E 84FC 1E8B A9E6 0912 AE66 899D D7FF