Bogus digital signatures, Re: OT: utility account transfer frauds
Peter Tomlinson
Peter Tomlinson" <pwt at iosis.co.uk
Sat, 12 Oct 2002 12:35:15 +0100
Yes, we could do a lot better, but the card associations decided not to.
Amex (not part of EMV) was the first to add extra authentication to their
chip card. Until the end of last year, the UK banks were rolling out a very
simple chip card (lowest possible cost), which only replicated the mag
stripe transaction process. Its true that it cannot be cloned in the way
that is so easy with the mag stripe cards, so it is a big step forward.
When the French proposed the FINREAD specification for European recognition,
it was their intent to have all 'customer not present' debit smart card
transactions using a secure end-to-end transaction protocol, but the EMV
consortium would not adopt that, and the French rollout was blocked.
Peter
----- Original Message -----
From: "Adrian Midgley" <akm@92tr.freeserve.co.uk>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Saturday, October 12, 2002 11:49 AM
Subject: Re: Bogus digital signatures, Re: OT: utility account transfer
frauds
On Saturday 12 October 2002 09:29, you wrote:
> Yep -- they force the risk of cardholder-not-present transactions onto
> merchants: http://elj.warwick.ac.uk/jilt/00-3/bohm.html
Could we do better?
Is there any merit in systems such as e-Gold where there is a physical
resource involved - I don't know how cryptographically respectable their
authentication and security systems are.
--
From one of the Linux desktops of Dr Adrian Midgley
http://www.defoam.net/