Chip and PIN
Sebastien Lahtinen
ukcrypto at chiark.greenend.org.uk
Wed, 23 Jan 2008 18:52:40 +0000 (GMT)
On Wed, 23 Jan 2008, Igor Mozolevsky wrote:
> There's clearly no defence against someone watching you put your PIN in
> and then pick-pocketing your wallet... If anything, C&P is making it
> *easier* to draw cash from someone else's CC...
I find it really surprising how many people type in PINs without covering
the keypad. I think this illustrates a huge lack of interest within the
general public in protecting their own security. It's not unlike their
attitude to opening executable electronic Christmas card attachments..
They just think someone else is going to protect them. The pressure on
ISPs to protect end users is mounting, but the banks seem to be able to
get away with quite a bit.
The problem for banks is they have to deal with the lowest common
denominator. This means those who could have an intellectual capacity to
use more complex systems are frustrated by processes designed for the
masses. This for example means Barclays can't supply me with a solution to
authenticate to online banking for my business account which doesn't rely
on my personal debit card which I don't wish to carry with me. They can't
supply a separate authentication mechanism (e.g. a specific authentication
card). This is logically silly and exposes me to more risk.
Has anyone twigged that with widespread adoption of PINSentry devices,
someone who robs you can demand your PIN and verify it on the spot before
heading off with your card?
seb