Chip and PIN

Paul S. Brown ukcrypto at chiark.greenend.org.uk
Thu, 24 Jan 2008 15:51:23 +0000 

On Thursday 24 January 2008 15:35, Roger Hird wrote:
> In article <E9D730C1-F6A3-4AAC-A1A6-91DC5CA0F0DF@imaj.es>,
>
>    James Cox <james@imaj.es> wrote:
> > However, i revert to my previous statement that, if my
> > card number + pin + cv2 + address etc did get cloned, i'd simply get
> > another one - my credit alert and other id theft protections make that
> > less of an issue, just an annoyance.
>
> But if I understand the earlier part of this debate, the isssue is that
> this or something like this is happening and the banks etc are demanding
> that you prove it - which one can't - and the Ombusprats are backing them
> up.

Don't you just love this whole risk offloading thing "Your PIN was there 
mate - you must have authorised the withdrawl - no fraud committed"

I have to admit, I have a similar axe to grind with "Verified by Visa" - a 
lovely little scheme to move the risk for fraudulent online transactions to 
the customer whilst simultaneously lowering the overall security levels by 
popping up offsite windows demanding personally identifying information 
before it will let transactions complete.

So, you're getting a popup from somewhere that you've never heard of and can 
only take the webpages word that it's your bank which in turn demands your 
name/DoB/CVV2 and therefore enough information to identify you and also 
demands a password.

Another password.

I don't know about anybody else, but I have literally dozens of passwords for 
various services - I try to keep them unique, but there's a limit to the 
number of associations I can keep and so I either get to write them down or 
reuse passwords - either way my passwords become less secure every time I 
need to supply one for *another* service.

Big problem with Verified by Visa is that it serves the same purpose as C+P - 
it provides the banks with a big stick to go "Your VbV password was used to 
authorise the transaction" and so place the risk for any online fraud on your 
lap.

I'll be the one stuffing paper money into my mattress. It's no less secure and 
at least I know when a theft has occured.

P.