Chip and PIN

Charles Lindsey ukcrypto at chiark.greenend.org.uk
Fri, 25 Jan 2008 17:05:26 -0000


On Thu, 24 Jan 2008 15:51:23 -0000, Paul S. Brown <pol@geekstuff.tv> wrote:

> I have to admit, I have a similar axe to grind with "Verified by Visa" - a
> lovely little scheme to move the risk for fraudulent online transactions to
> the customer whilst simultaneously lowering the overall security levels by
> popping up offsite windows demanding personally identifying information
> before it will let transactions complete.

And there I disagree with you entirely. I subscribe to the corresponding
Mastercard scheme, which I imagine is broadly similar, and I am happy to
do so (and wish more merchants would use it).
>
> So, you're getting a popup from somewhere that you've never heard of and can
> only take the webpage's word that it's your bank which in turn demands your
> name/DoB/CVV2 and therefore enough information to identify you and also
> demands a password.

The webpage should show you the usual padlock. I grant you that the owner
of the certificate tends to be CYCOTA, which is an American company that
the Banks/Mastercard have subcontracted the business to, and I have
complained about this. But I am now satisfied that they are the bona fide
agents of the Banks. Moreover, the webpage tells you the secret that you
entrusted to them for that purpose, so you know the page comes with the
authority of the Bank (or else you have disclosed your secret elsewhere) -
Ebay use that same technique to identify themselves when they send email
to you.
>
> Another password.
>
> I don't know about anybody else, but I have literally dozens of passwords for
> various services - I try to keep them unique,...

But you shouldn't try to keep them unique. I have one password (not
obvious, but a large enough dictionary attack would find it eventually)
which I use for all those sites which expect me to register with them
before accessing their services. If that password is compromised, then it
is those sites which carry that risk.

For the few cases where it is MY money at risk, I have a few less obvious
passwords which are meaningful to me, but nowhere written down (though I
do write down a word associated with them, where the association is
something that would not be meaningful to anyone else).

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5