Steven M. Bellovin wrote: > Designing a system that deflects this sort of attack is challenging. > The right answer is smart cards that can digitally sign transactions
No, it isn't! A handwritten signature is far better, it gives post-facto evidence about who authorised the transaction - it is hard to fake a signature so well that later analysis can't detect the forgery, and few people would bother to do it that well anyway, while it is easy enough to enter a PIN with "digital reproducibility". Also there are several attacks on Chip n' PIN as deployed here in the UK, starting with the fake reader attacks - for instance, a fake reader says you are authorising a payment for $6.99 while in fact the card and PIN are being used to authorise a transaction for $10,000 across the street. They get quite complex, there's the double-dip, where the $6.99 transaction is also made, and the delayed double dip, where a reader belonging to a crook makes the $10,000 transaction several days later (the crook has to skip town with the money in this attack - so far. Except of course he never existed in the first place, and maybe ...). Then there's probably a Bank-wide attack, where an expensive attack on one card can break all the cards used by one bank - ouch! because the Banks haven't actually issued cards that digitally sign the transaction (and it would make little difference to many of the fake reader attacks if they had), but just reuse one key or a key with an offset or XOR on the card to generate a keyed hash of the transaction for authorisation. There are some more classes of attacks too. It's a bit early to say about many of them, but it looks like there are a goodly number of going-to-be successful attacks. This might not matter that much except to the banks, but the liability for what appears to be a PIN-authorised transaction is being foisted off on the cardholder, who has litle recourse to proof that he didn't make the transaction when one of these attacks is made. I don't have any Chip n' PIN cards, and I don't want any either. I'm sticking with signatures. -- Peter Fairbrother --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]