On 6/21/05, Florian Weimer <[EMAIL PROTECTED]> wrote:
>> Also there are several attacks on Chip n' PIN as deployed here in
>> the UK, starting with the fake reader attacks - for
>> instance, a fake reader says you are authorising a payment for
>> $6.99 while in fact the card and PIN are being used to authorise a
>> transaction for $10,000 across the street.
>
> In Germany, there's a widely used system based on PIN and a magnetic
> stripe, and you can buy used reader devices on Ebay. 8-( This makes
> it rather easy to mount a MITM attack.
That most certainly is true but you're overlooking a more practical aspect. All German financial institutions that process credit card transactions contractually require their merchants to offer the customer a receipt (as does German law in most cases). Most, if not all, banks that issue credit cards require their customers to retain a copy of those receipts for one billing cycle (i.e. until they send you your statement and you have a chance to review it and compare individual charges that seem suspect with the data on the receipts you have).

If your receipt says $6.99 but your statement says $10,000 (classic MITM attack), you have a valid defense in the eyes of German law. Legally, the receipt is the document which authorized the financial transaction. If you show up in court and present your $6.99 receipt, you automatically shift the burden of proof to the bank -- now they have to positively prove that you indeed authorized $10k, and not just $6.99, to be transferred. Realistically, they will hardly ever be able to do that.

That model works fairly well. The weak point is the customer -- just tossing or blindly signing a receipt obviously breaks the model. But, personally, I don't really have a problem with that; the point is to protect the customer from scammers, and not from his or her own stupidity.

Sincerely,
Joern

---------------------------------------------------------------------
The Cryptography Mailing List