two-factor authentication's nominal objective is to have different vulnerabilities, i.e. PINs ("something you know") are nominally a countermeasure to lost/stolen cards ("something you have").
However, skimming exploits can copy both the magstripe and the PIN for producing a counterfeit magstripe card that can be used with the stolen PIN (common vulnerability) ... minor reference found with search engine:
http://wiki.whatthehack.org/index.php/Time_to_Ditch_the_Magstripe

The phishing vulnerability can steal both account number and PIN for producing a counterfeit magstripe card for use with the stolen PIN; again, a common vulnerability defeating the objective of using two-factor authentication.

back in the dark ages there were attacks on magstripe credit cards that used the algorithms for valid account numbers to generate counterfeit magstripe credit cards. magstripes then acquired effectively a kind of hash code as a countermeasure to counterfeit magstripes with algorithm-generated account numbers. this turns out to also be a countermeasure for counterfeit magstripe credit cards that have been created from a phished account number (however this isn't a countermeasure to the skimmed magstripe exploit that produces a counterfeit magstripe with all the exact information).

description of magstripe (and discretionary data field) format:
http://en.wikipedia.org/wiki/Magnetic_stripe_card

PINs have also been used as a countermeasure to counterfeit magstripe debit cards ... possibly based on the assumption that counterfeit debit magstripes from phishing exploits were a similar threat to a lost/stolen card. However, this isn't an effective countermeasure when both the PIN and the account number (magstripe) have a common vulnerability (phishing).

As an aside, a countermeasure for lost/stolen cards is also early reporting (the owner is aware of the missing card). However, this is not applicable to skimmed/phished information since the card owner might not even be aware that it has happened (until after discovering fraudulent transactions).

...
spate of recent articles on phishing and ATM/debit:

Analysts Say ATM Systems Highly Vulnerable To Fraud
http://www.banktech.com/aml/showArticle.jhtml?articleID=167100238

Something Phishy's Going On
http://www.banktech.com/aml/showArticle.jhtml?articleID=167100396

Analysts Say ATM Systems Highly Vulnerable To Fraud
http://www.banktech.com/news/showArticle.jhtml?articleID=167100238

E-Fraud | Cybercrooks Target ATM And Debit Cards, Steal Billions
http://www.techweb.com/wire/security/167100202

Analysts Say ATM Systems Highly Vulnerable To Fraud
http://www.financetech.com/utils/www.banktech.com/story/enews/showArticle.jhtml?articleID=167100238

Phishers exploiting lax ATM security - Gartner
http://www.finextra.com/fullstory.asp?id=14058

Banks let phishers get away with $2.75bn
http://www.vnunet.com/vnunet/news/2140690/banks-let-phishers-away-75b

Banks let phishers get away with $2.75bn
http://www.pcw.co.uk/vnunet/news/2140690/banks-let-phishers-away-75b

Phishing attacks highlight banks' weaknesses
http://news.zdnet.co.uk/internet/security/0,39020375,39211852,00.htm

Phishers cash in on ATM cards
http://www.zdnetasia.com/news/security/0,39044215,39246973,00.htm

ATM Systems Highly Vulnerable
http://www.newsfactor.com/story.xhtml?story_id=003000002F1U
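
An added example, not part of the original post: an issuer-side check showing why the magstripe "hash code" rejects a counterfeit built from a phished account number but cannot distinguish a skimmed exact copy. Assumptions: HMAC-SHA256 stands in for the real card verification algorithm, the track layout is simplified to `PAN=YYMM<value>`, and the key and account number are constructed test values.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"   # assumption: secret held only by the issuer
PAN, EXPIRY = "4111111111111111", "0912"  # constructed test values

def luhn_ok(pan: str) -> bool:
    """Public account-number checksum; anyone can compute a number that passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def verification_value(pan: str, expiry: str) -> str:
    """Keyed 3-digit value written to the stripe (stand-in for the hash code)."""
    mac = hmac.new(ISSUER_KEY, f"{pan}|{expiry}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"

def make_track(pan: str, expiry: str, value: str) -> str:
    return f"{pan}={expiry}{value}"   # simplified layout, not real track 2

def issuer_accepts(track: str) -> bool:
    pan, _, rest = track.partition("=")
    expiry, value = rest[:4], rest[4:]
    if not (pan.isdigit() and luhn_ok(pan)):
        return False
    return hmac.compare_digest(value, verification_value(pan, expiry))

def demo() -> dict:
    real = verification_value(PAN, EXPIRY)
    genuine = make_track(PAN, EXPIRY, real)
    # Phished data: account number and expiry are correct, but the stripe value
    # was never disclosed, so the counterfeit carries a value that does not match.
    wrong = f"{(int(real) + 1) % 1000:03d}"
    phished = make_track(PAN, EXPIRY, wrong)
    skimmed = str(genuine)            # byte-for-byte copy of the genuine stripe
    return {
        "genuine": issuer_accepts(genuine),
        "phished_counterfeit": issuer_accepts(phished),
        "skimmed_copy": issuer_accepts(skimmed),
    }

if __name__ == "__main__":
    print(demo())
```
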