Perry E. Metzger wrote:
Nothing terribly new here -- short interview with someone who bought
an RFID credit card reader on ebay for $8 and demonstrates getting
people's credit card information at short distances using it. Still,
it is interesting to see how trivial it is to do.
http://www.boingboing.net/2008/03/19/bbtv-how-to-hack-an.html
Yeah, but...
He's talking bollocks when he says that the decryption should be done in
some secure datacentre. That wouldn't save you unless there was some
kind of handshake with the card - and the trouble is, those cards don't
have the power to do any real crypto.
In the absence of something to prevent MitM, you would just intercept
the encrypted contents of the card, and then use that. So why bother to
encrypt it?
So, the bottom line is you need more horsepower in the gadget that
controls your money, so you can do real crypto.
Then we get to the next problem: we don't trust the device with the
keypad and display. So, we need to add that to the GTCYM (Gadget That
Controls Your Money).
And so we end up at the position that we have ended up at so many times
before: the GTCYM has to have a decent processor, a keyboard and a
screen, and must be portable and secure.
One day we'll stop concluding this and actually do something about it.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
