p...@voltage.com (Phil Smith) writes: > I've heard of the "YES" cards, and I assume they exist, but they're > not the norm yet -- cloned magstripes are. So for now, at least, > chip-and-pin is more secure.
misc. past posts mentioning "YES CARD": http://www.garlic.com/~lynn/2010.html#71 Korean bank Moves back to Mainframes (...no, not back) http://www.garlic.com/~lynn/2010.html#73 Korean bank Moves back to Mainframes (...no, not back) http://www.garlic.com/~lynn/2010.html#93 Korean bank Moves back to Mainframes (...no, not back) http://www.garlic.com/~lynn/2010.html#95 Korean bank Moves back to Mainframes (...no, not back) chipcards have countermeasures for some random person taking a valid chip and extracting the necessary information ... a random person can copy magstripe information significantly easier. however, by at least the early 90s, there were cases of compromised end-points recording valid information (done during the process of valid transactions). these operations tended to be more large scale wholesale operations ... getting information for tens of thousand (or millions) ... rather than a few tens. in the end-point compromises ... the process was esssentially identical for recording magstripe information and recording chipcard authentication information (for "YES CARD" exploit). along the way, the criminals added wireless and other remote procedures for retrieving the skimmed/recorded information (again, little or no difference between magstripe and chipcard). part of the issue in the US was that there was fairly large scale chipcard deployment in the time-frame of cartes2002 (presentation on "yes card" and the "yes card" presentations at the ATM integrity task force meetings) ... and then evaporated w/o a trace (which may have also created some reluctance to try again). -- 40+yrs virtualization experience (since Jan68), online at home since Mar1970 ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html