hanco...@bbs.cpcn.com writes:
> As I understand it, years ago in foreign countries telephone capacity
> was limited and phones were expensive, thus many people did not have
> them. When cell phones came out, it represented a whole new
> infrastructure that exploded, and many people got connected that way.

expensive/scarcity of telco also shows up in slow-adaption of point-of-sale terminals and magstripe plastic payment cards in europe ... as a result, saw chipcards that could do "offline" point-of-sale transactions in europe ... i.e. point-of-sale terminal interacted with chipcard and wasn't required to go online for every transaction. lot of these were "stored-value" cards ... that had "secure" mechanism for storing & recording value ... somewhat like some of the US metro cards.

in the 90s, some of these made pilot excursions into the US ... and we got asked to design&cost dataprocessing infrastructure for scaled-up, country-wide deployment (mostly backup dealing with loading value into the cards). I also did some financial analysis and nearly all of the infrastructure value motivating the programs was that the operator got the float on the unspent value in the cards. In some cases it was like a pyramid scheme where the international license holder effectively got all of the float ... with individual country operators not getting any. then to spur the uptake, there were announcements that the international license holder would split the float with the individual country operators.

Then the EU central banks decreed that interest would have to start being paid on unspent value in the cards ... and the programs just slowly dwindled away.

About that time, some operators in the US introduced an online magstripe stored value ... similar in concept to the EU chipcards but leveraged existing online point-of-sale & telco infrastructures to do account-based operation. they are now marketing as gift and merchant cards ... large racks of them can be seen near checkout counters in some grocery stores.

a variation of the stored-value chipcards ... were more sophisticated association chipcards for standard credit operation. the merchant point-of-sale terminal would interact with the chipcards ...
and the chipcards could be trusted to tell the merchant POS terminal whether or not to go online, as well as how much available credit limit was available on the card and whether the current transaction was approved or not. these required PIN operation (as countermeasure to lost/stolen cards unauthorized use) and supposedly had lots of security to prevent other forms of fraudulent activity. Point of the card was specifically for security ... but would allow merchant point-of-sale terminals to do offline transactions (to avoid high telco charges) and could batch large number of transactions to be done in one telco transaction at end-of-shift or end-of-day.

There was a large pilot in the US of these cards in the early part of the century. However, the cards interacted with the terminal using "static" authentication data. It turned out that effectively the same terminal compromise that would skim static magstripe data (to create counterfeit magstripe cards) could be used to skim static chipcard authentication data. This then could be used to create counterfeit chipcards that were called "YES CARDS"; once authenticated the card would always answer "YES" to the following three questions: 1) was the correct PIN entered ("YES"), 2) should this be an offline transaction ("YES") and 3) is the transaction within the account credit limit ("YES").

It was not too long later that the pilot disappeared w/o a trace. I had tried to tell the pilot operators about the vulnerability ... but they apparently had such a myopic focus on the chips ... that they responded by saying they could address the problem by changing the programming in valid chips. The problem was that the compromise wasn't of valid chips ... but a merchant terminal compromise (and changing programming in valid chips had no impact on creation of fraudulent counterfeit "YES CARDS").

At the ATM Integrity Task Force meetings ...
early part of this century when the "YES CARD" problem was explained, somebody in the audience made the observation that they managed to spend billions of dollars to prove chipcards are less secure than magstripe cards.

The issue is that a countermeasure to counterfeit magstripe card is to deactivate the account (and prevents/blocks future online fraudulent transactions). However for "YES CARDS", deactivating the account has no effect, since the merchant terminal doesn't go online until long after the crooks are gone.

old reference (gone 404 but lives on at wayback machine) to "YES CARD" presentation at cartes2002:
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

past posts mentioning "YES CARDS":
http://www.garlic.com/~lynn/subintegrity.html#yescard

--
virtualization experience starting Jan1968, online at home since Mar1970
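
Added example, not part of the original post: a toy Python model of the offline flow described above, showing why blocking the account stops online use but has no effect on a counterfeit that replays static authentication data. The HMAC stands in for the issuer's signature, and all names, keys, the account number and the 50-unit offline floor are constructed; the `dynamic=True` branch goes beyond the post and adds a per-transaction challenge for contrast.

```python
import hashlib, hmac, os

ISSUER_KEY = b"constructed-issuer-key"    # stand-in for the issuer's signing key
CARD_MASTER = b"constructed-card-master"  # stand-in for per-card key material

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class GenuineCard:
    def __init__(self, account, pin, limit):
        self.static = account + mac(ISSUER_KEY, account)  # same bytes on every use
        self._key, self._pin, self._limit = mac(CARD_MASTER, account), pin, limit
    def pin_ok(self, pin): return pin == self._pin
    def go_offline(self, amount): return amount <= 50
    def within_limit(self, amount): return amount <= self._limit
    def respond(self, challenge): return mac(self._key, challenge)

class YesCard:
    """Counterfeit holding only the static data captured at a compromised terminal."""
    def __init__(self, skimmed): self.static = skimmed
    def pin_ok(self, pin): return True
    def go_offline(self, amount): return True
    def within_limit(self, amount): return True
    def respond(self, challenge): return bytes(32)  # card key never crossed the wire

def purchase(card, pin, amount, blocked, dynamic=False):
    account, tag = card.static[:-32], card.static[-32:]
    if not hmac.compare_digest(tag, mac(ISSUER_KEY, account)):
        return "declined: bad card data"
    if dynamic:  # added contrast: fresh challenge each transaction
        challenge = os.urandom(16)
        want = mac(mac(CARD_MASTER, account), challenge)
        if not hmac.compare_digest(card.respond(challenge), want):
            return "declined: card failed challenge"
    if not card.pin_ok(pin):
        return "declined: wrong PIN"
    if card.go_offline(amount):  # terminal trusts the card's own answers
        return "approved offline" if card.within_limit(amount) else "declined: over limit"
    return "declined: account blocked" if account in blocked else "approved online"

def demo():
    real = GenuineCard(b"ACCT-0001", "4321", limit=500)
    fake = YesCard(real.static)   # replay of the skimmed static bytes
    blocked = {b"ACCT-0001"}      # issuer deactivates the account
    return (purchase(real, "4321", 200, blocked),         # online: the block works
            purchase(fake, "0000", 9999, blocked),        # offline: block never consulted
            purchase(fake, "0000", 9999, blocked, True))  # replay fails a fresh challenge
```

Changing the logic in `GenuineCard` alters nothing in the second result, because the terminal never talks to a genuine card in that transaction.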