Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-13 Thread Howard Brazee
On 12 Jan 2010 14:28:02 -0800, rfocht...@ync.net (Rick Fochtman)
wrote:

> ---snip-
> Shops like Fry's always annoy me when they ask for my Driver's license,
> make a cursory comparison of the picture and my name with my face and
> the card, and then complete the transaction without even checking the
> signature. Even for transactions for 1000s of dollars. Can they really
> spot a counterfeit license?
> -unsnip-
> No they can't spot a phoney license. 99% of the population doesn't even
> realize that birthdate and gender appear on the license on two places,
> as a cross-check. Even a lot of police officers don't know where to find
> the second occurrence.

And the IS community has to realize that any solution is flawed if it
requires these salesmen and/or everybody who does on-line shopping to
be experts in security.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-13 Thread Anne Lynn Wheeler
Howard Brazee howard.bra...@cusys.edu writes:
> And the IS community has to realize that any solution is flawed if it
> requires these salesmen and/or everybody who does on-line shopping to
> be experts in security.

we had been called in to consult with a small client/server startup that
wanted to do payment transactions on their server ... the startup had
also invented this technology called SSL they wanted to use. Part of the
effort was deploying something called a payment gateway (we
periodically claim is the original SOA) ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

the effort is now frequently called electronic commerce. given the
ease that crooks can harvest account numbers and use them for fraudulent
transactions ... I drew up a list of things required for commerce
servers enabled for payment transactions ... like all individuals
involved in any way needed to have FBI background checks (type required
of individuals in sensitive positions at financial institutions).  part
of this was that long term numbers claim that insiders are involved in
70% of such events.

related comments about current paradigm in threads about naked
transactions
http://www.garlic.com/~lynn/subintegrity.html#payments

somewhat as the result of the work on electronic commerce, in the
mid-90s, we were invited to participate in the x9a10 financial standard
working group which had been given the requirement to preserve the
integrity of the financial infrastructure for *ALL* retail payments. as
part of that activity there was detailed end-to-end threat &
vulnerability studies done of different kinds & modes of retail
payments.

x9a10 financial standard working group produced a payment standard that
slightly tweaked the paradigm and eliminated the threat and vulnerability
from having account numbers and/or other transaction information
revealed ... for *ALL* retail payments (point-of-sale, face-to-face,
unattended, credit, debit, internet, ACH, stored-value, aka *ALL*).
http://www.garlic.com/~lynn/x959.html#x959

x9.59 financial standard didn't do anything about hiding or encrypting
the information in transactions ... but eliminated the ability of the
crooks being able to use that information for fraudulent transactions.

Now the major use of SSL in the world today is this earlier
electronic commerce work to hide account numbers and transaction
details. A side effect of x9.59 financial standard eliminates the need
for that hiding and therefore the major use of SSL in the world today.

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-12 Thread Anne Lynn Wheeler
s...@pscsi.net (Sam Siegel) writes:
> Every state has laws regarding the retention of data related to the conduct
> of business.  The amount of time is typically 3 to 7 years.  No keeping the
> receipts (or copies thereof) could create legal problems as well.

re:
http://www.garlic.com/~lynn/2010.html#98 Korean bank Moves back to Mainframes 
(...no, not back)

a lot of record retention is by UCC which most states follow ...
aka like for checks:
http://www.bankersonline.com/compliance/gurus_cmp1001l.html

above references if the items are not returned to customer ... in
the credit card slip case ... both the consumer and the merchant have
copies.

the electronic record of the transaction data is kept (by the issuing
bank) ... question of what wasn't kept was the merchant's paper slip
copy with signature and/or electronic image of same.

the issue was resolving (potentially legal) disputes ... what side has
burden of proof and what kind of proof. merchant not having the signed
slip effectively resolves on behalf of the consumer (having the signed
slip doesn't mean that it resolves on behalf of the merchant ... the
merchant still has to show that it is the consumer's signature).

other items are like how long does consumer have to dispute items.

in any case, standard reg. E places burden of proof on merchant

one of the interesting flyers in the 90s was proposal about digitally
signed, public key transactions for internet transactions. consumers
would pay $100/annum for their digital certificate ... and in effort to
sweeten the deal for merchants to install the technology ... the burden
of proof (in disputes) for public key transactions ... would be switched
from merchant to consumer. the question was raised ... why would the
consumer pay $100/annum for something that would switch the burden of
proof to them.

there has been some amount of churn in the UK with their chip payment
card about something analogous ... where the dispute burden of proof is
now effectively on the consumer.

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-12 Thread Anne Lynn Wheeler
l...@garlic.com (Anne & Lynn Wheeler) writes:
> however, by at least the early 90s, there were cases of compromised
> end-points recording valid information (done during the process of valid
> transactions). these operations tended to be more large scale wholesale
> operations ... getting information for tens of thousand (or millions)
> ... rather than a few tens.

re:
http://www.garlic.com/~lynn/2010.html#97 Korean bank Moves back to Mainframes 
(...no, not back)

skimming news item from today:

ATM Skimming Incidents Increase
http://www.bankinfosecurity.com/articles.php?art_id=2059

frequently these are external attachments specifically targeting
magstripe ... however, there have been lots of cases where collecting
technology has been installed inside the end-point (pos terminal or atm
cash machine). cases have included modification of machines already
installed, replacing machine with modified machine, installing
modification at time of manufacturer ... or even criminal front
organization manufacturing machines and selling them on open market (or
on gray market ... copy of some other vendors machine).

criminal front manufacturers have even sold such machines at cost
(undercutting competition) because they are planning on making up the
profit with fraudulent transactions.

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-12 Thread Howard Brazee
On 11 Jan 2010 13:56:09 -0800, p...@voltage.com (Phil Smith) wrote:

> Fourth, Magstripe cards are easy to copy; chip-and-pin cards are (supposedly)
> not.

Which effectiveness can be measured.

> As for asking for a license, sure, it doesn't guarantee anything -- but it
> probably stops the kid
> who finds a card and says Hey, let's go buy an XBOX!. So it's not entirely
> worthless.
> If you don't think it's worthwhile, then I assume you don't bother to lock
> your car or house
> -- the true professional won't be stopped by a lousy lock, eh?

So the kid who found a card is stopped by either technology.

I'd like to see some figures on how much professional fraud actually
gets stopped by going to the more difficult to copy cards.  Sure,
chip-and-pin cards are more expensive for the pros to copy.   But does
that actually cut down significantly on their stealing?



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-12 Thread Howard Brazee
Lots of people have been taught (by popular media?) to not sign their
credit cards.  Instead, the vendor will ask to see their signature
on a different ID.

I don't know if this advice has been backed up by actual figures.   We
get *lots* of advice from people who think their advice makes sense,
but which hasn't been tested.



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-12 Thread Anne Lynn Wheeler
l...@garlic.com (Anne & Lynn Wheeler) writes:
> there has been some amount of churn in the UK with their chip payment
> card about something analogous ... where the dispute burden of proof is
> now effectively on the consumer.

re:
http://www.garlic.com/~lynn/2010b.html#1 Korean bank Moves back to Mainframes 
(...no, not back)
http://www.garlic.com/~lynn/2010b.html#2 Korean bank Moves back to Mainframes 
(...no, not back)

there was recent case in the UK where an individual needed a copy of the
ATM machine video recording to prove that they didn't make the
withdrawal ... since the bank wasn't able to find the recording ... it
was decided in favor of the bank (and against the individual).

there have been comments that care taken regarding video recording might
be significantly different if the bank was required to show the video
recording to prove it was the individual (as opposed to the individual
getting a copy from the bank to prove it wasn't them).

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-12 Thread Chase, John
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Howard Brazee
>
> Lots of people have been taught (by popular media?) to not sign their
> credit cards.  Instead, the vendor will ask to see their signature
> on a different ID.

I printed REQUEST PHOTO ID in the signature area of my credit card,
issued some three years ago.  To date, exactly ONE merchant (a motel in
somewhere, USA) has asked me for a photo ID.

-jc-



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-12 Thread Rick Fochtman

---snip--
I disagree. The basic operation of a credit card at the get go was for 
the customer to be authenticated by comparing the signature on the 
voucher with the one on the card. If they don't match the vendor refuses 
the transaction. This is still the basic MO for credit card transactions.

--unsnip--
Most credit card acceptors around Metro Chicago just swipe the card 
through a stripe-reader and don't even look at it. Signature comparison? 
HAH!!


---snip-
Shops like Fry's always annoy me when they ask for my Driver's license, 
make a cursory comparison of the picture and my name with my face and 
the card, and then complete the transaction without even checking the 
signature. Even for transactions for 1000s of dollars. Can they really 
spot a counterfeit license?

-unsnip-
No they can't spot a phoney license. 99% of the population doesn't even 
realize that birthdate and gender appear on the license on two places, 
as a cross-check. Even a lot of police officers don't know where to find 
the second occurrence.


Rick



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Hardee, Charles H
I, too, don't see how they can be more secure.
Possession is supposedly 9/10ths as the saying goes, but unless there's
something bio-metric in the chip/card/human being relationship, I would
have to say that the chips cards are no more, if not less, secure than
the regular plastic we use today.

What really peeves me is when I go into a merchant, present my plastic
for my purchase and am told I don't need to sign anything,
What, no signature? But how do you know it's me? You didn't check my
signature on the back of the plastic against my signature at the time of
the purchase.

And the merchant's cashier says that's just the way it works.

Personally, I try to make a mental record of where this occurs and then
attempt to NEVER return there for another purchase unless it is the ONLY
place to do so and then I pay cash. Can't remember the last time I was
in at H^e Dp$t. (don't want to say the merchant's real name)

Chuck

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Ted MacNEIL
Sent: Thursday, January 07, 2010 12:37 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

That's the point of (EMV) chip cards.  They are inherently more
secure.  



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Bruno Sugliani
Well chip cards need a pin number to be entered or they don't work! And I am
the only guy who knows the pin number of my card.
It is not foolproof but the merchant generally knows it's you because you
have entered the proper pin number
Or did I miss something ?

Bruno Sugliani 
zxnetconsult(at)free(dot)fr

  



On Mon, 11 Jan 2010 10:20:34 -0500, Hardee, Charles H
charles.har...@ca.com wrote:

> I, too, don't see how they can be more secure.
> Possession is supposedly 9/10ths as the saying goes, but unless there's
> something bio-metric in the chip/card/human being relationship, I would
> have to say that the chips cards are no more, if not less, secure than
> the regular plastic we use today.
>
> What really peeves me is when I go into a merchant, present my plastic
> for my purchase and am told I don't need to sign anything,
> What, no signature? But how do you know it's me? You didn't check my
> signature on the back of the plastic against my signature at the time of
> the purchase.
>
> And the merchant's cashier says that's just the way it works.
>
> Personally, I try to make a mental record of where this occurs and then
> attempt to NEVER return there for another purchase unless it is the ONLY
> place to do so and then I pay cash. Can't remember the last time I was
> in at H^e Dp$t. (don't want to say the merchant's real name)
>
> Chuck



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Anne Lynn Wheeler
charles.har...@ca.com (Hardee, Charles H) writes:
> I, too, don't see how they can be more secure.
> Possession is supposedly 9/10ths as the saying goes, but unless there's
> something bio-metric in the chip/card/human being relationship, I would
> have to say that the chips cards are no more, if not less, secure than
> the regular plastic we use today.

re:
http://www.garlic.com/~lynn/2010.html#71 Korean bank Moves back to Mainframes 
(...no, not back)
http://www.garlic.com/~lynn/2010.html#72 Korean bank Moves back to Mainframes 
(...no, not back)
http://www.garlic.com/~lynn/2010.html#73 Korean bank Moves back to Mainframes 
(...no, not back)
http://www.garlic.com/~lynn/2010.html#77 Korean bank Moves back to Mainframes 
(...no, not back)

as previously mentioned the yes card scenario for chipcard resulted in
bigger infrastructure vulnerability and more fraud than traditional
magstripe.

supposedly the chipcard was hard to counterfeit *AND* had two-factor
authentication (chip/plastic: something you have and PIN: something you
know). from three factor authentication model, misc. posts
http://www.garlic.com/~lynn/subintegrity.html#3factor

* something you have
* something you know
* something you are

the assumption that multiple factor authentication is more secure than
single factor is based on different authentication factors having
different vulnerabilities.

the problem with skimming (whether for the yes card or magstripe) ...
is it is possible to have a single compromise process (end-point
skimming compromise) ... invalidating the assumption about different
factors having different vulnerabilities.  In the case of multi-factor
authentication magstripe (plastic/magstripe & PIN) ... a compromised
end-point skims both the magstripe information and the PIN.

in the yes card scenario, a compromised end-point skims the
information used by terminals to establish a valid chipcard. the crooks
then install the skimmed information (similar to information skimmed for
counterfeit magstripe) in a counterfeit yes card chip.

once a terminal has accepted the chipcard's validation information, it
then asks the chipcard 1) whether the correct PIN has been entered (a
yes card always answers YES ... so it isn't necessary to even
know/skim the PIN), 2) whether the transaction should be offline
(YES), and 3) whether the transaction is within the account credit
limit (YES).

in counterfeit magstripe scenario, the account number is eventually
invalidated at the backend database (and future transactions are
rejected). In the counterfeit YES CARD scenario, the terminal doesn't
go online to find out about any account number invalidation. the greater
counterfeit YES CARD fraud is because infrastructure business rules
have been moved into the chipcard (infrastructure relying on the
chipcard to decide whether it is online/offline transaction and whether
the transaction is within the account's credit limit).

misc. past yes card posts
http://www.garlic.com/~lynn/subintegrity.html#yescard

one of the issues with something you are biometrics ... is that
nominally biometrics information is reduced to some sort of electronic
pattern for matching against value stored in backend database.  If that
value is compromised (analogous to something you know PIN/passwords)
... it is difficult to issue a new finger or iris. Frequently biometrics
are most dependable ... when they involve secure sensors/endpoints
... that possibly are under constant surveillance by armed guards.

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970
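
The decision flow described in the post above, modelled as an added example that is not part of the original thread and is not real EMV. All class names, field names and sample values are hypothetical and constructed; it contrasts a terminal that lets the card answer the three questions with one that leaves the online and credit-limit decisions to the issuer's backend database.

```python
from dataclasses import dataclass, field


@dataclass
class Issuer:
    """Backend account database: the authoritative account state."""
    credit_left: dict                          # account -> remaining credit
    invalidated: set = field(default_factory=set)

    def authorize(self, account: str, amount: int) -> bool:
        # Business rules evaluated where the authoritative data lives.
        if account in self.invalidated:
            return False
        if amount > self.credit_left.get(account, 0):
            return False
        self.credit_left[account] -= amount
        return True


@dataclass
class Card:
    """What a terminal sees: validation data plus the card's own answers."""
    account: str
    validation_data: str    # static data the terminal uses to accept the card
    pin_ok: bool            # card's answer to "was the correct PIN entered?"
    go_offline: bool        # card's answer to "should this be offline?"
    within_limit: bool      # card's answer to "is this within the limit?"


# Constructed sample data: validation data the terminal will accept.
KNOWN_VALIDATION = {"acct-1001": "static-blob-1001"}


def card_is_valid(card: Card) -> bool:
    return KNOWN_VALIDATION.get(card.account) == card.validation_data


def terminal_card_decides(card: Card, amount: int, issuer: Issuer) -> str:
    """Design from the post: the card's answers drive all three decisions."""
    if not card_is_valid(card) or not card.pin_ok:
        return "declined"
    if card.go_offline:
        # The backend is never consulted, so invalidation is never seen.
        return "approved-offline" if card.within_limit else "declined"
    return "approved-online" if issuer.authorize(card.account, amount) else "declined"


def terminal_issuer_decides(card: Card, amount: int, issuer: Issuer) -> str:
    """Assumed alternative: online/offline and limit are not the card's call."""
    if not card_is_valid(card) or not card.pin_ok:
        return "declined"
    return "approved-online" if issuer.authorize(card.account, amount) else "declined"


GENUINE = Card("acct-1001", "static-blob-1001",
               pin_ok=True, go_offline=False, within_limit=True)
# Same validation data as the genuine card, but every answer is "yes".
ALWAYS_YES = Card("acct-1001", "static-blob-1001",
                  pin_ok=True, go_offline=True, within_limit=True)


def run_scenario() -> dict:
    issuer = Issuer(credit_left={"acct-1001": 500})
    results = {"genuine_before": terminal_card_decides(GENUINE, 100, issuer)}

    # The issuer learns of the compromise and invalidates the account.
    issuer.invalidated.add("acct-1001")

    results["card_decides"] = [
        terminal_card_decides(ALWAYS_YES, 10_000, issuer) for _ in range(3)
    ]
    results["issuer_decides"] = terminal_issuer_decides(ALWAYS_YES, 10_000, issuer)
    results["credit_left"] = issuer.credit_left["acct-1001"]
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

After the account is invalidated, the first terminal keeps approving offline because it never asks the backend, while the second declines, which is the contrast with counterfeit magstripe drawn in the post.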



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Anne Lynn Wheeler
Howard Brazee howard.bra...@cusys.edu writes:
> We probably need to go bio-metric - but this is including on-line
> purchases.  Our current system of random, unique, not-written-down
> passwords does not work.

re:
http://www.garlic.com/~lynn/2010.html#93 Korean bank Moves back to Mainframes 
(...no, not back)

the issue with pin/passwords aren't that they are something you know
authentication ... but they are shared secrets ... some past posts
http://www.garlic.com/~lynn/subintegrity.html#secrets

the issue is that a unique shared secret is required for every unique
security domain ... as countermeasure to cross-domain attacks (say local
garage ISP and some online banking).

in yes card scenario ... the PIN wasn't a shared secret ... but was
between you and your chipcard. the problem was that the chipcard had
the yes card vulnerability ... and so the whole infrastructure wasn't
very secure.

it is possible to have a something you know authentication ... w/o
requiring what-ever is used ... is not shared. In the non-sharing
scenario ... it would be acceptable to have the same (non-shared)
something you know authentication used in multiple different security
domains.

something you are, biometric authentication is a problem in the online
scenario ... since it can be difficult to assure secure/trusted
sensor/end-point (under constant surveillance by trusted, armed guards)

part of the issue is that biometric (electronic pattern recorded in
backend database) is also frequently implemented as shared secret.  If
all biometric sensors/end-points aren't constantly secured & validated
...  then the recording of the biometric electronic pattern could be
used to spoof a biometric reading ... by just directly transmitting the
pattern. In the case of a password shared secret compromise ... the
password can be replaced with new one ... fingers and iris are a little
harder to replace.

for a little more drift ... because of the cross-domain attack scenario,
for shared secrets ... current authentication is extremely
institutional-centric (unique cards & passwords per security domain).
In theory, a biometric shared secret implementation would require
unique biometric per security domain ... modulo nobody has quite figured
out how to implement such a thing. As a result, compensating procedures
are required for biometric shared secrets ... like secure/trusted
sensors/end-points under constant surveillance by armed guards.

it is possible to design a single something you have (like a chip) and
something you know authentication ... used in multiple different
domains ... analogous to the way that same fingerprint should work in
multiple different domains. part of the inhibitor to moving from
institutional-centric authentication to person-centric authentication
... is when things like institutional-specific business rules are
layered on top of the authentication mechanism (like in the yes card
vulnerability).

In the 90s, I did quite a bit of work on AADS chip strawman for
enabling migration to a person-centric authentication infrastructure
(not limited just to biometrics)
http://www.garlic.com/~lynn/x959.html#aads

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Anne Lynn Wheeler
charles.har...@ca.com (Hardee, Charles H) writes:
> What really peeves me is when I go into a merchant, present my plastic
> for my purchase and am told I don't need to sign anything,
> What, no signature? But how do you know it's me? You didn't check my
> signature on the back of the plastic against my signature at the time of
> the purchase.

re:
http://www.garlic.com/~lynn/2010.html#93 Korean bank Moves back to Mainframes 
(...no, not back)

the signature isn't a fraud countermeasure ... it is a dispute issue.
if you dispute the charge and the merchant doesn't even have signed
receipt ... there is nothing demonstrating that you agreed to the
charge.

for some low-value purchases, they've eliminated the signature
requirement ... the issue is that there aren't going to be a lot of
crooked consumers disputing low value charges ... and if they do ... it
is trivial amount (convenience offset against crooked consumers).  the
infrastructure countermeasure against crooked consumers disputing large
number of (unsigned) charges ... is they revoke the card.

fraud countermeasure is the name on the piece of plastic and the clerk
checks the name against same/similar name on some other piece of
authentication (like gov. issued picture document).

there was an issue in the EU at one time regarding a privacy directive
... where electronic payment cards should be as anonymous as cash at
point of sale (i.e. no name on the payment card). this somewhat implied
that the financial infrastructure improved the authentication mechanisms
to the point that anti-fraud measures didn't require clerk matching
names on multiple documents.

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Schwarz, Barry A
Does that mean you never use self service gasoline pumps?

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Hardee, Charles H
Sent: Monday, January 11, 2010 7:21 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

What really peeves me is when I go into a merchant, present my plastic
for my purchase and am told I don't need to sign anything,
What, no signature? But how do you know it's me? You didn't check my
signature on the back of the plastic against my signature at the time of
the purchase.

And the merchant's cashier says that's just the way it works.

Personally, I try to make a mental record of where this occurs and then
attempt to NEVER return there for another purchase unless it is the ONLY
place to do so and then I pay cash. Can't remember the last time I was
in at H^e Dp$t. (don't want to say the merchant's real name)



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Ron Hawkins
I disagree. The basic operation of a credit card at the get go was for the
customer to be authenticated by comparing the signature on the voucher with
the one on the card. If they don't match the vendor refuses the transaction.
This is still the basic MO for credit card transactions. 

Shops like Fry's always annoy me when they ask for my Driver's license, make
a cursory comparison of the picture and my name with my face and the card,
and then complete the transaction without even checking the signature. Even
for transactions for 1000s of dollars. Can they really spot a counterfeit
license?

Ron

 
> the signature isn't a fraud countermeasure ... it is a dispute issue.
> if you dispute the charge and the merchant doesn't even have signed
> receipt ... there is nothing demonstrating that you agreed to the
> charge.
 



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Ted MacNEIL
> I disagree.
> The basic operation of a credit card at the get go was for the
> customer to be authenticated by comparing the signature on the voucher with the
> one on the card.
> If they don't match the vendor refuses the transaction.
> This is still the basic MO for credit card transactions.

The basic MO for buying, pre-debit card, was with signed cheques.
Debit cards have PINs, and no signature required.
With the potential for more money in my bank account than my credit limit, why 
does this make debit cards secure?

PS: I'm assuming, possibly wrongly, that you don't order on the INTERNET, 
either.
-
Too busy driving to stop for gas!



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Sam Siegel
On Mon, Jan 11, 2010 at 9:16 PM, Ron Hawkins
ron.hawkins1...@sbcglobal.net wrote:

> I disagree. The basic operation of a credit card at the get go was for the
> customer to be authenticated by comparing the signature on the voucher with
> the one on the card. If they don't match the vendor refuses the
> transaction.
> This is still the basic MO for credit card transactions.
>
> Shops like Fry's always annoy me when they ask for my Driver's license,
> make
> a cursory comparison of the picture and my name with my face and the card,
> and then complete the transaction without even checking the signature. Even
> for transactions for 1000s of dollars. Can they really spot a counterfeit
> license?
>
> Ron
>
>
>> the signature isn't a fraud countermeasure ... it is a dispute issue.
>> if you dispute the charge and the merchant doesn't even have signed
>> receipt ... there is nothing demonstrating that you agreed to the
>> charge.
 

Both Visa and Mastercard rules required the merchant to check the
signature on the back of the card (unless it's PIN or a no-sig type of txn)
and that's it.  Merchants are not supposed to ask for additional
identification.  As Ron pointed out, it is unlikely that a clerk can spot a
phony license.  Also, don't forget the case where a person does not have a
license, etc.





Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Phil Smith
On Mon, Jan 11, 2010 at 10:20 AM, Hardee, Charles H
charles.har...@ca.com wrote:
> I, too, don't see how they can be more secure.
> Possession is supposedly 9/10ths as the saying goes, but unless there's
> something bio-metric in the chip/card/human being relationship, I would
> have to say that the chips cards are no more, if not less, secure than
> the regular plastic we use today.
>
> What really peeves me is when I go into a merchant, present my plastic
> for my purchase and am told I don't need to sign anything,
> What, no signature? But how do you know it's me? You didn't check my
> signature on the back of the plastic against my signature at the time of
> the purchase.
>
> And the merchant's cashier says that's just the way it works.
>
> Personally, I try to make a mental record of where this occurs and then
> attempt to NEVER return there for another purchase unless it is the ONLY
> place to do so and then I pay cash. Can't remember the last time I was
> in at H^e Dp$t. (don't want to say the merchant's real name)

Why would you blame the store for this?

First, if a store has a no-signature threshold, that doesn't increase YOUR risk 
-- if there's an issue with a charge and there's no signature, it's not your 
loss. In some parts of the country, folks check signatures; where I live, they 
NEVER do -- and I mean NEVER. I only sign the backs of my cards because I 
occasionally travel to areas where they do check, and I often find that when I 
do get asked, the signature has worn off (that tells you how rarely it happens!).

Second, credit card fraud isn't at all of interest to the banks. Credit cards 
make the banks *in the US* something on the order of $150B/year. Loss due to 
fraud is on the order of $1B/year. Wow, you say, that's a lot of money. No 
it isn't: loss due to card default (bankruptcy) is 20++ times that amount. This 
is well-documented; I remember reading over 25 years ago about someone who had 
documented evidence of a $400 credit card fraud, and couldn't get the bank 
interested in following it up -- they just wrote it off.

Sometimes it's of interest to the store -- as Tony H notes, if you're buying a 
car, they care. That's because they're in a business where it's going to be 
THEIR loss if you defraud them. If I go through the McDonald's drive-thru and 
rip them off for a Big Mac, they probably accept the liability -- they throw 
out lots of food anyway. If I go through the McDonald's drive-thru and place 
the order from Woody Allen's _Bananas_ (1000 grilled cheese sandwiches, 300 
tuna fish, 200 BLTs... yeah, I know. McD's doesn't make those, but you know 
what I mean) they're going to be a lot more interested in the credit card's 
validity. The same applies to CNP (Card-Not-Present) transactions, such as web 
purchases: some businesses (e.g., used books) don't even ask for the CVV (the 
magic 3- or 4-digit number) because their liability is low. Businesses with 
high liability (electronics dealers, for example) care. Note that the 
percentage paid by the merchant is higher for CNP transactions because of 
the greater potential for fraud -- that's why the local mom&pop 
restaurant may be unhappy if your card won't swipe, even though they know you 
and thus aren't afraid you're ripping them off.

Third, don't confuse credit and debit cards. Credit cards are one thing; debit 
is another. If you haven't read 
http://www.nytimes.com/2010/01/05/your-money/credit-and-debit-cards/05visa.html?hp
 you really should.

Fourth, Magstripe cards are easy to copy; chip-and-pin cards are (supposedly) 
not. So if you have a chip-and-pin card and your number is compromised, it 
doesn't do them any good at an ATM that takes chip-and-pin (unless they get 
lucky and the ATM is offline). So to some extent it's security by obscurity, 
but in a case where that actually makes sense and works. You need a PIN *and* 
the card. So it satisfies two of the four magic requirements: something you 
have, something you know. Biometrics can (and, I'm sure, will in the near 
future) add the other two: something you are, and something you do.

I've heard of the YES cards, and I assume they exist, but they're not the 
norm yet -- cloned magstripes are. So for now, at least, chip-and-pin is more 
secure.

As for asking for a license, sure, it doesn't guarantee anything -- but it 
probably stops the kid who finds a card and says "Hey, let's go buy an XBOX!". 
So it's not entirely worthless. If you don't think it's worthwhile, then I 
assume you don't bother to lock your car or house -- the true professional 
won't be stopped by a lousy lock, eh?

Hope this helps.
--
...phsiii

P.S. This is actually relevant to IBM-MAIN, as the large processors use z/OS 
and z/TPF for transaction processing. And they all use, like, computers. So 
it's more on-topic than a lot of threads on here...


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Anne Lynn Wheeler
p...@voltage.com (Phil Smith) writes:
 I've heard of the YES cards, and I assume they exist, but they're
 not the norm yet -- cloned magstripes are. So for now, at least,
 chip-and-pin is more secure.

misc. past posts mentioning YES CARD:
http://www.garlic.com/~lynn/2010.html#71 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#73 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#93 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#95 Korean bank Moves back to Mainframes (...no, not back)

chipcards have countermeasures for some random person taking a valid
chip and extracting the necessary information ... a random person can
copy magstripe information significantly easier.

however, by at least the early 90s, there were cases of compromised
end-points recording valid information (done during the process of valid
transactions). these operations tended to be more large scale wholesale
operations ... getting information for tens of thousands (or millions)
... rather than a few tens.

in the end-point compromises ... the process was essentially identical
for recording magstripe information and recording chipcard
authentication information (for YES CARD exploit).

along the way, the criminals added wireless and other remote procedures
for retrieving the skimmed/recorded information (again, little or no
difference between magstripe and chipcard).

part of the issue in the US was that there was fairly large scale
chipcard deployment in the time-frame of cartes2002 (presentation on
yes card and the yes card presentations at the ATM integrity task
force meetings) ... and then evaporated w/o a trace (which may have also
created some reluctance to try again).

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Anne Lynn Wheeler
t...@harminc.net (Tony Harminc) writes:
 I'm not sure why this offends you so much. How would it help anything
 if the cashier checked your signature? Such checking is highly
 unreliable, and contributes much less to authentication than does the
 data they already know about the transaction.

at one point, a large merchant looked at automatically discarding all
signed receipts ... since they found that even if they automatically
settled all disputes in the favor of the customer ... those dispute
costs were still less than what they were paying (even in electronic
form) to retain all the signed receipts. The idea was abandoned when
somebody asked what might happen if the public found out that the
merchant was no longer retaining the signed receipts.

for the most part ... merchant associations don't like the idea of
clerks having to be involved in the authentication process ...  partly
because they have little or no training ... partly because they have
little or no authority ... and partly because clerks tend to already
have more than enough to deal with.

in general, merchants also don't like signature debit ... since the
interchange fees (merchant discount fees, the subtracted from the total
for actual paying to the merchant) are much higher

there have been various disputes about the whole signature debit
operation ... latest is:

Best Buy Cuts off Visa Contactless with Little Risk to Sales
http://www.digitaltransactions.net/newsstory.cfm?newsid=2418

above mentions problem with it being signature debit interchange
fees. somewhat older article ...

Study: Signature Debit Fraud Runs 15 Times Higher Than on PIN Debit
http://www.digitaltransactions.net/newsstory.cfm?newsid=738

part of the interchange fee is supposedly related to fraud level of the
corresponding kind of transaction ... and there can be more than an
order-of-magnitude difference (in interchange fee) between the
transactions with lowest fraud and transactions with highest fraud.

Past merchant class action lawsuit (sometimes referred to as the
Wal-Mart case) over the high cost of signature debit cards:

MasterCard Puts the 13-Year-Old Wal-Mart Case in the Rear-View Mirror
http://www.digitaltransactions.net/newsstory.cfm?newsid=2256

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Ron Hawkins
Ted,

I'm talking about credit cards, not debit cards. What point are you trying
to make about signatures on credit cards? As for signatures on cheques, it
was the responsibility of the paying Bank to verify the signatures. The
person giving value was required to verify that the person with the cheque
had bona fide entitlement to present it. This is different to a credit card
where the merchant verifies the signature.

I'm not sure what this has to do with internet purchases. Most - not all -
web sites I use require the CVS number, name on the card, and address in
order to verify the transaction. It's not a signature, but it falls in the
category of things you know.


Ron

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of
 Ted MacNEIL
 Sent: Monday, January 11, 2010 1:32 PM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: [IBM-MAIN] Korean bank Moves back to Mainframes (...no, not
back)
 
 I disagree.
 The basic operation of a credit card at the get go was for the
 customer to be authenticated by comparing the signature on the voucher
with
 the one on the card.
 If they don't match the vendor refuses the transaction.
 This is still the basic MO for credit card transactions.
 
 The basic MO for buying, pre-debit card, was with signed cheques.
 Debit cards have PINs, and no signature required.
 With the potential for more money in my bank account than my credit limit,
why
 does this make debit cards secure?
 
 PS: I'm assuming, possibly wrongly, that you don't order on the INTERNET,
 either.
 -
 Too busy driving to stop for gas!
 


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Ron Hawkins
True, but the requirement to sign the slip with a signature that matches the
card would be an equal deterrent. The D/L check would be redundant if the
store checked the signatures in the first place.

 As for asking for a license, sure, it doesn't guarantee anything -- but it
 probably stops the kid who finds a card and says Hey, let's go buy an
XBOX!.
 So it's not entirely worthless. If you don't think it's worthwhile, then I
 assume you don't bother to lock your car or house -- the true professional
 won't be stopped by a lousy lock, eh?
 



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Ted MacNEIL
I'm talking about credit cards, not debit cards. What point are you trying
to make about signatures on credit cards? As for signatures on cheques, it
was the responsibility of the paying Bank to verify the signatures. The

Maybe I'm obtuse, but what is the difference in authentication for a debit or a 
credit card once you go to PINs?
Both, at least in Canada have the EMV chip.
So, my point (poorly expressed) was the fact that credit cards and debit cards 
now have a common exposure/protection regarding authentication.
Signature for debit was done away with around 1981 (when I got my first debit 
card from the Royal Bank of Canada).
Signature for credit card was done away with in Canada, at least, last year.

And, what does a PIN/chip have to do with anything on an INTERNET purchase?
-
Too busy driving to stop for gas!



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Jack . Hamilton
Ron Hawkins ron.hawkins1...@sbcglobal.net 
 
 True, but the requirement to sign the slip with a signature that matches 
the
 card would be an equal deterrent. The D/L check would be redundant if 
the
 store checked the signatures in the first place.

Provided that the signature hasn't worn off, which it has on my most 
commonly used credit card.

In California, a merchant is allowed to ask to see ID for a credit card 
purchase, but is not allowed to write down any information from that ID. 
http://www.privacyrights.org/fs/fs15-mt.htm


  As for asking for a license, sure, it doesn't guarantee anything -- 
but it
  probably stops the kid who finds a card and says Hey, let's go buy an
 XBOX!.
  So it's not entirely worthless. If you don't think it's worthwhile, 
then I
  assume you don't bother to lock your car or house -- the true 
professional
  won't be stopped by a lousy lock, eh?




Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Ron Hawkins
Jack,

According to the web site you referenced they can ask for ID, but for VISA
and MasterCard they cannot refuse to complete the transaction if you do not
comply.

I'm tempted to test this the next time I'm asked...

Ron

 
 In California, a merchant is allowed to ask to see ID for a credit card
 purchase, but is not allowed to write down any information from that ID. 
 http://www.privacyrights.org/fs/fs15-mt.htm
 
 



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread P S
On Mon, Jan 11, 2010 at 10:13 PM, Ron Hawkins
ron.hawkins1...@sbcglobal.net wrote:
 Jack,

 According to the web site you referenced they can ask for ID, but for VISA
 and MasterCard they cannot refuse to complete the transaction if you do not
 comply.

 I'm tempted to test this the next time I'm asked...

Be prepared not to buy whatever. Cannot may mean per VISA's rules;
it doesn't mean they have to do business with you, eh? You could
report them to VISA, but...



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Ron Hawkins
Radoslaw,

I disagree. It is not a rule; it is an agreement between the merchant and
the card company. The merchants must abide by their contract with VISA or
MasterCard, or they should be prepared not to do business with the Credit card
company, eh?. In this case cannot means exactly that: Can Not.

If they complete the transaction - do business with me - then there is
nothing to report. If they will not do business with me because I refuse to
give an ID then the onus is on me to report them to VISA or M/C.

What is really daft about Fry's in particular is that before I had a
California Driver's License they would not accept my Australian Passport or
my HK ID card as ID, both of which are much harder to counterfeit than a
Californian Driver's license. They would only accept my Victorian Driver's
License, which is not meant to be used for ID, has no security features, and
can be counterfeited by anyone with a printer and a glue pot. And to top it
off they still did not check the signature!!!

Ron




 -Original Message-
 From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of
 P S
 Sent: Monday, January 11, 2010 9:31 PM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: [IBM-MAIN] Korean bank Moves back to Mainframes (...no, not
back)
 
 On Mon, Jan 11, 2010 at 10:13 PM, Ron Hawkins
 ron.hawkins1...@sbcglobal.net wrote:
  Jack,
 
  According to the web site you referenced they can ask for ID, but for
VISA
  and MasterCard they cannot refuse to complete the transaction if you do
not
  comply.
 
  I'm tempted to test this the next time I'm asked...
 
 Be prepared not to buy whatever. Cannot may mean per VISA's rules;
 it doesn't mean they have to do business with you, eh? You could
 report them to VISA, but...
 


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-11 Thread Sam Siegel
On Mon, Jan 11, 2010 at 10:59 PM, Anne & Lynn Wheeler l...@garlic.com wrote:

 t...@harminc.net (Tony Harminc) writes:
  I'm not sure why this offends you so much. How would it help anything
  if the cashier checked your signature? Such checking is highly
  unreliable, and contributes much less to authentication than does the
  data they already know about the transaction.

 at one point, a large merchant looked at automatically discarding all
 signed receipts ... since they found that even if they automatically
 settled all disputes in the favor of the customer ... those dispute
 costs were still less than what they were paying (even in electronic
 form) to retain all the signed receipts. The idea was abandoned when
 somebody asked what might happen if the public found out that the
 merchant was no longer retaining the signed receipts.


Every state has laws regarding the retention of data related to the conduct
of business.  The amount of time is typically 3 to 7 years.  Not keeping the
receipts (or copies thereof) could create legal problems as well.


 for the most part ... merchant associations don't like the idea of
 clerks having to be involved in the authentication process ...  partly
 because they have little or no training ... partly because they have
 little or no authority ... and partly because clerks tend to already
 have more than enough to deal with.

 in general, merchants also don't like signature debit ... since the
 interchange fees (merchant discount fees, the subtracted from the total
 for actual paying to the merchant) are much higher

 there have been various disputes about the whole signature debit
 operation ... latest is:

 Best Buy Cuts off Visa Contactless with Little Risk to Sales
 http://www.digitaltransactions.net/newsstory.cfm?newsid=2418

 above mentions problem with it being signature debit interchange
 fees. somewhat older article ...

 Study: Signature Debit Fraud Runs 15 Times Higher Than on PIN Debit
 http://www.digitaltransactions.net/newsstory.cfm?newsid=738

 part of the interchange fee is supposedly related to fraud level of the
 corresponding kind of transaction ... and there can be more than an
 order-of-magnitude difference (in interchange fee) between the
 transactions with lowest fraud and transactions with highest fraud.

 Past merchant class action lawsuit (sometimes referred to as the
 Wal-Mart case) over the high cost of signature debit cards:

 MasterCard Puts the 13-Year-Old Wal-Mart Case in the Rear-View Mirror
 http://www.digitaltransactions.net/newsstory.cfm?newsid=2256

 --
 40+yrs virtualization experience (since Jan68), online at home since
 Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-10 Thread Howard Rifkind
Well, lose one, gain one.

I saw a post on the z/VM list that the University of Maine just shut down their 
mainframe operation.

--- On Thu, 1/7/10, Chase, John jch...@ussco.com wrote:

 From: Chase, John jch...@ussco.com
 Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
 To: IBM-MAIN@bama.ua.edu
 Date: Thursday, January 7, 2010, 1:46 PM
  -Original Message-
  From: IBM Mainframe Discussion List On Behalf Of Hal
 Merritt
  
  Concur. It would appear that the consumer electronic
 financial
 infrastructures are quite different
  outside of the US. Indeed, ours seems pretty primitive
 and a lot less
 consumer friendly. More, they
  don't seem to have quite as much of a fraud problem as
 we seem to
 have.
  
  I think I read somewhere that they don't use 'credit
 cards' as we know
 them in Asia. Rather, it is
  more of a 'smart card' strategy.
  
  Wonder how this works without fees?
 
 Two possibilities come immediately to mind:
 
 1.  Interest on loans, and/or
 2.  Government (tax) subsidy.
 
 I doubt corporate altruism enters into the equation.
 
     -jc-
 


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-08 Thread Anne Lynn Wheeler
The following message is a courtesy copy of an article
that has been posted to bit.listserv.ibm-main,alt.folklore.computers as well.


e99...@jp.ibm.com (Timothy Sipples) writes:
 So it's very important to decode that term whenever having detailed
 conversations about scale, sizing, growth, and other issues. If you don't
 have that common understanding of transactions, it gets difficult to have
 meaningful conversations. In the context of a press article it's not a big
 issue at all, but when involved in IT design discussions it's quite
 important.

some of the real-time auths (authorizations) transactions are measured
in number of transactions that flow thru TPF system (change in name from
airline control program to transaction processing facility was ACP
starting to be used by some financial networks).

in states ... there has tended to still be a bunch of stuff done in the
overnight batch window ... some recent posts about doing optimization
work on 450+k statement cobol program that overnight ran on 40+ mainframe fully
tricked-out CECs.
http://www.garlic.com/~lynn/2009d.html#5 Why do IBMers think disks are 'Direct Access'?
http://www.garlic.com/~lynn/2009e.html#76 Architectural Diversity
http://www.garlic.com/~lynn/2009f.html#55 Cobol hits 50 and keeps counting
http://www.garlic.com/~lynn/2009g.html#20 IBM forecasts 'new world order' for financial services
http://www.garlic.com/~lynn/2009s.html#9 Union Pacific Railroad ditches its mainframe for SOA

several places in the financial industry spent billions in the 90s on
failed straight-through processing efforts (to replace overnight
batch window) ... they were planning on using large number of parallel
killer micros and some COTS libraries. Problem was that they didn't
actually size the overhead of the COTS libraries (some vague
anticipation that more micros would offset the increased overhead).

it turned out that the COTS libraries had factor of 100 times increase
in overhead (compared to batch COBOL), totally swamping anticipated
thruput improvement with large numbers of killer micros. some past
references to the billions spent on failed straight-through processing
implementation:
http://www.garlic.com/~lynn/2009h.html#1 z/Journal Does it Again
http://www.garlic.com/~lynn/2009h.html#2 z/Journal Does it Again
http://www.garlic.com/~lynn/2009i.html#21 Why are z/OS people reluctant to use z/OS UNIX?
http://www.garlic.com/~lynn/2009l.html#57 IBM halves mainframe Linux engine prices
http://www.garlic.com/~lynn/2009m.html#22 PCI SSC Seeks standard for End to End Encryption?
http://www.garlic.com/~lynn/2009m.html#81 A Faster Way to the Cloud
http://www.garlic.com/~lynn/2009o.html#81 big iron mainframe vs. x86 servers
http://www.garlic.com/~lynn/2009q.html#67 Now is time for banks to replace core system according to Accenture
http://www.garlic.com/~lynn/2009q.html#68 Now is time for banks to replace core system according to Accenture

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Timothy Sipples
That's not the correct headline.

BC Card isn't moving *back* to mainframes. In its 27+ year history, BC Card
has never had a mainframe -- nothing in the System z lineage, anyway. They
are now replacing HP and Sun UNIX servers, and Oracle databases, with (a
presumably small number of) IBM mainframes. They are new in almost every
possible mainframe-related way: new z/OS customer, new CICS Transaction
Server for z/OS customer, new WebSphere Application Server for z/OS
customer, new System z10 customer, new mainframe customer.

There are some things in the article I disagree with, but there's one fact
in particular that is most certainly not correct. The article says this:

Sources at IBM say that this is the first Unix-to-mainframe application
migration in nearly a decade.

I hate to disagree with sources at IBM, but no, that's just factually
incorrect. I have personal knowledge of another such customer (in Japan)
who migrated their applications from distributed UNIX to z/OS with Parallel
Sysplex, and they never had a mainframe before. Quite possibly their entire
industry has never had a mainframe before, partly explaining why they're
not public. I suspect there are others.

Which is not to say that this isn't significant news from Korea. It is,
very.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: timothy.sipp...@us.ibm.com


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Sam Siegel
There are other business related inaccuracies in the article as well.  The
article indicates that they process hundreds of millions of Credit Card
transactions a day.  Having previously worked at a large credit card
processor in the US, it can be said with certainty that the S. Korean credit
card volumes are orders of magnitude smaller than US volumes.  The US
volumes are in the range of 100 to 200 million per day depending on the time
of the year.

On Thu, Jan 7, 2010 at 8:39 AM, Timothy Sipples
timothy.sipp...@us.ibm.com wrote:

 That's not the correct headline.

 BC Card isn't moving *back* to mainframes. In its 27+ year history, BC Card
 has never had a mainframe -- nothing in the System z lineage, anyway. They
 are now replacing HP and Sun UNIX servers, and Oracle databases, with (a
 presumably small number of) IBM mainframes. They are new in almost every
 possible mainframe-related way: new z/OS customer, new CICS Transaction
 Server for z/OS customer, new WebSphere Application Server for z/OS
 customer, new System z10 customer, new mainframe customer.

 There are some things in the article I disagree with, but there's one fact
 in particular that is most certainly not correct. The article says this:

 Sources at IBM say that this is the first Unix-to-mainframe application
 migration in nearly a decade.

 I hate to disagree with sources at IBM, but no, that's just factually
 incorrect. I have personal knowledge of another such customer (in Japan)
 who migrated their applications from distributed UNIX to z/OS with Parallel
 Sysplex, and they never had a mainframe before. Quite possibly their entire
 industry has never had a mainframe before, partly explaining why they're
 not public. I suspect there are others.

 Which is not to say that this isn't significant news from Korea. It is,
 very.

 - - - - -
 Timothy Sipples
 IBM Consulting Enterprise Software Architect
 Based in Tokyo, Serving IBM Japan / Asia-Pacific
 E-Mail: timothy.sipp...@us.ibm.com


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread John Kim
I am on the positive side that they process hundreds of millions of Credit Card
transactions a day. I used to work for one of the national banks (BC card
member).

Their banking system is also quite remarkable in that more than a dozen
accounts from each bank are all connected to the card account;
- They do almost everything through banking systems - pay tax, utility,
  cell phone, speeding ticket, home shopping, air-line ticket, and wiring to
  another bank...etc
- Bus pass, sub-way or toll-gate fare is also paid from your bank accounts
  directly when you screen the system in on-site.

All these transactions are linked to the card account via banking
accounts, but customers pay nothing to the bank for transaction fees or any
other service charges...
No balance limits for a waiver of service charges... not at all (but wire
to other countries). Instead they stand up & bow to you when you step
into the bank and advise you to open more accounts & cards.

You don't even have to open the door because your first encounter is a
door man. He / She will hand you pamphlets, asking about opening
accounts & cards.

We used to hire university kids as a summer job. They were pretty good
except for random accidents; sometimes they bumped heads when they bowed to
each other.

It can't be a simple comparison unless by population (45 million vs
??? million). Their system is quite different than US card companies; I
used to have 7 BC cards from different banks that allowed more credit
limits from each bank.

- And also their changed attitude populates more cards; they used to gift
their children savings accounts for entering kindergarten or
birthday...etc. But now it has switched to credit cards & cell-phone
(it's called hand-phone in S Korea).




-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Sam Siegel
Sent: Thursday, January 07, 2010 4:15 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

There are other business related inaccuracies in the article as well.
The article indicates that they process hundreds of millions of Credit
Card transactions a day.  Having previously worked at a large credit card
processor in the US, it can be said with certainty that the S. Korean
credit card volumes are orders of magnitude smaller than US volumes.  The
US volumes are in the range of 100 to 200 million per day depending on the
time of the year.

On Thu, Jan 7, 2010 at 8:39 AM, Timothy Sipples
timothy.sipp...@us.ibm.com wrote:

 That's not the correct headline.

 BC Card isn't moving *back* to mainframes. In its 27+ year history, BC
 Card has never had a mainframe -- nothing in the System z lineage, anyway.
 They are now replacing HP and Sun UNIX servers, and Oracle databases, with
 (a presumably small number of) IBM mainframes. They are new in almost
 every possible mainframe-related way: new z/OS customer, new CICS
 Transaction Server for z/OS customer, new WebSphere Application Server
 for z/OS customer, new System z10 customer, new mainframe customer.

 There are some things in the article I disagree with, but there's one
 fact in particular that is most certainly not correct. The article says
 this:

 Sources at IBM say that this is the first Unix-to-mainframe application
 migration in nearly a decade.

 I hate to disagree with sources at IBM, but no, that's just factually
 incorrect. I have personal knowledge of another such customer (in Japan)
 who migrated their applications from distributed UNIX to z/OS with
 Parallel Sysplex, and they never had a mainframe before. Quite possibly
 their entire industry has never had a mainframe before, partly explaining
 why they're not public. I suspect there are others.

 Which is not to say that this isn't significant news from Korea. It is,
 very.

 - - - - -
 Timothy Sipples
 IBM Consulting Enterprise Software Architect
 Based in Tokyo, Serving IBM Japan / Asia-Pacific
 E-Mail: timothy.sipp...@us.ibm.com

Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Hal Merritt
Concur. It would appear that the consumer electronic financial infrastructures 
are quite different outside of the US. Indeed, ours seems pretty primitive and 
a lot less consumer friendly. More, they don't seem to have quite as much of a 
fraud problem as we seem to have. 

I think I read somewhere that they don't use 'credit cards' as we know them in 
Asia. Rather, it is more of a 'smart card' strategy. 

Wonder how this works without fees? 

  

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of 
Sam Siegel
Sent: Thursday, January 07, 2010 11:42 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

I will bow to the man with direct experience ... Base on reading the article
it appeared to be talking about traditional Credit Card processing.  It was
not clear to someone without directly knowledge of the S. Korean banking
system (me) that Credit Cards handle such a broad scope of financial
transactions.

Even then, it means an average of 5 transaction per day per card they
manage.  This is a very impressive number of transactions per card per day.

Regards,
Sam

Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Roach, Dennis (N-GHG)
The number is not that surprising when you stop and think about the no cash on 
hand philosophy. 
Think of using your debit/bank/credit/atm card for everything you buy.  
Morning coffee, newspaper, breakfast. 
Transportation - gas, parking, bus, cab, train, subway. 
Lunch
Snack (even from a vending machine)
Transportation
All shopping
5 transactions on average is not that much.


Dennis Roach
GHG Corporation
Lockheed Martin Mission Services
Facilities Design and Operations Contract
Strategic Technical Engineering
NASA/JSC
Address:
   2100 Space Park Drive 
   LM-15-4BH
   Houston, Texas 77058
Mail:
   P.O. Box 58487
   Mail Code H4C
   Houston, Texas 77258-8487
Phone:
   Voice:  (281)336-5027
   Cell:   (713)591-1059
   Fax:(281)336-5410
E-Mail:  dennis.ro...@lmco.com

All opinions expressed by me are mine and may not agree with my employer or any 
person, company, or thing, living or dead, on or near this or any other planet, 
moon, asteroid, or other spatial object, natural or manufactured, since the 
beginning of time.

 -Original Message-
 From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
 Behalf Of Sam Siegel
 Sent: Thursday, January 07, 2010 11:42 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
 
 I will bow to the man with direct experience ... Base on reading the
 article it appeared to be talking about traditional Credit Card
 processing.  It was not clear to someone without directly knowledge of
 the S. Korean banking system (me) that Credit Cards handle such a broad
 scope of financial transactions.
 
 Even then, it means an average of 5 transaction per day per card they
 manage.  This is a very impressive number of transactions per card per
 day.
 
 Regards,
 Sam
 
Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread John Kim
I wouldn't agree that the financial structure in the US seems primitive,
but it's quite sure a lot less customer friendly.  The most tedious
thing was to participate in a campaign 'Customer is the king' on a
daily basis, although I was a computer guy there. No exception at all.

I can feel they have a lot fewer fraud incidents than North America.
Their system is kind of a bureaucratic structure; instead Banks hire lots
of retired law-enforcement to look after those who have fallen behind on
their card payment.

People over there have a perception of no pay to the bank, unless they
borrow money.
Which means I am a king of the feeder for Banks, and Banks still make a
pretty big fortune with fees.

Honestly I don't know how much of their profits comes from the fees, if
they charge.
I was a system programming guy...

Regards John Kim

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Hal Merritt
Sent: Thursday, January 07, 2010 11:00 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

Concur. It would appear that the consumer electronic financial
infrastructures are quite different outside of the US. Indeed, ours
seems pretty primitive and a lot less consumer friendly. More, they
don't seem to have quite as much of a fraud problem as we seem to have. 

I think I read somewhere that they don't use 'credit cards' as we know
them in Asia. Rather, it is more of a 'smart card' strategy. 

Wonder how this works without fees? 

  

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Sam Siegel
Sent: Thursday, January 07, 2010 11:42 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

I will bow to the man with direct experience ... Base on reading the
article it appeared to be talking about traditional Credit Card
processing.  It was not clear to someone without directly knowledge of
the S. Korean banking system (me) that Credit Cards handle such a broad
scope of financial transactions.

Even then, it means an average of 5 transaction per day per card they
manage.  This is a very impressive number of transactions per card per
day.

Regards,
Sam

Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Ted MacNEIL
That's the point of (EMV) chip cards.  They are inherently more secure.  

Why are they more secure?
INTERAC Canada has been telling us that they are.
So far, on their web-site, the proof presented has been: They are more secure.

When they sent me my new chip card, through the bank I use, nothing had changed.
They even kept the same PIN, which is supposed to be a secret.

Except for a different slot in the debit machine, the process for payment is 
the same.

Where is the 'enhanced' security?
What makes it so?

I honestly don't know if this is off-topic, because debit cards, in Canada, are 
still processed on mainframes, for the Big Five, at least.

And, the mainframe, if you aren't stupid, is still the most secure processing 
environment, chip cards aside.

(Yes! My bias is showing.)
-
Too busy driving to stop for gas!



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Chase, John
 -Original Message-
 From: IBM Mainframe Discussion List On Behalf Of Hal Merritt
 
 Concur. It would appear that the consumer electronic financial
 infrastructures are quite different outside of the US. Indeed, ours
 seems pretty primitive and a lot less consumer friendly. More, they
 don't seem to have quite as much of a fraud problem as we seem to have.
 
 I think I read somewhere that they don't use 'credit cards' as we know
 them in Asia. Rather, it is more of a 'smart card' strategy.
 
 Wonder how this works without fees?

Two possibilities come immediately to mind:

1.  Interest on loans, and/or
2.  Government (tax) subsidy.

I doubt corporate altruism enters into the equation.

-jc-



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Chase, John
 -Original Message-
 From: IBM Mainframe Discussion List [On Behalf Of Roach, Dennis (N-GHG)
 
 The number is not that surprising when you stop and think about the no
 cash on hand philosophy.
 Think of using your debit/bank/credit/atm card for everything you buy.
 Morning coffee, newspaper, breakfast.
 Transportation - gas, parking, bus, cab, train, subway.
 Lunch
 Snack (even from a vending machine)
 Transportation
 All shopping
 5 transactions on average is not that much.

Still need cash for the side pots in bowling leagues.  :-)

   -jc-



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Sam Siegel
On Thu, Jan 7, 2010 at 6:36 PM, Ted MacNEIL eamacn...@yahoo.ca wrote:

 That's the point of (EMV) chip cards.  They are inherently more secure.

 Why are they more secure?
 INTERAC Canada has been telling us that they are.
 So far, on their web-site, the proof presented has been: They are more
 secure.

 When they sent me my new chip card, through the bank I use, nothing had
 changed.
 They even kept the same PIN, which is supposed to be a secret.

 Except for a different slot in the debit machine, the process for payment
 is the same.

 Where is the 'enhanced' security?
 What makes it so?

 I honestly don't know if this is off-topic, because debit cards, in Canada,
 are still processed on mainframes, for the Big Five, at least.

 And, the mainframe, if you aren't stupid, is still the most secure
 processing environment, chip cards aside.

 (Yes! My bias is showing.)
 -
 Too busy driving to stop for gas!




I'm not trying to be argumentative here, but some of the numbers still
just don't add up.

On a global basis the largest card processor in the world clears and settles
about 10 billion USD on 250 to 300 million transactions per day.  Or about
40 USD per transaction.  Assuming that the average transaction in S. Korea
is 5 USD, then 200 million per day is a billion USD per day cleared and
settled.  This is over 360 billion USD per year.  The S. Korean economy is
1.3 Trillion USD (2008) according to the CIA fact book.  That would mean
that 28% of the S. Korean economy is handled via Credit Card transactions.
This is more than 5 times the rate of the rest of the world.


If an average transaction rate of 20 USD was used it would be even more
extreme.  If a lower average transaction value was used, then fees and
charges would be a large portion of the profits that merchants would be
giving up.

Something does not balance.


That would



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread J R
 Why are they more secure?

 

On a mag-stripe card, the data is right there, unencrypted for anyone to read 
and, if they so desire, clone.  

The chip is not just data; it is a processor.  All data exchanged between the 
card (i.e. the chip) and the terminal is encrypted.  

There's obviously a lot more to it than that but, right from that basic level, 
the chip is inherently more secure than the stripe.  I don't need Interac to 
tell me that.  

 

 

 Date: Thu, 7 Jan 2010 18:36:37 +
 From: eamacn...@yahoo.ca
 Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
 To: IBM-MAIN@bama.ua.edu
 
 That's the point of (EMV) chip cards. They are inherently more secure. 
 
 Why are they more secure?
 INTERAC Canada has been telling us that they are.
 So far, on their web-site, the proof presented has been: They are more 
 secure.
 
 When they sent me my new chip card, through the bank I use, nothing had 
 changed.
 They even kept the same PIN, which is supposed to be a secret.
 
 Except for a different slot in the debit machine, the process for payment is 
 the same.
 
 Where is the 'enhanced' security?
 What makes it so?
 
 I honestly don't know if this is off-topic, because debit cards, in Canada, 
 are still processed on mainframes, for the Big Five, at least.
 
 And, the mainframe, if you aren't stupid, is still the most secure processing 
 environment, chip cards aside.
 
 (Yes! My bias is showing.)
 -
 Too busy driving to stop for gas!


  


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Howard Brazee
On 7 Jan 2010 10:26:24 -0800, jayare...@hotmail.com (J R) wrote:

 ... they don't use 'credit cards' as we know them in Asia. Rather, it is 
 more of a 'smart card' strategy. 

 

The US is at least 12 years behind Europe, Australia/NZ and parts of Asia in 
deploying chip cards.  

Yep.   This isn't always bad.   We didn't get on the bandwagon with
analog HDTV, but waited until the digital variety came out.   Maybe
now that we see higher security and privacy needs, we will get a
better model here as well.



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread John Mattson
Be not the first by whom the new are tried, 
Nor yet the last to lay the old aside. 
- Alexander Pope 


Howard Brazee howard.bra...@cusys.edu 
Sent by: IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
01/07/2010 11:35 AM
Please respond to
IBM Mainframe Discussion List IBM-MAIN@bama.ua.edu
Expire Date: 01/07/2012


To
IBM-MAIN@bama.ua.edu
cc

Subject
Re: Korean bank Moves back to Mainframes (...no, not back)




On 7 Jan 2010 10:26:24 -0800, jayare...@hotmail.com (J R) wrote:
 ... they don't use 'credit cards' as we know them in Asia. Rather, it 
is more of a 'smart card' strategy. 
The US is at least 12 years behind Europe, Australia/NZ and parts of 
Asia in deploying chip cards. 
Yep.   This isn't always bad.   We didn't get on the bandwagon with 
analog HDTV, but waited until the digital variety came out.   Maybe now 
that we see higher security and privacy needs, we will get a better model 
here as well.




Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Howard Brazee
On 7 Jan 2010 10:31:19 -0800, dennis.ro...@lmco.com (Roach, Dennis  ,
N-GHG) wrote:

The number is not that surprising when you stop and think about the no cash on 
hand philosophy. 
Think of using your debit/bank/credit/atm card for everything you buy.  
Morning coffee, newspaper, breakfast. 
Transportation - gas, parking, bus, cab, train, subway. 
Lunch
Snack (even from a vending machine)
Transportation
All shopping
5 transactions on average is not that much.

Most days, I buy nothing at all.   But today I stopped at Panera
Bread and was asked if I could pay by card as their cash machine
wasn't yet ready.

I was reading SuperFreakonomics and it had a portion about the
economics of prostitution - and the high end call girl charged $500,
mainly to married men.   I wondered how many men can get a hold of
that cash without wives seeing the withdrawal.

It also discussed programs done by anti-terrorists and anti-fraud
units which check for suspicious withdrawals.   Everything gets
tracked.   I haven't worked for a bank IS, but it could be
interesting to develop such programs.



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread J R
That's why I actually made two statements:  

1. 
 ... they don't seem to have quite as much of a fraud problem as we seem to 
 have. 
 
That's the point of (EMV) chip cards. They are inherently more secure. 
 
 2.
 ... they don't use 'credit cards' as we know them in Asia. Rather, it is more 
 of a 'smart card' strategy. 
 
The US is at least 12 years behind Europe, Australia/NZ and parts of Asia in 
deploying chip cards. 


 

You can have your choice:  
(1)  Address security and have less fraud  
-or-  
(2)  Wait for the technology to be perfected before adopting it.  


 

 
 Date: Thu, 7 Jan 2010 12:35:38 -0700
 From: howard.bra...@cusys.edu
 Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
 To: IBM-MAIN@bama.ua.edu
 
 On 7 Jan 2010 10:26:24 -0800, jayare...@hotmail.com (J R) wrote:
 
  ... they don't use 'credit cards' as we know them in Asia. Rather, it is 
  more of a 'smart card' strategy. 
 
  
 
 The US is at least 12 years behind Europe, Australia/NZ and parts of Asia in 
 deploying chip cards. 
 
 Yep. This isn't always bad. We didn't get on the bandwagon with
 analog HDTV, but waited until the digital variety came out. Maybe
 now that we see higher security and privacy needs, we will get a
 better model here as well.
  


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Anne Lynn Wheeler
The following message is a courtesy copy of an article
that has been posted to bit.listserv.ibm-main,alt.folklore.computers as well.


jayare...@hotmail.com (J R) writes:
 That's the point of (EMV) chip cards.  They are inherently more secure.  

modulo when there are significantly less secure ... 

yes card vulnerability reference ... basically compromise POS terminal
(or other swipe mechanism to skim the data ... effectively same kind of
exploit used to skim magstripe data) ... and then trivially create
counterfeit yes card ... original reference gone 404 ... but can be
found at the wayback machine referencing presentation at cartes2002:
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

about the same time there was presentation on the vulnerabilities at the
ATM integrity task force meetings (prompting somebody in the audience to
comment that they managed to spend billions of dollars to prove that
chips are less secure than magstripe) ... a couple recent posts
with references:
http://www.garlic.com/~lynn/2009q.html#78 70 Years of ATM Innovation
http://www.garlic.com/~lynn/2009r.html#16 70 Years of ATM Innovation

lots of past posts mentioning yes card:
http://www.garlic.com/~lynn/subintegrity.html#yescard

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970
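
An added illustration of the point the two posts above turn on (not code from either poster, and not EMV's actual cryptography): a card that hands over the same bytes every time can be copied by whoever sees one transaction, whether those bytes sit on a stripe or in a chip, while a card that computes a fresh answer with a key it never reveals cannot. The class names, the HMAC-based model and the account numbers are assumptions constructed for this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed issuer master secret; in this model it never leaves the issuer.
ISSUER_MASTER = secrets.token_bytes(32)


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class StaticCard:
    """Presents fixed account data plus a fixed issuer tag on every use."""

    def __init__(self, account: str):
        self.record = account.encode()
        self.tag = _mac(ISSUER_MASTER, b"static|" + self.record)

    def present(self):
        return self.record, self.tag


class ChipCard:
    """Holds a per-card key on the chip and answers a fresh challenge."""

    def __init__(self, account: str):
        self.record = account.encode()
        # The derived key stays on the card; only responses cross the interface.
        self._key = _mac(ISSUER_MASTER, b"cardkey|" + self.record)

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        return _mac(self._key, challenge + amount_cents.to_bytes(8, "big"))


class Issuer:
    def __init__(self):
        self._open = set()  # challenges issued and not yet used

    def verify_static(self, record: bytes, tag: bytes) -> bool:
        expected = _mac(ISSUER_MASTER, b"static|" + record)
        return hmac.compare_digest(tag, expected)

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._open.add(challenge)
        return challenge

    def verify_dynamic(self, record, challenge, amount_cents, response) -> bool:
        if challenge not in self._open:
            return False              # unknown or already-used challenge
        self._open.discard(challenge)  # each challenge is accepted once
        key = _mac(ISSUER_MASTER, b"cardkey|" + record)
        expected = _mac(key, challenge + amount_cents.to_bytes(8, "big"))
        return hmac.compare_digest(response, expected)


def run_demo() -> dict:
    issuer = Issuer()
    out = {}

    # Static data: whatever a compromised reader saw once is enough forever.
    static = StaticCard("4000-0000-0000-0002")   # constructed account number
    seen_record, seen_tag = static.present()
    out["static_genuine"] = issuer.verify_static(seen_record, seen_tag)
    out["static_replayed_copy"] = issuer.verify_static(
        bytes(seen_record), bytes(seen_tag))

    # Dynamic response: the same observer sees (challenge, amount, response).
    chip = ChipCard("4000-0000-0000-0010")       # constructed account number
    c1 = issuer.new_challenge()
    r1 = chip.respond(c1, 1250)
    out["chip_genuine"] = issuer.verify_dynamic(chip.record, c1, 1250, r1)

    # Replaying the recorded exchange fails: the challenge was consumed.
    out["chip_same_challenge_reused"] = issuer.verify_dynamic(
        chip.record, c1, 1250, r1)
    # The recorded response does not match a new challenge either.
    c2 = issuer.new_challenge()
    out["chip_old_response_new_challenge"] = issuer.verify_dynamic(
        chip.record, c2, 1250, r1)
    # A genuine response is bound to the amount it was computed for.
    c3 = issuer.new_challenge()
    r3 = chip.respond(c3, 1250)
    out["chip_amount_altered"] = issuer.verify_dynamic(
        chip.record, c3, 999999, r3)
    return out


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:34s} accepted={accepted}")
```

The security comes from what the verifier insists on, not from the chip's presence: a deployment that accepts static data from a chip gets the first two results, not the last three.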



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Anne Lynn Wheeler


Howard Brazee howard.bra...@cusys.edu writes:
 Yep.   This isn't always bad.   We didn't get on the bandwagon with
 analog HDTV, but waited until the digital variety came out.  Maybe
 now that we see higher security and privacy needs, we will get a
 better model here as well.

re:
http://www.garlic.com/~lynn/2010.html#71 Korean bank Moves back to Mainframes (...no, not back)

there was actually a rather large deployment in the NE about the time of
the cartes2002 presentation (and the atm integrity task force meetings)
... which then seemed to disappear w/o a trace. There has been some
concern expressed about the much larger deployment costs for the US
... but it may actually not so much be about the cost of a single
deployment ... but that there may have to be a large number of
deployments.

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Ted MacNEIL
It also discussed programs done by anti-terrorists and anti-fraud
units which check for suspicious withdrawals.
Everything gets tracked.  I haven't worked for a bank IS, but it could be
interesting to develop such programs.

Banks, at least in Canada, have been running DSS/AI/Anti-Fraud/Terrorist 
detection for years.
But, they have put in arbitrary thresholds, such as $1000, or the like.

The biggest issue is the number of false positives.

A similar issue showed up with the scanning of e-mails for violent/terrorist 
language on the INTERNET.
Every teenage kid playing World of Warcraft got flagged.

I got flagged once, at work, for using a very vile word in an e-mail.
I didn't. I was just discussing Soccer and a town that ended in 'thorpe'.
The word was pulled out of the middle of a larger word, without delimiters.

Another example, not financial, is at a company I used to work for.
The service provider had introduced a SPAM filtering package that kept 
suspected SPAM away from the recipient, so the intended recipient could not 
verify that it was SPAM.
So, there was no Human Intervention and approval.
But, the provider was using the percentage rejected as a performance metric.
When I asked about false positives, they told me I didn't understand the issue.

The whole point is, any AI algorithm needs a human overseer.
It's not good enough on its own, yet.
-
Too busy driving to stop for gas!



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Ted MacNEIL
The chip is not just data; it is a processor.  All data exchanged between the 
card (ie. the chip) and the terminal is encrypted.  

Why can't their web-site say that?

There's obviously a lot more to it than that but, right from that basic level, 
the chip is inherently more secure than the stripe.  I don't need Interac to 
tell me that.  

 I'm not a full-blown security expert; I'm a Jack-of-all-Trades.
All somebody had to do is answer the question.

(Mind you I'm still concerned that the new card had my 'secret' PIN already 
allocated when I received it.
At best, they should have me take the card to the Bank, and enter a new/old PIN)
-
Too busy driving to stop for gas!



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Howard Brazee
On 7 Jan 2010 11:44:55 -0800, john.mck...@healthmarkets.com (McKown,
John) wrote:

Perhaps the Korean banks are competent? And they can make money by not paying
the account holder all the income that the bank makes on the money entrusted
to them? U.S. banks used to be user friendly and competent. They are, like
most, now run by greedy fools.

There are two big issues with US banks here - one is how much money
they spend on regulatory issues.  Why should banks and credit unions
have different rules to follow?

And the 2nd issue is much bigger, it's a business culture issue that
is by no means limited to banks.   That is we have lots of people
running businesses who don't have the same risk/rewards as the
businesses themselves have.  Making decisions that will bankrupt the
company in 5 years won't stop a CEO from getting wealthy now,
especially if the company gets bailed out by taxpayers.



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Howard Brazee
On 7 Jan 2010 11:16:06 -0800, jayare...@hotmail.com (J R) wrote:

 Why are they more secure?

 

On a mag-stripe card, the data is right there, unencrypted for anyone to read 
and, if they so desire, clone.  

The chip is not just data; it is a processor.  All data exchanged between the 
card (ie. the chip) and the terminal is encrypted.  

There's obviously a lot more to it than that but, right from that basic level, 
the chip is inherently more secure than the stripe.  I don't need Interac to 
tell me that.  

The question is - are they secure enough?  It takes more work to
clone a chip card, but do crooks who have the technology to use
mag-stripe cards have access to the technology to use chip cards?   I
don't know the answer.



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Howard Brazee
On 7 Jan 2010 12:22:08 -0800, eamacn...@yahoo.ca (Ted MacNEIL) wrote:

I got flagged once, at work, for using a very vile word in an e-mail.
I didn't. I was just discussing Soccer and a town that ended in 'thorpe'.
The word was pulled out of the middle of a larger word, without delimiters.

I forgot the details where it took a while to figure out how to change
a business document to get by the Spam filters to a co-worker. Getting
rid of one innocuous (to me) word did it, but it wasn't at all
obvious.

I feel sorry for people who need to use their computers to search for
medical and other help for issues that get flagged as dirty (I'm not
wanting to use words to get this message filtered). 
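
Added example, not part of any poster's message: the two filter failures discussed above (a watch term "pulled out of the middle of a larger word, without delimiters", and a provider reporting "percentage rejected" as its metric) reproduced on a small labelled sample. The watch list, the messages and their labels are constructed for illustration, and all function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed watch list; not taken from any real filtering product.
WATCH_TERMS = ("kill", "bomb", "attack")
TOKEN_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, WATCH_TERMS)) + r")\b", re.IGNORECASE
)

# Constructed messages: (text, is_really_threatening), labelled by hand.
SAMPLE_MESSAGES = [
    ("Great skill shown by the keeper in Saturday's match", False),
    ("The CFO gave a bombastic speech at the town hall", False),
    ("Tonight's raid: kill the dragon, then attack the gate", False),
    ("Reminder: heart attack first-aid course on Monday", False),
    ("I will bomb the office on Friday", True),
    ("Lunch at noon?", False),
    ("Invoice 4471 attached for the Skillman account", False),
    ("Counterattack drills moved to pitch 2", False),
]


def substring_match(text):
    """Match 'without delimiters': a term may sit inside a longer word."""
    lowered = text.lower()
    return next((t for t in WATCH_TERMS if t in lowered), None)


def token_match(text):
    """Match only whole words, using regex word boundaries."""
    m = TOKEN_RE.search(text)
    return m.group(1).lower() if m else None


@dataclass
class Stats:
    flagged: int
    true_pos: int
    false_pos: int
    rejected_pct: float  # the metric the provider in the thread reported
    precision: float     # share of flagged mail that deserved the flag


def evaluate(matcher, messages=SAMPLE_MESSAGES):
    """Score a matcher against the hand-labelled sample."""
    flagged = [bad for text, bad in messages if matcher(text)]
    tp = sum(flagged)
    return Stats(
        flagged=len(flagged),
        true_pos=tp,
        false_pos=len(flagged) - tp,
        rejected_pct=100.0 * len(flagged) / len(messages),
        precision=tp / len(flagged) if flagged else 0.0,
    )


def review_queue(matcher, messages=SAMPLE_MESSAGES):
    """Hold hits for a person to release or confirm, with the evidence
    (matched term and full text) attached, rather than discarding them."""
    return [
        {"term": term, "text": text, "decision": "pending human review"}
        for text, _ in messages
        if (term := matcher(text))
    ]


if __name__ == "__main__":
    for name, matcher in (("substring", substring_match), ("token", token_match)):
        print(name, evaluate(matcher))
    for item in review_queue(token_match):
        print(item)
```

Word-boundary matching removes the hits inside longer words, but the gaming and first-aid messages are still flagged, so the remaining hits need a reviewer who can see them.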



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread J R
 Why can't their web-site say that?


Dunno!  Too much information maybe?  


 

 (Mind you I'm still concerned that the new card had my 'secret' PIN already 
 allocated when I received it.
 At best, they should have me take the card to the Bank, and enter a new/old 
 PIN)


I presume they did that for your convenience.  (Not anybody else's since they 
wouldn't know the PIN.)  
However, being a smart card with a processor on it, you should be able to 
change your PIN at an ATM.  


 

 

 
 Date: Thu, 7 Jan 2010 20:26:39 +
 From: eamacn...@yahoo.ca
 Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
 To: IBM-MAIN@bama.ua.edu
 
 The chip is not just data; it is a processor. All data exchanged between the 
 card (ie. the chip) and the terminal is encrypted. 
 
 Why can't their web-site say that?
 
 There's obviously a lot more to it than that but, right from that basic 
 level, the chip is inherently more secure than the stripe. I don't need 
 Interac to tell me that. 
 
 I'm not a full-blown security expert; I'm a Jack-of-all-Trades.
 All somebody had to do is answer the question.
 
 (Mind you I'm still concerned that the new card had my 'secret' PIN already 
 allocated when I received it.
 At best, they should have me take the card to the Bank, and enter a new/old 
 PIN)
 -
 Too busy driving to stop for gas!
  


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread John Kim
I am so impressed by your insight!  Please forgive me for going off the
topic.

Although I don't have stats in my hands, I can explain two things to help
you understand how they got over an economic crisis.
Way back in the mid 1990s the economic crisis in S Korea was almost the same
as or bigger than last year's in the US, and it was controlled by the IMF.
I experienced a big jump in commodity prices, especially a 5 times
increase overnight for flour and toilet paper, which I had never
experienced since I was born.  That's why I came over here for a
better quality of toilet paper at a better price.

The first thing the government tried to do was campaigning in order to
turn around the economic crisis;
- asking the nation to come out with gold from their drawers or safes.

At that time I also sold my wedding and my children's baby-shower rings to
the government; as a result the world gold market fluctuated, and the gold
price went downward.

- Secondly, the government tried to let people sign applications for as
many credit cards as possible in order to stimulate the financial
infrastructure.

At that time my high school nephew had a dozen cards, and is still using them.

Eventually the prevalence of credit cards worked, and they were able to get
over the economic crisis, although they have a social crisis from
over-spending as fallout.

That's why they need an extra wallet for more cards.

Sometimes economists also don't understand how the Korean economy works.

One thing I know is they are really superb at campaigning!

 

  

 
 

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Sam Siegel
Sent: Thursday, January 07, 2010 11:52 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

On Thu, Jan 7, 2010 at 6:36 PM, Ted MacNEIL eamacn...@yahoo.ca wrote:

 That's the point of (EMV) chip cards.  They are inherently more secure.

 Why are they more secure?
 INTERAC Canada has been telling us that they are.
 So far, on their web-site, the proof presented has been: They are more
 secure.

 When they sent me my new chip card, through the bank I use, nothing had
 changed.
 They even kept the same PIN, which is supposed to be a secret.

 Except for a different slot in the debit machine, the process for payment
 is the same.

 Where is the 'enhanced' security?
 What makes it so?

 I honestly don't know if this is off-topic, because debit cards, in Canada,
 are still processed on mainframes, for the Big Five, at least.

 And, the mainframe, if you aren't stupid, is still the most secure
 processing environment, chip cards aside.

 (Yes! My bias is showing.)
 -
 Too busy driving to stop for gas!




I'm not trying to be argumentative here, but some of the numbers still
don't just add up.

On a global basis the largest card processor in the world clears and settles
about 10 billion USD on 250 to 300 million transactions per day.  Or about
40 USD per transaction.  Assuming that the average in S. Korea transaction
is 5 USD.  Then 200 million per day is a billion USD per day cleared and
settled.  This is over 360 billion USD per year.  The S. Korean economy is
1.3 Trillion USD (2008) according to the CIA fact book.  That would mean
that 28% of the S. Korean economy is handled via Credit Card transactions.
This is more than 5 times the rate of the rest of the world.


If an average transaction rate of 20 USD was used it would be even more
extreme.  If a lower average transaction value was used, then fees and
charges would be a large portion of the profits that merchants would be
giving up.

Something does not balance.


That would



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Anne Lynn Wheeler


Howard Brazee howard.bra...@cusys.edu writes:
 The question is - are they secure enough?  It takes more work to
 clone a chip card, but do crooks who have the technology to use
 mag-stripe cards have access to the technology to use chip cards?   I
 don't know the answer.

re:
http://www.garlic.com/~lynn/2010.html#71 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#72 Korean bank Moves back to Mainframes (...no, not back)

the compromise of terminal or machine to skim data ... whether magstripe
or chip ... was nearly identical. the cost of magstripe cards is several
cents less than chipcards used for yes cards ... but that is
relatively minor compared to the compromise effort to skim/collect the
data ... as well as the avg. fraud ROI per counterfeit card.

as referenced in the cartes2002 presentation ... it was trivial to
create a counterfeit yes card ... and the technology and description
was readily available on the internet thru the latter half of the 90s.

after having done work with small client/server startup (the startup
also had invented this technology called SSL that they wanted to use)
for payment transactions and what is now commonly called electronic
commerce ... in the mid-90s we were invited to participate in the x9a10
financial standard working group ... which had been given the
requirement to preserve the integrity of the financial infrastructure
for all retail payments. The yes card kind of exploit was one of the
early, easily identified vulnerabilities by the x9a10 standard working
group (long before any kind of actual deployment of that technology)

-- 
40+yrs virtualization experience (since Jan68), online at home since Mar1970



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Ted MacNEIL
I presume they did that for your convenience.  (Not anybody else's since they 
wouldn't know the PIN.)  
However, being a smart card with a processor on it, you should be able to 
change your PIN at an ATM.  

Yes!
But, the PIN is supposed to be a secret.
Give me the chip-card, and have me come in to re-do my PIN would have made me 
feel more secure.

They didn't do that!
-
Too busy driving to stop for gas!



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread J R
 But, the PIN is supposed to be a secret.


They make a point of not knowing what your actual PIN is.  What they 
put in the chip is an encrypted PIN block that has to be matched after 
the PIN that you actually key in has been put through the ringer.  

Even if you could read the chip, and find your PIN block, unless you knew 
what cryptographic key(s) were used, and which variant(s), to create it and 
using which algorithm(s), you wouldn't be able to come up with your clear 
text PIN.  Your clear text PIN is not recorded anywhere unless you wrote it 
down.  

 

 
 Date: Thu, 7 Jan 2010 22:51:52 +
 From: eamacn...@yahoo.ca
 Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
 To: IBM-MAIN@bama.ua.edu
 
 I presume they did that for your convenience. (Not anybody else's since they 
 wouldn't know the PIN.) 
 However, being a smart card with a processor on it, you should be able to 
 change your PIN at an ATM. 
 
 Yes!
 But, the PIN is supposed to be a secret.
 Give me the chip-card, and have me come in to re-do my PIN would have made me 
 feel more secure.
 
 They didn't do that!
 -
 Too busy driving to stop for gas!
  


Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread J R
Of course, I meant wringer!  


 

 

 
 Date: Thu, 7 Jan 2010 18:03:24 -0500
 From: jayare...@hotmail.com
 Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
 To: IBM-MAIN@bama.ua.edu
 
  But, the PIN is supposed to be a secret.
 
 
 They make a point of not knowing what your actual PIN is. What they 
 put in the chip is an encrypted PIN block that has to be matched after 
 the PIN that you actually key in has been put through the ringer. 
 
 Even if you could read the chip, and find your PIN block, unless you knew 
 what cryptographic key(s) were used, and which variant(s), to create it and 
 using which algorithm(s), you wouldn't be able to come up with your clear 
 text PIN. Your clear text PIN is not recorded anywhere unless you wrote it 
 down. 
 
 
 
 
  Date: Thu, 7 Jan 2010 22:51:52 +
  From: eamacn...@yahoo.ca
  Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
  To: IBM-MAIN@bama.ua.edu
  
  I presume they did that for your convenience. (Not anybody else's since 
  they wouldn't know the PIN.) 
  However, being a smart card with a processor on it, you should be able to 
  change your PIN at an ATM. 
  
  Yes!
  But, the PIN is supposed to be a secret.
  Give me the chip-card, and have me come in to re-do my PIN would have made 
  me feel more secure.
  
  They didn't do that!
  -
  Too busy driving to stop for gas!
 


OT smart cards was Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Clark Morris
On 7 Jan 2010 12:27:09 -0800, in bit.listserv.ibm-main you wrote:

The chip is not just data; it is a processor.  All data exchanged between the 
card (ie. the chip) and the terminal is encrypted.  

Why can't their web-site say that?

There's obviously a lot more to it than that but, right from that basic 
level, the chip is inherently more secure than the stripe.  I don't need 
Interac to tell me that.  

 I'm not a full-blown security expert; I'm a Jack-of-all-Trades.
All somebody had to do is answer the question.

(Mind you I'm still concerned that the new card had my 'secret' PIN already 
allocated when I received it.
At best, they should have me take the card to the Bank, and enter a new/old 
PIN)

Is the PIN on the card or is it at the bank where they assigned the
one you already had on the debit card to it?
-
Too busy driving to stop for gas!




Re: OT smart cards was Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread J R
I believe there are two PINs, an online PIN which is at the bank and can be 
verified for online transactions and an offline PIN which is on the chip and 
can be used for small value offline transactions.  
The goal is to keep the two in synch and this is done during the next online 
transaction.  

I'm not an expert on this but I believe a lot of the functionality depends on 
the actual application on the chip.  There can be more than one application 
on the same chip so that the card can be both a debit card and a credit card.  
They do this a lot in Europe.  


 

 

 
 Date: Thu, 7 Jan 2010 19:29:56 -0400
 From: cfmpub...@ns.sympatico.ca
 Subject: OT smart cards was Re: Korean bank Moves back to Mainframes (...no, 
 not back)
 To: IBM-MAIN@bama.ua.edu
 
 Is the PIN on the card or is it at the bank where they assigned the
 one you already had on the debit card to it?
  


Re: OT smart cards was Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Ted MacNEIL
Is the PIN on the card or is it at the bank where they assigned the
one you already had on the debit card to it?

When I went in to get my (pre-chip) card, there was some processing and 
encoding done on the card after I entered my (new) PIN.

I assume there is something on the card, because you could get up to $200 out 
of ABMs when they went offline to the host processor.
At least, at the bank I used to work at.

-
Too busy driving to stop for gas!



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Sam Siegel
On Fri, Jan 8, 2010 at 6:08 AM, Timothy Sipples e99...@jp.ibm.com wrote:

 I should say right up front that I am not an expert on Korean banking.
 Also, I have no idea whether the following remarks apply to BC Card
 specifically.

 One commenter in this thread suggested that the number of transactions
 looks strange, if by transactions you mean card swipes, basically. What
 I sometimes find -- and not just in Korea -- is that the term
 transactions has different meanings depending on whom you're talking to.
 The business users and managers tend to think of measurements like card
 swipes, purchases, etc. -- the direct business metrics. However, the IT
 staff tend to think of number of CICS transactions and/or number of
 database updates, to pick two examples. Thus it's quite common for one
 card swipe to result in several transactions, depending on the functional
 requirements and application architecture. Loyalty cards (point
 processing), fraud analysis and prevention, business reporting functions,
 overlimit SMS alerting triggers, PIN processing, interbank debiting and
 crediting, customer service functions, etc., etc. can also add considerably
 to the number of transactions.

 So it's very important to decode that term whenever having detailed
 conversations about scale, sizing, growth, and other issues. If you don't
 have that common understanding of transactions, it gets difficult to have
 meaningful conversations. In the context of a press article it's not a big
 issue at all, but when involved in IT design discussions it's quite
 important.

 Also, I recall that Korea has a lot more real-time posting of typical
 bank transactions than most other countries. If you think about U.S.
 banking, there's lots of batch processing for, say, check clearing. I think
 Korea handles their equivalent payments differently, much more like the
 real-time interbank settlements for larger transactions. At least, that's
 the explanation I constructed when someone once tried to educate me on the
 differences in better English than my Korean. Said another way, one Korean
 bank transaction does not equal one U.S. (or Chinese) bank transaction in
 terms of path length (for example). They are different creatures for some
 reason.

 South Korea, like many other countries, has had problems with high rates of
 credit card default in the not-too-distant past. That might be a reflection
 of what John is talking about (and which I have also heard), that Korean
 credit card companies have been very effective in saturating the market
 with cards.

 - - - - -
 Timothy Sipples
 IBM Consulting Enterprise Software Architect
 Based in Tokyo, Serving IBM Japan / Asia-Pacific
 E-Mail: timothy.sipp...@us.ibm.com


I was talking about business transactions.  If the posting was talking about
internal system transactions required to effect the processing of a purchase
then several hundred million transactions per day is easily possible.
However, the beginning of the article talks about a card holder base of 40
or so million people.  From that it seemed reasonable to think that the
transaction count was directly related to the cardholders and not to the
internal system activity.  My comments should be viewed from this
perspective.

In the US the large card processors are running billions of internal system
transactions a day on distributed and sysplexed z/OS systems to support
hundreds of millions of card holder initiated transactions.

Regards,
Sam



Re: Korean bank Moves back to Mainframes (...no, not back)

2010-01-07 Thread Ted MacNEIL
What I sometimes find -- and not just in Korea -- is that the term
transactions has different meanings depending on whom you're talking to.
The business users and managers tend to think of measurements like card
swipes, purchases, etc. -- the direct business metrics.
However, the IT staff tend to think of number of CICS transactions and/or 
number of database updates, to pick two examples.

That is a common issue across the board.
I've run into it many times in the almost 30 years I've been a capacity analyst.
At the last company I worked at the business worried about invoices/orders 
(86,000/day) and IT worried about CICS transactions (70M/day).
I had to do a lot of work to get them to relate to each other, and to point out 
that daily volumes were not totally related to peak volumes.
The latter was a herculean task.

-
Too busy driving to stop for gas!
