[access-uk] Re: chip & pin banking

  • From: "Tristram Llewellyn" <tris-l@xxxxxxxxxx>
  • To: <access-uk@xxxxxxxxxxxxx>
  • Date: Wed, 16 May 2007 15:39:16 +0100

"My main concern is how accessible these devices will be, especially for those 
of us who cannot see a display screen."
The USB device described in the Guardian article is a non-talking device; it 
has an LCD display which is used to display what is an apparently random string 
but is in fact able to be recognised by the server as coming from a valid 
source.  The code changes approximately every minute, although some slippage is 
allowed, but this is enough to make it difficult for fraudsters because getting 
any data from the one transaction would not let you crack the second.

This is an attempt to introduce more than multiple factors into the 
authentication process.  Log in details or PIN number that represent a first 
factor in a security system are only as secure as the user who doesn't reveal them 
intentionally to another party or where they are exposed by some technical 
means (like a key logger) to another party.  The USB device provides a second 
factor in the authentication process as something they should only have which is 
tied into their account or log in details.  A third factor, such as some form 
of biometrics, could be used to further secure a system.

I would be surprised if only on cost grounds that a bank sent out card readers 
to its customers. In time sure this would create a further vector through which 
fraudulent activity can enter the system.  We already know that for some reason 
which the You and Yours of this world have failed to uncover why it is that 
petrol station machines can be so easily compromised.  Unless you can make 
those things truly tamper proof it is a security risk waiting to happen.

Regards.

Tristram Llewellyn
Sight and Sound Technology
Technical Support
www.sightandsound.co.uk
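
The rolling code described in the message above, sketched as an added example (not part of the original post, and not the bank's or the device vendor's implementation). It assumes an RFC 6238 style time-based code with a 60-second step and 6 digits, since the post does not name the algorithm; `code_at`, `verify` and the sample secret are illustrative names and values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumption: the post says "approximately every minute"
DIGITS = 6          # assumption: the display length is not given in the post


def code_at(secret: bytes, unix_time: int) -> str:
    """Code the token would display at unix_time (RFC 6238 style, HMAC-SHA1)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret, submitted, server_time, last_counter, slippage_steps=1):
    """Return the matched time-step counter, or None if the code is rejected.

    Accepts codes from +/- slippage_steps around the server clock, and skips
    any step at or before last_counter so a captured code cannot be replayed.
    """
    now = server_time // STEP_SECONDS
    for counter in range(now - slippage_steps, now + slippage_steps + 1):
        if counter <= last_counter:
            continue
        expected = code_at(secret, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


if __name__ == "__main__":
    secret = b"constructed-demo-secret"     # constructed sample value
    t0 = 1_179_326_356                      # constructed timestamp
    shown = code_at(secret, t0)
    accepted = verify(secret, shown, t0 + 45, last_counter=-1)
    print("token shows", shown, "-> accepted at step", accepted)
    print("replay:", verify(secret, shown, t0 + 50, last_counter=accepted))
    print("ten minutes on:", verify(secret, shown, t0 + 600, last_counter=accepted))
```

The server stores the last accepted step per account; that stored value is what makes a code read off one transaction useless for the next.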
