Yeah, Chip and PIN (EMV) in the UK is much better for security, we have a lot lower rates of card fraud here than in the US. In fact most of the world has now switched to EMV, the US is the only major country that I can think of which is still on swipe payments.
The problem goes further than the cards themselves though, I think the big problem with them is that you have to give companies all of the details needed to make a charge when you buy things online, and those details are stored. Other comments here are right, the main way to deal with this is single use card numbers that can be revoked individually.
I think a good way would be to implement something similar to what OAuth does. When you want to make a payment to Amazon for example, you tell your bank who you are and after authenticating you, they would provide a token to Amazon who can store that to use for purchases. If at some point in the future Amazon were 'hacked', the bank could revoke charging authorization for all tokens given to Amazon, immediately protecting all of their customers.
Chip and PIN should be better, except they fucked up the crypto such that anyone who stole your card could use it without knowing your PIN but still make it look like a PIN transaction - so you'd be liable for the fraudulent transaction since obviously you didn't take sufficient care to keep your PIN secret.
Verified by Visa and Mastercard 3D Secure were an attempt to implement something similar to this, but were a disaster. I recommend the paper "Veri ed by Visa and MasterCard SecureCode:
or, How Not to Design Authentication" by Steven Murdoch and Ross Anderson, who have been involved in quite a lot of the security research surrounding EMV.
EMV has it's problems. I've worked with a few researchers who have targeted the security of it in several ways and found some quite serious issues, so I'm quite aware of the security implications. However in terms of practical criminal use, having the challenge and response mechanism with the card is a significant improvement over the static data of a magstripe.
That said, an interesting piece of British law is the fact that a signature forgery is never the responsibility of the victim. This means that if someone fraudulently signs for a payment, you are not responsible for the charges at all, whereas if someone watches you enter your PIN, or you tell it to someone and they subsequently use it to make payments, this is your responsibility. The grey area for a while was that the companies behind EMV said it was 'uncrackable' (never a good idea) and refused to take responsibility of charges that some users claimed had been made without their PINs being revealed by them. Anderson, and the Cambridge security researchers demonstrated a proof of concept a few years ago that showed how it could be used without knowing disclosure of the PIN, and since then card companies and banks have been a little more receptive to taking on the responsibility.
danpalmer|12 years ago
The problem goes further than the cards themselves though, I think the big problem with them is that you have to give companies all of the details needed to make a charge when you buy things online, and those details are stored. Other comments here are right, the main way to deal with this is single use card numbers that can be revoked individually.
I think a good way would be to implement something similar to what OAuth does. When you want to make a payment to Amazon for example, you tell your bank who you are and after authenticating you, they would provide a token to Amazon who can store that to use for purchases. If at some point in the future Amazon were 'hacked', the bank could revoke charging authorization for all tokens given to Amazon, immediately protecting all of their customers.
makomk|12 years ago
cnorthwood|12 years ago
danpalmer|12 years ago
http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
EMV has it's problems. I've worked with a few researchers who have targeted the security of it in several ways and found some quite serious issues, so I'm quite aware of the security implications. However in terms of practical criminal use, having the challenge and response mechanism with the card is a significant improvement over the static data of a magstripe.
That said, an interesting piece of British law is the fact that a signature forgery is never the responsibility of the victim. This means that if someone fraudulently signs for a payment, you are not responsible for the charges at all, whereas if someone watches you enter your PIN, or you tell it to someone and they subsequently use it to make payments, this is your responsibility. The grey area for a while was that the companies behind EMV said it was 'uncrackable' (never a good idea) and refused to take responsibility of charges that some users claimed had been made without their PINs being revealed by them. Anderson, and the Cambridge security researchers demonstrated a proof of concept a few years ago that showed how it could be used without knowing disclosure of the PIN, and since then card companies and banks have been a little more receptive to taking on the responsibility.