First is not asking always just the full pin for the CAP, but the full pin (full just because is needed for the smart-card) plus partial something that just you and the bank know(like a today’s internet password), that is something like and offset that could be use to XOR with the CAP in the end (not sure about this). HSBC UK do something like this by asking you just to type partial and random selected numbers from your internet password. With this, the detection by “dirty and worn” can be more difficult, as well the “Malicious friend” problem (just if you borrow the device a very large number of times).

For the identification of scams Ross mention in the end, HSBC Brazil has simething that seems a good solution to me. Everytime I want to access any HSBC Brazil related stuff I see a digital stamp, with 3 carachterics ( a geometric figure, a number and an object ) that I should recognized as mine stamp. If it is not there I know that HSBC has someting worng (probably is not HSBC).

Ross also overlooks the fact that there may be a separate application on the chip for authentication purposes and that other controls can be applied using the card and reader to ensure the integrity of the transaction (and defeat phishing based man-in-the-middle attacks). It’s also highly likely that the banks will be using a range of controls to manage risk (I’m sure that Ross is aware of the concept of “defence in depth”?).

Ross is correct in thinking that life would be harder for phishermen if Internet users had a clear understanding about email communication, but the fact remains most people don’t understand email spoofing and there are some very convincing social engineering exploits used, so people will continue to be duped by scam emails.

So, “yet another moan by Ross Anderson” and no constructive views on the situation!

Especially the real-time MiTM attack (BTW, is there a non-real-time MiTM?) — I would venture to say that any protocol where the user has to authenticate the bank (i.e., to ensure that the website to which he connects is the correct one) is open to MiTM. This is because users are notoriously bad at checking authentication information (SSL certs, etc.).

You are right, the Banks (and most other organisations) will only increase the security of their systems when the Pain / Cost of not doing it exceads the current cost of the way they do it. Which is not going to happen as long as they either have no legal liability or can use compleatly inefectual “smoke and mirror” security to limit bad publicity.

I am still amazed that the banks and other organisations are alowed to transfer their liability on to the customer in such a maner, and one has to question why our legislators still act in their favour and not that of the customer….