Comments on: Optimised to fail: Card readers for online banking

By: Marite Ferrero

Marite Ferrero — Thu, 12 Nov 2009 12:21:47 +0000

Jad’ | April 21st, 2009 at 13:20 UTC said ” In France, we use CHIP&PIN for more than 20 years… As a result there is less fraud, and there is no case of assault for PIN, yet.”

Hi Jad, April 12, 2002, 4 men broke into my house while I was sleeping. They stayed for about an hour, asking me for my pin-codes and choosing what they wanted to take from me.

Let me tell you something you might not have heard of. I told them that they can take all my cards but I cant give them the pincodes since they (my american cards) didn’t have pin-codes. They took many things with them (cash, laptops, mobile phones, jewelries) but they left all my american cards. This incident was reported with the gendarme in my area.

The gendarme and police told me that thieves often assault cardholders for the cards and the pin-codes.

By: Marite Ferrero

Marite Ferrero — Thu, 12 Nov 2009 08:10:30 +0000

Gerald Levin’s (CNN’s former CEO) son (Jon Levin) was tortured and murdered by one of his students for the pin-code of his ATM card.

http://www.google.com/search?hl=en&source=hp&q=Gerard+Levin+pin-code+son+murder&aq=f&oq=&aqi=

By: David Haslam

David Haslam — Tue, 16 Jun 2009 14:16:32 +0000

While on the subject of online banking, has anyone in the group looked at the Rapport software that RBS is advising their customers to install? Several other banks are doing the same.

http://www.rbs.co.uk/global/f/security/security-advice/protect-yourself/computer/rapport.ashx?DCMP=OTC-rapportFURL

Can the security claims for Rapport can be demonstrated?
Does this product introduce more security risks than it claims to solve?

Here’s the supplier’s web page about the product.
http://www.trusteer.com/the-problem

David

By: Jad'

Jad' — Tue, 21 Apr 2009 13:20:28 +0000

Guys, look around you. UK is not the only country ro use CAP, and it’s no even new!
In France, we use CHIP&PIN for more than 20 years…
As a result there is less fraud, and there is no case of assault for PIN, yet.

By: Haitham

Haitham — Fri, 03 Apr 2009 19:29:08 +0000

I’ve read the Paper with the title of “the Man-in-the-Middle Defence” by Ross Anderson and Mike Bond and it seems very help and very rich-in-content!
Still any help on how to encounter the real-time MITM attack would be much appreciated!

By: Haitham

Haitham — Fri, 03 Apr 2009 18:52:09 +0000

Indeed, best-read in ages! I think I am just losing faith in our online banking security! This is all scary and something must be done about it SOONER rather than later!
Our great authors, in Page 2, where you talked about the real-time MITM attack and where you wrote this: “This class of attack can be resisted by cryptographically binding the one-time code to the data of the transaction being attempted – transaction authentication. A robust way to do this is to provide the customer with an electronic signature device with a trustworthy display on which she could verify the transaction data, a trusted path to authorise a digital signature, and a tamper-resistant store for
the signing key.”,
Is there any chance that you could possibly forward me to where I can find some more details on how to encounter the real-time MITM attack, please?
Thanks in advance!

By: Vicky Larmour

Vicky Larmour — Tue, 17 Mar 2009 12:25:30 +0000

@Steven: Thanks very much for the pointers. I’m sure that having more voices adding to the pile of complaints can’t hurt.

By: Steven J. Murdoch

Steven J. Murdoch — Tue, 17 Mar 2009 11:27:39 +0000

@Vicky APACS, who are the official spokesman for the banks, said that they were already aware of the vulnerabilities. Barclays claimed their system was infallible! You still might get something different from the customer care representatives, rather than their PR side. The BBA, like APACS, represent the bank and not the customer, so are unlikely to help. The Financial Ombudsman Service have a narrow remit in settling disputes, so don't seem appropriate. They also have been the subject of substantial criticism. Probably your best approach is the Financial Services Authority, who are at least accountable to parliament. They are having their own problems at the moment though. Your MP is also in a good position to apply pressure to the right people.

By: Vicky Larmour

Vicky Larmour — Tue, 17 Mar 2009 10:57:46 +0000

This is all quite horrifying. I was worried enough about Chip & Pin but this takes it to a whole new level.

I assume that complaining to the banks is likely to be met with a form response about how they care for our security etc etc. Any suggestions as to who better to raise this with? Banking Ombudsman?

By: Nick Leach

Nick Leach — Tue, 10 Mar 2009 23:40:17 +0000

No you are right, I just looked into this a bit deeper and there has been an update to the spec to deliberately remove the setting of the field that would have made the two modes of operation different. It’s always easy to be wise after the event: but it would have seemed sensible to have at least one field different between the two modes of operation, even if it were hard coded to different values. I stand corrected, good spot!