ec2-34-229-119-176.compute-1.amazonaws.com | ToothyWiki | ChipAndPin | RecentChanges | Login | Advent calendar | Webcomic

So, what would be the ideal system for transactions?

There are several websites talking about this (ToDo link to some of them, FreeCash? and the gold one for a start)

Here's our discussion about it.

The aim is to make a system where only the owner of the cash can spend it.  It would be nice to make it untraceable except to verified auditors too.

Pasted in from base page - ReFactor? it to be nicer some time

The problem is, of course, that your average punter can't do PublicKeyCrypto? whilst in a queue.  I mean, even us mathmo types need pen and paper...  And anything short of that is stealable.

Personally, I am working out my weekly budget and will withdraw cash from the bank every MondayMorning.  --Vitenka (Yes, I'm aware there's no real advantage to doing this, but I feel like doing it anyway)
If I am forced to use one of these cards, I will specifically ask each shop I enter whether they use the ChipAndPin system. If they do, I will politely explain why I don't trust their keypad, and walk out. You can always get stuff from somewhere else, and it would kind of send a message. Anyone fancy joining me? --Admiral
I'm in. - MoonShadow
Sadly, unless a very large number of people join in, it's too late.  It's a done deal.  Shops are saying that every shop will be moved to ChipAndPin by Christmas.  --Vitenka
Well, they will have lost my business then, won't they. There's always the market and Daily Bread. --Admiral
No.  If you have to not use a card then you can use any shop equally.  You're just boycotting every shop which requires cards.  Which is, even for my irrationality, a step too far.  --Vitenka
So the problem is that the banks have conspired with each other to all introduce the card at the same time, and to switch all shops over to the system as quickly as possible, to avoid the possibility of a group of people boycotting a proportion of shops or banks that is far from none or all, therefore reducing the impact that any given boycott could have had. Therefore, there is a small window of opportunity for a boycott to be effective - between the time that the first shops start using the system and the last shops are converted. The only way such a boycott will work is if a large proportion of the population takes part. The problem is that the majority of people do not understand why the system is bad for them. They trust the banks to work for them, and the banks have told them that the system is good. Does anyone know of any way to persuade a large proportion of the population? Write to Watchdog? --Admiral
Become a politician or news reporter ;)  Seriously, most of the population thinks it a slightly annoying but obviously good thing.  Small shops are getting their replacement units for free.  Supermarkets will of course switch en-masse, but they are holding out for longer.  Damn it - they could easily have made the jump to full anonymous secure electronic cash.  But nooo, we get a half hearted less secure system instead, purely because the banks like to attack the problem they can see rather than prevent all problems - and because they are getting better at PR.  --Vitenka
I would be most interested to learn what RossAnderson is doing about this affair - even if he has a card at all, given how bad he know the system is. Maybe I'll send him  an email. Of course, the banks have lots of money and a very good reason to pay people to keep quiet, so there may be quite a bit of opposition to publicity. --Admiral

One possible "solution" (not really a solution, more a method of limiting the damage), would be to open a second current account with no overdraft and transfer money into it from your main account once a week or so. Then destroy the card for your main account so the most anyone could get from stealing your card and pin would be your budget for one week. --qqzm
As you say, not really a solution.  Nor is moving to cash, or bvartering for everything with cows, before anyone suggests those :)  However, it's not entirely irrelevant as a practical thing to do.  Certainly slightly better than my using 'cash' as that second account, which was what I was going to do until you suggested it.  --Vitenka ( /PracticalSolution maybe?)

Of course, the proper solution would be to have the amount display and the keypad on the card itself - that way you are entering your passphrase into a trusted piece of hardware. Better still, use something non-shoulder-surfable, rather than a typable passphrase.
See [EMUE] for a new card that has a keypad and a display. They are using it for cardholder not present verification (OTP generation) and verifying that the person calling you is really from the bank. I kind of feel they have missed a great opportunity to secure cardholder present transactions. --Admiral
Interesting.  The card can prove to the bank that it is for real via signing with a key that only the bank has the counterpart to. The bank can do likewise.  Add a unique id for each transaction, and man-in-the-middle goes away.  About the only thing left to do is steal the card and the signature.  Biometrics could make violence the only option there.  Problem - how much would people be prpared to pay for such a card, and how could the banks guarantee that the card runs no intrusive programs?  --Vitenka
Of course, the bank doesn't actually need to authenticate to the smartcard. All that needs to happen is for the vendor to present to the smartcard interface a description of the transaction. The smartcard should display the amount to be transferred on its own display. The user should by some method authenticate his presence and willingness directly to the smartcard (for example by PIN), and the card adds a sequence/random number to the description and signs it cryptographically, and returns it to the vendor. --Admiral
So yes, the card creates a digital cheque, saying how much money and who it is paid out to and the user then tells the card to sign it.  The bank gets a timestamped order to transfer the money which could only have come from that card.  Oh - one problem:  If the card is able to make a transaction on its own, then dismantling the card would allow a fraudster to have it approve any transactions.  So the bank must send some information, which is then combined with the users passphrase and sent back (under the signing)  This does mean that the users key will have to be a lot longer than four digits to be even slightly secure.  Which means it has to be a phrase or maybe biodata or similar, not a number.  One nice advantage of this would be a better audit log - preventing a fraudster at the bank from creating transactions in your name (without your key anyway)  --Vitenka
There isn't actually any requirement for the passphrase to be longer than four digits. The card would have to have its secret cheque-signing key encrypted with the passphrase (which rules out biometrics), with the proviso that the secure electronics in the chip lock down the key after three failures. The method of lockdown could be: Make up some random number, encrypt the signing key with it, encrypt the number with the bank's public key, store the encrypted number, and throw away the plaintext signing-key-encrypted-with-passphrase and the plaintext number. Then the likelihood of an attacker retrieving the plaintext signing key is very low, and an idiot can still unlock the card by going to a cash machine and getting the passphrase right. The bank would limit the number of unlocking sessions, or flag up "unusual use" if there are too many. Of course, the card may still wish to communicate with the bank during a transaction, but only to see if the bank is willing to accomodate the amount being transferred. --Admiral

I think we need a seperate BioMetrics page.  --Vitenka
Having gotten that, then if the chip stores the secret then the secret can be gotten out of the chip by dismantling it.  Although I guess you can make it require very hard work to get out.  Hmm.  The secret is a totally random number, no pattern to it, so I guess just block xor-ing the pin across it would actually do.  And a customer is likely to notice if the vendor dismantles the card before plugging it in.
Yes. you would hope that the cardholder would report the card missing within a day of losing it, thereby reducing the amount of time available to someone to retrieve it. And of course you can make the card do some detecting of whether it is under attack, and have it destroy weakly-protected data as I describe above. --Admiral
(PeterTaylor) I'll be impressed if you manage the latter. No-one's managed it yet.
Well, there's the simple way of making it lock up after someone gets the PIN wrong three times. Of course the next point of defense is to make system such that it costs sufficient amounts to successfully attack the card, that either the reward is too small, or it is important enough for the police to pay attention and catch the person doing it. That may be hard. --Admiral
You're still thinking of an attack via the published interface.  I'm talking about the kind of analysis you can do once you prise the glue off and read out the flash memory directly.  You can make it hard, but emptying an account is always worthwhile.  TamperProof?ing the cards is an option, but you'll have to send out replacements to cards that nuke themselves due to getting bent in the wallet a lot.  (ie. costly)  --Vitenka
Actually, I am thinking about attacks other than via the published interface. You can make the published interface very simple (and therefore hard to crack). However, where I was saying to make the system hard enough to attack, I was referring to prising the chip apart. Now I don't know much about the current state of affairs in chip prising-apart, so here's a question for anyone who does: How long does it take to prise a chip apart and/or do power usage analysis, in order to read the unpublished data on the chip? The SimpleFact? is that the average user is not going to want to enter a large enough passphrase to decrypt sensitive data on the chip on every purchase to protect such sensitive data if someone is able to read the data by prising the chip apart. Therefore, the only option is to increase the cost/time of retrieving that data from the chip. --Admiral
Check out [Markus Kuhn] and [Ross Anderson]'s pages. In particular, [this] is relevant. Reading stuff out of the current generation of smartcards is simple and cheap, basically. - MoonShadow

One last disadvantage of not doing the comms in real time, it would allow a vendor to take a copy of the digital cheue, and submit it to two separate banks.  But that's just a problem for the banks network.  So yes, ok, that seems workable.  --Vitenka
Hence the card adding a sequence/random number to the digital cheque, so that it can only be used once. --Admiral
You've still got the kind of attack that works today, withdraw money from three ATMs simultaneously on a Sunday night and laugh.  The banks network should shrug it off, but right now it doesn't.  --Vitenka

So, how do any of these ideal systems stop the two most obvious attacks: looking over someone's shoulder and then stealing the card, or mugging someone and forcing them to tell you the number? And is there any point in spending however-much it would cost to create these supercards when there's such a simple way of getting around them?
Well, I can think of two defences.  First, it would be nice to be able to provide a number which seems to work, but which logs the transaction as criminal.  You give that one out (when forced) and wait for the police.  Secondly, you have to rely upon auditing I guess - and no, a PIN just isn't as good as having to be there and put your hand on a bit of paper.  But I would say that getting to "you have to know that the number is stolen" is probably good enough.  And before you protest, no, neither of these ideas has been previously talked about here.  --Vitenka
And why can't you do the first one without all this fancy stuff, and just with the system as suggested?
No reason - but it requires a change to the system.  Since they are making such a change, why not do something obvious like that and add it in now?  --Vitenka
And what extra auditing does this fancy stuff give you over the system as suggested?
Currently all you have is 'this data was used at this time' - we are talking about making it much harder to seperate the data from the card.  With the current system it's pretty trivial to just listen in on the phone call (and yes, that's a simple as connecting a modem to a second line) alter it slightly and make multiple charges to that account from many different merchants.  --Vitenka (as well as many other attacks)
And how do you know the number is stolen if somebody looks over your shoulder while you're typing it on your card?
Hence my suggesting it ideally needs to not be something stealable.  A unique number for each transaction, calculated on the spot was my first TongueInCheek? suggestion.  It's really the only thing that will work though.  It is probably sufficient though, to make it so that the card needs to be stolen.  If the card is copiable, you have many more avenues of attack.  --Vitenka
And surely what you're actually going to know is that the card is stolen, at which point you assume that the number is gone and call up and cancel it?
Agreed.  The real problem is, as I say, that currently (and with the current proposed system) it is easy enough to copy a card, so that you don't know it's stolen.  Then they can wait, perhaps for weeks, before emptying your account.  Or drain it out slowly, whichever is more effective.  --Vitenka

Biometrics is mentioned above, on the other hand. Combined with a PIN, it makes shoulder-surfing rather less useful. It does have problems of its own, though. - MoonShadow
I'm amazed that the man who was shocked at the idea of a national ID card is talking about fingerprints, or whatever, on a credit card being a good idea...
I'm not saying it's a good idea, but it is an obvious one.  --Vitenka

How about taking a cheep, low quality picture of the person making every card transaction. You then have a good idea later on if the card was used fradulently and you have a picture of your suspect. -- King DJ
...and print it on the back of the receipt, both the customer-kept one and the audit trail one. Also take one of the person at the till at the same time. - MoonShadow
That could actually work.  I don't like taking pictures on principle, but the principle has little rationale behind it and I'm asking for an audit trail.  Plus getting a piccy would be a positive benefit of the cards.  I spot an implementation flaw, though - bets as to how many checkpoints accidentally (or otherwise) would position the cameras to see the pin as it is typed?  --Vitenka
Use a still camera, triggered somehow? --CH
Something like that.  The difficulty is that the punter somehow has to be able to see that the camera isn't triggering and that the picture doesn't go anywhere except the reciepts.  You also need something in the picture to show that it was at a given shop on a given day.  Just printing that on is a bit too easily manipulated.  --Vitenka
Digital watermark springs to mind - although obviously you'd need to save the file as well as print it - which could prohibitive in terms of HDD space --CH
Slap the date on the photo bitmap. Sign with the till's public key and print enough bytes of the signature to make a collision search cost more than defrauding the shop will earn below the photo. - MoonShadow
I didn't mean that it is hard to get the proof on to it, I meant that it is hard to show the person whose photo is being taken that this is being done.  Also you've gone the opposit way in proving that it's only being used for this audit - once it's saved to the HDD it can go anywhere.  I would predict a small but flourishing market in stub photos of celebrities.  Even worse if it's coupled with a reciept!  --Vitenka
ItsNotABugItsAFeature. I'm a celebrity, now I can go shopping then sell my receipt on Ebay and make a profit ;) Encrypt the version on the till audit trail so the shop clerk can't use it. - MoonShadow

ec2-34-229-119-176.compute-1.amazonaws.com | ToothyWiki | ChipAndPin | RecentChanges | Login | Advent calendar | Webcomic
Edit this page | View other revisions | Recently used referrers
Last edited November 19, 2008 3:49 pm (viewing revision 36, which is the newest) (diff)