ec2-34-229-119-176.compute-1.amazonaws.com | ToothyWiki | ChipAndPin | RecentChanges | Login | Advent calendar | Webcomic

Okay, so I sent an email to RossAnderson. This is his reply:

Yes, it's happening, and there's probably not much you can do about it. The burden of proof will be shifted more on to the user,
and as a result bank staff will get careless. Some of them will become dishonest. There will be an epidemic of fraud. Then will be the time to have a go at the politicians.

And this is his reply interspersed with the discussion that it triggered:

Yes, it's happening, and there's probably not much you can do about it. The burden of proof will be shifted more on to the user,

Non sequitur. Unless you can point to any actual changes in, for example, the Banking Code which shift the burden more heavily onto the user. Can you, Mr Anderson? Can you?
Whilst I cannot speak for Mr Anderson, I feel obliged to point out that there need be no changes.  A shift in attitudes is all that is required to make it a practical reality, if not a legal one.  Banks can also deny you credit without giing any reason at all - such blacklisting being pretty much a death sentence unless you already own property.  --Vitenka
A death sentence?  Don't you think that's exaggerating just a little bit?
Yes.  Sorry, that was a slight InJoke? reference.  Blacklisting is still a really bad thing to have happen, but it's not the literal DeathThreat? that it is in countries lacking a safety net.  --Vitenka
A shift in whose attitudes? The relevant authority is the financial ombudsman or (if it comes to that) the courts, both of whom are well aware that PINs are not the be-all and end-all of proof. What possible reason is there to believe that they'd suddenly start thinking otherwise?
Remember that the whole impulse to puit this new system in place has been those doubts.  The argument runs something like: "The system isn't secure / Ok, here's a new system / This person claims fraud / but we have our shiny new system that YOU asked for / Oh, ok."  --Vitenka
Rubbish. The system is more secure. It is more difficult under the new system to steal and use a card. Even you accept that. Even Moonshadow accepts that. No one thinks it's perfectly secure, just more secure. Check out any of the guff you got from your bank about it: do they say it will elimiate fraud, or that it'll reduce it? Do you doubt tht it will reduce it?
That's semantics.  I do doubt that it will reduce it.  It will make it more difficult to work out how to do it, but that won't matter.  As MoonShadow pointed out in ClassBreak - a few smart people churn out the equipment and then all the little StreetThugs? can do it.  Also, what a company says in its advertising and what they really think are somewhat unrelated.  How much do they think that it will reduce fraud?  Enough that they can claim a PaperTrail? is enough evidence against it?  --Vitenka

So you really think that it'll be as easy to set up CCTV-hacking-vans, and webcam-backpacks with some telepathic communication to accomplices, as to just lift a wallet and use the card? Is it not obvious that you're making it so much harder to do will reduce how often it's done?
I will respond to that when you stop beating your wife ;) - MoonShadow

sigh You are deliberately provoking us into errecting large "no but it is possible" reposnces and then using their unliklyhood to attack the reasonable problems.  This is irritating.  The system is simultaneously making the current exploits harder, but the new exploits worse  (Well, better from the pov of the exploiter).  This tradeoff is one that I do not think will reduce the rate of occurence.  --Vitenka

How are the new exploits worse? There's only one new exploit I can think of that is plausible: looking over someone's shoulder in a shop, then nicking the card and using it. This will probably happen. But how is it worse than the current situation where someone looks over someone's shoulder at a cash machine, then nicks the card and uses it?

The worse one is the current one.  Pay underpaid kid at the counter 50 to use an altered machine.  Skim the cards, but as well as taking the cards, take the pin numbers.  Then use them however you like - done properly, you could either net a vast fortune in a few hours and skip the country, or a decent living over a period of years without anyone catching on.  The key is that you take the PIN as well as the card - it opens up realms of possible abuses.  --Vitenka

How precisely does taking the PIN get you much more than what you currently get from card-cloning? So you can use it to make withdrawals at cash machines as well as on the internet or over the 'phone. Big whoop. People that organise already have front-companies set up on the internet using dodgy credit-card portals like swreg.org so that getting the card details is practicaly like getting cash anyway. I don't see how this makes it worse. 
A front company is a real weakness in a criminal strategy.  It can be traced, shut down, watched etc.  A card that you can use anywhere in the country, on no notice?  That's as good as cash in hand.  Getting credit card details, currently, only lets you buy goods and services.  That's traceable after the fact, and provides a risk and thus a disincentive.  Yes, I expect that most fraud will just carry on as it does currently (no better, but no worse) but just the possibility of someone stealing cards slowly over time, then using them all at once is one worth stopping.  --Vitenka  (And yes, you're gonna use "but that's so unlikely" against me again now.  I maintain that suggesting a worst-case suggests all of the 'not quite as bad' cases too, but they're longer to type and not as interesting)

It's not that it's unlikely (which it is certainly not: it will happen), it's that it's no more unlikely under the new system than the current one. If you have the wherewithal to do that you also have the wherewithal to set up untracable front companies (and with the internet, and portals like swreg, it's not that hard: a fake address, a disposable bank account opened with fake ID). So you collect the cards, set up your front company, buy lots of stuff form your fake company, withdraw it all from the bank account, and walk away. There's no new danger. In fact, having to go to a cash machine where you will almost certainly be recorded by the built-in camera is probably more likely to get you caught.

It will happen. But it happens now. It won't happen more.
The gain is greater, it's no harder to do, the risk is not believably increased and probably decreased... and it won't happen more?  Your lack of logic disturbs me.  --Vitenka (I never get to be the one who says that.  I'm always on the receiving end)

The gain is no greater. You can get as much money over the internet as you can at a cash machine, probably more as you can do more in a single transaction. The risk is increased: you have to physically go to the cashpoint instead of sitting at home with the computer. And it is harder to do: instead of just copying out the details onto a bit of paper you have to modify a card-reader. So no, it won't happen more. It will still happen, of course, just like it does now.

Now who's bringing out the black helicopters? ;) Anyway, it's worse because it's much harder to link ATM cash withdrawals to people than anything involving paperwork. I open an account to receive transfers from fake transactions, it gets linked to me. I do it via a front, that just delays the inevitable. I do it via enough fronts, I might have time to grab the money and get out of jurisdiction before I'm traced; but basically, that's how the current generation of scammers get caught; either the tellers remember me, or the police are waiting when I turn up to close my account, or.. well, read the papers. Inevitably, the trail either links to me now, or will link to me in the future - otherwise, there is no way for me to get my hands on the cash (or goods+services). Now, if I grab cash from a bunch of ATMs, I leave no trail leading back to me. They can track me as far as the city I got the cash in, but they have no idea who I am. There is no record, and no reason for me to ever go back near anything linked to the scam once I have the cash in my hands. - MoonShadow
Worse.  I suspect that this already happens, but having the PIN certainly makes it easier: I (the atacker) perform my black and grey transactions just by handing over cloned cards.  Given wastage, say each card is worth 100.  Now when they are spent, there's no traceback to me at all - they get spent in a bunch of different locations.  Though I do have to be careful that not too many of them have been cancelled or overdrawn...  --Vitenka (Each one having a potential value of 1k should help though)

You do know that nearly all cash machines have cameras in, don't you? You've just left your picture all over the place. And over quite an extended period, too, if you intend to do it with a lot of cards.

Apart from this argument being on the wrong paragraph, the big difference is enforcement.  I was trying to avoid talking about how this risk inevitably leads to mass systems linking databases of faces to RealTime? camera enforcement, since that apparently sounds to you like BlackHelicopters?.  Anyway - the point is that a front company is an easier way to get to you than a number of flaky CCTV images.  The perceived risk is greater (I think the real risk is greater too, but I have no real info on that)  I may be aware that using a cash point is a daft thing to do, most people aren't.  And it's the 'most people' who would be committing the fraud.

Anyone with the resources to modify a card reader is probably part of some larger criminal organisation that will know exactly what they're doing with regards to laundering money, so front companies are not a problem.

Hold on a moment - you want us to believe in untraceable front companies from which profits can be milked and laundered without leaving any trails - when the newspapers regularly report on just such setups being traced and busted - when you refuse to accept that a London street-gang is capable of getting hold of a pair of wifi-enabled laptops, a webcam and a rucksack? Why should we consider your elaborate crime schemes if you refuse to consider ours? ;) - MoonShadow

The fact that the newspapers report on them being traced and busted just proves that they already happen and are in use, which is more than I can say for your pie-in-the-sky systems.

Such card readers are already around for the old cards.  Whoever made them, will certainly make new ones.  The people who make the machines sell them for cash in hand, I would expect.  The people operating them would be completely different people, and require much less skill.  Card skimming already happens.  Internet shopping etc. doesn't change, you can still do that, and you can also now get cash.  Cash is better than goods.  About 50% better in terms of resale value, and a lot better in terms of traceability and time.  So the benefit is greater, so the incentive is greater.  If your argument is reduced to "it won't get much worse" then I think we've run out of argument.  A new system should not be a vector for it to get ANY worse.  If it is, then why spend the money to switch to a newer more inconvenient system?  --Vitenka

You can't just 'make' new card readers. You have to modify the existing ones. The old card readers work because they just take the information, and the cards are swiped through out of sight of the customer. They don't have to actually do anything, like the transaction, or look authentic.  The new ones will have to actually do the business, in order to get people to type their PIN into them. That's significantly more work. It will happen, of course, but it'll be harder than the present system. You said it would be no harder: you're wrong. It will still be possible, and there will be modified readers, but they will be fewer and more expensive. And of course with the current system you can just steal a card with pen and paper; that option will disappear. And, in order to get money, you'll have to have equipment to put the details onto a card, probably eventually one with a chip. That's harder than using a fake card on the internet, and more expensive. Again, it's not impossible, but you said it would be no harder; you're wrong. It will be harder. Not impossible. But harder.

And, in order to get money, you'll have to have equipment to put the details onto a card, probably eventually one with a chip. Eh? This blatantly contradicts previous conversation.

I'm not convinced cash is that much of a benefit either. With the holding-company scheme, already in use, you can get large amounts of money that you get out the other ends as cash: it's a scheme that works (otherwise why would the criminals keep using it, to get busted as described above? Because not all of them get busted, that' why, and those that do have had a bunch of money put through them before they do). With direct-from-cash-machine cash, which you say is the great benefit which this system has for the criminal, you're limited to whatever the cash withdrawal limit is (paltry by the standards of what you can get through a front company) and you actually have to physically put yourself at risk by using a compromised card (which they may have worked out is compromised) in a cash machine, possibly one watched by the police if they know you're operating in the area, certainly having your picture taken.
That's fine for a lone look-over-the-shoulder opportunistic type, but these modified card-readers will only be available to sophisticated outfits, which will carry on much as they have done. They won't want the risk or the hassle of using a cash machine for the 300 or so they can get at a time when they can jusy sit in a room and rack up cash over the internet.

Yes, you said that last time. This has all been dealt with already. Simply reiterating your position does not make it any more convincing, and I am sure simply reiterating mine in response will not help either. Perhaps it's time to summarise the two opposing viewpoints? - MoonShadow

This new system won't make the outook for the professional criminl gang much better or much worse: they'll have a new technical challenge to overcome, but they will overcome it, and then carry on s they have before. But it will deter the opportunistic thief, because they can no longer just pick a pocket and use the card. they'll probably still pick the pocket, of course, just in case there's cash, but they'll throw the card away instead of using it.

And, to suggest yet another line of attack (stop attacking my specific lines of attack - the real problem is that having card and pin gives more options than having card alone) having a card and pin makes it much easier to steal the account entirely.  IdentityTheft? is a growing problem.  --Vitenka

Having card and PIN gives one, count it, one more option: you can withdraw cash from a cash machine. nd that's so risky as to be not worth doing for any crinimal syndicate with the nous to modify the machines. (your lone gun will probably keep to the over-the-shoulder method, and quickly get caught).

Anyway, you haven't addressed the main point. No one's claimed this will eliminate fraud. The system already accepts that PINs are overseen.
No, if that were the case, then the system would prevent a user from using a compromised pin again.  It doesn't.  --Vitenka (Who has just thought of at least two 'black helicopters' organised crime schemes, and won't be surprised to see one really happen)

What? You really think that nowdays having used a PIN is regarded as absolute proof that it was you that did the transaction? You really think that if someone looked over your shoulder, stole your card, and took money out, no one would believe you? You really think the banks, the ombudsman, and the courts are al under some delusion that this never happens?

I'll just quickly add - I would love for this system to happen and go smoothly.  But every time a system with a potential to harm the average user has gone live, it has been abused and harmed that user.  Every single time, every single system.  There are enough asshats around to wreck anything.  --Vitenka

and as a result bank staff will get careless. Some of them will become dishonest. There will be an epidemic of fraud. Then will be the time to have a go at the politicians.

And that really makes sense. Wait until it all goes wrong - you aren't likely to be one of the ones that cops it - and then say to the politicians "I told you so". --Admiral

And this is the irreverent bit:

Yes, it's happening, and there's probably not much you can do about it. The burden of proof will be shifted more on to the user,
and as a result bank staff will get careless. Some of them will become dishonest. There will be an epidemic of fraud. Then will be the time to have a go at the politicians.

...and then come the black helicopters... - ChiarkPerson
...and then the gnomes will seal their bank vault... --Vitenka
...and they'll find the WeaponOfMassDestruction.. - MoonShadow
...and then we will need BioMetrics to prove they're not your WeaponOfMassDestruction... - Blunkett

That's a strategy?  Like there's anything in the world we're not going to moan about ;)  --Vitenka

ec2-34-229-119-176.compute-1.amazonaws.com | ToothyWiki | ChipAndPin | RecentChanges | Login | Advent calendar | Webcomic
Edit this page | View other revisions | Recently used referrers
Last edited February 11, 2004 9:16 am (viewing revision 39, which is the newest) (diff)