At 10:49 13/12/1999 -0500, Steven M. Bellovin wrote:
> If so, a simple visual recorder -- already used by
>other thieves -- might suffice, and all the tamper-resistance in the world
>won't help. Crypto, in other words, doesn't protect you if the attack is on
>the crypto endpoint or on the cleartext.
This doesn't work. The PIN is derived by adding a "PIN Offset" which is
stored on the magstripe to the "Real PIN" which is cryptographically
derived from the account information. If you can't duplicate the magstripe,
the PIN you have shoulder-surfed is useless. (To caveat my own words...
this is one of the internationally standardised and widely deployed
methods. I don't know how the other ones handle this problem.)
Greg.
Greg Rose INTERNET: [EMAIL PROTECTED]
Qualcomm Australia VOICE: +61-2-9181-4851 FAX: +61-2-9181-5470
Suite 410, Birkenhead Point, http://people.qualcomm.com/ggr/
Drummoyne NSW 2047 232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
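
The offset scheme described in the message above, sketched as an added example that is not part of the original post or of any issuer's code. Assumptions: HMAC-SHA256 stands in for the issuer's cipher, "adding" is taken as digit-wise addition modulo 10, the PIN is 4 digits, and the key, account number, PIN and all function names are constructed for illustration.

```python
import hashlib
import hmac

PIN_LEN = 4
DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's secret key


def natural_pin(key: bytes, account: str) -> str:
    """The 'Real PIN': derived from account data under the issuer's key.

    Assumption: HMAC-SHA256 stands in for the issuer's actual cipher.
    """
    digest = hmac.new(key, account.encode(), hashlib.sha256).hexdigest()
    # Decimalise: hex 0-9 map to themselves, a-f fold onto 0-5.
    return "".join(str(int(c, 16) % 10) for c in digest[:PIN_LEN])


def add_digits(a: str, b: str) -> str:
    """Digit-wise addition modulo 10, no carry between positions."""
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_digits(a: str, b: str) -> str:
    """Digit-wise subtraction modulo 10, the inverse of add_digits."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def make_offset(key: bytes, account: str, chosen_pin: str) -> str:
    """Offset written to the magstripe when the customer picks a PIN."""
    return sub_digits(chosen_pin, natural_pin(key, account))


def verify(key: bytes, account: str, stripe_offset: str, entered_pin: str) -> bool:
    """Issuer-side check: natural PIN + offset read from the stripe == entered PIN."""
    expected = add_digits(natural_pin(key, account), stripe_offset)
    return hmac.compare_digest(expected, entered_pin)


def demo() -> dict:
    account = "4000001234567899"  # constructed account number
    pin = "4821"                  # constructed customer-chosen PIN
    offset = make_offset(DEMO_KEY, account, pin)
    wrong_offset = add_digits(offset, "1000")  # stripe data that does not match the card
    return {
        "genuine stripe, correct PIN": verify(DEMO_KEY, account, offset, pin),
        "correct PIN, wrong stripe offset": verify(DEMO_KEY, account, wrong_offset, pin),
        "genuine stripe, wrong PIN": verify(DEMO_KEY, account, offset, "4822"),
    }
```

Only the first case in `demo()` verifies: the entered PIN is checked against a value that depends on both the issuer's key and the offset carried on the stripe, so the check binds the PIN to that stripe data.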