On Mon, Dec 13, 1999 at 12:12:42PM -0800, David Honig wrote:
> Wouldn't a thumbprint reader on the card (to authenticate the meat to the
> smartcard) be a tougher thing to shoulder surf?
> Does raise the cost over a PIN.
I'm not sure if biometrics would help with the sort of attack this
appears to be.
It sounds like the modified card readers/number pads record everything.
The information on the magnetic strip, the PIN entered on the keypad,
possibly everything going over the wire too (these devices dial the bank
to authenticate).
Any biometric information could also be recorded and replayed. I guess
it would be more difficult because you couldn't use the information at a
regular ATM the way you can with card+PIN; you'd need a compromised
machine to feed the information to.
> Aren't there protocols where the exchange can't be replayed, but
> proof-of-knowledge is demonstrated?
That would require a smart card, or a cryptographically strong operation
that the user could do in their head (which would probably get filed
under "too hard to use").
Anything depending on a regular magnetic card and PIN would probably be
vulnerable to whatever attack we're seeing here.
> Or would these exchanges require on-line connectivity, thereby defeating
> the utility of smartcards some?
I'm not sure if I'd trust a smartcard-based system that didn't require
on-line connectivity. From what little I've seen such things usually
(always?) depend on the tamper resistance of the device for their
security (e.g. M*nd*x).
The current debit card system requires on-line connectivity to verify
the card+PIN and transfer the funds. It's basically the same as using an
ATM machine. If you have a bank account and a card to access that
account from an ATM machine, you can use it all over the place instead
of cash. Some places even let you withdraw cash when making a
transaction. Here in Canada it's about as widely used now at
point-of-sale as credit cards are, maybe even more common, but you can't
order stuff over the phone the way you can with credit cards.
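The replay point made above, as an added example that is not part of the original message or the thread: a skimming terminal that records everything it sees is modelled against two bank back-ends. With static card+PIN the recording authorizes again verbatim. With a challenge-response scheme (here assumed to be HMAC-SHA256 over a random bank-issued nonce, keyed by a secret that never leaves the card; the message names no particular protocol) the same recording fails, both when replayed with the captured challenge and when paired with a fresh one. All card data, PINs and keys are constructed for the demonstration; the class and function names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed sample data; none of these values come from the original message.
TRACK2 = "4111111111111111=2312101"   # hypothetical magnetic-stripe track data
PIN = "1234"                          # hypothetical PIN


class SkimmedTerminal:
    """Models the modified reader/keypad described in the thread: it records
    everything that passes through it, then forwards it unchanged."""
    def __init__(self):
        self.log = []

    def capture(self, *fields):
        self.log.append(fields)
        return fields


class StaticPinBank:
    """Card+PIN over the wire: the bank compares what the terminal sends
    against the stored values, so a recording is as good as the card."""
    def __init__(self, track2, pin):
        self._track2 = track2
        self._pin = pin

    def authorize(self, track2, pin):
        return (hmac.compare_digest(track2, self._track2)
                and hmac.compare_digest(pin, self._pin))


class ChallengeResponseBank:
    """Bank side of an (assumed) HMAC challenge-response scheme: it issues a
    fresh random challenge and accepts a response only if it is the HMAC of
    that exact challenge under the card's key and the challenge is unused."""
    def __init__(self, card_key):
        self._key = card_key
        self._outstanding = set()

    def new_challenge(self):
        c = os.urandom(16)
        self._outstanding.add(c)
        return c

    def authorize(self, challenge, response):
        if challenge not in self._outstanding:
            return False          # never issued, or already consumed
        self._outstanding.discard(challenge)   # single use
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def card_respond(card_key, challenge):
    """The smart card's only job: HMAC the challenge with a key that never
    leaves the card, so the terminal sees the response but not the key."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


def replay_static_pin():
    """Returns (live_ok, replay_ok). Both are True: a recorded card+PIN
    exchange authorizes again later, at this or any other terminal."""
    bank = StaticPinBank(TRACK2, PIN)
    terminal = SkimmedTerminal()
    live = bank.authorize(*terminal.capture(TRACK2, PIN))
    recorded_track2, recorded_pin = terminal.log[0]
    replay = bank.authorize(recorded_track2, recorded_pin)
    return live, replay


def replay_challenge_response():
    """Returns (live_ok, replay_same_challenge_ok, replay_new_challenge_ok):
    (True, False, False). The recording is useless without the card's key."""
    card_key = os.urandom(32)          # provisioned into the card, unknown to the terminal
    bank = ChallengeResponseBank(card_key)
    terminal = SkimmedTerminal()

    challenge = bank.new_challenge()
    response = card_respond(card_key, challenge)
    live = bank.authorize(*terminal.capture(challenge, response))

    rec_challenge, rec_response = terminal.log[0]
    replay_same = bank.authorize(rec_challenge, rec_response)   # challenge already consumed
    replay_new = bank.authorize(bank.new_challenge(), rec_response)  # wrong challenge for that MAC
    return live, replay_same, replay_new


if __name__ == "__main__":
    print("static card+PIN (live, replay):", replay_static_pin())
    print("challenge-response (live, replay same, replay new):",
          replay_challenge_response())
```

Note that this only covers the replay problem the message is about: the bank still has to be on-line to issue and check the challenge, and a compromised terminal can still relay a live session to a transaction of its own choosing while the card is in the slot.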