- Xref: sparky sci.crypt:3144 alt.security:4290 comp.security.misc:1192
- Path: sparky!uunet!mcsun!uknet!cam-cl!cam-cl!rja14
- From: rja14@cl.cam.ac.uk (Ross Anderson)
- Newsgroups: sci.crypt,alt.security,comp.security.misc,local.crypto
- Subject: ATM fraud
- Message-ID: <1992Sep8.115050.8694@cl.cam.ac.uk>
- Date: 8 Sep 92 11:50:50 GMT
- Sender: pb@cl.cam.ac.uk (Piete Brooks)
- Reply-To: rja14@cl.cam.ac.uk (Ross Anderson)
- Organization: U of Cambridge Computer Lab, UK
- Lines: 23
-
- A new type of ATM fraud has just arrived in London.
-
- An auction was advertised at which video cassette recorders and other
- consumer electronic goods were for sale at very low prices. A lot of
- people turned up and were asked to provide identification at the door -
- this is normal enough at auctions in Britain - and the preferred means
- of identification was a bank or credit card (you had to swipe it in a
- reader and enter your PIN at a nearby keypad).
-
- This sort of `false terminal attack' was first reported in the USA in
- about 1988. You'd think the banks would warn people about it, but
- instead they seem determined to introduce PIN pads in retail outlets
- here. The idiots seem to believe that this will cut fraud from the
- current \pounds 200 million plus, but in practice it means that every
- bent merchant in the country will be able to collect card and PIN data.
-
- What's the point of designing wonderful cryptographic systems when the
- customer corporations think they know it all and build implementations
- that are trivial to break even without cryptanalysis? And what should
- we taxpayers believe about the government's systems? Are civil servants
- better at system design than bankers, despite earning half the salary?
-
- Ross
-