Tuesday, May 08, 2007

Security Screams for the morning

Firstly, Radio Scotland was discussing the new proximity debit & credit cards - where transactions up to £10 can be done without necessarily going through the full transaction authorisation process (i.e. no docking, no pin entry). To deter fraud, there will be both a limit on the number of transactions that can be conducted without authorisation (and, I believe, this will be stored on the card. That may well lead to the possibility of a card cloning situation where the fraudulent card is programmed to always answer "first transaction" when asked how many non-auth there have been, so some degree of back-end recording and audit will be necessary), and there will also be a random selection of transactions for on-line authentication. Enough, what caused the scream. Well, according to the expert from the regulatory board of APACS, these cards are continually broadcasting an encrypted subset of your card data.

Err, no. For a start that would have the "microwaves are rotting the brains of our children" crowd up in arms. Never mind that many people normally keep cards in or around their trouser pockets. Anybody else remember "Radhaz is Dadhaz"? What the cards actually do is take power from a proximity reader, via inductive power transfer, and then act in a transponder type "challenge - response" manner. So if you either never go near a terminal or use one of these, your card is unlikely to activate.

Not that that is a defence against fraud, particularly, because a fraudster can create a base station (or use one acquired as, or posing as, a legitimate merchant). And criminals are unlikely to obey restrictions on transmission levels for unlicenced radio devices ... Still we'll see what Ben or Ross, or their mates, manage to come up with.

The other scream - am typing this on a kiosk terminal. When I logged in it complains that Blogger's SSL cert is "not yet valid". Date is set to 25 July 2003. Because it is a kiosk, I can't change the date so had to keep clicking through. Do you wonder why punters ignore computer warning messages?


No comments:

HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2013.