From: | "J.W.Thomas" <cm5323@***.AC.UK> |
---|---|
Subject: | Re: Credsticks |
Date: | Wed, 8 Feb 1995 14:09:44 +0000 |
From n9475426 Wed Feb 8 13:23:21 1995
Message-Id: <m0rcCMa-0003tqC@****.wlv.ac.uk>
From: n9475426 (J.S.Webster)
Subject: Re: Credsticks
To: cm5323@****.wlv.ac.uk (J.W.Thomas)
Date: Wed, 8 Feb 1995 13:23:18 +0000 (GMT)
In-Reply-To: <m0rc8U0-0003tiC@****.wlv.ac.uk> from "J.W.Thomas" at Feb 8,
95 09:14:44 am
On Tue, 7 Feb 1995 00:47:46 +0930 Robert Watkins <bob@**.NTU.EDU.AU>
was replying to my bankjob post
>
> > <CHOPPER> You use it to authorise your transactions, yes?
> > So it holds all your Bank PIN numbers and stuff, as well as your
> No... it holds _part_ of a key to a database that holds that information.
> The other part of the key you have to provide, in the form of some sort of
> verification performed by the credstick reader you are using. This can be a
> short code (ie, a PIN), to anything up to a genetic analysis. For more
> information, check out NAGRL. The complexity of the test is dependent on
> the size of the transaction.
GrIfTeR StEpS iN
Which IS ON THE STICK. The stick holds enough data to tell
someone where you live, what you look like etc. Some people put
their keycodes on them. All locked away by the
code/fingerprint/retinal scan it takes to activate the stick...
BUT if you record the stick from a shop terminal it has just
given you all the details it takes to access the bank account.
>
> > And when you authorise a transaction by terminal, the chip gives
> > the shop/whatever your bank ID and authorisation for a sum of
> > money to be transferred
>
> Yeah... right. And the bank computer then yells back asking for
> verification. And guess what? That database where all that personal, hard
> to forge info is where? At the bank. :)
So? If you're working from a shop term, the fool stickowner has
just given the necessary authorisation to clear a 'payment'. You
just record this verification (code/finger/retina) as it's sent
out to the bank and the stick's security is lost.
> > >
> > > Certified credsticks just have a chip with the value of the things on it.
> > > They're transported blank, so stealing them is a bit useless. Also,
> > > changing the data on them must be damn near impossible, or such
> > > counterfeiting would be rampant.
> > <CHOPPER>as rampant as credit fraud today?
> > You don't change it, you PROGRAM IT, as the chip is BLANK
> But they don't HAVE all the programs you need. And credsticks are a far
> more secure scheme than credit cards.
They're still open to abuse. Credit card fraud is something like
3 billion/year NOW. Even if credsticks cut this by 50% it's still
over a billion dollars. And anything you can invent, someone
else can invent the countermeasure to.
>
> *sigh* look, if you couldn't change the amount on them, they wouldn't be
> any more useful than coins and notes, and a damn sight more inconvenient.
So you CAN alter the amount on a certified credstick,
so what's to stop you hacking one and adding an extra few zeros?
Each credstick type has a maximum value it can hold, but no
restrictions on who can use it or how many times it works
...so you just keep running the
1,000 =Y= stick to the limit then paying it into bank accounts.
> You can't have it both ways, Chopper. Either the chips are useless to you,
> and therefore lightly guarded if at all, or they are very valuable to you,
> and to the corps, and so they are heavily guarded. Moral of the story:
> If it's easy to do, then there probably isn't much point in doing it.
NO NO NO... what Chopper was saying is that the CHIPS are like
banknote paper. Hard to get, but useless unless you know what to
do with it, so it's not as secure as a CASH shipment.
> > This DOES happen now, with crooked shops taking your credit
> > card, copying the signature and details and using them to buy
> > stuff.
>
> Any secure system will have a time-dependent algorithm as a key, with at
> least part of the algorithm stored in a place where you can't get it.
Like where? Anywhere someone can get to on a regular basis to
authorise a transaction can't have heavy security.
You see, you have to balance security and ease-of-use.
Imagine you had a Timelocked Vault door on your bathroom...
Very secure, yes?
Completely useless, as you can't get in without hours waiting.
And how can you use a time dependent algorithm anyway? Does the
stick owner memorise it? <NO> Does it get stored on the stick
<easy to crack it and copy it> or is it in the bank? <useless>
>
<From the Cornflake killer>
> I like the idea though.
> But all serious loads of money are seldom transported by road.
> Because the things you described are likely to happen then.
> The usual mode of transportation is by air, in case of huge amount of
> credit.
ThE GrIfTeR SpEaKs
What you're after isn't the CASH, as that's just numbers in a
program. What you're after is the blank chips they use to make the
'sticks, as then you can forge sticks
(assuming they use special chips, like banknote paper)
>
GRIFTER
Ancestor of the Mountain Bike