Full disclosure and the banking industry: Burden of proof must be on bank
Posted Feb 28, 2003 10:26 UTC (Fri) by beejaybee (guest, #1581)
In reply to: Full disclosure and the banking industry: Burden of proof must be on bank by dwheeler
Parent article: Full disclosure and the banking industry
Sorry but the problem is that the PIN system is _technically_ broken. It simply doesn't matter what administrative safeguards are in place (though I accept that it is probably easier to get a bank to own up to a mistake, either honest or fraudulent, in the US than it is in the UK).
In fact the situation is even worse than the decimalization table exploit that was the result of the Citibank gagging order. Jolyon Clulow, a graduate student at the University of Natal in South Africa, has published his thesis containing _no less than six_ discrete attacks which could obtain authorization information which could then be used to fraudulently obtain cash. The decimalization table exploit is but one of these. The paper has been replicated to help prevent overload or closure of the student's web site. There are probably enough other copies around already to make it quite certain that stuffing the cat back into the bag isn't going to be possible.
Whole paper: http://home.icon.co.za/~clulow/dissertation.pdf
http://www.cl.cam.ac.uk/~mkb23/research/Clulow-Dissertation.pdf
Chapter 3 only (this is the strictly relevant stuff)
http://www.cl.cam.ac.uk/~mkb23/research/Clulow-Chap3.pdf
With acknowledgements to the ukcrypto list, from where I obtained this information.