#91
Michael R N Dolbear wrote:
David of Broadway wrote:

I don't understand why the machines can't prompt for a PIN only if the card is PIN-equipped.

ITYM Chip-and-PIN-equipped. Plastic cards had PINs issued long before Chip-and-PIN but they were intended only for getting cash.

Yes, that's right. I don't know the PINs on my credit cards since I have no interest in obtaining (and paying for) cash advances.

Why is the chip necessary for chip-and-PIN? Why not just latch onto the preexisting chipless PIN?

--
David of Broadway
New York, NY, USA
#92
Why is the chip necessary for chip-and-PIN? Why not just latch onto the preexisting chipless PIN?

--
David of Broadway
New York, NY, USA

Magnetic stripe and PIN is not an authorised combination for any POS transactions in the UK.
#93
Matthew Dickinson wrote:
Magnetic stripe and PIN is not an authorised combination for any POS transactions in the UK.

Since when?

--
Michael Hoffman
#94
On Wed, 06 Jun 2007 03:35:02 +0100, Michael Hoffman wrote:

Matthew Dickinson wrote:

Magnetic stripe and PIN is not an authorised combination for any POS transactions in the UK.

Since when?

Since always. David's question, which Matthew failed to answer, is: why not?
#95
James Farrar wrote:
On Wed, 06 Jun 2007 03:35:02 +0100, Michael Hoffman wrote:

Matthew Dickinson wrote:

Magnetic stripe and PIN is not an authorised combination for any POS transactions in the UK.

Since when?

Since always. David's question, which Matthew failed to answer, is: why not?

Bingo. You read my mind. (Actually, you merely read my post, which I think was pretty clear.)

What's the security flaw that I'm missing?

--
David of Broadway
New York, NY, USA
#96
David of Broadway wrote in
John B wrote:

On 5 Jun, 14:21, David of Broadway wrote:

You sound like you know more about this subject than I do. I don't know what the CNP rules are. But doesn't the merchant agreement obligate the merchant to accept every card that displays the relevant logo (MasterCard, Visa, etc.)? At some stations, cards without CNP are not accepted. (And TfL doesn't even warn people in advance! Most people affected are probably visitors, who cannot be expected to understand the intricacies of CNP.)

Oh, bother - sorry for use of confusing abbreviations. CNP = "cardholder not present" not "chip and pin".

OH! As I said, you know more about this subject than I do.

Every merchant should accept every card, irrespective of whether it has a chip or a PIN on it. If they refuse to accept your non-chip-and-PIN card, explain politely to them that the risk is with you and your bank, not with them. If they still refuse, then report the merchant to Visa/Mastercard for breaking their T&Cs.

I suppose I could politely explain this to a vending machine. I don't think I should expect much of a response, however.

Probably more of one than from the Patel/Singh Helpline

snip
#97
David of Broadway wrote:
James Farrar wrote:

On Wed, 06 Jun 2007 03:35:02 +0100, Michael Hoffman wrote:

Matthew Dickinson wrote:

Magnetic stripe and PIN is not an authorised combination for any POS transactions in the UK.

Since when?

Since always. David's question, which Matthew failed to answer, is: why not?

Bingo. You read my mind. (Actually, you merely read my post, which I think was pretty clear.)

What's the security flaw that I'm missing?

Stripe-and-PIN would still rely on mag stripe technology which is relatively easy to clone.

--
Richard J.
(to e-mail me, swap uk and yon in address)
#98
Richard J. wrote:
David of Broadway wrote:

James Farrar wrote:

On Wed, 06 Jun 2007 03:35:02 +0100, Michael Hoffman wrote:

Matthew Dickinson wrote:

Magnetic stripe and PIN is not an authorised combination for any POS transactions in the UK.

Since when?

Since always. David's question, which Matthew failed to answer, is: why not?

Bingo. You read my mind. (Actually, you merely read my post, which I think was pretty clear.)

What's the security flaw that I'm missing?

Stripe-and-PIN would still rely on mag stripe technology which is relatively easy to clone.

So? Without the PIN itself, what difference does it make?

--
David of Broadway
New York, NY, USA
#99
On 6 Jun, 13:36, David of Broadway wrote:

Stripe-and-PIN would still rely on mag stripe technology which is relatively easy to clone.

So? Without the PIN itself, what difference does it make?

If you're a crooked merchant, you can use a dummy keypad to record the PIN and a dummy swipe pad to record the magnetic swipe information. Both of these are easy to come by. Then you can create a cloned stripe-and-PIN card without much difficulty.

The chip on chip-and-PIN is uncloneable[*], so if a crooked merchant steals your PIN then there's not a lot he can do with it - unless he bashes you over the head and steals your card later on [**].

So allowing chip-and-magstripe would do nothing to improve card security, but would make it marginally easier for people to steal cash balances.

[*] the one attack that slightly hysterical people cite as a success involved implausible feats of time-based co-ordination, tricking someone into entering their card and PIN into a dummy machine at exactly the same time that a radio-linked real machine was entered into a genuine terminal. In other words, the fraud can only happen while the card is in the fraudster's physical possession.

[**] this isn't entirely true, because some cash machines abroad (and possibly a very few still in the UK) can't read chips, and so work on a magstripe and PIN basis even for chip and PIN cards. Every case that is ever cited as a "chip and PIN fraud" has actually involved crooked merchants stealing the pin, cloning the magstripe, and using it in these old devices.

--
John Band
john at johnband dot org
www.johnband.org
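Added example, not part of the original thread: a toy issuer model of the distinction drawn in post #99, where everything a terminal observes is enough to pass a stripe-and-PIN check but not a chip check, and where declining stripe fallback for chip cards closes the gap described in footnote [**]. The `Issuer` class, the HMAC-SHA256 cryptogram and the card values are assumptions made for illustration; real EMV cryptograms and PIN verification work differently in detail.

```python
import hashlib, hmac, os

def chip_cryptogram(key, atc, nonce):
    # HMAC-SHA256 is a stand-in (assumption) for the card's real cryptogram.
    return hmac.new(key, atc.to_bytes(2, "big") + nonce, hashlib.sha256).digest()

class Issuer:
    """Hypothetical issuer host; all names here are illustrative."""
    def __init__(self, allow_stripe_fallback):
        self.allow_stripe_fallback = allow_stripe_fallback
        self.cards = {}

    def issue(self, pan, pin):
        key = os.urandom(16)  # lives only inside the chip and at the issuer
        self.cards[pan] = {"pin": pin, "key": key, "last_atc": 0}
        return key

    def authorise_stripe(self, pan, pin):
        # Stripe data is static: PAN + PIN is all the issuer can check.
        if not self.allow_stripe_fallback:
            return False  # chip card presented as stripe-only: decline
        return hmac.compare_digest(self.cards[pan]["pin"], pin)

    def authorise_chip(self, pan, pin, atc, nonce, cryptogram):
        card = self.cards[pan]
        if atc <= card["last_atc"]:
            return False  # transaction counter reused: replay
        ok = (hmac.compare_digest(chip_cryptogram(card["key"], atc, nonce), cryptogram)
              and hmac.compare_digest(card["pin"], pin))
        if ok:
            card["last_atc"] = atc
        return ok

def demo():
    pan, pin = "4000000000000002", "4921"  # constructed sample values
    results = {}
    for fallback in (True, False):
        issuer = Issuer(allow_stripe_fallback=fallback)
        key = issuer.issue(pan, pin)
        nonce = os.urandom(4)
        seen = (pan, pin, 1, nonce, chip_cryptogram(key, 1, nonce))  # all a terminal sees
        results[fallback] = {
            "genuine": issuer.authorise_chip(*seen),
            "replayed": issuer.authorise_chip(*seen),
            "stale_cryptogram": issuer.authorise_chip(pan, pin, 2, os.urandom(4), seen[4]),
            "stripe_copy": issuer.authorise_stripe(pan, pin),
        }
    return results

if __name__ == "__main__":
    print(demo())
```

With fallback allowed, only `stripe_copy` succeeds from recorded data; with fallback declined, nothing recorded at the terminal authorises a second transaction.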
#100
On Tue, 05 Jun 2007 00:57:59 -0400, David of Broadway wrote:

I don't understand why the machines can't prompt for a PIN only if the card is PIN-equipped.

I suppose, as discussed, there's a question about who's liable for fraud. But a transport operator in a major city full of foreign cardholders - I don't see how it's reasonable NOT to accept the cards.

Neither my credit card nor my ATM card worked at the Schiphol machines. I had to buy my ticket from a ticket window and pay a €0.50 surcharge (that I didn't even realize I was paying until I looked at my receipt).

My debit card worked there, but it seems that not all UK cardholders are as lucky - the Visa debit holders perhaps?

This is not acceptable. I wonder why the banks haven't cracked down on it yet.

They've had a long time to think about it...

In France, 10 or more years ago my cards wouldn't work in French Railways' ticket machines, because they were not chip and PIN. (They would not even accept the card as identification for a booking already paid for on the net.) Now (well, 2005), they don't work on the Paris Metro even though they are chip and PIN. French public transport, ever the innovator, got there first.

As France (etc.) moves to EMV bank cards, perhaps these incompatibilities will disappear for UK users.

Never a problem in Germany or Switzerland, who, back that same 10 years, often wanted a PIN with my mag stripe debit card, unheard of back in the UK.

Richard.