Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: Korean bank Moves back to Mainframes (...no, not back)

11 views
Skip to first unread message

Timothy Sipples

unread,
Jan 7, 2010, 3:40:43 AM1/7/10
to
That's not the correct headline.

BC Card isn't moving *back* to mainframes. In its 27+ year history, BC Card
has never had a mainframe -- nothing in the System z lineage, anyway. They
are now replacing HP and Sun UNIX servers, and Oracle databases, with (a
presumably small number of) IBM mainframes. They are new in almost every
possible mainframe-related way: new z/OS customer, new CICS Transaction
Server for z/OS customer, new WebSphere Application Server for z/OS
customer, new System z10 customer, new mainframe customer.

There are some things in the article I disagree with, but there's one fact
in particular that is most certainly not correct. The article says this:

"Sources at IBM say that this is the first Unix-to-mainframe application
migration in nearly a decade."

I hate to disagree with "sources at IBM," but no, that's just factually
incorrect. I have personal knowledge of another such customer (in Japan)
who migrated their applications from distributed UNIX to z/OS with Parallel
Sysplex, and they never had a mainframe before. Quite possibly their entire
industry has never had a mainframe before, partly explaining why they're
not public. I suspect there are others.

Which is not to say that this isn't significant news from Korea. It is,
very.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: timothy...@us.ibm.com
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to list...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Sam Siegel

unread,
Jan 7, 2010, 6:16:20 AM1/7/10
to
There are other business related inaccuracies in the article as well. The
article indicates that they process hundreds of millions of Credit Card
transactions a day. Having previously worked at a large credit card
processor in the US, it can be said with certainty that the S. Korean credit
card volumes are orders of magnitude smaller than US volumes. The US
volumes are in the range of 100 to 200 million per day depending on the time
of the year.

On Thu, Jan 7, 2010 at 8:39 AM, Timothy Sipples
<timothy...@us.ibm.com>wrote:

John Kim

unread,
Jan 7, 2010, 12:20:12 PM1/7/10
to
I am a positive side they process hundreds of millions of Credit Card
transactions a day. I used work for the one of national banks (BC card
member).

Their banking system also quite remarkable that more than dozen of
accounts from each bank are all connected to the card account;
- They almost do every thing through banking systems - pay tax, utility,
cell phone,
Speeding ticket, home shopping, air-line ticket, and wiring to
another bank...etc
- Bus pass, Sub-way or toll-gate fare also paid from your bank accounts
directly when you screen the system in on-site.


All these transactions are linked to card account via banking
accounts, but customers pay nothing to bank for transaction fee or any
other service changes...
No balance limits for waiver a service charges... not at all (but wire
to other countries). Instead they stand up & bow to you when you step
into the bank and advice you opening more accounts & cards.

You don't even have to open the door because your first encounter is a
door man. He / She will hand out you pamphlets & asking the opening
accounts & cards.

We used hire university kids as a summer job. They were pretty good
except random accident, some times bumped heads when they bowed each
other.

It can't be a simple comparison unless by population (45 million vs
??? million). Their system is quite different than US card companies; I
used have 7 BC cards from different banks that allowed more credit
limits from each banks.

- And also their changed attitude populates more cards; they used gift
their children savings accounts for entering kindergarten or
birthday...etc. But now it has switched to credit cards & cell-phone
(it's called hand-phone in S Korea).


The information transmitted is intended only for the addressee and may contain confidential, proprietary and/or privileged material. Any unauthorized review, distribution or other use of or the taking of any action in reliance upon this information is prohibited. If you receive this in error, please contact the sender and delete or destroy this message and any copies.

Sam Siegel

unread,
Jan 7, 2010, 12:42:54 PM1/7/10
to
I will bow to the man with direct experience ... Base on reading the article
it appeared to be talking about traditional Credit Card processing. It was
not clear to someone without directly knowledge of the S. Korean banking
system (me) that Credit Cards handle such a broad scope of financial
transactions.

Even then, it means an average of 5 transaction per day per card they
manage. This is a very impressive number of transactions per card per day.

Regards,
Sam

Hal Merritt

unread,
Jan 7, 2010, 1:02:05 PM1/7/10
to
Concur. It would appear that the consumer electronic financial infrastructures are quite different outside of the US. Indeed, ours seems pretty primitive and a lot less consumer friendly. More, they don't seem to have quite as much of a fraud problem as we seem to have.

I think I read somewhere that they don't use 'credit cards' as we know them in Asia. Rather, it is more of a 'smart card' strategy.

Wonder how this works without fees?

Regards,
Sam

NOTICE: This electronic mail message and any files transmitted with it are intended
exclusively for the individual or entity to which it is addressed. The message,
together with any attachment, may contain confidential and/or privileged information.
Any unauthorized review, use, printing, saving, copying, disclosure or distribution
is strictly prohibited. If you have received this message in error, please
immediately advise the sender by reply email and delete all copies.

J R

unread,
Jan 7, 2010, 1:26:24 PM1/7/10
to
> ... they don't seem to have quite as much of a fraud problem as we seem to have.

That's the point of (EMV) "chip" cards. They are inherently more secure.

> ... they don't use 'credit cards' as we know them in Asia. Rather, it is more of a 'smart card' strategy.

The US is at least 12 years behind Europe, Australia/NZ and parts of Asia in deploying chip cards.

> Date: Thu, 7 Jan 2010 12:00:20 -0600
> From: HMer...@JACKHENRY.COM


> Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

> To: IBM-...@bama.ua.edu


>
> Concur. It would appear that the consumer electronic financial infrastructures
> are quite different outside of the US. Indeed, ours seems pretty primitive and
> a lot less consumer friendly. More, they don't seem to have quite as much of
> a fraud problem as we seem to have.
>
> I think I read somewhere that they don't use 'credit cards' as we know them
> in Asia. Rather, it is more of a 'smart card' strategy.
>
> Wonder how this works without fees?
>
>




_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
http://clk.atdmt.com/GBL/go/196390710/direct/01/

Roach, Dennis , N-GHG

unread,
Jan 7, 2010, 1:31:19 PM1/7/10
to
The number is not that surprising when you stop and think about the no cash on hand philosophy.
Think of using your debit/bank/credit/atm card for everything you buy.
Morning coffee, newspaper, breakfast.
Transportation - gas, parking, bus, cab, train, subway.
Lunch
Snack (even from a vending machine)
Transportation
All shopping
5 transactions on average is not that much.


Dennis Roach
GHG Corporation
Lockheed Martin Mission Services
Facilities Design and Operations Contract
Strategic Technical Engineering
NASA/JSC
Address:
2100 Space Park Drive
LM-15-4BH
Houston, Texas 77058
Mail:
P.O. Box 58487
Mail Code H4C
Houston, Texas 77258-8487
Phone:
Voice: (281)336-5027
Cell: (713)591-1059
Fax: (281)336-5410
E-Mail: Dennis...@LMCo.COM

All opinions expressed by me are mine and may not agree with my employer or any person, company, or thing, living or dead, on or near this or any other planet, moon, asteroid, or other spatial object, natural or manufactured, since the beginning of time.

John Kim

unread,
Jan 7, 2010, 1:33:43 PM1/7/10
to
I wouldn't agree that the financial structure in the US seems primitive,
but it's quite sure a lot less customer friendly. The most tedious
thing was to participate in a campaign ' Customer is the king' on a
daily basis, although I was a computer guy there. No exception at all.

I can feel they have a lot less fraud incidents than Norte America.
Their system is kind of bureaucratic structure; instead Banks hire lots
of retired law-enforcement to look after who are fallen behind their
card payment.

People over there has a perception that no pay to the bank, unless
borrow money.
Which means I am a king of the feeder for Banks, and Banks still makes
pretty big fortune with fees.

Honestly I don't know how much portion in their profits from the fees if
they charge.
I was a system programming guy...

Regards John Kim

Ted MacNEIL

unread,
Jan 7, 2010, 1:37:14 PM1/7/10
to
>That's the point of (EMV) "chip" cards. >They are inherently more secure.

Why are they more secure?
INTERAC Canada has been telling us that they are.
So far, on their web-site, the proof presented has been: "They are more secure".

When they sent me my new chip card, through the bank I use, nothing had changed.
They even kept the same PIN, which is supposed to be a secret.

Except for a different slot in the debit machine, the process for payment is the same.

Where is the 'enhanced' security?
What makes it so?

I honestly don't know if this is off-topic, because debit cards, in Canada, are still processed on mainframes, for the Big Five, at least.

And, the mainframe, if you aren't stupid, is still the most secure processing environment, chip cards aside.

(Yes! My bias is showing.)
-
Too busy driving to stop for gas!

Chase, John

unread,
Jan 7, 2010, 1:47:34 PM1/7/10
to
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Hal Merritt
>
> Concur. It would appear that the consumer electronic financial
infrastructures are quite different
> outside of the US. Indeed, ours seems pretty primitive and a lot less
consumer friendly. More, they
> don't seem to have quite as much of a fraud problem as we seem to
have.
>
> I think I read somewhere that they don't use 'credit cards' as we know
them in Asia. Rather, it is
> more of a 'smart card' strategy.
>
> Wonder how this works without fees?

Two possibilities come immediately to mind:

1. Interest on loans, and/or
2. Government (tax) subsidy.

I doubt "corporate altruism" enters into the equation.

-jc-

Chase, John

unread,
Jan 7, 2010, 1:50:04 PM1/7/10
to
> -----Original Message-----
> From: IBM Mainframe Discussion List [On Behalf Of Roach, Dennis
(N-GHG)
>
> The number is not that surprising when you stop and think about the no
cash on hand philosophy.
> Think of using your debit/bank/credit/atm card for everything you buy.
> Morning coffee, newspaper, breakfast.
> Transportation - gas, parking, bus, cab, train, subway.
> Lunch
> Snack (even from a vending machine)
> Transportation
> All shopping
> 5 transactions on average is not that much.

Still need cash for the "side pots" in bowling leagues. :-)

-jc-

Sam Siegel

unread,
Jan 7, 2010, 1:52:14 PM1/7/10
to


I'm not trying to be argumentative here, but some of the number still don't
just add up.

On a global basis the largest card processor in the world clears and settles
about 10 billion USD on 250 to 300 million transactions per day.. Or about
40 USD per transaction. Assuming that the average in S. Korea transaction
is 5 USD. Then 200 million per day is a billion USD per day cleared and
settled. This is over 360 billion USD per year. The S. Korean economy is
1.3 Trillion USD (2008) according to the CIA fact book. That would mean
that 28% of the S. Korean economy is handled via Credit Card transactions.
This is more than 5 times the rate of the rest of the world.


If an average transaction rate of 20 USD was used it would be even more
extreme. If a lower average transaction value was used, then fees and
charges would be a large portions of the profits that merchant would be
giving up.

Something does not balance.


That would

J R

unread,
Jan 7, 2010, 2:16:06 PM1/7/10
to
> Why are they more secure?

On a mag-stripe card, the data is right there, unencrypted for anyone to read and,
if they so desire, clone.

The chip is not just data; it is a processor. All data exchanged between the
card (ie. the chip) and the terminal is encrypted.

There's obviously a lot more to it than that but, right from that basic level,
the chip is inherently more secure that the stripe. I don't need Interac to tell me that.

> Date: Thu, 7 Jan 2010 18:36:37 +0000
> From: eama...@YAHOO.CA


> Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

> To: IBM-...@bama.ua.edu


>
> >That's the point of (EMV) "chip" cards. >They are inherently more secure.
>
> Why are they more secure?
> INTERAC Canada has been telling us that they are.
> So far, on their web-site, the proof presented has been: "They are more secure".
>
> When they sent me my new chip card, through the bank I use, nothing had changed.
> They even kept the same PIN, which is supposed to be a secret.
>
> Except for a different slot in the debit machine, the process for payment is the same.
>
> Where is the 'enhanced' security?
> What makes it so?
>
> I honestly don't know if this is off-topic, because debit cards, in Canada,
> are still processed on mainframes, for the Big Five, at least.
>
> And, the mainframe, if you aren't stupid, is still the most secure processing environment, chip cards aside.
>
> (Yes! My bias is showing.)
> -
> Too busy driving to stop for gas!



_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
http://clk.atdmt.com/GBL/go/196390709/direct/01/

Howard Brazee

unread,
Jan 7, 2010, 2:35:37 PM1/7/10
to
On 7 Jan 2010 10:26:24 -0800, jaya...@HOTMAIL.COM (J R) wrote:

>> ... they don't use 'credit cards' as we know them in Asia. Rather, it is more of a 'smart card' strategy.
>
>
>
>The US is at least 12 years behind Europe, Australia/NZ and parts of Asia in deploying chip cards.

Yep. This isn't always bad. We didn't get on the bandwagon with
analog HDTV, but waited until the digital variety came out. Maybe
now that we see higher security and privacy needs, we will get a
better model here as well.

John Mattson

unread,
Jan 7, 2010, 2:42:21 PM1/7/10
to
Be not the first by whom the new are tried,
Nor yet the last to lay the old aside.
- Alexander Pope


Howard Brazee <howard...@CUSYS.EDU>
Sent by: IBM Mainframe Discussion List <IBM-...@bama.ua.edu>
01/07/2010 11:35 AM
Please respond to
IBM Mainframe Discussion List <IBM-...@bama.ua.edu>
Expire Date: 01/07/2012


To
IBM-...@bama.ua.edu
cc

Subject
Re: Korean bank Moves back to Mainframes (...no, not back)

Howard Brazee

unread,
Jan 7, 2010, 2:44:04 PM1/7/10
to
On 7 Jan 2010 10:31:19 -0800, dennis...@LMCO.COM (Roach, Dennis ,
N-GHG) wrote:

>The number is not that surprising when you stop and think about the no cash on hand philosophy.
>Think of using your debit/bank/credit/atm card for everything you buy.
>Morning coffee, newspaper, breakfast.
>Transportation - gas, parking, bus, cab, train, subway.
>Lunch
>Snack (even from a vending machine)
>Transportation
>All shopping
>5 transactions on average is not that much.

Most days, I buy nothing at all. But today I stopped at Panera
Bread and was asked if I could pay by card as their cash machine
wasn't yet ready.

I was reading SuperFreakonomics and it had a portion about the
economics of prostitution - and the high end call girl charged $500,
mainly to married men. I wondered how many men can get a hold of
that cash without wives seeing the withdrawal.

It also discussed programs done by anti-terrorists and anti-fraud
units which check for suspicious withdrawals. Everything gets
tracked. I haven't worked for a bank IS, but it could be
interesting to develop such programs.

McKown, John

unread,
Jan 7, 2010, 2:44:55 PM1/7/10
to
> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:IBM-...@bama.ua.edu] On Behalf Of Hal Merritt
> Sent: Thursday, January 07, 2010 12:00 PM
> To: IBM-...@bama.ua.edu
> Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
>
> Concur. It would appear that the consumer electronic
> financial infrastructures are quite different outside of the
> US. Indeed, ours seems pretty primitive and a lot less
> consumer friendly. More, they don't seem to have quite as
> much of a fraud problem as we seem to have.
>
> I think I read somewhere that they don't use 'credit cards'
> as we know them in Asia. Rather, it is more of a 'smart card'
> strategy.
>
> Wonder how this works without fees?

Perhaps the Korean banks are competent? And they can make money by not paying the account holder all the income that the bank makes on the money entrusted to them? U.S. banks used to be user friendly and competent. They are, like most, now run by greedy fools.

--
John McKown
Systems Engineer IV
IT

Administrative Services Group

HealthMarkets(r)

9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john....@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM

J R

unread,
Jan 7, 2010, 2:55:03 PM1/7/10
to
That's why I actually made two statements:

1.

> ... they don't seem to have quite as much of a fraud problem as we seem to have.

That's the point of (EMV) "chip" cards. They are inherently more secure.

2.


> ... they don't use 'credit cards' as we know them in Asia. Rather, it is more of a 'smart card' strategy.

The US is at least 12 years behind Europe, Australia/NZ and parts of Asia in deploying chip cards.


You can have your choice:
(1) Address security and have less fraud
-or-
(2) Wait for the technology to be perfected before adopting it.



> Date: Thu, 7 Jan 2010 12:35:38 -0700
> From: howard...@CUSYS.EDU


> Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
> To: IBM-...@bama.ua.edu
>

_________________________________________________________________
Hotmail: Trusted email with Microsoft�s powerful SPAM protection.
http://clk.atdmt.com/GBL/go/196390706/direct/01/

Anne & Lynn Wheeler

unread,
Jan 7, 2010, 3:12:36 PM1/7/10
to

jaya...@HOTMAIL.COM (J R) writes:
> That's the point of (EMV) "chip" cards. They are inherently more secure.

modulo when there are significantly less secure ...

"yes card" vulnerability reference ... basically compromise POS terminal
(or other swipe mechanism to skim the data ... effectively same kind of
exploit used to skim magstripe data) ... and then "trivially" create
counterfeit "yes card" ... original reference gone 404 ... but can be
found at the wayback machine referencing presentation at cartes2002:
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

about the same time there was presentation on the vulnerabilities at the
ATM integrity task force meetings (prompting somebody in the audience to
comment that they managed to spend billions of dollars to prove that
chips are less secure than magstripe) ... a couple recent posts
with references:
http://www.garlic.com/~lynn/2009q.html#78 70 Years of ATM Innovation
http://www.garlic.com/~lynn/2009r.html#16 70 Years of ATM Innovation

lots of past posts mentioning "yes card":
http://www.garlic.com/~lynn/subintegrity.html#yescard

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

Anne & Lynn Wheeler

unread,
Jan 7, 2010, 3:19:36 PM1/7/10
to

Howard Brazee <howard...@cusys.edu> writes:
> Yep. This isn't always bad. We didn't get on the bandwagon with
> analog HDTV, but waited until the digital variety came out. Maybe
> now that we see higher security and privacy needs, we will get a
> better model here as well.

re:
http://www.garlic.com/~lynn/2010.html#71 Korean bank Moves back to Mainframes (...no, not back)

there was actually a rather large deployment in the NE about the time of
the cartes2002 presentation (and the atm integrity task force meetings)
... which then seemed to disappear w/o a trace. There has been some
concerned expressed about the much larger deployment costs for the US
... but it may actually not so much be about the cost of a single
deployment ... but that there may have to be a large number of
deployments.

Ted MacNEIL

unread,
Jan 7, 2010, 3:22:08 PM1/7/10
to
>It also discussed programs done by anti-terrorists and anti-fraud
units which check for suspicious withdrawals.
>Everything gets tracked. I haven't worked for a bank IS, but it could be
interesting to develop such programs.

Banks, at least in Canada, have been running DSS/AI/Anti-Fraud/Terrorist detection for years.
But, they have put in arbitrary thresholds, such as $1000, or the like.

The biggest issue is the number of false positives.

A similar issue showed up with the scanning of e-mails for violent/terrorist lamguage on the INTERNET.
Every teenage kid playing World of Warcraft got flagged.

I got flagged once, at work, for using a very vile word in an e-mail.
I didn't. I was just discussing Soccer and a town that ended in "thorpe'.
The word was pulled out of the middle of a larger word, without delimeters.

Another example, not financial, is at a company I used to work for.
The service provider had introduced a SPAM filtering package that kept suspected SPAM away from the recipient, so the intended recipient could not verify that it was SPAM.
So, there was no Human Intervention and approval.
But, the provider was using the percentage rejected as a performance metric.
When I asked about false positives, they told me I didn't understand the issue.

The whole point is, any AI algorithm needs a human overseer.
It's not good enough on its own, yet.


-
Too busy driving to stop for gas!

----------------------------------------------------------------------

Ted MacNEIL

unread,
Jan 7, 2010, 3:27:09 PM1/7/10
to
>The chip is not just data; it is a processor. All data exchanged between the card (ie. the chip) and the terminal is encrypted.

Why can't their web-site say that?

>There's obviously a lot more to it than that but, right from that basic level, the chip is inherently more secure that the stripe. I don't need Interac to tell me that.

I'm not a full-blown security expert; I'm a Jack-of-all-Trades.
All somebody had to do is answer the question.

(Mind you I'm still concerned that the new card had my 'secret' PIN already allocated when I received it.
At best, they should have me take the card to the Bank, and enter a new/old PIN)

Howard Brazee

unread,
Jan 7, 2010, 3:33:07 PM1/7/10
to
On 7 Jan 2010 11:44:55 -0800, John....@HEALTHMARKETS.COM (McKown,
John) wrote:

>Perhaps the Korean banks are competent? And they can make money by not paying the account
>holder all the income that the bank makes on the money entrusted to them? U.S. banks used to
>be user friendly and competent. They are, like most, now run by greedy fools.

There are two big issues with US banks here - one is how much money
they spend on regulatory issues. Why should banks and credit unions
have different rules to follow?

And the 2nd issue is much bigger, it's a business culture issue that
is by no means limited to banks. That is we have lots of people
running businesses who don't have the same risk/rewards as the
businesses themselves have. Making decisions that will bankrupt the
company in 5 years won't stop a CEO from getting wealthy now,
especially if the company gets bailed out by taxpayers.

Howard Brazee

unread,
Jan 7, 2010, 3:36:00 PM1/7/10
to
On 7 Jan 2010 11:16:06 -0800, jaya...@HOTMAIL.COM (J R) wrote:

>> Why are they more secure?
>
>
>
>On a mag-stripe card, the data is right there, unencrypted for anyone to read and,
>if they so desire, clone.
>
>The chip is not just data; it is a processor. All data exchanged between the
>card (ie. the chip) and the terminal is encrypted.
>
>There's obviously a lot more to it than that but, right from that basic level,
>the chip is inherently more secure that the stripe. I don't need Interac to tell me that.

The question is - are they secure enough? It takes more work to
clone a chip card, but do crooks who have the technology to use
mag-strip cards have access to the technology to use chip cards? I
don't know the answer.

Howard Brazee

unread,
Jan 7, 2010, 3:40:52 PM1/7/10
to
On 7 Jan 2010 12:22:08 -0800, eama...@YAHOO.CA (Ted MacNEIL) wrote:

>I got flagged once, at work, for using a very vile word in an e-mail.
>I didn't. I was just discussing Soccer and a town that ended in "thorpe'.
>The word was pulled out of the middle of a larger word, without delimeters.

I forgot the details where it took a while to figure out how to change
a business document to get by the Spam filters to a co-worker. Getting
rid of one innocuous (to me) word did it, but it wasn't at all
obvious.

I feel sorry for people who need to use their computers to search for
medical and other help for issues that get flagged as dirty (I'm not
wanting to use words to get this message filtered).

J R

unread,
Jan 7, 2010, 3:41:51 PM1/7/10
to
> Why can't their web-site say that?


Dunno! Too much information maybe?


> (Mind you I'm still concerned that the new card had my 'secret' PIN already allocated when I received it.
> At best, they should have me take the card to the Bank, and enter a new/old PIN)


I presume they did that for your convenience. (Not anybody else's since they wouldn't know the PIN.)
However, being a "smart" card with a processor on it, you should be able to change your PIN at an ATM.



> Date: Thu, 7 Jan 2010 20:26:39 +0000
> From: eama...@YAHOO.CA
> Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
> To: IBM-...@bama.ua.edu


>
> >The chip is not just data; it is a processor. All data exchanged between the card (ie. the chip) and the terminal is encrypted.
>
> Why can't their web-site say that?
>
> >There's obviously a lot more to it than that but, right from that basic level, the chip is inherently more secure that the stripe. I don't need Interac to tell me that.
>
> I'm not a full-blown security expert; I'm a Jack-of-all-Trades.
> All somebody had to do is answer the question.
>
> (Mind you I'm still concerned that the new card had my 'secret' PIN already allocated when I received it.
> At best, they should have me take the card to the Bank, and enter a new/old PIN)
> -
> Too busy driving to stop for gas!

_________________________________________________________________
Hotmail: Trusted email with Microsoft�s powerful SPAM protection.
http://clk.atdmt.com/GBL/go/196390706/direct/01/

John Kim

unread,
Jan 7, 2010, 3:54:07 PM1/7/10
to
I am so impressed your insight! Please forgive me for off-line of the
topic.

Although I don't have stats in my hands, I can explain two things for
your understanding how they got over an economic crisis.
Way back to mid of 1990s the economic crisis in S Korea was almost same
or bigger than last years in US, and it was controlled by IMF.
I experienced a big jump on the commodity price, especially 5 times
increase over the night for the flour and toilet paper which had never
experienced since I was born in. That's why I came over here for a
better quality of toilet paper with batter price.

First thing government tried to do was campaigning in order for them to
turn around an economic crisis;
- asking the nation to come out them with Gold from their draw or safe.

At that time I also sold my wedding & my children's baby-shower rings to
government, in a result world gold market was fluctuated, and gold price
was downward.

- Secondly Government tried to let people sign on an application for the
credit cards as many as possible in order to stimulate a financial
infrastructure.

At that time my high school nephew had dozen cards, and still using it.

Eventually prevailing credit cards worked, and would be able to get over
an economic crisis, although they have a social crisis by over-spending
as fallout.

That's why they need extra wallet for more cards.

Sometime economists also don't understand how Korean economy works.

One thing I know is they are really superb at campaigning!


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-...@bama.ua.edu] On

Behalf Of Sam Siegel
Sent: Thursday, January 07, 2010 11:52 AM
To: IBM-...@bama.ua.edu
Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

Something does not balance.


That would

The information transmitted is intended only for the addressee and may contain confidential, proprietary and/or privileged material. Any unauthorized review, distribution or other use of or the taking of any action in reliance upon this information is prohibited. If you receive this in error, please contact the sender and delete or destroy this message and any copies.

----------------------------------------------------------------------

Anne & Lynn Wheeler

unread,
Jan 7, 2010, 4:03:57 PM1/7/10
to

Howard Brazee <howard...@cusys.edu> writes:
> The question is - are they secure enough? It takes more work to
> clone a chip card, but do crooks who have the technology to use
> mag-strip cards have access to the technology to use chip cards? I
> don't know the answer.

re:
http://www.garlic.com/~lynn/2010.html#71 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#72 Korean bank Moves back to Mainframes (...no, not back)

the compromise of terminal or machine to skim data ... whether magstripe
or chip ... was nearly identical. the cost of magstripe cards is several
cents less than chipcards used for "yes cards" ... but that is
relatively minor compared to the compromise effort to skim&collect the
data ... as well as the avg. fraud ROI per counterfeit card.

as referenced in the cartes2002 presentation ... it was trivial to
create a counterfeit "yes card" ... and the technology and description
was readily available on the internet thru the later half of the 90s.

after having done work with small client/server startup (the startup
also had invented this technology called "SSL" that they wanted to use)
for payment transactions and what is now comingly called "electronic
commerce" ... in the mid-90s we were invited to participate in the x9a10
financial standard working group ... which had been given the
requirement to preserve the integrity of the financial infrastructure
for all retail payments. The "yes card" kind of exploit was one of the
early, easily identifed vulnerabilities by the x9a10 standard working
group (long before any kind of actual deployment of that technology)

Terri E Shaffer

unread,
Jan 7, 2010, 4:06:23 PM1/7/10
to
So not to ask the obvious, but does any other nation use online buying as much as north america? How do most of the fraud attempts take place? Does it matter if my CC has a chip in it, if I enter the information online?....Sorry Im continuing this OT..

Thanks

Ms. Terri E. Shaffer
Terri.E...@jpmchase.com
Engineer
J.P.Morgan Chase & Co.
GTI DCT ECS Core Services zSoftware Group / Emerging Technologies
Office: # 614-213-3467
Cell: # 412-519-2592

This communication is for informational purposes only. It is not
intended as an offer or solicitation for the purchase or sale of
any financial instrument or as an official confirmation of any
transaction. All market prices, data and other information are not
warranted as to completeness or accuracy and are subject to change
without notice. Any comments or statements made herein do not
necessarily reflect those of JPMorgan Chase & Co., its subsidiaries
and affiliates.

This transmission may contain information that is privileged,
confidential, legally privileged, and/or exempt from disclosure
under applicable law. If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or
use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. Although this transmission and any
attachments are believed to be free of any virus or other defect
that might affect any computer system into which it is received and
opened, it is the responsibility of the recipient to ensure that it
is virus free and no responsibility is accepted by JPMorgan Chase &
Co., its subsidiaries and affiliates, as applicable, for any loss
or damage arising in any way from its use. If you received this
transmission in error, please immediately contact the sender and
destroy the material in its entirety, whether in electronic or hard
copy format. Thank you.

Please refer to http://www.jpmorgan.com/pages/disclosures for
disclosures relating to European legal entities.

Ted MacNEIL

unread,
Jan 7, 2010, 5:52:10 PM1/7/10
to
>I presume they did that for your convenience. (Not anybody else's since they wouldn't know the PIN.)
However, being a "smart" card with a processor on it, you should be able to change your PIN at an ATM.

Yes!
But, the PIN is supposed to be a secret.
Give me the chip-card, and have me come in to re-do my PIN would have made me feel more secure.

They didn't do that!


-
Too busy driving to stop for gas!

----------------------------------------------------------------------

J R

unread,
Jan 7, 2010, 6:04:07 PM1/7/10
to
> But, the PIN is supposed to be a secret.


They make a point of not knowing what your actual PIN is. What they
put in the chip is an encrypted PIN block that has to be matched after
the PIN that you actually key in has been put through the ringer.

Even if you could read the chip, and find your PIN block, unless you knew
what cryptographic key(s) were used, and which variant(s), to create it and
using which algorithm(s), you wouldn't be able to come up with your clear
text PIN. Your clear text PIN is not recorded anywhere unless you wrote it down.


> Date: Thu, 7 Jan 2010 22:51:52 +0000
> From: eama...@YAHOO.CA


> Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

> To: IBM-...@bama.ua.edu


>
> >I presume they did that for your convenience. (Not anybody else's since they wouldn't know the PIN.)
> However, being a "smart" card with a processor on it, you should be able to change your PIN at an ATM.
>
> Yes!
> But, the PIN is supposed to be a secret.
> Give me the chip-card, and have me come in to re-do my PIN would have made me feel more secure.
>
> They didn't do that!
> -
> Too busy driving to stop for gas!

_________________________________________________________________
Hotmail: Trusted email with Microsoft�s powerful SPAM protection.
http://clk.atdmt.com/GBL/go/196390706/direct/01/

J R

unread,
Jan 7, 2010, 6:06:28 PM1/7/10
to
Of course, I meant "wringer"!



> Date: Thu, 7 Jan 2010 18:03:24 -0500
> From: jaya...@HOTMAIL.COM

Hotmail: Trusted email with powerful SPAM protection.
http://clk.atdmt.com/GBL/go/196390707/direct/01/

Clark Morris

unread,
Jan 7, 2010, 6:30:31 PM1/7/10
to
On 7 Jan 2010 12:27:09 -0800, in bit.listserv.ibm-main you wrote:

>>The chip is not just data; it is a processor. All data exchanged between the card (ie. the chip) and the terminal is encrypted.
>
>Why can't their web-site say that?
>
>>There's obviously a lot more to it than that but, right from that basic level, the chip is inherently more secure that the stripe. I don't need Interac to tell me that.
>
> I'm not a full-blown security expert; I'm a Jack-of-all-Trades.
>All somebody had to do is answer the question.
>
>(Mind you I'm still concerned that the new card had my 'secret' PIN already allocated when I received it.
>At best, they should have me take the card to the Bank, and enter a new/old PIN)

Is the PIN on the card or is it at the bank where they assigned the
one you already had on the debit card to it?

J R

unread,
Jan 7, 2010, 7:37:50 PM1/7/10
to
I believe there are two PINs,
an online PIN which is at the bank and can be verified for online transactions and
an offline PIN which is on the chip and can be used for small value offline transactions.
The goal is to keep the two in synch and this is done during the next online transaction.

I'm not an expert on this but I believe a lot of the functionality depends on
the actual application on the chip. There can be more than one application
on the same chip so that the card can be both a debit card and a credit card.
They do this a lot in Europe.



> Date: Thu, 7 Jan 2010 19:29:56 -0400
> From: cfmp...@NS.SYMPATICO.CA
> Subject: OT smart cards was Re: Korean bank Moves back to Mainframes (...no, not back)
> To: IBM-...@bama.ua.edu
>

> Is the PIN on the card or is it at the bank where they assigned the
> one you already had on the debit card to it?

_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
http://clk.atdmt.com/GBL/go/196390709/direct/01/

Timothy Sipples

unread,
Jan 8, 2010, 1:09:46 AM1/8/10
to
I should say right up front that I am not an expert on Korean banking.
Also, I have no idea whether the following remarks apply to BC Card
specifically.

One commenter in this thread suggested that the number of transactions
looks strange, if by "transactions" you mean "card swipes," basically. What
I sometimes find -- and not just in Korea -- is that the term
"transactions" has different meanings depending on whom you're talking to.
The business users and managers tend to think of measurements like card
swipes, purchases, etc. -- the direct business metrics. However, the IT
staff tend to think of "number of CICS transactions" and/or "number of
database updates," to pick two examples. Thus it's quite common for one
card swipe to result in several "transactions," depending on the functional
requirements and application architecture. Loyalty cards (point
processing), fraud analysis and prevention, business reporting functions,
overlimit SMS alerting triggers, PIN processing, interbank debiting and
crediting, customer service functions, etc., etc. can also add considerably
to the number of "transactions."

So it's very important to decode that term whenever having detailed
conversations about scale, sizing, growth, and other issues. If you don't
have that common understanding of "transactions," it gets difficult to have
meaningful conversations. In the context of a press article it's not a big
issue at all, but when involved in IT design discussions it's quite
important.

Also, I recall that Korea has a lot more "real-time posting" of typical
bank transactions than most other countries. If you think about U.S.
banking, there's lots of batch processing for, say, check clearing. I think
Korea handles their equivalent payments differently, much more like the
real-time interbank settlements for larger transactions. At least, that's
the explanation I constructed when someone once tried to educate me on the
differences in better English than my Korean. Said another way, one Korean
bank transaction does not equal one U.S. (or Chinese) bank transaction in
terms of path length (for example). They are different creatures for some
reason.

South Korea, like many other countries, has had problems with high rates of
credit card default in the not-too-distant past. That might be a reflection
of what John is talking about (and which I have also heard), that Korean
credit card companies have been very effective in saturating the market
with cards.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: timothy...@us.ibm.com

Ted MacNEIL

unread,
Jan 8, 2010, 2:06:49 AM1/8/10
to
>Is the PIN on the card or is it at the bank where they assigned the
one you already had on the debit card to it?

When I went in to get my (pre-chip) card, there was some processing and encoding done on the card after I entered my (new) PIN.

I assume there is something on the card, because you could get up to $200 out of ABMs when they went offline to the host processor.
At least, at the bank I used to work at.

-
Too busy driving to stop for gas!

----------------------------------------------------------------------

Sam Siegel

unread,
Jan 8, 2010, 2:21:49 AM1/8/10
to

I was talking about business transactions. If the posting was talking about
internal system transactions required to affect the processing of a purchase
then several hundred million transactions per day is easily possible.
However, the beginning of the article talks about a card holder base of 40
or so million people. From that it seemed reasonable to think that the
transaction count was was directly related to the cardholders and not to the
internal system activity. My comments should be viewed from this
perspective.

In the US the large card processors are running billions of internal system
transactions a day on distributed and sysplexed z/OS systems
to support hundreds of millions of card holder initiated transactions.

Regards,
Sam

Ted MacNEIL

unread,
Jan 8, 2010, 2:40:48 AM1/8/10
to
>What I sometimes find -- and not just in Korea -- is that the term
"transactions" has different meanings depending on whom you're talking to.
>The business users and managers tend to think of measurements like card
swipes, purchases, etc. -- the direct business metrics.
>However, the IT staff tend to think of "number of CICS transactions" and/or "number of database updates," to pick two examples.

That is a common issue across the board.
I've run into it many times in the almost 30 years I've been a capacity analyst.
At the last company I worked at the business worried about invoices/orders (86,000/day) and IT worried about CICS transactions (70M/day).
I had to do a lot of work to get them to relate to each other, and to point out that daily volumes were not totally related to peak volumes.
The latter was a herculean task.

-
Too busy driving to stop for gas!

----------------------------------------------------------------------

Anne & Lynn Wheeler

unread,
Jan 8, 2010, 12:13:07 PM1/8/10
to

E99...@JP.IBM.COM (Timothy Sipples) writes:
> So it's very important to decode that term whenever having detailed
> conversations about scale, sizing, growth, and other issues. If you don't
> have that common understanding of "transactions," it gets difficult to have
> meaningful conversations. In the context of a press article it's not a big
> issue at all, but when involved in IT design discussions it's quite
> important.

some of the real-time "auths" (authorizations) transactions are measured
in number of transactions that flow thru TPF system (change in name from
airline control program to transaction processing facility was ACP
starting to be used by some financial networks).

in states ... there has tended to still be a bunch of stuff done in the
"overnight batch window" ... some recent posts about doing optimization
work on 450+k statement cobol program that overnight ran on 40+ mainframe fully
tricked-out CECs.
http://www.garlic.com/~lynn/2009d.html#5 Why do IBMers think disks are 'Direct Access'?
http://www.garlic.com/~lynn/2009e.html#76 Architectural Diversity
http://www.garlic.com/~lynn/2009f.html#55 Cobol hits 50 and keeps counting
http://www.garlic.com/~lynn/2009g.html#20 IBM forecasts 'new world order' for financial services
http://www.garlic.com/~lynn/2009s.html#9 Union Pacific Railroad ditches its mainframe for SOA

several places in the financial industry spent billions in the 90s on
failed "straight-through" processing efforts (to replace "overnight
batch window") ... they were planning on using large number of parallel
"killer micros" and some COTS libraries. Problem was that they didn't
actually size the overhead of the COTS libraries (some vague
anticipation that more micros would offset the increased overhead).

it turned out that the COTS libraries had factor of 100 times increase
in overhead (compared to batch COBOL), totally swamping anticipated
thruput improvement with large numbers of killer micros. some past
references to the billions spent on failed "straight-through" processing
implementation:
http://www.garlic.com/~lynn/2009h.html#1 z/Journal Does it Again
http://www.garlic.com/~lynn/2009h.html#2 z/Journal Does it Again
http://www.garlic.com/~lynn/2009i.html#21 Why are z/OS people reluctant to use z/OS UNIX?
http://www.garlic.com/~lynn/2009l.html#57 IBM halves mainframe Linux engine prices
http://www.garlic.com/~lynn/2009m.html#22 PCI SSC Seeks standard for End to End Encryption?
http://www.garlic.com/~lynn/2009m.html#81 A Faster Way to the Cloud
http://www.garlic.com/~lynn/2009o.html#81 big iron mainframe vs. x86 servers
http://www.garlic.com/~lynn/2009q.html#67 Now is time for banks to replace core system according to Accenture
http://www.garlic.com/~lynn/2009q.html#68 Now is time for banks to replace core system according to Accenture

Howard Rifkind

unread,
Jan 10, 2010, 9:14:09 PM1/10/10
to
Well loose one gain one.

I saw a post on the z/VM list that the University of Maine just shut down their mainframe operation.

--- On Thu, 1/7/10, Chase, John <jch...@USSCO.COM> wrote:

> From: Chase, John <jch...@USSCO.COM>
> Subject: Re: Korean bank Moves back to Mainframes (...no, not back)
> To: IBM-...@bama.ua.edu

> Date: Thursday, January 7, 2010, 1:46 PM
> > -----Original Message-----

> > From: IBM Mainframe Discussion List On Behalf Of Hal
> Merritt
> >

> > Concur. It would appear that the consumer electronic
> financial
> infrastructures are quite different
> > outside of the US. Indeed, ours seems pretty primitive
> and a lot less

> consumer friendly. More, they


> > don't seem to have quite as much of a fraud problem as
> we seem to
> have.
> >

> > I think I read somewhere that they don't use 'credit


> cards' as we know
> them in Asia. Rather, it is
> > more of a 'smart card' strategy.
> >

> > Wonder how this works without fees?
>

> Two possibilities come immediately to mind:
>
> 1.� Interest on loans, and/or
> 2.� Government (tax) subsidy.
>
> I doubt "corporate altruism" enters into the equation.
>
> � � -jc-

Hardee, Charles H

unread,
Jan 11, 2010, 10:21:10 AM1/11/10
to
I, too, don't see how they can be more secure.
Possession is supposedly 9/10ths as the saying goes, but unless there's
something bio-metric in the chip/card/human being relationship, I would
have to say that the chips cards are no more, if not less, secure than
the regular plastic we use today.

What really peeves me is when I go into a merchant, present my plastic
for my purchase and ma told I don't need to sign anything,
What, no signature? But how do you know it's me? You didn't check my
signature on the back of the plastic against my signature at the time of
the purchase.

And the merchant's cashier says that just the way it works.

Personally, I try to make a mental record of where this occurs and then
attempt to NEVER return there for another purchase unless it is the ONLY
place to do so and then I pay cash. Can't remember the last time I was
in at H^&e D&p$t. (don't want to say the merchant's real name)

Chuck

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-...@bama.ua.edu] On

Behalf Of Ted MacNEIL
Sent: Thursday, January 07, 2010 12:37 PM
To: IBM-...@bama.ua.edu
Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

>That's the point of (EMV) "chip" cards. >They are inherently more
secure.

----------------------------------------------------------------------

Howard Brazee

unread,
Jan 11, 2010, 11:37:06 AM1/11/10
to
On 11 Jan 2010 07:21:10 -0800, Charles...@CA.COM (Hardee, Charles
H) wrote:

>I, too, don't see how they can be more secure.
>Possession is supposedly 9/10ths as the saying goes, but unless there's
>something bio-metric in the chip/card/human being relationship, I would
>have to say that the chips cards are no more, if not less, secure than
>the regular plastic we use today.

We probably need to go bio-metric - but this is including on-line
purchases. Our current system of random, unique, not-written-down
passwords does not work.

>What really peeves me is when I go into a merchant, present my plastic
>for my purchase and ma told I don't need to sign anything,
>What, no signature? But how do you know it's me? You didn't check my
>signature on the back of the plastic against my signature at the time of
>the purchase.

That seems to be a matter of $20 or less. But how closely do they
look at your signature anyway? And the places that have us sign on
glass get something that I don't recognize as my signature!

Again though - if we can buy something on the Web without a signature,
what difference does it make? Sure, they can track where the
product (or downloaded whatever) was delivered, but is that
sufficient?

This is a problem IS needs to solve, without forgetting how the human
element works.

Howard Brazee

unread,
Jan 11, 2010, 11:39:38 AM1/11/10
to
On 11 Jan 2010 07:21:10 -0800, Charles...@CA.COM (Hardee, Charles
H) wrote:

>I, too, don't see how they can be more secure.
>Possession is supposedly 9/10ths as the saying goes, but unless there's
>something bio-metric in the chip/card/human being relationship, I would
>have to say that the chips cards are no more, if not less, secure than
>the regular plastic we use today.

We probably need to go bio-metric - but this is including on-line


purchases. Our current system of random, unique, not-written-down
passwords does not work.

>What really peeves me is when I go into a merchant, present my plastic


>for my purchase and ma told I don't need to sign anything,
>What, no signature? But how do you know it's me? You didn't check my
>signature on the back of the plastic against my signature at the time of
>the purchase.

That seems to be a matter of $20 or less. But how closely do they


look at your signature anyway? And the places that have us sign on
glass get something that I don't recognize as my signature!

Again though - if we can buy something on the Web without a signature,
what difference does it make? Sure, they can track where the
product (or downloaded whatever) was delivered, but is that
sufficient?

This is a problem IS needs to solve, without forgetting how the human
element works.

--
"In no part of the constitution is more wisdom to be found,
than in the clause which confides the question of war or peace
to the legislature, and not to the executive department."

- James Madison

Bruno Sugliani

unread,
Jan 11, 2010, 2:39:50 PM1/11/10
to
Well chip cards need a pin number to be entered or they don't work! And i am
the only guy who knows the pin number of my card.
It is not full proof but the merchant generally knows it's you because you
have entered the proper pin number
Or did i miss something ?

Bruno Sugliani
zxnetconsult(at)free(dot)fr

On Mon, 11 Jan 2010 10:20:34 -0500, Hardee, Charles H
<Charles...@CA.COM> wrote:

>I, too, don't see how they can be more secure.
>Possession is supposedly 9/10ths as the saying goes, but unless there's
>something bio-metric in the chip/card/human being relationship, I would
>have to say that the chips cards are no more, if not less, secure than
>the regular plastic we use today.
>

>What really peeves me is when I go into a merchant, present my plastic
>for my purchase and ma told I don't need to sign anything,
>What, no signature? But how do you know it's me? You didn't check my
>signature on the back of the plastic against my signature at the time of
>the purchase.
>

>And the merchant's cashier says that just the way it works.
>
>Personally, I try to make a mental record of where this occurs and then
>attempt to NEVER return there for another purchase unless it is the ONLY
>place to do so and then I pay cash. Can't remember the last time I was
>in at H^&e D&p$t. (don't want to say the merchant's real name)
>
>Chuck

----------------------------------------------------------------------

Anne & Lynn Wheeler

unread,
Jan 11, 2010, 2:52:16 PM1/11/10
to
Charles...@CA.COM (Hardee, Charles H) writes:
> I, too, don't see how they can be more secure.
> Possession is supposedly 9/10ths as the saying goes, but unless there's
> something bio-metric in the chip/card/human being relationship, I would
> have to say that the chips cards are no more, if not less, secure than
> the regular plastic we use today.

re:
http://www.garlic.com/~lynn/2010.html#71 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#72 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#73 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#77 Korean bank Moves back to Mainframes (...no, not back)

as previously mentioned the "yes card" scenario for chipcard resulted in
bigger infrastructure vulnerability and more fraud than traditional
magstripe.

supposedly the chipcard was hard to counterfeit *AND* had two-factor
authentication (chip/plastic: "somthing you have" and PIN: "somthing you
know"). from three factor authentication model, misc. posts
http://www.garlic.com/~lynn/subintegrity.html#3factor

* something you have
* something you know
* something you are

the assumption that multiple factor authentication is more secure than
single factor is based on different authentication factors having
different vulnerabilities.

the problem with skimming (whether for the "yes card" or magstripe) ...
is it is possible to have a single compromise process (end-point
skimming compromise) ... invalidating the assumption about different
factors having different vulnerabilities. In the case of multi-factor
authentication magstripe (plastic/magstripe & PIN) ... a compromised
end-point skims both the magstripe information and the PIN.

in the "yes card" scenario, a compromised end-point skims the
information used by terminals to establish a valid chipcard. the crooks
then install the skimmed information (similar to information skimmed for
counterfeit magstripe) in a counterfeit "yes card" chip.

once a terminal has accepted the chipcard's validation information, it
then asks the chipcard 1) whether the correct PIN has been entered (a
"yes card" always answers "YES" ... so it isn't necessary to even
know/skim the PIN), 2) whether the transaction should be offline
("YES"), and 3) whether the transaction is within the account credit
limit ("YES").

in counterfeit magstripe scenario, the account number is eventually
invalidated at the backend database (and future transactions are
rejected). In the counterfeit "YES CARD" scenario, the terminal doesn't
go online to find out about any account number invalidation. the greater
counterfeit "YES CARD" fraud is because infrastructure business rules
have been moved into the chipcard (infrastructure relying on the
chipcard to decide whether it is online/offline transaction and whether
the transaction is within the account's credit limit).

misc. past "yes card" posts
http://www.garlic.com/~lynn/subintegrity.html#yescard

one of the issues with "something you are" biometrics ... is that
nominally biometrics information is reduced to some sort of electronic
pattern for matching against value stored in backend database. If that
value is compromised (analogous to "something you know" PIN/passwords)
... it is difficult to issue a new finger or iris. Frequently biometrics
are most dependable ... when they involve secure sensors/endpoints
... that possibly are under constant surveillance by armed guards.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

----------------------------------------------------------------------

Anne & Lynn Wheeler

unread,
Jan 11, 2010, 2:53:21 PM1/11/10
to

Howard Brazee <howard...@cusys.edu> writes:
> We probably need to go bio-metric - but this is including on-line
> purchases. Our current system of random, unique, not-written-down
> passwords does not work.

re:
http://www.garlic.com/~lynn/2010.html#93 Korean bank Moves back to Mainframes (...no, not back)

the issue with pin/passwords aren't that they are "something you know"
authentication ... but they are "shared secrets" ... some past posts
http://www.garlic.com/~lynn/subintegrity.html#secrets

the issue is that a unique "shared secret" is required for every unique
security domain ... as countermeasure to cross-domain attacks (say local
garage ISP and some online banking).

in "yes card" scenario ... the PIN wasn't a "shared secret" ... but was
between you and "your" chipcard. the problem was that the chipcard had
the "yes card" vulnerability ... and so the whole infrastructure wasn't
very secure.

it is possible to have a "something you know" authentication ... w/o
requiring what-ever is used ... is not "shared". In the "non-sharing"
scenario ... it would be acceptable to have the same (non-shared)
"something you know" authentication used in multiple different security
domains.

"something you are", biometric authentication is a problem in the online
scenario ... since it can be difficult to assure secure/trusted
sensor/end-point (under constant surveillance by trusted, armed guards)

part of the issue is that biometric (electronic pattern recorded in
backend database) is also frequently implemented as "shared secret". If
all biometric sensors/end-points aren't constantly secured & validated
... then the recording of the biometric electronic pattern could be
used to spoof a biometric reading ... by just directly transmitting the
pattern. In the case of a password "shared secret" compromise ... the
password can be replaced with new one ... fingers and iris are a little
harder to replace.

for a little more drift ... because of the cross-domain attack scenario,
for "shared secrets" ... current authentication is extremely
institutional-centric (unique cards & passwords per security domain).
In theory, a biometric "shared secret" implementation would require
unique biometric per security domain ... modulo nobody has quite figured
out how to implement such a thing. As a result, compensating procedures
are required for biometric "shared secrets" ... like secure/trusted
sensors/end-points under constant surveillance by armed guards.

it is possible to design a single "something you have" (like a chip) and
"somethin you know" authentication ... used in multiple different
domains ... analogous to the way that same fingerprint should work in
multiple different domains. part of the inhibitor to moving from
institutional-centric authentication to person-centric authentication
... is when things like institutional-specific business rules are
layered ontop of the authentication mechanism (like in the "yes card"
vulnerability).

In the 90s, I did quite a bit of work on AADS chip strawman for
enabling migration to a person-centric authentication infrastructure
(not limited just to biometrics)
http://www.garlic.com/~lynn/x959.html#aads

Anne & Lynn Wheeler

unread,
Jan 11, 2010, 2:54:34 PM1/11/10
to
Howard Brazee <howard...@cusys.edu> writes:
> We probably need to go bio-metric - but this is including on-line
> purchases. Our current system of random, unique, not-written-down
> passwords does not work.

re:

----------------------------------------------------------------------

Anne & Lynn Wheeler

unread,
Jan 11, 2010, 3:00:02 PM1/11/10
to
Charles...@CA.COM (Hardee, Charles H) writes:
> What really peeves me is when I go into a merchant, present my plastic
> for my purchase and ma told I don't need to sign anything,
> What, no signature? But how do you know it's me? You didn't check my
> signature on the back of the plastic against my signature at the time of
> the purchase.

re:
http://www.garlic.com/~lynn/2010.html#93 Korean bank Moves back to Mainframes (...no, not back)

the signature isn't a fraud countermeasure ... it is a dispute issue.
if you dispute the charge and the merchant doesn't even have signed
receipt ... there is nothing demonstrating that you agreed to the
charge.

for some low-value purchases, they've eliminated the signature
requirement ... the issue is that there aren't going to be a lot of
crooked consumers disputing low value charges ... and if they do ... it
is trivial amount (convenience offset against crooked consumers). the
infrastructure countermeasure against crooked consumers disputing large
number of (unsigned) charges ... is they revoke the card.

fraud countermeasure is the name on the piece of plastic and the clerk
checks the name against same/similar name on some other piece of
authentication (like gov. issued picture document).

there was an issue in the EU at one time regarding a privacy directive
... where electronic payment cards should be as anonymous as cash at
point of sale (i.e. no name on the payment card). this somewhat implied
that the financial infrastructure improved the authentication mechanisms
to the point that anti-fraud measures didn't require clerk matching
names on multiple documents.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

----------------------------------------------------------------------

Schwarz, Barry A

unread,
Jan 11, 2010, 3:06:20 PM1/11/10
to
Does that mean you never use self service gasoline pumps?

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-...@bama.ua.edu] On Behalf Of Hardee, Charles H
Sent: Monday, January 11, 2010 7:21 AM
To: IBM-...@bama.ua.edu
Subject: Re: Korean bank Moves back to Mainframes (...no, not back)

What really peeves me is when I go into a merchant, present my plastic
for my purchase and ma told I don't need to sign anything,
What, no signature? But how do you know it's me? You didn't check my
signature on the back of the plastic against my signature at the time of
the purchase.

And the merchant's cashier says that just the way it works.

Personally, I try to make a mental record of where this occurs and then
attempt to NEVER return there for another purchase unless it is the ONLY
place to do so and then I pay cash. Can't remember the last time I was
in at H^&e D&p$t. (don't want to say the merchant's real name)

----------------------------------------------------------------------

Tony Harminc

unread,
Jan 11, 2010, 4:28:18 PM1/11/10
to
2010-01-11 Hardee, Charles H <Charles...@ca.com>:

> What really peeves me is when I go into a merchant, present my plastic
> for my purchase and ma told I don't need to sign anything,
> What, no signature? But how do you know it's me? You didn't check my
> signature on the back of the plastic against my signature at the time of
> the purchase.

They know with some pretty high certainty that it's you, based on all
kinds of things related to the transaction. If it turns out it wasn't
you, then they are not going to make you pay for it; they will just
write it off, and refine their algorithms a tiny bit. And certainly
they are not going to do a no-signature transaction if you are buying
a car or some other high value item, or if the transaction takes place
5000 miles from where you live, and you haven't used the card outside
your home town in the last few years. In this kind of case they will
probably get you on the phone and ask you some questions. These days
that all works quickly and smoothly even internationally.

> And the merchant's cashier says that just the way it works.

Yup - and it makes a lot of sense. They are authorizing the
transaction; not authenticating you.

> Personally, I try to make a mental record of where this occurs and then
> attempt to NEVER return there for another purchase unless it is the ONLY
> place to do so and then I pay cash. Can't remember the last time I was
> in at H^&e D&p$t. (don't want to say the merchant's real name)

I'm not sure why this offends you so much. How would it help anything
if the cashier checked your signature? Such checking is highly
unreliable, and contributes much less to authentication than does the
data they already know about the transaction.

Tony H.

Ted MacNEIL

unread,
Jan 11, 2010, 4:32:35 PM1/11/10
to
>I disagree.
>The basic operation of a credit card at the get go was for the
customer to be authenticated by comparing the signature on the voucher with the one on the card.
>If they don't match the vendor refuses the transaction.
>This is still the basic MO for credit card transactions.

The basic MO for buying, pre-debit card, was with signed cheques.
Debit cards have PINs, and no signature required.
With the potential for more money in my bank account than my credit limit, why does this make debit cards secure?

PS: I'm assuming, possibly wrongly, that you don't order on the INTERNET, either.


-
Too busy driving to stop for gas!

----------------------------------------------------------------------

Sam Siegel

unread,
Jan 11, 2010, 4:47:48 PM1/11/10
to
On Mon, Jan 11, 2010 at 9:16 PM, Ron Hawkins
<ron.haw...@sbcglobal.net>wrote:

> I disagree. The basic operation of a credit card at the get go was for the
> customer to be authenticated by comparing the signature on the voucher with
> the one on the card. If they don't match the vendor refuses the
> transaction.
> This is still the basic MO for credit card transactions.
>

> Shops like Fry's always annoy me when they ask for my Driver's license,
> make
> a cursory comparison of the picture and my name with my face and the card,
> and then complete the transaction without even checking the signature. Even
> for transactions for 1000s of dollars. Can they really spot a counterfeit
> license?
>
> Ron


>
> >
> > the signature isn't a fraud countermeasure ... it is a dispute issue.
> > if you dispute the charge and the merchant doesn't even have signed
> > receipt ... there is nothing demonstrating that you agreed to the
> > charge.
> >
>

> Both Visa and Mastercard rules required they merchant to check the
signature on the back of the card (unless it's PIN or a no-sig type of txn)
and that's it. Merchants are not supposed to ask for additional
identification. As Ron pointed out, it is unlikely that a clerk can spot a
phony license. Also, don't forget the case where a person does not have a
license, etc.

Phil Smith

unread,
Jan 11, 2010, 4:56:09 PM1/11/10
to
On Mon, Jan 11, 2010 at 10:20 AM, Hardee, Charles H
<Charles...@ca.com> wrote:
> I, too, don't see how they can be more secure.
> Possession is supposedly 9/10ths as the saying goes, but unless there's
> something bio-metric in the chip/card/human being relationship, I would
> have to say that the chips cards are no more, if not less, secure than
> the regular plastic we use today.
>
> What really peeves me is when I go into a merchant, present my plastic
> for my purchase and ma told I don't need to sign anything,
> What, no signature? But how do you know it's me? You didn't check my
> signature on the back of the plastic against my signature at the time of
> the purchase.
>
> And the merchant's cashier says that just the way it works.
>
> Personally, I try to make a mental record of where this occurs and then
> attempt to NEVER return there for another purchase unless it is the ONLY
> place to do so and then I pay cash. Can't remember the last time I was
> in at H^&e D&p$t. (don't want to say the merchant's real name)

Why would you blame the store for this?

First, if a store has a no-signature threshold, that doesn't increase YOUR risk -- if there's an issue with a charge and there's no signature, it's not your loss. In some parts of the country, folks check signatures; where I live, they NEVER do -- and I mean NEVER. I only sign the backs of my cards because I occasionally travel to areas where they do check, and I often find that when do I get asked, the signature has worn off (that tells you how rarely it happens!).

Second, credit card fraud isn't at all of interest to the banks. Credit cards make the banks *in the US* something on the order of $150B/year. Loss due to fraud is on the order of $1B/year. "Wow", you say, "that's a lot of money". No it isn't: loss due to card default (bankruptcy) is 20++ times that amount. This is well-documented; I remember reading over 25 years ago about someone who had documented evidence of a $400 credit card fraud, and couldn't get the bank interested in following it up -- they just wrote it off.

Sometimes it's of interest to the store -- as Tony H notes, if you're buying a car, they care. That's because they're in a business where it's going to be THEIR loss if you defraud them. If I go through the McDonald's drive-thru and rip them off for a Big Mac, they probably accept the liability -- they throw out lots of food anyway. If I go through the McDonald's drive-thru and place the order from Woody Allen's _Bananas_ (1000 grilled cheese sandwiches, 300 tuna fish, 200 BLTs... yeah, I know. McD's doesn't make those, but you know what I mean) they're going to be a lot more interested in the credit card's validity. The same applies to CNP (Card-Not-Present) transactions, such as web purchases: some businesses (e.g., used books) don't even ask for the CVV (the "magic" 3- or 4-digit number) because their liability is low. Businesses with high liability (electronics dealers, for example) care. Note that the percentage paid by the merchant is higher for CNP transactions becaus!
e of the greater potential for fraud -- that's why the local mom&pop restaurant may be unhappy if your card won't swipe, even though they know you and thus aren't afraid you're ripping them off.

Third, don't confuse credit and debit cards. Credit cards are one thing; debit is another. If you haven't read http://www.nytimes.com/2010/01/05/your-money/credit-and-debit-cards/05visa.html?hp you really should.

Fourth, Magstripe cards are easy to copy; chip-and-pin cards are (supposedly) not. So if you have a chip-and-pin card and your number is compromised, it doesn't do them any good at an ATM that takes chip-and-pin (unless they get lucky and the ATM is offline). So to some extent it's "security by obscurity", but in a case where that actually makes sense and works. You need a PIN *and* the card. So it satisfies two of the four magic requirements: something you have, something you know. Biometrics can (and, I'm sure, will in the near future) add the other two: something you are, and something you do.

I've heard of the "YES" cards, and I assume they exist, but they're not the norm yet -- cloned magstripes are. So for now, at least, chip-and-pin is more secure.

As for asking for a license, sure, it doesn't guarantee anything -- but it probably stops the kid who finds a card and says "Hey, let's go buy an XBOX!". So it's not entirely worthless. If you don't think it's worthwhile, then I assume you don't bother to lock your car or house -- the true professional won't be stopped by a lousy lock, eh?

Hope this helps.
--
...phsiii

P.S. This is actually relevant to IBM-MAIN, as the large processors use z/OS and z/TPF for transaction processing. And they all use, like, computers. So it's more on-topic than a lot of threads on here...

Anne & Lynn Wheeler

unread,
Jan 11, 2010, 5:22:53 PM1/11/10
to
ph...@VOLTAGE.COM (Phil Smith) writes:
> I've heard of the "YES" cards, and I assume they exist, but they're
> not the norm yet -- cloned magstripes are. So for now, at least,
> chip-and-pin is more secure.

misc. past posts mentioning "YES CARD":
http://www.garlic.com/~lynn/2010.html#71 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#73 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#93 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010.html#95 Korean bank Moves back to Mainframes (...no, not back)

chipcards have countermeasures for some random person taking a valid
chip and extracting the necessary information ... a random person can
copy magstripe information significantly easier.

however, by at least the early 90s, there were cases of compromised
end-points recording valid information (done during the process of valid
transactions). these operations tended to be more large scale wholesale
operations ... getting information for tens of thousand (or millions)
... rather than a few tens.

in the end-point compromises ... the process was esssentially identical
for recording magstripe information and recording chipcard
authentication information (for "YES CARD" exploit).

along the way, the criminals added wireless and other remote procedures
for retrieving the skimmed/recorded information (again, little or no
difference between magstripe and chipcard).

part of the issue in the US was that there was fairly large scale
chipcard deployment in the time-frame of cartes2002 (presentation on
"yes card" and the "yes card" presentations at the ATM integrity task
force meetings) ... and then evaporated w/o a trace (which may have also
created some reluctance to try again).

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

----------------------------------------------------------------------

Anne & Lynn Wheeler

unread,
Jan 11, 2010, 6:19:08 PM1/11/10
to
to...@HARMINC.NET (Tony Harminc) writes:
> I'm not sure why this offends you so much. How would it help anything
> if the cashier checked your signature? Such checking is highly
> unreliable, and contributes much less to authentication than does the
> data they already know about the transaction.

at one point, a large merchant looked at automatically discarding all
signed receipts ... since they found that even if they automatically
settled all disputes in the favor of the customer ... those dispute
costs were still less than what they were paying (even in electronic
from) to retain all the signed receipts. The idea was abandoned when
somebody asked what might happen if the public found out that the
merchant was no longer retaining the signed receipts.

for the most part ... merchant associations don't like the idea of
clerks having to be involved in the authentication process ... partly
because they have little or no training ... partly because they have
little or no authority ... and partly because clerks tend to already
have more than enough to deal with.

in general, merchants also don't like signature debit ... since the
interchange fees (merchant discount fees, the subtracted from the total
for actual paying to the merchant) are much higher

there have been various disputes about the whole signature debit
operation ... latest is:

Best Buy Cuts off Visa Contactless with Little Risk to Sales
http://www.digitaltransactions.net/newsstory.cfm?newsid=2418

above mentions problem with it being signature debit interchange
fees. somewhat older article ...

Study: Signature Debit Fraud Runs 15 Times Higher Than on PIN Debit
http://www.digitaltransactions.net/newsstory.cfm?newsid=738

part of the interchange fee is supposedly related to fraud level of the
corresponding kind of transaction ... and there can be more than an
order-of-magnitude difference (in interchange fee) between the
transactions with lowest fraud and transactions with highest fraud.

Past merchant class action lawsuit (sometimes referred to as the
"Wal-Mart" case) over the high cost of signature debit cards:

MasterCard Puts the 13-Year-Old Wal-Mart Case in the Rear-View Mirror
http://www.digitaltransactions.net/newsstory.cfm?newsid=2256

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

----------------------------------------------------------------------

Ted MacNEIL

unread,
Jan 11, 2010, 6:34:44 PM1/11/10
to
>I'm talking about credit cards, not debit cards. What point are you trying
to make about signatures on credit cards? As for signatures on cheques, it
was the responsibility of the paying Bank to verify the signatures. The

Maybe I'm obtuse, but what is the difference in authentication for a debit or a credit card once you go to PINs?
Both, at least in Canada have the EMV chip.
So, my point (poorly expressed) was the fact that credit cards and debit cards now have a common exposure/protection regarding authentication.
Signature for debit was done away with around 1981 (when I got my first debit card from the Royal Bank of Canada).
Signature for credit card was done away with in Canada, at least, last year.

And, what does a PIN/chip have to do with anything on an INTERNET purchase?


-
Too busy driving to stop for gas!

----------------------------------------------------------------------

Jack.H...@kp.org

unread,
Jan 11, 2010, 6:49:00 PM1/11/10
to
Ron Hawkins <ron.haw...@SBCGLOBAL.NET>
>
> True, but the requirement to sign the slip with a signature that matches
the
> card would be an equal deterrent. The D/L check would be redundant if
the
> store checked the signatures in the first place.

Provided that the signature hasn't worn off, which it has on my most
commonly used credit card.

In California, a merchant is allowed to ask to see ID for a credit card
purchase, but is not allowed to write down any information from that ID. <
http://www.privacyrights.org/fs/fs15-mt.htm>


> > As for asking for a license, sure, it doesn't guarantee anything --
but it
> > probably stops the kid who finds a card and says "Hey, let's go buy an
> XBOX!".
> > So it's not entirely worthless. If you don't think it's worthwhile,
then I
> > assume you don't bother to lock your car or house -- the true
professional
> > won't be stopped by a lousy lock, eh?

P S

unread,
Jan 12, 2010, 12:31:28 AM1/12/10
to
On Mon, Jan 11, 2010 at 10:13 PM, Ron Hawkins
<ron.haw...@sbcglobal.net> wrote:
> Jack,
>
> According to the web site you referenced they can ask for ID, but for VISA
> and MasterCard they cannot refuse to complete the transaction if you do not
> comply.
>
> I'm tempted to test this the next time I'm asked...

Be prepared not to buy whatever. "Cannot" may mean "per VISA's rules";
it doesn't mean they have to do business with you, eh? You could
report them to VISA, but...

Sam Siegel

unread,
Jan 12, 2010, 2:18:51 AM1/12/10
to
On Mon, Jan 11, 2010 at 10:59 PM, Anne & Lynn Wheeler <ly...@garlic.com>wrote:

> to...@HARMINC.NET (Tony Harminc) writes:
> > I'm not sure why this offends you so much. How would it help anything
> > if the cashier checked your signature? Such checking is highly
> > unreliable, and contributes much less to authentication than does the
> > data they already know about the transaction.
>
> at one point, a large merchant looked at automatically discarding all
> signed receipts ... since they found that even if they automatically
> settled all disputes in the favor of the customer ... those dispute
> costs were still less than what they were paying (even in electronic
> from) to retain all the signed receipts. The idea was abandoned when
> somebody asked what might happen if the public found out that the
> merchant was no longer retaining the signed receipts.
>

Every state has laws regarding the retention of data related to the conduct
of business. The amount of time is typically 3 to 7 years. No keeping the
receipts (or copies thereof) could create legal problems as well.

Anne & Lynn Wheeler

unread,
Jan 12, 2010, 10:21:29 AM1/12/10
to

s...@PSCSI.NET (Sam Siegel) writes:
> Every state has laws regarding the retention of data related to the conduct
> of business. The amount of time is typically 3 to 7 years. No keeping the
> receipts (or copies thereof) could create legal problems as well.

re:
http://www.garlic.com/~lynn/2010.html#98 Korean bank Moves back to Mainframes (...no, not back)

a lot of record retention is by UCC which most states follow ...
aka like for checks:
http://www.bankersonline.com/compliance/gurus_cmp1001l.html

above references "if the items are not returned to customer" ... in
the credit card slip case ... both the consumer and the merchant have
copies.

the electronic record of the transaction data is kept (by the issuing
bank) ... question of what wasn't kept was the merchant's paper slip
copy with signature &/or electronic image of same.

the issue was resolving (potentially legal) disputes ... what side has
burden of proof and what kind of proof. merchant not having the signed
slip effectively resolves on behalf of the consumer (having the signed
slip doesn't mean that it resolves on behalf of the merchant ... the
merchant still has to show that it is the consumer's signature).

other items are like how long does consumer have to dispute items.

in any case, standard "reg. E" places burden of proof on merchant

one of the interesting flyers in the 90s was proposal about digitally
signed, public key transactions for internet transactions. consumers
would pay $100/annum for their digital certificate ... and in effort to
sweeten the deal for merchants to install the technology ... the burden
of proof (in disputes) for public key transactions ... would be switched
from merchant to consumer. the question was raised ... why would the
consumer pay $100/annum for something that would switched the burden of
proof to them.

there has been some amount of churn in the UK with their chip payment
card about something analogous ... where the dispute burden of proof is
now effectively on the consumer.

Anne & Lynn Wheeler

unread,
Jan 12, 2010, 10:23:42 AM1/12/10
to
s...@PSCSI.NET (Sam Siegel) writes:
> Every state has laws regarding the retention of data related to the conduct
> of business. The amount of time is typically 3 to 7 years. No keeping the
> receipts (or copies thereof) could create legal problems as well.

re:

--

Anne & Lynn Wheeler

unread,
Jan 12, 2010, 10:48:51 AM1/12/10
to
ly...@GARLIC.COM (Anne & Lynn Wheeler) writes:
> however, by at least the early 90s, there were cases of compromised
> end-points recording valid information (done during the process of valid
> transactions). these operations tended to be more large scale wholesale
> operations ... getting information for tens of thousand (or millions)
> ... rather than a few tens.

re:
http://www.garlic.com/~lynn/2010.html#97 Korean bank Moves back to Mainframes (...no, not back)

skimming news item from today:

ATM Skimming Incidents Increase
http://www.bankinfosecurity.com/articles.php?art_id=2059

frequently these are external attachments specifically targeting
magstripe ... however, there have been lots of cases where collecting
technology has been installed inside the end-point (pos terminal or atm
cash machine). cases have included modification of machines already
installed, replacing machine with modified machine, installing
modification at time of manufacturer ... or even criminal front
organization manufactuering machines and selling them on open market (or
on gray market ... copy of some other vendors machine).

criminal front manufactuers have even sold such machines "at cost"
(undercutting competition) because they are planning on making up the
profit with fraudulent transactions.

Howard Brazee

unread,
Jan 12, 2010, 11:11:06 AM1/12/10
to
On 11 Jan 2010 13:56:09 -0800, ph...@VOLTAGE.COM (Phil Smith) wrote:

>Fourth, Magstripe cards are easy to copy; chip-and-pin cards are (supposedly) not.

Which effectiveness can be measured.

>As for asking for a license, sure, it doesn't guarantee anything -- but it probably stops the kid
>who finds a card and says "Hey, let's go buy an XBOX!". So it's not entirely worthless.
>If you don't think it's worthwhile, then I assume you don't bother to lock your car or house
>-- the true professional won't be stopped by a lousy lock, eh?

So the kid who found a card is stopped by either technology.

I'd like to see some figures on how much professional fraud actually
gets stopped by going to the more difficult to copy cards. Sure,
chip-and-pin cards are more expensive for the pros to copy. But does
that actually cut down significantly on their stealing?

Howard Brazee

unread,
Jan 12, 2010, 11:14:00 AM1/12/10
to
Lots of people have been taught (by popular media?) to not sign their
credit cards. Instead, the vendor will ask to see their signature
on a different ID.

I don't know if this advice has been backed up by actual figures. We
get *lots* of advice from people who think their advice makes sense,
but which hasn't been tested.

Anne & Lynn Wheeler

unread,
Jan 12, 2010, 11:26:53 AM1/12/10
to
ly...@GARLIC.COM (Anne & Lynn Wheeler) writes:
> there has been some amount of churn in the UK with their chip payment
> card about something analogous ... where the dispute burden of proof is
> now effectively on the consumer.

re:
http://www.garlic.com/~lynn/2010b.html#1 Korean bank Moves back to Mainframes (...no, not back)
http://www.garlic.com/~lynn/2010b.html#2 Korean bank Moves back to Mainframes (...no, not back)

there was recent case in the UK where an individual needed a copy of the
ATM machine video recording to prove that they didn't make the
withdrawel ... since the bank wasn't able to find the recording ... it
was decided in favor of the bank (and against the individual).

there have been comments that care taken regarding video recording might
be significantly different if the bank was required to show the video
recording to prove it was the individual (as opposed to the individual
getting a copy from the bank to prove it wasn't them).

Chase, John

unread,
Jan 12, 2010, 2:46:35 PM1/12/10
to
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Howard Brazee
>
> Lots of people have been taught (by popular media?) to not sign their
> credit cards. Instead, the vendor will ask to see their signature
> on a different ID.

I printed "REQUEST PHOTO ID" in the signature area of my credit card,
issued some three years ago. To date, exactly ONE merchant (a motel in
"somewhere, USA") has asked me for a photo ID.

-jc-

Rick Fochtman

unread,
Jan 12, 2010, 5:28:02 PM1/12/10
to
-----------------------------------<snip>------------------------------

I disagree. The basic operation of a credit card at the get go was for
the customer to be authenticated by comparing the signature on the
voucher with the one on the card. If they don't match the vendor refuses
the transaction. This is still the basic MO for credit card transactions.
----------------------------------<unsnip>------------------------------
Most "credit card acceptors" around Metro Chicago just swipe the card
through a stripe-reader and don't even look at it. Signature comparison?
HAH!!

-----------------------------------<snip>-----------------------------


Shops like Fry's always annoy me when they ask for my Driver's license,
make a cursory comparison of the picture and my name with my face and
the card, and then complete the transaction without even checking the
signature. Even for transactions for 1000s of dollars. Can they really
spot a counterfeit license?

-------------------------------------<unsnip>-------------------------
No they can't spot a phoney license. 99% of the population doesn't even
realize that birthdate and gender appear on the license on two places,
as a cross-check. Even a lot of police officers don't know where to find
the second occurance.

Rick

Howard Brazee

unread,
Jan 13, 2010, 10:30:45 AM1/13/10
to
On 12 Jan 2010 14:28:02 -0800, rfoc...@YNC.NET (Rick Fochtman)
wrote:

>-----------------------------------<snip>-----------------------------
>Shops like Fry's always annoy me when they ask for my Driver's license,
>make a cursory comparison of the picture and my name with my face and
>the card, and then complete the transaction without even checking the
>signature. Even for transactions for 1000s of dollars. Can they really
>spot a counterfeit license?
>-------------------------------------<unsnip>-------------------------
>No they can't spot a phoney license. 99% of the population doesn't even
>realize that birthdate and gender appear on the license on two places,
>as a cross-check. Even a lot of police officers don't know where to find
>the second occurance.

And the IS community has to realize that any solution is flawed if it
requires these salesmen and/or everybody who does on-line shopping to
be experts in security.

Anne & Lynn Wheeler

unread,
Jan 13, 2010, 10:56:21 AM1/13/10
to
Howard Brazee <howard...@cusys.edu> writes:
> And the IS community has to realize that any solution is flawed if it
> requires these salesmen and/or everybody who does on-line shopping to
> be experts in security.

we had been called in to consult with a small client/server startup that
wanted to do payment transactions on their server ... the startup had
also invented this technology called SSL they wanted to use. Part of the
effort was deploying something called a "payment gateway" (we
periodically claim is the original SOA) ... misc. past posts
http://www.garlic.com/~lynn/subnetwork.html#gateway

the effort is now frequently called "electronic commerce". given the
ease that crooks can harvest account numbers and use them for fraudulent
transactions ... I drew up a list of things required for commerce
servers enabled for payment transactions ... like all individuals
involved in any way needed to have FBI background checks (type required
of individuals in sensitive positions at financial institutions). part
of this was that long term numbers claim that insiders are involved in
70% of such events.

related comments about current paradigm in threads about "naked
transactions"
http://www.garlic.com/~lynn/subintegrity.html#payments

somewhat as the result of the work on "electronic commerce", in the
mid-90s, we were invited to participate in the x9a10 financial standard
working group which had been given the requirement to preserve the
integrity of the financial infrastructure for *ALL* retail payments. as
part of that activity there was detailed end-to-end threat &
vulnerability studies done of different kinds & modes of retail
payments.

x9a10 financial standard working group produced an payment standard that
slightly tweaked the paradigm and eliminate the threat and vulnerability
from having account numbers and/or other transaction information
revealed ... for *ALL* retail payments (point-of-sale, face-to-face,
unattended, credit, debit, internet, ACH, stored-value, aka *ALL*).
http://www.garlic.com/~lynn/x959.html#x959

x9.59 financial standard didn't do anything about hiding or encrypting
the information in transactions ... but eliminated the ability of the
crooks being able to use that information for fraudulent transactions.

Now the major use of "SSL" in the world today is this earlier
"electronic commerce" work to hide account numbers and transaction
details. A side effect of x9.59 financial standard eliminates the need
for that hiding and therefor the major use of "SSL" in the world today.

--
40+yrs virtualization experience (since Jan68), online at home since Mar1970

----------------------------------------------------------------------

0 new messages