I think you are almost certainly right, but because I don't know of an exploit that demonstrates a specific vulnerability of this sort, I did not want to make a claim that could be narrowly refuted. For more details on what I was thinking, see this response: http://news.slashdot.org/comments.pl?sid=3763223&cid=43767955

That's a fair question, and I probably should have written something like "arguably, there was no security breach in these specific incidents." I don't think it would be a very good argument, but I wanted to 'immunize' my post against a sort of argument that has been used against me elsewhere (e.g. http://slashdot.org/comments.pl?sid=3682437&cid=43544497 ) This 'so far, so good' fallacy takes several forms, such as 'the incidents [so far] have caused no losses / have only occurred in the lab / have all been caught [so far as we know]', 'the losses [so far] have been minimal / reversed'... In this particular case, an apologist for the system might say 'none of the incidents reported here involve covert subversion of [what passes for] the security of these systems'.

With regard to the specific incidents reported in this article, that seems to me to be true, but irrelevant. All 'so far, so good' fallacies share two problems. The first is that they ignore the fact that such incidents are good evidence that the system is not trustworthy, and the second is that the person making the fallacy is either unaware of its bogosity, or is deliberately trying to hide it. That means the commentator (and the organization she represents) is either incompetent (in the first case) or untrustworthy (in the second) on the subject of security.

The article includes another bogus argument: "the system has been extensively tested"... but the incidents are irrefutable evidence that the testing did not work. Another bogus argument that has been used in other cases is "there is nothing wrong with the standard, the problem was in the vendor's implementation"... but a standard without effective verification of compliance is useless.

By attempting to immunize my comment, I brought on your response instead, but that's OK, because we agree over what matters here.

While these incidents do not involve a security breach, they do indicate a sloppiness in the implementation, and so raise the concern that the system has been developed without the attention to detail that is a necessary (but not sufficient) prerequisite for security.

Part of the problem is that 'obvious' has gained a special meaning in this context, partly as a result of case law, and that meaning is not the obvious one. Lawyers aren't paid to be reasonable.

Good point. If I recall correctly from my brief encounters with the patent system, if you don't bring the examiner's attention to what could arguably be considered prior art, it explicitly counts against you should your patent be challenged. It may be that large corporations have realized that 'possession is nine-tenths of the law' definitely applies here, and they can cause a lot of trouble for a competitor even with a shaky patent, for example by dragging things out to the point where it becomes moot, or by using the threat of doing so to get cross-licensing agreements.

You imposed such a sweeping constraint on any planning beyond the personal (no-one in charge) as to render it pointless:

To be consistent, it would have to be your position that the energy sector, which you acknowledge in your subsequent reversal as being capable of planning, generally practices planning under this constraint.

On considering your later attempts to reinterpret the record, it seems possible that you had intended 'anyone' to refer specifically to either governments or government-like entities, but your placement of 'government' in a nonrestrictive clause rules it out. That would have been a different discussion.

But reason for what? You are attempting to make the case that country-level planning is an activity in which it is impossible, not just difficult, to do better than doing nothing at all. Unless you can demonstrate complete coverage, a list of ways things can go wrong doesn't get the job done.

You tacitly acknowledge this whenever you attempt to transfer your burden of proof to me. That's a common dogmatist move (most often employed to convince one another that their views are beyond question), but neither I nor any other rational reader need to go down that path.

I'm sure you will dispute all of this with more of the same, and it is clearly inevitable that you will have the last word, regardless of how many repetitions it takes. Go ahead - I am happy to leave any rational reader who might wander by to make up their own minds.

In other contexts, your observations about the difficulties of central planning would be useful contributions to the discussion, but they do not work as justifications for a self-contradictory piece of dogma.

The record stands for itself.

While going to jail has become an issue for Murdoch's editors in the UK, I don't think they are much at risk in the US.

The inevitability of flaws is not an excuse to foreclose on the question of whether the implementers of this system are trying hard enough to minimize them, and I belive the evidence shows they are not.

Leaving the implementation open for banks and card manufacturers to screw up was one of the bad decisions that indicate that the people who developed this system were not quite up to the job. in security, half a fence is no fence: you have to control everything.

All these responses that say 'that problem has been fixed' ignore the point that when you see one bad decision, it is almost certainly a sign that there are others that have just not surfaced. To give an example where lives were at risk, when it was found during the construction of the Los Angeles class submarines that a faulty weld on a torpedo rack had passed multiple inspections, it immediately threw doubt on every weld on every ship constructed under the program, because the inspection process for hull and reactor welds was not substantively different from the one that failed.

In addition, your use of non-sequiturs in your arguments, such as "this doesn't affect all cards", indicates that you are unwilling or unable properly evaluate the significance of the evidence.

Maybe this time it is better, but I am deeply concerned by how you, as someone involved in testing these systems, doesn't get these points and writes as an advocate for the thing you are supposed to be testing.
 

And if you were to objectively read it and other papers on the topic you would see that there is good evidence that these or similar attacks have been used to commit fraud without the collusion of the cardholder. Furthermore, when one case of a poor design decision is found, we can reasonably assume it is not the only one, and that poor decision-making was pervasive.

As you are a self-proclaimed expert deeply involved in the testing of this system, I find your attitude deeply disturbing. You write, and presumably act, as an advocate for the system rather than as an impartial analyst and investigator, and I would not be surprised if that attitude is widespread in the organization you work for. Bruce Schneier, among others, has written about the necessity for people working on security to think like an attacker.

The point I have been making is that experience elsewhere is that the new systems have, in practice, been found to be vulnerable, and it is naive to adopt policies that are predicated on an unjustified and unrealistic assumption of invulnerability.

So, after the 'short period of time', who is liable for fraud when the merchant has upgraded to to chip technology? There seems to be an assumption that with the technology in place, fraud will be impossible, at least without the collusion of the cardholder. That was the assumption in Britain, and on that basis, liability was legally transferred to the cardholder. It turned out, however, that fraud (without the cardholder's participation) was both definitely still possible and almost certainly happening, but as far as I know, the cardholder is still legally on the hook.

http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf

The particular error covered here may not be repeated in the US (though I would not automatically assume that), but perfection is unlikely. It looks to me that the banks have themselves a deal whereby, for continuing to bear the cost of fraud for a short time, they get the new system rolled out beyond the point of no return, after which they transfer the liability for whatever happens from then on to the merchants and cardholders. I'm not celebrating yet.

'Secure' and 'better than magstripe' are two different things, and as you acknowledge, it is the second of them that is most accurate. Nevertheless, it is a valid point that chip technology is much more secure than magnetic stripe.

Three things bother me, however. The first is that while the security is better, it has not, so far, been state-of-the-art. There is a team at Cambridge University that has found a number of exploits of the British chip 'n pin system, and good evidence that these exploits are being exploited by criminals. Some of the poor design decisions that opened the way for these exploits fall in the 'what were they thinking' class. A change of this magnitude only happens once in a couple of decades, and it is in something that matters a great deal. Is it unreasonable to expect that a great deal of care should be taken to make sure it is done as well as possible, such as by employing and paying attention to people who are at least as competent as the researchers (and the criminals, for that matter) who have been able to break these schemes? We cannot expect or demand perfection, but a significant reduction in gratuitous and easily avoided mistakes appears to be achievable and reasonable to expect.

The second thing (which may also be particular to the British experience) is that the banks have lobbied successfully to change the law so that the cost of fraud is transferred to the merchants and the cardholders. It has been revealed that this transfer was a major motivation for the banks to make the change in the first place (they would prefer to be secure than not, but what they really care about is not paying for fraud.) The lobbying for these changes included what turned out to be unjustified claims about the level of security the system provided. One particular aspect of this liability transfer is that they have been able to do it without producing the log files that might have exonerated those on whom the cost was being transferred.

The third thing is that these security blunders keep on happening - we have seen the same sort of complacent mediocrity (or outright incompetence) in electronic locks and voting machines, to pick just a couple of examples. What is it going to take for security to be taken seriously? For all I know, the chip card system being developed for the US may be better than that in the UK, but past experience makes me skeptical.

http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf

This sudden reversal on planning might get you out of the hole you dug for yourself over how you expect thinking ahead to have any effect without planning, but at the cost of rendering your initial post in this thread, and most of what you have said since to justify it, pointless.