Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment

taler

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment

From:	Christian Grothoff
Subject:	Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal
Date:	Tue, 18 Jun 2024 10:28:13 +0200
User-agent:	Mozilla Thunderbird

On 6/18/24 09:41, Jaap-Henk Hoepman via Taler wrote:

On 18/06/2024 09:37, Christian Grothoff wrote:
On 6/18/24 07:54, Marc Stibane via Taler wrote:
and the wallet can be programmed to enforce a maximum balance, toaddress AML concerns.
Nope. Open source, anyone could remove the limit.
Eh, Free Software. Plus, compliance != security, so having a limit inthe canonical app and in the terms of service _may_ suffice. So thisis really one for actual specialists to figure out, not for usamateurs to guess around.
If it is relevant for AML, the 'bad people' will try to avoid such alimit; terms of service are irrelevant that category of users ;-) Itneeds to be strictly enforced by soft- and hardware.

Let me re-iterate this: Compliance != security. Yes, we're bothprofessors in info sec, and thus think security. Very natural. Butpossibly totally wrong from a compliance perspective.

To ensure I kind of know what I am doing, I *did* recently take anactual AML training for anti-money laundering compliance specialists ofSwiss financial service providers -- and talked with banks and actuallawyers about these things for years now. From what I have learned, youare possibly wrong, but as they often say "it depends".

For example, Swiss banks can *today* totally enforce per-customer(=human) withdraw limits by sending a PIN/TAN via SMS to a mobile phonenumber. Yes, the bad guys can buy multiple phone numbers. Yes, very badguys can hack SS7 and have as many numbers as they like, or at leastreceive all the SMS they need. It is thus not secure, but nevertheless*compliant* according to FINMA. Security is not the objective, so infosec professors need to turn off that part of their brain if they want towork on compliance.

Plus, remote attestation is evil and Taler must not rely on it as itfundamentally violates informational self-determination and we do FreeSoftware for a reason.

[Prev in Thread]

Current Thread

[Next in Thread]

[Taler] A hybrid approach to allow Taler payments at an EMV payment terminal, Jaap-Henk Hoepman, 2024/06/17
- Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal, Christian Grothoff, 2024/06/17
  - Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal, Jaap-Henk Hoepman, 2024/06/17
    - Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal, Marc Stibane, 2024/06/18
    - Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal, Jaap-Henk Hoepman, 2024/06/18
    - Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal, Pau, 2024/06/18
    - Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal, Christian Grothoff, 2024/06/18
    - Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal, Jaap-Henk Hoepman, 2024/06/18
    - Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal, Christian Grothoff <=

Prev by Date: Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal
Previous by thread: Re: [Taler] A hybrid approach to allow Taler payments at an EMV payment terminal
Next by thread: Re: [Taler] Taler releases
Index(es):
- Date
- Thread