Chip-and-PIN is broken




Posted by verdilak » Fri Feb 12, 2010 4:06 am

Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer.
http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/ wrote:

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.

But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.

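The message flow the quoted post describes, as an added illustration that is not part of the original post and not code from the Light Blue Touchpaper authors or from any real EMV implementation. It assumes a deliberately simplified model: card and terminal exchange Python dicts instead of ISO 7816 APDUs, cryptograms and the card's CVM list are omitted, and the card simply remembers whether it saw a successful VERIFY before it generated its cryptogram. The status words and the VERIFY / GENERATE AC command names are real; the `wedge`, `issuer_check` and `transaction` helpers are hypothetical names for this example.

```python
"""Simplified model of the Chip-and-PIN "wedge" (man-in-the-middle) attack.

Added illustration only, not code from the post or from any EMV stack.
Assumptions: messages are plain dicts, cryptograms and CVM lists are left
out, and the card records whether it saw a successful VERIFY.
"""

from dataclasses import dataclass, field

SW_OK = 0x9000          # ISO 7816: command completed successfully
SW_PIN_WRONG = 0x63C2   # ISO 7816: verification failed, 2 tries left
SW_UNSUPPORTED = 0x6D00  # ISO 7816: instruction not supported


@dataclass
class Card:
    """The chip. It only answers commands; it never sees the terminal."""
    pin: str
    pin_verified: bool = False
    log: list = field(default_factory=list)

    def handle(self, cmd):
        self.log.append(cmd["ins"])
        if cmd["ins"] == "VERIFY":
            self.pin_verified = cmd["pin"] == self.pin
            return {"sw": SW_OK if self.pin_verified else SW_PIN_WRONG}
        if cmd["ins"] == "GENERATE AC":
            # What the card reports to the issuer about cardholder
            # verification (assumed representation: a plain string).
            card_cvm = "PIN" if self.pin_verified else "signature or none"
            return {"sw": SW_OK, "card_cvm": card_cvm}
        return {"sw": SW_UNSUPPORTED}


@dataclass
class Terminal:
    """Point-of-sale terminal talking to whatever sits in the slot."""
    channel: object  # callable: command dict -> response dict

    def run(self, entered_pin, amount):
        resp = self.channel({"ins": "VERIFY", "pin": entered_pin})
        if resp["sw"] != SW_OK:
            return {"approved": False, "receipt": "PIN incorrect"}
        # From here on the terminal believes the card verified the PIN.
        ac = self.channel({"ins": "GENERATE AC", "amount": amount})
        return {
            "approved": ac["sw"] == SW_OK,
            "receipt": "Verified by PIN",
            "terminal_cvm": "PIN",
            "card_cvm": ac["card_cvm"],
        }


def direct(card):
    """Honest channel: terminal commands go straight to the card."""
    return card.handle


def wedge(card):
    """Man-in-the-middle between terminal and card (hypothetical helper).

    VERIFY is answered locally with 'success' and never reaches the card,
    so the card proceeds as a signature / no-PIN transaction while the
    terminal records a successful PIN check. Everything else is relayed.
    """
    def channel(cmd):
        if cmd["ins"] == "VERIFY":
            return {"sw": SW_OK}
        return card.handle(cmd)
    return channel


def issuer_check(auth):
    """The check the post says banks were not making: do the terminal's and
    the card's accounts of cardholder verification agree?"""
    if not auth["approved"]:
        return False
    return auth["terminal_cvm"] == auth["card_cvm"]


def transaction(entered_pin, use_wedge, real_pin="4921", amount=1000):
    """Run one purchase and return what each party believes happened."""
    card = Card(pin=real_pin)
    chan = wedge(card) if use_wedge else direct(card)
    auth = Terminal(chan).run(entered_pin, amount)
    auth["card_saw_verify"] = "VERIFY" in card.log
    auth["consistent"] = issuer_check(auth)
    return auth


if __name__ == "__main__":
    for pin, wedged in [("4921", False), ("0000", False), ("0000", True)]:
        print(pin, "wedge" if wedged else "direct", transaction(pin, wedged))
```

Run it and the third line shows the point of the post: with the wedge in place, PIN 0000 is approved, the receipt reads "Verified by PIN", the card never received a VERIFY, and the terminal's and the card's accounts of the cardholder verification disagree. That disagreement is exactly the data an issuer could reject on, which is why the post stresses that the banks "didn't even realise they needed to check".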
