Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
Chip and PIN is broken
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.
(Image: Smartcard3.png, Wikimedia Commons)
With so many costumes adorning this election season, you might think the Halloween get-ups are overkill. Think again, because David Ng and B.R. Cohen are here to present the official universal survey about your candy favorites for the 2016 hierarchical delineation of candy virtue.
University of Zurich researchers used transcranial magnetic stimulation, a noninvasive method of inhibiting activity in parts of the brain, to “turn off” people’s ability to control their impulses. They focused on the temporoparietal junction, an area of the brain thought to play an important role in moral decisions, empathy, and other social interactions. They hope […]
Are you jonesing for a dose of optimism and possibility? In the mood to contemplate the cosmos? Want to experience a musical message for extraterrestrials the way it was meant to be played? The Voyager Golden Record: 40th Anniversary Edition, a project I launched with Timothy Daly and Lawrence Azerrad, is a lavish vinyl box […]
If you like to DIY and you like helicopters, you’re going to really love the Flexbot Hexacopter Kit. This copter blows traditional models out of the water: it includes everything you need to actually build your own hexacopter, and then pilot it like a pro, too.The construction is complicated enough to give you a challenge, […]
This week’s top deals from the Boing Boing Store range from lobster to wine to desk organization. 1. Get Maine Lobster (50% Off)With these discounted packages from Get Maine Lobster, you can experience the sweet, fresh flavor of world-renowned Maine lobster right at your own dinner table. There are four options to choose from, each at […]
Nothing is more frustrating than needing to edit or sign a PDF and not having access to the original document. That’s why PDFpenPRO is a must-have app in our books.With this extremely useful app, you can merge, markup, and create PDF documents without ever having to convert your PDFs into word processor file formats. Type directly onto […]