Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
Chip and PIN is broken
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.
(Image: Smartcard3.png, Wikimedia Commons)
Dip your dollar into liquid anhydrous ammonia, dry it, and repeat. The surface tension of the boiling and evaporating ammonia shrinks the bill. Caveat: It could prove difficult to use a mini-dollar and mutilating a bill may even be illegal. (Applied Science via Weird Universe)
In many states in America, legislatures have erected punitive, vindictive barriers for women seeking contraception, requiring them to get prescriptions for safe, widely taken medications.
Designer Art Donovan writes, “I’m always looking for new and unique inspiration for my lighting commissions and the latest, cutting edge scientific devices offer a boatload of great design inspiration. From the cool, new ‘James Webb Space Telescope’ to the myriad of complex details in the L.H.P.C. at Cern- it’s a cornucopia of rich imagery.”
Folks used to rely on alarms to protect their home – and before that, the family dog. Now, anyone looking to guard their homes can choose from some high-tech options, including the Amaryllo iCamPRO FHD Home Security Camera (now just $219 in the Boing Boing Store).In fact, this 2015 CES “Best of Innovation” award-winner boasts so many features, it’s […]
If you want a quality vaping experience, it’s usually going to cost you. Vaporizers that deliver a fast, controlled burn will set you back up to $300, which is why the FEZ Vaporizer (now just $99) is an absolute steal.The FEZ dry herb pen does everything that more expensive models handle at a reduced price. It heats up […]
Taking pictures can be challenging. There are a million factors that can influence each shot you take – and unless you’re a trained photographer, you often just focus, click…and cross your fingers.Of course, you can take some of the ambiguity out of your picture-taking with this Hollywood Art Institute Photography Course & Certification package, now […]