Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
Chip and PIN is broken
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.
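The check the quoted passage says banks were not making is an issuer-side comparison of the two views of cardholder verification that arrive in the same authorisation message: what the terminal reports (CVM Results) and what the card itself recorded in its issuer application data, which the card's cryptogram binds. The following is an added example, not code from the paper or from any bank; the field layout is a simplified constructed model, not the real EMV tag encoding.

```python
from dataclasses import dataclass

# CVM methods that, if reported as successful, mean "Verified by PIN" on the receipt
PIN_METHODS = {"offline_plaintext_pin", "offline_enciphered_pin", "online_pin"}


@dataclass(frozen=True)
class AuthRequest:
    """One online authorisation request as the issuer sees it (constructed, simplified)."""
    amount_pence: int
    terminal_cvm: str        # method the terminal believes it ran (terminal's CVM Results)
    terminal_cvm_ok: bool    # terminal says that method succeeded
    card_pin_attempted: bool # card's own record (carried in the cryptogram-bound IAD)
    card_pin_ok: bool        # card's own record: PIN check succeeded
    cryptogram_valid: bool   # issuer's verification of the card's ARQC


def authorise(req: AuthRequest) -> tuple[str, str]:
    """Return (decision, reason); decision is 'approve', 'decline' or 'refer'."""
    if not req.cryptogram_valid:
        return "decline", "ARQC does not verify"
    terminal_says_pin = req.terminal_cvm in PIN_METHODS and req.terminal_cvm_ok
    card_says_pin = req.card_pin_attempted and req.card_pin_ok
    if terminal_says_pin and not card_says_pin:
        # The wedge pattern: terminal and receipt say PIN verified,
        # but the card (whose record the attacker cannot forge) never ran a PIN check.
        return "decline", "CVM mismatch: terminal reports PIN verified, card reports none"
    if card_says_pin and not terminal_says_pin:
        return "refer", "CVM mismatch: card verified a PIN the terminal did not report"
    return "approve", "terminal and card agree on cardholder verification"


# Constructed sample requests: a genuine PIN transaction, a wedged one, a signature one
NORMAL_PIN = AuthRequest(2500, "offline_plaintext_pin", True, True, True, True)
WEDGED = AuthRequest(2500, "offline_plaintext_pin", True, False, False, True)
SIGNATURE = AuthRequest(2500, "signature", True, False, False, True)

if __name__ == "__main__":
    for name, req in [("normal", NORMAL_PIN), ("wedged", WEDGED), ("signature", SIGNATURE)]:
        print(name, *authorise(req))
```

The mismatch rule only works if the card's record is bound by the cryptogram, which is why the check belongs at the issuer rather than at the terminal the wedge sits in front of.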
(Image: Smartcard3.png, Wikimedia Commons)