Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
Chip and PIN is broken
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.
(Image: Smartcard3.png, Wikimedia Commons)
When Zoe Stavri woke up with a yeast infection, she had a strange and intriguing idea: what about adding some of her vaginal candida to sourdough starter?
Nick Sousanis, who delivered his doctoral dissertation in comic book form, has a new comic in the current Nature magazine, explaining the last 25 years’ worth of climate talks, as a primer in advance of the Paris climate talks next week.
Randall “XKCD” Munroe’s Thing Explainer: Complicated Stuff in Simple Words arrives in stores today: it combines technical diagrams and wordplay in pure display of everything that makes XKCD brilliant and wonderful in every way.
The Micro Drone 2.0+ is truly in a league of its own, offering a new perspective on aerial photography, and a world of technological capabilities that make flying ridiculously fun. Simply throw it in the air at any angle and its self-correcting algorithm will stabilize for smooth sailing in no time. You’ll stay entertained with […]
Celebrate Cyber Monday with some brain food. Save on any eLearning deal in the Boing Boing Store today using coupon code: CYBERMONDAY25. Below are a couple of our favorite eLearning offers: eduCBA Tech Training Bundle: Lifetime Subscription:Welcome to your personal online classroom, where you can finally study at your own pace, on your own time (and […]
This minimalist multi-tool will see to it that instead of rocking a tool belt, you’ll carry just one. It’s shaped slightly like a key and weighs less than an ounce, so it plays nice with your keychain. The strong surgical-grade stainless steel blade will last, and is handy for everyday tasks like opening boxes and […]