Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
Chip and PIN is broken
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.
(Image: Smartcard3.png, Wikimedia Commons)
Hydraulic Press Channel shows why carbon fiber and variants like carbon nanotubes have so many uses: depending on the configuration, they can hold up against the hydraulic press.
Roald Dahl spent the last of his days in a special armchair that he modded to help him with back pain from a WWII injury; now, in honour of the Dinner at the Twits interactive theatre events, the craft 40FT Brewery has swabbed some yeast from Dahl’s chair and cultured it to brew Mr. Twit’s […]
A Mars science news update from NASA’s Jet Propulsion Laboratory, in Pasadena, California.
If you’re looking to earn a top salary in the tech industry, there’s no better career than coding. However, sometimes the hardest part of entering this career path is knowing where to begin.We took the Complete Web Developer Course because it took that decision out of our hands. This course teaches beginner-friendly coding languages that will also help land an immediate […]
To be a Pokémon master, you’ll need a phone that won’t constantly die on you. Because nothing is worse than seeing the screen go black right as you’ve finally found the Charizard of your dreams.That’s why we’re so excited about the LinearFlux PokeCharger Portable Battery ($39.99). With its 3.0 Amp HyperCharging technology, this slim battery will […]
The tech industry is constantly innovating, and in order to stay competitive, you’ll need to keep up. The Programming Into the Future Bundle was created to teach you the skills employers are looking for at this very moment, including in-demand coding languages like Google Go.The bundle of courses includes instruction on a range of innovative tools that advanced coders […]