Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
Chip and PIN is broken
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.
(Image: Smartcard3.png, Wikimedia Commons)
“A sneezing monkey, a walking fish and a jewel-like snake are just some of a biological treasure trove of over 200 new species discovered in the Eastern Himalayas in recent years,” reports the World Wildlife Foundation today.
Three scientists won the world’s top science prize today, for their “mechanistic studies of DNA repair.” Their work mapped how cells repair deoxyribonucleic acid (DNA) to prevent damaging errors from appearing in genetic information. Tomas Lindahl, Paul L. Modrich and Aziz Sancar today received the Nobel Prize in Chemistry for “having mapped and explained how […]
Maciej Ceglowski (previously) spoke to a O’Reilly’s Strata Big Data conference this month about the toxicity of data — the fact that data collected is likely to leak, and that data-leaks resemble nuclear leaks in that even the “dilute” data (metadata or lightly contaminated boiler suits and tools) are still deadly when enough of them […]
Watching Netflix, Hulu or other streaming services can unfortunately be difficult while traveling outside the US. Rather than bypass these restrictions with the help of a complex and slow VPN, choose a faster and simpler solution with Getflix. Instead of rerouting all your Internet traffic through a different server, this handy service only routes the […]
Shake, stir, and muddle your way to delicious homemade cocktails with this must-have bar set. Expect only the finest quality tools from MakersKit — enabling you to unleash your inner mixologist.Top 12 Favorite Things of 2014, Sunset MagazineQuart-size vintage-style Mason jar shakerRetro double jigger for accurate measurementsStrainer & spouts for a mixologist-style smooth pourHardwood muddler […]
The Lytro Illum dares to be different, boasting even more robust features than its first generation predecessor and a sleek design reminiscent of professional DSLRs. What’s so cool about it? Most cameras capture the position of light rays, producing a statoc 2D image.