Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
Chip and PIN is broken
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.
(Image: Smartcard3.png, Wikimedia Commons)
In 1958 in an Illinois creek bed, an amateur fossil collector named Francis Tully discovered the fossilized remains of a bizarre creature that resembled a mollusk, insect, and worm yet was none of those things. Since then, thousands of 300 million-year-old fossilized “Tully Monsters” have turned up and the creature was officially named as the […]
Frog tongue mechanism has been well-documented, but only recently have scientists started looking at the remarkable combo of tongue softness and frog spit’s chemical makeup.
Elenco’s Night ‘n Day Mechanical Globe uses a system of translucent, exposed gears to rotate an internally illuminated globe that displays the seasonally adjusted, real-time night/day terminator as it spins.
Wireless headphones aren’t a mind-bending thing anymore now that Apple made them the standard thing-to-be-outraged-over-in-the-new-iPhone fare, thereby killing the cool factor. But let’s be reasonable here. Wires really are a pain when you’re running, trying to get off the bus, or even just standing up from your desk. Wireless headphones make sense, they just don’t […]
Python is such a commonly used general-purpose programming language and features such (comparatively) simple syntax, that most veteran programmers consider it an excellent foundation for aspiring programmers. The Python 3 Bootcamp Bundle packs over 30 hours of training into nine courses to build that foundation for you.If you’ve never had any introduction to code at […]