Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
Chip and PIN is broken
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.
(Image: Smartcard3.png, Wikimedia Commons)
To demonstrate the Magnus effect, YouTuber PeterSripol grabbed a couple of KFC buckets and tricked out an RC plane. The resulting trial and error is mostly the latter.
One of the weirdest places in Antarctica is Blood Falls, a five-story cascade of blood-red liquid pouring from Taylor Glacier. Researchers finally traced its source: a saltwater lake millions of years old trapped under the glacier.
Fetal lambs survived for weeks in an experimental artificial womb, and scientists hope that the breakthrough could lead to new treatments for premature babies and perhaps the dreamed-of machine utopia where humans are kept mindlessly writhing in translucent plastic sheaths filled with psuedoamniotic liquid. Physicians at the Children’s Hospital of Philadelphia placed fetal lambs into […]
Bamboo has lots of uses beyond just being panda food. Things like bikes, roads, scaffolding, and musical instruments are made from the fast-growing grass. But unless you are participating in a tropical-themed LARP, you probably wouldn’t want a shirt made from bamboo stalks. So why do bamboo bed sheets make any sense? Because yarn extracted from […]
If you want to work in tech, but don’t have any desire to code web apps to help businesses sell things to other business, you might want to consider a career in cybersecurity. Judging from the apparent complete infiltration of Russian hackers in American cyberspace, it seems fair to speculate that there’s a major shortage of […]
All moms are different. But all moms like getting flowers on Mother’s Day, and that’s a fact (not, however a fact we can document in any fashion.) Instead of getting chewed out for forgetting to call her on the second Sunday of May, you can take care of it ahead of time with Teleflora’s flower […]