Noted security researcher Ross Anderson and colleagues have published a paper showing how "Chip-and-PIN" (the European system for verifying credit- and debit-card transactions) has been thoroughly broken and cannot be considered secure any longer. I remember hearing rumbles that this attack was possible even as Chip-and-PIN was being rolled out across Europe, but that didn't stop the banks from pushing ahead with it, spending a fortune in the process.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it's doing a chip-and-signature transaction while the terminal thinks it's chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists' cards. The transactions went through fine and the receipts say "Verified by PIN".
It's no surprise to us or bankers that this attack works offline (when the merchant cannot contact the bank) -- in fact Steven blogged about it here last August.
But the real shocker is that it works online too: even when the bank authorisation system has all the transaction data sent back to it for verification. The reason why it works can be quite subtle and convoluted: bank authorisation systems are complex beasts, including cryptographic checks, account checks, database checks, and interfaces with fraud detection systems which might apply a points-scoring system to the output of all the above. In theory all the data you need to spot the wedge attack will be present, but in practice? And most of all, how can you spot it if you're not even looking? The banks didn't even realise they needed to check.
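One concrete form of the check the quoted paragraph says the banks were not making, as an added example (not the paper authors' or any bank's code): the issuer host compares the terminal's unauthenticated CVM Results with the card's own, cryptogram-protected record of whether it verified a PIN. The record layout, the sample transactions and the single boolean standing in for the issuer-proprietary CVR are assumptions made for illustration.

```python
"""Issuer-side check that the terminal's and the card's account of cardholder
verification agree. Added example with a simplified record layout, not any
bank's or the paper authors' code."""
from dataclasses import dataclass

# Tag 9F34 (CVM Results), EMV Book 4: byte 1 = CVM code performed (bit 0x40 is
# the "apply succeeding CVM if this one fails" flag), byte 3 = result.
CVM_PLAINTEXT_PIN_OFFLINE = 0x01
CVM_ENCIPHERED_PIN_OFFLINE = 0x04
RESULT_SUCCESSFUL = 0x02
OFFLINE_PIN_CVMS = {CVM_PLAINTEXT_PIN_OFFLINE, CVM_ENCIPHERED_PIN_OFFLINE}

@dataclass
class AuthRequest:
    """What the issuer host sees for one online authorisation (simplified)."""
    txn_id: str
    cvm_results: bytes         # 9F34 as reported by the terminal: not authenticated
    card_offline_pin_ok: bool  # the card's own verdict from the cryptogram-covered
                               # issuer application data (9F10); real CVR layouts are
                               # issuer-specific, so it is modelled as one boolean
    arqc_valid: bool           # outcome of the cryptogram check already performed

def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True when the terminal says an offline PIN was entered and verified."""
    cvm_code = cvm_results[0] & 0x3F
    return cvm_code in OFFLINE_PIN_CVMS and cvm_results[2] == RESULT_SUCCESSFUL

def check_cvm_consistency(req: AuthRequest) -> str:
    """Return 'ok' or the reason the request should be referred for review."""
    if not req.arqc_valid:
        return "cryptogram invalid"
    if terminal_claims_offline_pin(req.cvm_results) and not req.card_offline_pin_ok:
        # Terminal: PIN verified. Card, whose data the cryptogram covers: no PIN
        # was checked. The two can only disagree if something sat between them.
        return "terminal reports offline PIN verified but card verified none"
    return "ok"

# Constructed sample traffic, not captured data.
SAMPLES = [
    AuthRequest("genuine-pin", bytes([0x01, 0x03, 0x02]), True, True),
    AuthRequest("genuine-signature", bytes([0x1E, 0x03, 0x00]), False, True),
    AuthRequest("wedge", bytes([0x41, 0x03, 0x02]), False, True),
]

def triage(requests=SAMPLES) -> dict:
    return {r.txn_id: check_cvm_consistency(r) for r in requests}
```

The "wedge" record is the only one where the terminal's PIN claim is contradicted by the card, which is why a host that scores only the terminal's fields never sees it.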
Chip and PIN is broken
(Image: Smartcard3.png, Wikimedia Commons)