1. Home
  2. Electronics Design
  3. A bit OT: For our european friends

A bit OT: For our european friends

Date: Thu, 11 Feb 2010 18:29:12 -0500 =46rom: David Magda Subject: EMV busted

Seems that the EMV standard has been compromised:

"Chip and PIN is fundamentally broken," Professor Ross Anderson of > Cambridge University told ZDNet UK. "Banks and merchants rely on the =

words

'Verified by PIN' on receipts, but they don't mean anything."

formatting link

More reports:

formatting link
formatting link
formatting link

Anderson's paper is available:

formatting link

EMV is called often called "Chip and PIN", as well as "Chip Card" in = Canada.

Some financial institutions put a lot of stock in the security of this:

You are responsible for the full amount of all authorized activity or > other Transactions resulting from use of the Card or Connect ID and PIN=

or

Password by any person, including any entry error or fraudulent or > worthless deposit at an ABM or other machine. You are responsible for =

the

full amount of all unauthorized activity or other Transactions which =

occur

before we receive notification that your PIN, Password or Card was lost=

or

stolen or that your Connect ID, PIN or Password may have become known =

to

an unauthorized person. On receiving such notice from you we will =

block

the Card's, PIN's or Connect ID's ability to access our services and/or > the use of a Card or the Account.

formatting link
(column 9)

In many cases, the banks' (now no longer trust-worthy) logs are the definitive record:

Our records will be conclusive proof of use of a Card or the Account or > electronic services and will be considered your written request to =

perform

the Transaction. Even though you may be provided with a Transaction > receipt, verification or confirmation number, or interim statement by =

or

through an ABM or other machine, the following applies to all =

Transactions

or other activity on the Account: > * our acceptance, count and verification of Transactions or deposits > will be considered correct and binding unless there is an obvious error > [...]

(Ibid.)

Some are a bit more reasonable, but if your card has been cloned (and put back in your wallet/purse), you may not notice the problem until too = late:

If someone uses your Visa Card and your PIN or your Visa Account number > with any other security code to make unauthorized purchases or =

otherwise

obtain the benefits of your Visa Card, you will not be responsible for > those charges provided that you (i) are able to establish to our > reasonable satisfaction that you have taken reasonable steps to protect > your Visa Card [...] and (ii) cooperate fully with our > investigation. [...] > You are not responsible for unauthorized use of your Visa Card or your > Visa Account number in transactions in which neither a PIN nor a =

security

code is used as the cardholder verification method.

formatting link

--=20 Transmitted with recycled bits. Damnly my frank, I don't give a dear

----------

Reply to
JosephKK
Loading thread data ...

It's actually an old hat. The cards in question have been exchanged already. ciao Ban

Reply to
Ban

Yes, very nice. As far as I understand, the terminal sends the PIN to the Cip on the card (or the device between them) and the card (*or*

*the* *device*) answers "PIN OK".

My cards have not been replaced since 2/10/2010 ;-)

The good thing is, that courts will no longer beleive the banks, when they claim, that this procedure is safe.

For our american friends: "The most widely known implementations of EMV standard are:

  • VSDC - VISA * MChip - MasterCard * AEIPS - American Express * J Smart - JCB"

see

formatting link

Falk

Reply to
Falk Willberg

No. This is a novel and fairly severe security weakness that the Cambridge team has uncovered. It made BBCs NewsNight last week. See:

formatting link

It is more sophisticated than the simple description above but not that much more - they demonstrated it for the BBC with pin 0000. They don't like 3D secure either (which by design looks like a phishing attack).

formatting link

It isn't the only one. ISTR Belgian cryptographers broke the encryption on the French ecash system and the same team destroyed the cryptographic security on the wireless OysterCard London underground (which incidentally includes a lot of secure buildings pass systems).

Previous weaknesses only allowed them to skim enough information to make a magnetic stripe card forgery that would work to take money out overseas or a chipped card that always says yes. These fail in a live online transaction where the bank computer can talk to the terminal and challenge the card for a response. This new methodology defeats the EMV protocol and causes a PIN OK message to be sent to the banks by the merchants terminal allowing any transaction.

For obvious reasons some details of how the new attack works have been kept back. It will be a nightmare to sort out and close these loopholes.

Regards, Martin Brown

Reply to
Martin Brown

formatting link

A fingerprint system would have been better. As a worst case, you get the fingerprint of the perp.

--
Dirk

http://www.transcendence.me.uk/ - Transcendence UK
http://www.theconsensus.org/ - A UK political party
http://www.blogtalkradio.com/onetribe - Occult Talk Show
Reply to
Dirk Bruere at NeoPax

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.