

Chip and Pin is Broken (Credit Card Security Issue) - djcapelis
http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

======
adg001
How many more victim cardholders will be blamed for fraud now just because the
allegedly infallible computer system says “PIN verified”?

As noted by Frank Stajano, it is amazing the comment by "the UK Cards
Association (02:06 in the video clip) that the method will never present a
real threat to our customers’ cards because… drum roll… it requires
possession of a customer’s card.

A bit like going from “it would be very hard for a thief to steal your card
AND at the same time figure out your PIN in 3 tries or less” to “it would be
very hard for a thief to steal your card”."

------
lucifer
From cryptome.org:

"To: ukcrypto[at]chiark.greenend.org.uk
Subject: New paper, and a Newsnight story tonight - Chip and PIN is Broken
Date: Thu, 11 Feb 2010 17:12:27 +0000
From: Ross Anderson <Ross.Anderson[at]cl.cam.ac.uk>

There should be a 9-minute film on Newsnight tonight showing some research by
Steven Murdoch, Saar Drimer, Mike Bond and me. We demonstrate a middleperson
attack on EMV. This explains how stolen chip and pin cards can be used by
criminals without knowledge of the pin.

The flaw is that when you put a card into a terminal, a negotiation takes
place about how the cardholder should be authenticated: using a pin, using a
signature or not at all. This particular subprotocol is not authenticated, so
you can trick the card into thinking it's doing a chip-and-signature
transaction while the terminal thinks it's chip-and-pin. The upshot is that
you can buy stuff using a stolen card and a pin of 0000 (or anything you
want). We did so, on camera, using various journalists' cards. The
transactions went through fine and the receipts say "Verified by PIN".

Our technical paper "Chip and PIN is Broken" has been accepted for the IEEE
Symposium on Security and Privacy, the top conference in computer security. It
can be found at

[http://www.cl.cam.ac.uk/research/security/projects/banking/n...](http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/oakland10chipbroken.pdf)

while the FAQ is at

[http://www.cl.cam.ac.uk/research/security/projects/banking/n...](http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/)

and the press release at

[http://www.cl.cam.ac.uk/research/security/projects/banking/n...](http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/press-release.html)"
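
The mismatch described in the email above, as an added example that is not part of the original thread or the researchers' code: an issuer-side check that compares the verification method the terminal claims with the card's own authenticated record of what it did. The record fields, the key and the HMAC construction are simplified assumptions, not real EMV encodings.

```python
import hashlib
import hmac

# Constructed demo key; stands in for a secret shared by card and issuer.
CARD_KEY = b"constructed-demo-key"

def card_mac(key, amount, counter, card_method):
    """MAC over the transaction data and the card's own view of the verification."""
    msg = f"{amount}|{counter}|{card_method}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_record(amount, counter, card_method, terminal_method):
    """Build one constructed authorization record as the issuer would receive it."""
    return {
        "amount": amount,
        "counter": counter,
        "card_method": card_method,          # what the card believes happened
        "terminal_method": terminal_method,  # what the terminal claims happened
        "mac": card_mac(CARD_KEY, amount, counter, card_method),
    }

def issuer_check(key, rec):
    """Return 'approve', 'bad_mac' or 'cvm_mismatch' for one record."""
    expected = card_mac(key, rec["amount"], rec["counter"], rec["card_method"])
    if not hmac.compare_digest(expected, rec["mac"]):
        return "bad_mac"        # the card's view was altered in transit
    if rec["terminal_method"] != rec["card_method"]:
        return "cvm_mismatch"   # terminal says PIN, card never verified one
    return "approve"

def run_samples():
    """Run the check over four constructed records and return the verdicts."""
    samples = {
        "honest_pin": make_record(2500, 41, "pin", "pin"),
        "honest_signature": make_record(1200, 42, "signature", "signature"),
        "mismatch": make_record(9900, 43, "signature", "pin"),
    }
    # Same disagreement, but the card's field is rewritten after the MAC was made.
    tampered = make_record(9900, 44, "signature", "pin")
    tampered["card_method"] = "pin"
    samples["tampered"] = tampered
    return {name: issuer_check(CARD_KEY, rec) for name, rec in samples.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

Because the card's view is covered by the MAC in this model, a relay cannot make the two views agree without failing the first check.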

