

"Chip and PIN is broken" - lucifer
http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

======
NateLawson
Chip and PIN (EMV) is the main payment protocol for credit transactions in
Europe. It is a big deal. The problem is that the cardholder authentication
step is not properly tied to the bank authorization. Instead the bank only
finds out "verification succeeded" without knowing which type of verification
was used (signature or PIN).

In particular, the MITM between the card and terminal does not interfere until
the Terminal tries to send the PIN to the card. It blocks this message and
instead says:

(As Card) "Dear Terminal, the entered PIN is ok"

(As Terminal) "Dear Card, let's assume I took a signature and continue
straight on to authorizing the transaction"

I think the best decision would have been for the card to include the
authentication method as part of the MAC for the transaction (PIN, signature,
etc.). In particular, if the TVR message had the auth type requested (not just
error codes), it would be MAC'd in the ARQC message and the bank could verify
if the Terminal is lying in saying the card verified the PIN ok.
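
The fix proposed in the comment above, sketched as an added example (not part of the original comment, and not EMV's actual message format): the issuer recomputes the card's MAC with and without the verification method bound into it. HMAC-SHA256 stands in for the card's real MAC, and the key, field values and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key; stands for a secret shared by card and issuer.
CARD_KEY = b"constructed-demo-key"

def mac(key, fields):
    # Length-prefix each field so field boundaries are unambiguous.
    # HMAC-SHA256 is a stand-in for the card's real MAC (assumption).
    msg = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields
    )
    return hmac.new(key, msg, hashlib.sha256).digest()

def card_arqc(amount, nonce, cvm_seen_by_card, bind_cvm):
    """Card side: MAC the transaction data. With bind_cvm, the MAC also
    covers the cardholder verification method the card itself saw."""
    fields = [amount, nonce]
    if bind_cvm:
        fields.append(cvm_seen_by_card)
    return mac(CARD_KEY, fields)

def issuer_accepts(amount, nonce, cvm_claimed_by_terminal, arqc, bind_cvm):
    """Issuer side: recompute the MAC from what the terminal reported
    and compare it in constant time with what the card produced."""
    fields = [amount, nonce]
    if bind_cvm:
        fields.append(cvm_claimed_by_terminal)
    return hmac.compare_digest(arqc, mac(CARD_KEY, fields))

def run(bind_cvm, card_view, terminal_view):
    # Constructed transaction values.
    amount, nonce = "42.00", "nonce-01"
    arqc = card_arqc(amount, nonce, card_view, bind_cvm)
    return issuer_accepts(amount, nonce, terminal_view, arqc, bind_cvm)

if __name__ == "__main__":
    # Card thinks "signature", terminal thinks "pin" (the mismatch above).
    print("unbound, mismatched views accepted:", run(False, "signature", "pin"))
    print("bound, mismatched views accepted:  ", run(True, "signature", "pin"))
    print("bound, matching views accepted:    ", run(True, "pin", "pin"))
```
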

------
RiderOfGiraffes
This submission:

<http://news.ycombinator.com/item?id=1118659>

links to the web site version which is here:

<http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/>

~~~
lucifer
Thanks, didn't see that.

~~~
RiderOfGiraffes
You're welcome. I have a knack for spotting duplicates. Some call it useful,
others call it incredibly irritating.

~~~
carbocation
Upvoted, because I find it to be both.

~~~
RiderOfGiraffes
Thank you - you made me smile.

However, I refer you to this comment and its parents:
<http://news.ycombinator.com/item?id=1122023>

I'm not going to bother flagging such duplication any more. Even though I find
it frustrating to see conversations split across effectively duplicate
submissions, it will continue to happen, and I'm just wasting time.

