Showing posts with label EMV. Show all posts

Sunday, 30 May 2010

German Police publishes ATM Crime Numbers

The German federal police have published the 2009 numbers for ATM fraud. 964 ATMs were manipulated; that's 20% more than in 2008. Usually the PIN is spied out and the magnetic stripe data of the banking card is read. The data is transferred via a wireless connection to the criminals, who make a copy of the card and use it at another ATM.

Usually customers won't notice the manipulations. Removing the magnetic stripe would improve the situation, but note that the cards must be authenticated with a real challenge-response protocol if a real security improvement is the target.

Friday, 12 February 2010

EMV Broken by Inventing Card Response

EMV user verification uses several methods; one of them is a PIN entered by the user. However, please note that this proves the user's identity to the card, not to the terminal. If no one checks the security state of the card, this is pretty pointless. The attackers simply catch the verification request sent by the terminal to the card, throw it away and reply with a code that means "PIN was OK".
So what now? Actually, the responsibility for a correct transaction is with the merchant, because only the merchant has at least a possibility to ensure a correct transaction: If a proper terminal is used and there is no strange cable coming out of the card (see the video on the linked page) the transaction is still good. However, the damage goes to the customer, not the merchant.
And, of course, there is a huge hole in the protocol.
There is only one way to do it properly:
  • User enters PIN
  • Terminal asks card to sign the transaction
  • Card signs the transaction if and only if it has received the correct PIN
And everything is done with mutual authentication, message confidentiality and message integrity.

Where is the problem with this? It requires chips that are a little more expensive than the simplest ones. It's called "dynamic data authentication" and "Transaction Cryptogram" in the EMV world, but unfortunately it is not used in this case.
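
The three steps above as a small model, added here as an illustration and not taken from the EMV specifications or any real card software. It assumes an HMAC key shared between card and issuer as a stand-in for the transaction cryptogram, and the names `Card`, `Wedge`, `terminal_pay` and `issuer_accepts` are hypothetical; it covers only the "sign if and only if the PIN was correct" rule, not mutual authentication or confidentiality.

```python
import hashlib
import hmac


class Card:
    """Toy card: holds a key shared with the issuer and the reference PIN."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._pin_ok = key, pin, False

    def verify_pin(self, pin: str) -> bool:
        self._pin_ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._pin_ok

    def sign(self, txn: bytes):
        # Sign if and only if the card itself has received the correct PIN.
        if not self._pin_ok:
            return None
        self._pin_ok = False  # one PIN entry authorises one transaction
        return hmac.new(self._key, txn, hashlib.sha256).digest()


class Wedge:
    """Constructed stand-in for the interceptor: the PIN request never
    reaches the card, and the terminal is told 'PIN was OK'."""

    def __init__(self, card: Card):
        self._card = card

    def verify_pin(self, pin: str) -> bool:
        return True

    def sign(self, txn: bytes):
        return self._card.sign(txn)


def terminal_pay(card_iface, pin: str, txn: bytes):
    """Terminal side: ask for PIN verification, then for a signature."""
    if not card_iface.verify_pin(pin):
        return None
    return card_iface.sign(txn)


def issuer_accepts(key: bytes, txn: bytes, sig) -> bool:
    """Issuer side: a transaction counts only with a valid card signature."""
    if sig is None:
        return False
    expected = hmac.new(key, txn, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)
```

Because the signature depends on state held inside the card, a forged "PIN was OK" reply leaves the terminal with nothing the issuer will accept.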

Monday, 16 November 2009

"Anomalies" in Spain Speed up EMV Transition

It's not really clear what has happened there. It seems that massive amounts of credit card data were lost at a Spanish credit card processor. New cards are being sent to customers. At least some of these actually have an EMV chip. Another nail in the coffin of the obsolete magnetic stripes.
Update: Tonight it was in the news: more than 100 000 cards have been exchanged.