News

European Payment Cards Security Problem

13 Feb/10

A recently released technical paper entitled “Chip and pin is broken” by security researchers Steven Murdoch, Saar Drimer, Mike Bond and Ross Anderson demonstrates a man in the middle attack that lets criminals use stolen payment cards without knowing the pin.

This is obviously a serious security problem as banks have always claimed that the security of the cards cannot be broken. The security exploit exists because the negotiation about how the cardholder should be authenticated is not authenticated itself which means that criminals can “card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN” which means that it is possible to enter any four digit Pin to complete the transaction.

Here are several facts about the attack:

  • the attack applies to cards used online (where the merchant POS contacts the bank) as well as offline;
  • the attack works regardless of the amount of money spent (not just for small value amounts that are below floor limit);
  • the attack doesn’t work once a card has been cancelled by the bank — just like stolen cards in the past can only be used for a certain window of time once the cardholder discovers the loss;
  • the attack doesn’t work at ATMs (cash machines);
  • the failure applies to bank card schemes based on EMV – the most widely deployed standard for smartcard payments. Older national smartcard schemes may or may not be vulnerable; we don’t know.

Continua a leggere – Original Link: European Payment Cards Security Problem

Technorati Tags: , , , , , , , , ,

Leggi Anche

Condividi
Condividi in DeliciousCondividi in DiggCondividi in RedditCondividi in StumbleCondividi in MixxCondividi in TecnoratiCondividi in Ok Notizie

Commenti

I commenti sono disabilitati per questo articolo.

I commenti sono chiusi.

Autore

    Spina Rosario
    Inserito da

Archivio

Iscrizione Newsletter

    Tieniti informato con tutte le novità del mondo informatico con la nostra newsletter
    Email:

    Nome:

    Auto Shop Italia
    Web Burning Blog
    Info Privacy

Meta