Interesting People mailing list archives

New paper, and a Newsnight story tonight - Chip and PIN is Broken


From: Dave Farber <dave () farber net>
Date: Thu, 11 Feb 2010 14:53:45 -0500





Begin forwarded message:

From: Dan Brickley <danbri () danbri org>
Date: February 11, 2010 2:50:36 PM EST
To: dave () farber net
Subject: Fwd: New paper, and a Newsnight story tonight - Chip and PIN is Broken


For IP if you like...


---------- Forwarded message ----------
From: Ross Anderson <Ross.Anderson () cl cam ac uk>
Date: Thu, Feb 11, 2010 at 6:12 PM
Subject: New paper, and a Newsnight story tonight - Chip and PIN is Broken
To: ukcrypto () chiark greenend org uk


There should be a 9-minute film on Newsnight tonight showing some
research by Steven Murdoch, Saar Drimer, Mike Bond and me. We
demonstrate a middleperson attack on EMV.  This explains how stolen
chip and pin cards can be used by criminals without knowledge of the
pin.

The flaw is that when you put a card into a terminal, a negotiation
takes place about how the cardholder should be authenticated: using a
pin, using a signature or not at all. This particular subprotocol is
not authenticated, so you can trick the card into thinking it's doing
a chip-and-signature transaction while the terminal thinks it's
chip-and-pin. The upshot is that you can buy stuff using a stolen card
and a pin of 0000 (or anything you want). We did so, on camera, using
various journalists' cards. The transactions went through fine and the
receipts say "Verified by PIN".

Our technical paper "Chip and PIN is Broken" has been accepted for the
IEEE Symposium on Security and Privacy, the top conference in computer
security. It can be found at

 http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/oakland10chipbroken.pdf

while the FAQ is at

 http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/

and the press release at

 http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/press-release.html

There will apparently be a trailer on the main 6 o'clock news.

Ross
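
An added illustration, not part of the original message or the paper: a sketch of an issuer-side check that authenticates the card's own view of how the cardholder was verified and compares it with what the terminal reported. The record fields, the HMAC construction and the shared demo key are assumptions made for this sketch, not EMV's actual data formats, and the sample records are constructed.

```python
import hashlib
import hmac

# Constructed demo key. Assumption of this sketch: card and issuer share it,
# and the terminal (or anything sitting between card and terminal) never sees it.
CARD_KEY = b"constructed-demo-key-not-a-real-card-key"


def card_tag(key, txn_id, card_cvm):
    """MAC binding the card's view of cardholder verification to one transaction."""
    msg = f"{txn_id}|{card_cvm}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issuer_check(key, record):
    """Return the reasons to decline; an empty list means both views agree."""
    reasons = []
    expected = card_tag(key, record["txn_id"], record["card_cvm"])
    if not hmac.compare_digest(expected, record["card_tag"]):
        reasons.append("card view not authenticated")
    if record["card_cvm"] != record["terminal_cvm"]:
        reasons.append(
            f"CVM mismatch: card={record['card_cvm']} terminal={record['terminal_cvm']}"
        )
    return reasons


def make_record(txn_id, card_cvm, terminal_cvm, key=CARD_KEY):
    """Build a constructed authorisation record (hypothetical field names)."""
    return {"txn_id": txn_id, "card_cvm": card_cvm, "terminal_cvm": terminal_cvm,
            "card_tag": card_tag(key, txn_id, card_cvm)}


# Constructed records: two consistent transactions, one where the two sides
# disagree as the message describes, one whose card view was altered in transit.
SAMPLES = [
    make_record("t1", "pin", "pin"),
    make_record("t2", "signature", "signature"),
    make_record("t3", "signature", "pin"),
    dict(make_record("t4", "signature", "pin"), card_cvm="pin"),
]


def audit(records, key=CARD_KEY):
    return {r["txn_id"]: issuer_check(key, r) for r in records}


if __name__ == "__main__":
    for txn, reasons in audit(SAMPLES).items():
        print(txn, "OK" if not reasons else "DECLINE: " + "; ".join(reasons))
```

The comparison alone catches the divergence in `t3`; the MAC is what stops the card's view from being rewritten to match the terminal's, as in `t4`.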



