
How Smartcard Payment Systems Fail (Black Hat 2014)

By Ross Anderson

"The USA is starting to introduce EMV, the Europay-Mastercard-Visa system for making payments using chip cards instead of the old mag strip variety. EMV is already in wide use in Europe, and has started to appear in countries from Canada to India.

In theory, smartcards should have reduced fraud by making bankcards much harder to copy and by enabling banks to authenticate users at the point of sale using PINs rather than signatures. The practice has been different. In Britain, for example, fraud first went up, then down, and is now headed upwards again. There have been many fascinating attacks, which I'll describe. The certification system wasn't fit for purpose, so terminals that were certified as tamper-resistant turned out not to be. We even saw Trojans inserted in the supply chain. A protocol flaw meant that a crook could use a stolen card without knowing the PIN; he could use a man-in-the-middle device to persuade the terminal that the card had accepted the PIN, while the card was told to do a signature-only transaction. Merchant refunds were not authenticated, so a crook could pretend to the bank that he was a merchant, and credit his card back after making a purchase.

The most recent series of attacks exploit the freshness mechanisms in the EMV protocol. To prevent transaction replay, the terminal generates an "unpredictable number" while the card supplies an "application transaction counter" or ATC that is supposed to increase monotonically and never repeat. Yet the unpredictable numbers often aren't (in many of the terminals we looked at, they seem to be just counters) while many banks don't bother to check the ATC, as writing code to deal with out-of-order offline transactions is too much bother. As a result, we've seen some interesting attacks where cardholders unlucky enough to shop at a dishonest merchant find themselves dunned for a lot of large transactions later. In fact these "preplay" attacks behave just like card cloning, and..."
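The abstract names two freshness failures: terminals whose "unpredictable number" is really a counter, and issuers that never check the card's ATC. The following is an added example (not from the talk or from Anderson's work) of the issuer-side checks those two failures call for, run over a constructed set of authorisation records; the field layout and sample values are assumptions for illustration only.

```python
"""Issuer-side freshness checks for EMV authorisation records (added example).

Check 1: the card's Application Transaction Counter (ATC) must be strictly
         greater than the highest ATC already seen for that card; a repeat or
         a step backwards is a replay/preplay signal worth holding for review.
Check 2: a terminal's unpredictable numbers (UN) should not step by a
         constant amount; a counter-like UN sequence marks a terminal whose
         nonces an observer could predict in advance.
"""
from collections import defaultdict

# Constructed sample records, not real data: (card_id, terminal_id, ATC, UN)
TRANSACTIONS = [
    ("card-A", "term-1", 0x0101, 0x1A2B3C4D),
    ("card-A", "term-1", 0x0102, 0x1A2B3C4E),  # UN advanced by exactly 1
    ("card-A", "term-1", 0x0103, 0x1A2B3C4F),  # ... and again: a counter
    ("card-A", "term-2", 0x0102, 0x9F3E7A10),  # ATC repeats an earlier value
    ("card-B", "term-2", 0x0040, 0x51C0FFEE),
    ("card-B", "term-2", 0x0041, 0x0BADF00D),
]


def check_atc_monotonic(transactions):
    """Return (card, atc) pairs whose ATC is not above the card's high-water mark.

    Note: genuinely out-of-order offline transactions also land here, which is
    why this is a 'hold for review' list rather than an automatic decline.
    """
    high_water = {}
    suspicious = []
    for card, _terminal, atc, _un in transactions:
        if card in high_water and atc <= high_water[card]:
            suspicious.append((card, atc))
        else:
            high_water[card] = atc
    return suspicious


def weak_un_terminals(transactions, min_samples=3):
    """Return terminals whose UNs, in observed order, differ by one constant.

    A single repeated difference (including zero) means the 'unpredictable'
    number is behaving like a counter; fewer than min_samples UNs are not judged.
    """
    uns_by_terminal = defaultdict(list)
    for _card, terminal, _atc, un in transactions:
        uns_by_terminal[terminal].append(un)
    weak = []
    for terminal, uns in uns_by_terminal.items():
        if len(uns) < min_samples:
            continue
        diffs = {b - a for a, b in zip(uns, uns[1:])}
        if len(diffs) == 1:
            weak.append(terminal)
    return weak
```

On the constructed records, term-1 is reported as counter-like and card-A's repeated ATC 0x0102 is held for review, while term-2's scattered UNs pass.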
