[Info-vax] One possible market for VMS: secure credit card

Bob Gezelter gezelter at rlgsc.com
Mon Mar 23 03:01:21 EDT 2015


On Sunday, March 22, 2015 at 10:08:12 PM UTC-4, JF Mezei wrote:
> On 15-03-22 19:26, johnwallace4 at yahoo.co.uk wrote:
> 
> > E.g. 
> > http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
> 
> Thanks. Very interesting read. However, this proof of concept assumes
> newer cards do not block transactions unless PIN authentication has been
> performed by them.
> 
> (in short: man in middle intercepts the PIN authentication request being
> sent to the card, responds with "PIN OK", so the terminal thinks the
> user entered the right PIN, and the card never was asked to verify the
> PIN and so is unaware a bad PIN was entered.)
> 
> > What C+P is 'helpful' for is shifting the liability from the card
> > processors to someone else (the customer, the trader).
> 
> This depends on countries and banks. In Canada, there hasn't been such a
> shift. However, I suspect most fraud transactions are now done with
> "card not present" over the internet.
> 
> Note that VISA does offer a fairly basic form of authentication on the
> Internet. When I buy train tickets for instance, I am sent to a VISA
> page where I have to enter either personal info or a password I had
> registered with VISA.  VISA then tells Via Rail that the transaction has
> been accepted.

JF,

Another interesting read about vulnerabilities in EMV implementations is some research (also from Cambridge) on replay attacks. See http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

- Bob Gezelter, http://www.rlgsc.com
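The exchange summarized in the quoted message above, as an added example that is not part of the original posts: a simplified Python model of the terminal, the card and an intercepted link, showing the card-side block the quoted text mentions and an issuer-side consistency check. All class, field and function names are hypothetical, the messages are not real EMV formats, and the issuer check assumes the issuer receives both the terminal's and the card's view of PIN verification.

```python
# Simplified, constructed model for illustration; not real EMV message formats.
from dataclasses import dataclass

@dataclass
class Card:
    pin: str
    require_own_pin_check: bool   # hypothetical policy: refuse unless the card checked the PIN
    pin_verified: bool = False    # the card's own record of PIN verification

    def verify(self, pin):
        self.pin_verified = (pin == self.pin)
        return "PIN OK" if self.pin_verified else "PIN WRONG"

    def authorize(self):
        if self.require_own_pin_check and not self.pin_verified:
            return {"approved": False, "card_saw_pin": False}
        return {"approved": True, "card_saw_pin": self.pin_verified}

class DirectLink:
    """Terminal talks to the card with nothing in between."""
    def __init__(self, card):
        self.card = card
    def verify(self, pin):
        return self.card.verify(pin)
    def authorize(self):
        return self.card.authorize()

class InterceptedLink(DirectLink):
    """The PIN request is answered on the wire; the card never sees it."""
    def verify(self, pin):
        return "PIN OK"

def terminal_transaction(link, entered_pin):
    """Run one transaction and return the combined record the issuer would see."""
    if link.verify(entered_pin) != "PIN OK":
        return {"approved": False, "terminal_saw_pin_ok": False, "card_saw_pin": False}
    record = link.authorize()
    record["terminal_saw_pin_ok"] = True
    return record

def issuer_flags_mismatch(record):
    """Terminal believes the PIN was verified, but the card has no record of it."""
    return record["terminal_saw_pin_ok"] and not record["card_saw_pin"]

if __name__ == "__main__":
    for enforcing in (False, True):
        rec = terminal_transaction(InterceptedLink(Card("1234", enforcing)), "0000")
        print(enforcing, rec, "mismatch:", issuer_flags_mismatch(rec))
```
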


