[Info-vax] One possible market for VMS: secure credit card

johnwallace4 at yahoo.co.uk johnwallace4 at yahoo.co.uk
Mon Mar 23 04:46:55 EDT 2015


On Monday, 23 March 2015 07:01:25 UTC, Bob Gezelter  wrote:
> On Sunday, March 22, 2015 at 10:08:12 PM UTC-4, JF Mezei wrote:
> > On 15-03-22 19:26, johnwallace4 at yahoo.co.uk wrote:
> > 
> > > E.g. 
> > > http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
> > 
> > Thanks. Very interesting read. However, this proof of concept assumes
> > newer cards do not block transactions unless PIN authentication has been
> > performed by them.
> > 
> > (in short: man in middle intercepts the PIN authentication request being
> > sent to the card, responds with "PIN OK", so the terminal thinks the
> > user entered the right PIN, and the card never was asked to verify the
> > PIN and so is unaware a bad PIN was entered.)
> > 
> > > What C+P is 'helpful' for is shifting the liability from the card
> > > processors to someone else (the customer, the trader).
> > 
> > This depends on countries and banks. In Canada, there hasn't been such a
> > shift. However, I suspect most fraud transactions are now done with
> > "card not present" over the internet.
> > 
> > Note that VISA does offer a fairly basic form of authentication on the
> > Internet. When I buy train tickets for instance, I am sent to a VISA
> > page where I have to enter either personal info or a password I had
> > registered with VISA.  VISA then tells Via Rail that the transaction has
> > been accepted.
> 
> JF,
> 
> Another interesting read about vulnerabilities in EMV implementations is some research (also from Cambridge) on replay attacks. See http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf
> 
> - Bob Gezelter, http://www.rlgsc.com

Thanks for that.

http://www.cl.cam.ac.uk/~rja14 is where the aforementioned Prof Anderson
posts his stuff.

If JF's just read the one paper I linked (where rja was a contributor)
then he's missed out on a lot of good stuff. But I was trying to keep
it simple to start with...


