[Info-vax] One possible market for VMS: secure credit card

JF Mezei jfmezei.spamnot at vaxination.ca
Mon Mar 23 14:38:29 EDT 2015


On 15-03-23 04:46, johnwallace4 at yahoo.co.uk wrote:

> If JF's just read the one paper I linked (where rja was a contributor)
> then he's missed out on a lot of good stuff. But I was trying to keep
> it simple to start with...


One has to be careful about these research papers. They are often
published AFTER banks have had a chance to fix the problem. In
particular, the second one with the predictable random numbers used by
ATMs in the UK.

In the first case, it depends on how cards are encoded. Again, this
research involves older generation cards, not necessarily cards being
issued today.  That particular weakness is interesting though because to
enable NFC transactions, the cards have to allow transactions without
PIN. (For those who didn't read it, the weakness is through a "card in
the middle" where the request to authenticate PIN coming from the
terminal is intercepted before it reaches the card, and a "PIN OK"
response is blindly returned. The card never sees that an invalid PIN
was entered since it never saw the PIN authentication request.)


In Canada, the stores are given the limit for NFC transactions, so not
sure if individual cards can have logic of not allowing PIN-less
transactions above a certain amount.
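
Added example, not part of the original post: an issuer-side consistency check for the weakness described above, where the terminal believes the PIN was verified but the card never saw the request. The field names, the sample records and the contactless limit are hypothetical, and it assumes the issuer receives the card's own view of PIN verification inside data protected by the card's cryptogram.

```python
from dataclasses import dataclass

# Hypothetical issuer-side limit for PIN-less contactless payments (assumed value).
NO_PIN_LIMIT_CENTS = 10_000


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount_cents: int
    interface: str             # "contact" or "contactless"
    terminal_cvm: str          # terminal's claim: "offline_pin_ok", "no_cvm", "signature"
    card_saw_pin_verify: bool  # card's own record (assumed covered by its cryptogram)


def reconcile(t: Txn) -> str:
    """Return the issuer's verdict for one authorisation request."""
    # The terminal reports a successful PIN check, but the card never
    # received a PIN verification request: the two views disagree.
    if t.terminal_cvm == "offline_pin_ok" and not t.card_saw_pin_verify:
        return "decline:pin_view_mismatch"
    # PIN-less is expected on contactless, but only up to the limit.
    if t.terminal_cvm == "no_cvm":
        if t.interface != "contactless":
            return "review:no_cvm_on_contact"
        if t.amount_cents > NO_PIN_LIMIT_CENTS:
            return "decline:no_pin_over_limit"
    return "approve"


# Constructed sample records (not real transaction data).
SAMPLES = [
    Txn("T1", 4_500, "contact", "offline_pin_ok", True),
    Txn("T2", 250_000, "contact", "offline_pin_ok", False),
    Txn("T3", 3_000, "contactless", "no_cvm", False),
    Txn("T4", 25_000, "contactless", "no_cvm", False),
    Txn("T5", 2_000, "contact", "no_cvm", False),
]


def run(samples=SAMPLES) -> dict:
    """Map each transaction id to its verdict."""
    return {t.txn_id: reconcile(t) for t in samples}


if __name__ == "__main__":
    for txn_id, verdict in run().items():
        print(txn_id, verdict)
```

The limit check here runs at the issuer, which works whether or not the card or the store terminal enforces a limit of its own.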



