EMV [was: Re: Why Blockbuster looks at your ID.]

[astiglic at okiok.com]

>
>
> On Sat, 9 Jul 2005, [UNKNOWN] Jörn Schmidt wrote:
>
>> less attractive to commit credit card fraud. You are, however, not
>> making it harder. That's why I believe the credit cards companies will
>> indeed have a good, long look at smartcards. Probably not tomorrow or
>> next week but in the near future.
>
> Actually, smart cards are here today. My local movie theatre in Berkeley,
> California is participating in a trial for "MasterCard PayPass." There is
> a little antenna at the window; apparently you can just wave your card at
> the antena to pay for tickets. I haven't observed anyone using it in
> person, but the infrastructure is there right now.

Interesting, they have a card (smart card)? and key fob version.  I hope
their key fob version is not as insecure as the SpeedPass RFID transponder
token used by Exxon/Esso, which has recently been broken
http://rfidanalysis.org/
The SpeedPass implemented an authentication algorithm (I think it was a
CRC-like challenge response based on a secret that defined the polynomial
used) based on a 40-bit key.  Bono & al. figured out the algorithm (based
on a patent, which described the algorithm generically, they figured out
the constants that were chosen).
The question is why did they use a 40-bit secret?  Is there some
technological constraint preventing the use of something better?

The other thing is that many of the smart cards also have a magnetic
strip, so your security level is as strong as the weakest point (magnetic
stripe type payments).  Untill all the cards are smart cards, readers will
accept both type.

--Anton




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com