UK Detects Chip-And-PIN Security Flaw

Anne & Lynn Wheeler lynn at garlic.com
Wed Jun 7 09:21:44 EDT 2006


UK Detects Chip-And-PIN Security Flaw
http://www.cardtechnology.com/article.html?id=20060606I2K75YSX

APACS says the security lapse came to light in a recent study of the 
authentication technology used in the UK's new "chip-and-PIN" card system.

... snip ...

this was documented as the "yes card" in 2002 regarding chip&pin 
rollouts that had been done in the 99-2002 time-frame.

since the "yes card" vulnerability is an attack against the POS terminal 
(not the card) ... and since the vulnerability is part of the standard 
... even if all new cards were rolled w/o the "fix" ... the 
infrastructure might still be vulnerable if POS terminals could be 
convinced to communicate using the vulnerable standard (this is somewhat 
analogous to an attacker attacking protocols and convincing parties to 
downgrade to lower encryption).

misc. posts discussing the "yes card" vulnerability as well as 
mentioning a possible man-in-the-middle attack against the fix for the 
"yes card" vulnerability.

http://www.garlic.com/~lynn/aadsm15.htm#25 WYTM?
http://www.garlic.com/~lynn/aadsm17.htm#13 A combined EMV and ID card
http://www.garlic.com/~lynn/aadsm17.htm#25 Single Identity. Was: PKI International Consortium
http://www.garlic.com/~lynn/aadsm17.htm#42 Article on passwords in Wired News
http://www.garlic.com/~lynn/aadsm18.htm#20 RPOW - Reusable Proofs of Work
http://www.garlic.com/~lynn/aadsm22.htm#20 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#29 Meccano Trojans coming to a desktop near you
http://www.garlic.com/~lynn/aadsm22.htm#33 Meccano Trojans coming to a desktop near you
http://www.garlic.com/~lynn/aadsm22.htm#34 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#39 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#47 Court rules email addresses are not signatures, and signs death warrant for Digital Signatures
http://www.garlic.com/~lynn/aadsm23.htm#2 News and Views - Mozo, Elliptics, eBay + fraud, naïve use of TLS and/or tokens
http://www.garlic.com/~lynn/aadsm23.htm#15 Security Soap Opera - (Central) banks don't (want to) know, MS prefers Brand X, airlines selling your identity, first transaction trojan
http://www.garlic.com/~lynn/aadsm23.htm#20 Petrol firm suspends chip-and-pin
http://www.garlic.com/~lynn/aadsm23.htm#25 Petrol firm suspends chip-and-pin
http://www.garlic.com/~lynn/aadsm23.htm#27 Chip-and-Pin terminals were replaced by "repairworkers"?
http://www.garlic.com/~lynn/aadsm23.htm#30 Petrol firm suspends chip-and-pin
http://www.garlic.com/~lynn/aadsm23.htm#43 Spring is here - that means Pressed Flowers
http://www.garlic.com/~lynn/2003o.html#37 Security of Oyster Cards
http://www.garlic.com/~lynn/2004g.html#45 command line switches [Re: [REALLY OT!] Overuse of symbolic constants]
http://www.garlic.com/~lynn/2004j.html#12 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#13 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#14 US fiscal policy (Was: Bob Bemer, Computer Pioneer,Father of ASCII,Invento
http://www.garlic.com/~lynn/2004j.html#35 A quote from Crypto-Gram
http://www.garlic.com/~lynn/2004j.html#39 Methods of payment
http://www.garlic.com/~lynn/2004j.html#44 Methods of payment
http://www.garlic.com/~lynn/2005u.html#13 AMD to leave x86 behind?
http://www.garlic.com/~lynn/2006d.html#31 Caller ID "spoofing"
http://www.garlic.com/~lynn/2006e.html#3 When *not* to sign an e-mail message?
http://www.garlic.com/~lynn/2006k.html#1 Passwords for bank sites - change or not?
http://www.garlic.com/~lynn/2006l.html#27 Google Architecture
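
To make the terminal-side point of the post concrete, here is an added toy model (my construction, not the poster's code and not EMV): a terminal that accepts whatever mode a card offers is talked down to the weak mode by a card that only offers that mode, while a terminal enforcing a mode floor declines it and still accepts new cards. The mode names, the floor policy and the "genuine" flag are assumptions of this example.

```python
# Added toy model of the terminal-side downgrade risk described in the post: a
# constructed illustration, not EMV and not any real terminal's code.
from dataclasses import dataclass, field
LEGACY = 1  # older mode carrying the weakness (constructed label)
FIXED = 2   # mode that includes the fix (constructed label)

@dataclass
class Card:
    modes: set     # modes the card claims to support (a counterfeit can lie)
    genuine: bool  # ground truth the terminal cannot see directly

@dataclass
class Terminal:
    floor: int                               # lowest mode this terminal accepts
    log: list = field(default_factory=list)  # decline reasons, for monitoring

    def negotiate(self, card):
        # highest mode both sides know, but never anything below the floor
        common = sorted(m for m in card.modes if m in (LEGACY, FIXED))
        if not common:
            self.log.append("no common mode: declined")
            return None
        mode = common[-1]
        if mode < self.floor:
            # a card offering only the old mode looks like a downgrade attempt
            self.log.append(f"mode {mode} below floor {self.floor}: declined")
            return None
        return mode

    def authorize(self, card):
        mode = self.negotiate(card)
        if mode is None:
            return False
        if mode == LEGACY:
            # weak mode: the terminal takes the card's own answer at face value
            return True
        return card.genuine  # fixed mode: the terminal can actually check the card

def run_scenarios():
    # the same two cards against a permissive terminal and one with a floor
    counterfeit = Card(modes={LEGACY}, genuine=False)
    new_card = Card(modes={LEGACY, FIXED}, genuine=True)
    permissive, strict = Terminal(floor=LEGACY), Terminal(floor=FIXED)
    return {
        "permissive_counterfeit": permissive.authorize(counterfeit),  # True
        "permissive_new": permissive.authorize(new_card),             # True
        "strict_counterfeit": strict.authorize(counterfeit),          # False
        "strict_new": strict.authorize(new_card),                     # True
        "strict_log": strict.log,
    }
```

Issuing only new cards changes nothing in the first row: the permissive terminal still approves the counterfeit, and only the floor policy on the terminal closes the gap, while its log gives the acquirer a signal to watch for.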

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list