UK Banks Expected To Move To DDA EMV Cards

Anne & Lynn Wheeler lynn at garlic.com
Thu Jun 8 15:21:00 EDT 2006


UK Banks Expected To Move To DDA EMV Cards
http://www.epaynews.com/index.cgi?survey=&ref=browse&f=view&id=11497625028614136145&block=

... from above ...

Of the 6.2 billion card transactions in the UK each year, one in five 
occurs offline, which increases the risk of cloned cards being used at a 
retailer’s POS terminal. In short, a cloned credit or debit card may go 
unidentified if a transaction is not sent to a bank for approval.

... snip ...

re:
http://www.garlic.com/~lynn/aadsm24.htm#1 UK Detects Chip-And-PIN 
Security Flaw

note that the counterfeit "yes card" attack (from the late 90s) isn't on 
valid cards programmed to do offline (or online) transactions; the 
counterfeit "yes card" attack (built from skimmed "SDA" data) is on 
chip&pin terminals programmed to do what any authenticated card tells it 
to do (part of the chip&pin terminal standard):
http://www.garlic.com/~lynn/2006l.html#33

the countermeasure to counterfeit "yes card" attacks on chip&pin 
terminals is to program the terminal to ignore what the card tells it to 
do, and always do an online transaction. this makes chip&pin deployments 
subject to the same "account flagging" countermeasure that has been long 
used for magstripe cards. The counterfeit "yes card" exploit always 
doing offline transactions (making it immune to account flagging 
countermeasures) somewhat prompted somebody several years ago to 
make the comment about spending several billion dollars to prove that 
chips were less secure than magstripe.

part of what had prompted the aads chip strawman effort
http://www.garlic.com/~lynn/x959.html#aads

in the 90s was the frequent comment about deployments being forced into 
doing "SDA" chip deployments because technology cost for "DDA" chip 
deployments was too uneconomical. Part of the aads chip strawman was to 
demonstrate technology doing dynamic data authentication (as 
countermeasure to skimming, harvesting and replay attacks) at the 
highest possible integrity ... for less cost than any "SDA" technology
(as well as being able to meet transit contactless power and timing 
profile requirements).
http://www.garlic.com/~lynn/aadsm23.htm#56 UK Detects Chip-And-PIN 
Security Flaw

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
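Added illustration (not part of the post above, and not EMV specification code): a toy model of the SDA/DDA distinction and of the "always go online" terminal policy. Textbook RSA on tiny primes, SHA-256 reduced mod n, the record layout, the card names and the "yes card" flag are all constructed for the example. It shows why skimmed static data passes an SDA-only check, why a clone without the card's private key fails a DDA challenge, and why a terminal that refuses the card's offline request brings account flagging back into play.

```python
"""Toy EMV SDA vs DDA model (constructed for illustration, not the spec)."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


def toy_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA on two tiny primes; insecure by design, illustration only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d


def digest(msg: bytes, n: int) -> int:
    """Hash the message and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, n: int, d: int) -> int:
    return pow(digest(msg, n), d, n)


def verify(msg: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == digest(msg, n)


# Issuer key signs card data at personalisation; only DDA cards get a card key.
ISSUER_N, ISSUER_E, ISSUER_D = toy_keypair(61, 53)
CARD_N, CARD_E, CARD_D = toy_keypair(47, 59)


@dataclass
class Card:
    pan: str
    static: bytes                            # readable by any terminal or skimmer
    issuer_sig: int                          # issuer signature over `static`
    card_pubkey_cert: Optional[int] = None   # issuer sig over pan|card_n (DDA only)
    priv_d: Optional[int] = None             # private exponent, never readable
    wants_offline: bool = False              # what the card asks the terminal to do

    def respond_to_challenge(self, nonce: bytes) -> Optional[int]:
        """DDA: sign the terminal's fresh nonce. Without priv_d there is no answer."""
        if self.priv_d is None:
            return None
        return sign(nonce + self.static, CARD_N, self.priv_d)


def issue_sda_card(pan: str) -> Card:
    static = f"{pan}|exp=12/29".encode()
    return Card(pan, static, sign(static, ISSUER_N, ISSUER_D))


def issue_dda_card(pan: str) -> Card:
    static = f"{pan}|exp=12/29|card_n={CARD_N}".encode()
    cert = sign(f"{pan}|{CARD_N}".encode(), ISSUER_N, ISSUER_D)
    return Card(pan, static, sign(static, ISSUER_N, ISSUER_D), cert, CARD_D)


def skim_and_clone(card: Card) -> Card:
    """Copy everything a terminal can read; the private key is not among it.
    The copy is set up as a 'yes card' that always asks for offline approval."""
    return Card(card.pan, card.static, card.issuer_sig, card.card_pubkey_cert,
                priv_d=None, wants_offline=True)


def terminal_authorise(card: Card, force_online: bool, flagged: set) -> str:
    # 1. SDA step: the issuer signature over the static data must check out.
    if not verify(card.static, card.issuer_sig, ISSUER_N, ISSUER_E):
        return "declined: static data not issuer-signed"
    # 2. DDA step, only for cards carrying a certified public key.
    if card.card_pubkey_cert is not None:
        cert_msg = f"{card.pan}|{CARD_N}".encode()
        if not verify(cert_msg, card.card_pubkey_cert, ISSUER_N, ISSUER_E):
            return "declined: bad card certificate"
        nonce = secrets.token_bytes(8)
        sig = card.respond_to_challenge(nonce)
        if sig is None or not verify(nonce + card.static, sig, CARD_N, CARD_E):
            return "declined: card could not answer the challenge"
    # 3. A permissive terminal does what the card asks; a hardened one goes online.
    if card.wants_offline and not force_online:
        return "approved offline"
    # Online: the issuer host applies account flagging, as it does for magstripe.
    if card.pan in flagged:
        return "declined: account flagged"
    return "approved online"


def demo() -> dict:
    """Run the four cases discussed in the post and return their outcomes."""
    sda, dda = issue_sda_card("4000-0001"), issue_dda_card("4000-0002")
    flagged = {"4000-0001"}  # issuer has flagged the skimmed SDA account
    return {
        "sda clone, permissive terminal": terminal_authorise(skim_and_clone(sda), False, flagged),
        "sda clone, always-online terminal": terminal_authorise(skim_and_clone(sda), True, flagged),
        "dda genuine, permissive terminal": terminal_authorise(dda, False, set()),
        "dda clone, permissive terminal": terminal_authorise(skim_and_clone(dda), False, set()),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The two "sda clone" lines are the post's point in miniature: the same skimmed data is approved offline by a terminal that obeys the card and declined by one that always goes online, because only the online path lets the issuer's account flagging act. The "dda clone" line shows the other countermeasure: the static data still verifies, but the clone cannot sign the terminal's nonce, so it is declined before the offline/online question even arises.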