UK Banks Expected To Move To DDA EMV Cards
Anne & Lynn Wheeler
lynn at garlic.com
Thu Jun 8 15:21:00 EDT 2006
UK Banks Expected To Move To DDA EMV Cards
http://www.epaynews.com/index.cgi?survey=&ref=browse&f=view&id=11497625028614136145&block=
... from above ...
Of the 6.2 billion card transactions in the UK each year, one in five
occurs offline, which increases the risk of cloned cards being used at a
retailer’s POS terminal. In short, a cloned credit or debit card may go
unidentified if a transaction is not sent to a bank for approval.
... snip ...
re:
http://www.garlic.com/~lynn/aadsm24.htm#1 UK Detects Chip-And-PIN Security Flaw
note that the counterfeit "yes card" attack (from the late 90s) isn't on
valid cards programmed to do offline (or online) transactions; the
counterfeit "yes card" attack (built from skimmed "SDA" data) is on
chip&pin terminals programmed to do what any authenticated card tells it
to do (part of the chip&pin terminal standard):
http://www.garlic.com/~lynn/2006l.html#33
the countermeasure to counterfeit "yes card" attacks on chip&pin
terminals is to program the terminal to ignore what the card tells it to
do, and always do an online transaction. this makes chip&pin deployments
subject to the same "account flagging" countermeasure that has been long
used for magstripe cards. The counterfeit "yes card" exploit always
doing offline transactions (making it immune to account flagging
countermeasures) somewhat prompted somebody several years ago to
make the comment about spending several billion dollars to prove that
chips were less secure than magstripe.
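As an added illustration (not part of the post above), a constructed Python model of the terminal policy just described: a counterfeit card that always answers "approve offline" gets through a terminal that does what the card tells it, but once the terminal is programmed to always go online, the issuer's account flagging catches the same card. The cryptogram names TC/ARQC, the floor limit and the account numbers are constructed simplifications of the EMV flow.

```python
from dataclasses import dataclass, field

# Constructed simplification of an EMV terminal/issuer exchange; not the post's code.
# TC  = card asks the terminal to approve offline
# ARQC = card asks the terminal to go online to the issuer
FLOOR_LIMIT = 50_00  # terminal offline floor limit in pence (constructed value)


@dataclass
class Issuer:
    """Authorisation host. Holds the set of flagged (hot-listed) account numbers."""
    flagged: set = field(default_factory=set)

    def authorise(self, pan: str, amount: int) -> str:
        # Account flagging only helps when the transaction actually reaches here.
        if pan in self.flagged:
            return "DECLINED"
        return "APPROVED_ONLINE"


class GenuineCard:
    """Card following issuer risk rules: offline only below the floor limit."""
    def __init__(self, pan: str) -> None:
        self.pan = pan

    def generate_ac(self, amount: int) -> str:
        return "TC" if amount < FLOOR_LIMIT else "ARQC"


class YesCard:
    """Counterfeit built from skimmed static data: always asks for offline approval."""
    def __init__(self, pan: str) -> None:
        self.pan = pan

    def generate_ac(self, amount: int) -> str:
        return "TC"


def transact(card, amount: int, issuer: Issuer, force_online: bool) -> str:
    """Terminal flow. With force_online the card's TC is ignored and the issuer decides."""
    ac = card.generate_ac(amount)
    if ac == "TC" and not force_online:
        return "APPROVED_OFFLINE"  # terminal did what the card told it to do
    return issuer.authorise(card.pan, amount)


if __name__ == "__main__":
    issuer = Issuer(flagged={"4000000000000002"})  # constructed flagged account
    clone = YesCard("4000000000000002")
    print("obey card  :", transact(clone, 20_00, issuer, force_online=False))
    print("force online:", transact(clone, 20_00, issuer, force_online=True))
```

Only the second policy gives the issuer a chance to decline the flagged account; the first never contacts it.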
part of what had prompted the aads chip strawman effort
http://www.garlic.com/~lynn/x959.html#aads
in the 90s was the frequent comment about deployments being forced into
doing "SDA" chip deployments because technology cost for "DDA" chip
deployments was too uneconomical. Part of the aads chip strawman was to
demonstrate technology doing dynamic data authentication (as
countermeasure to skimming, harvesting and replay attacks) at the
highest possible integrity ... for less cost than any "SDA" technology
(as well as being able to meet transit contactless power and timing
profile requirements).
http://www.garlic.com/~lynn/aadsm23.htm#56 UK Detects Chip-And-PIN Security Flaw
---------------------------------------------------------------------
The Cryptography Mailing List