[Cryptography] cost-watch - the cost of the Target breach

Anne & Lynn Wheeler lynn at garlic.com
Sun Dec 7 01:45:40 EST 2014


at the start of the century, there was a large pilot deployed in the US based
on being told it had fixed all the problems ... but there was myopic focus on
lost/stolen card ... even tho attack on POS terminals for skimming attacks
had been around for at least a decade. It turns out this was during the
"YES CARD" period ... where it was as trivial to create a
counterfeit chip&pin from effectively the same skimming exploits used to
harvest magstripe information. In the wake of the "YES CARD" ... the pilot
appeared to disappear w/o a trace and there was conjecture it wouldn't be
tried again in the US until other places were used to better work out all
the kinks & vulnerabilities.

old trip report of "YES CARD" presentation at CARTES 2002 (gone 404 but
lives on at the wayback machine) ... bottom of the page
http://web.archive.org/web/20030417083810/http://www.smartcard.co.uk/resources/articles/cartes2002.html

federal LEOs gave a more detailed description at an ATM Integrity Task
force meeting ... that prompted somebody in the audience to comment
that they managed to spend billions of dollars to prove chips are
less secure than magstripe.

A particular issue was that they had moved business rules into the
chip ... so that the terminal would ask the chip 1) if the correct
PIN was entered, 2) if the transaction should be done offline, and
3) if the transaction was within the credit limit. The "YES CARD"
designation comes from a counterfeit card answering "YES" to all
three questions. "Worse than magstripe" comes from the fact
that the countermeasure to counterfeit magstripe is to disable the account
... and online transaction wouldn't be approved. There was no
countermeasure to "YES CARD", since the transaction didn't go
online (to discover that the account had been disabled).

Also, skimming didn't even need to harvest the PIN since
a "YES CARD" would always answer "YES" to whether correct
pin had been entered, regardless of what had been actually
entered.

-- 
virtualization experience starting Jan1968, online at home since Mar1970
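
An added illustration, not part of the original post: a simplified model of the decision flow described above, showing why disabling the account stops a counterfeit magstripe but not a "YES CARD". It is not the EMV protocol; all class and function names, the account number, PIN and amounts are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Issuer:
    disabled: set = field(default_factory=set)   # accounts the issuer has shut off
    def authorize(self, account):
        # Online check: the only place a disabled account is noticed.
        return "declined: account disabled" if account in self.disabled else "approved online"

@dataclass
class GenuineChip:
    account: str
    pin: str
    offline_floor: int    # constructed: largest amount the card will do offline
    credit_left: int
    def pin_correct(self, entered): return entered == self.pin
    def do_offline(self, amount): return amount <= self.offline_floor
    def within_limit(self, amount): return amount <= self.credit_left

@dataclass
class YesCard:
    account: str          # account data harvested by skimming; no PIN needed
    def pin_correct(self, entered): return True
    def do_offline(self, amount): return True
    def within_limit(self, amount): return True

def chip_terminal(card, entered_pin, amount, issuer):
    # Business rules live in the chip: the terminal believes all three answers.
    if not card.pin_correct(entered_pin):
        return "declined: wrong PIN"
    if not card.do_offline(amount):
        return issuer.authorize(card.account)
    return "approved offline" if card.within_limit(amount) else "declined: over limit"

def magstripe_terminal(account, issuer):
    # Magstripe transaction goes online, so the issuer makes the decision.
    return issuer.authorize(account)

def run_scenario():
    issuer = Issuer()
    genuine = GenuineChip("ACCT-0001", "4821", offline_floor=50, credit_left=900)
    results = {
        "genuine_before": chip_terminal(genuine, "4821", 20, issuer),
        "genuine_wrong_pin": chip_terminal(genuine, "0000", 20, issuer),
    }
    issuer.disabled.add("ACCT-0001")  # skimming discovered, account disabled
    results["counterfeit_magstripe"] = magstripe_terminal("ACCT-0001", issuer)
    results["yes_card"] = chip_terminal(YesCard("ACCT-0001"), "0000", 5000, issuer)
    return results

if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:22} {outcome}")
```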

