[Cryptography] EMV as a fraud enabler

John Levine johnl at iecc.com
Wed Oct 29 10:45:24 EDT 2014


>If I read that article correctly, the main issue is that certain banks
>didn't bother to verify signatures and as a secondary issue don't
>bother checking nonce uniqueness either. http://xkcd.com/1181/

Assuming you mean crypto signatures and not ink signatures, right.  In
this case it was just bizarre, since the network was approving chip
transactions for an issuer that wasn't yet certified to issue chip
cards.

A long-standing problem with chip cards is that the banks don't use
the data they have to validate transactions.  If they actually use the
data, and track the sequence numbers, they're pretty secure.  But
through a combination of laziness and the duct-tape-and-baling-wire
architecture of banking networks, they don't.  When I was attending
the weekly security seminars at Cambridge a few years ago, this was a
frequent topic of discussion, ever more ways that banks got chip+pin
wrong.

R's,
John
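
An added example, not part of the original message: the issuer-side checks discussed above (verify the card's cryptogram, track the per-card sequence number, reject reused nonces, and refuse chip transactions for an issuer not certified for chip), run over a constructed transaction stream. The field names, keys, and the HMAC-SHA256 stand-in for the card's MAC are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumed names); not real EMV keys or identifiers.
CARD_KEYS = {"card-A": b"constructed-demo-key-A"}
CHIP_CERTIFIED_ISSUERS = {"issuer-1"}

def cryptogram(key, counter, nonce, amount):
    """Stand-in for the card's MAC over the transaction (HMAC-SHA256 here)."""
    msg = f"{counter}|{nonce}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class IssuerValidator:
    def __init__(self):
        self.last_counter = {}    # card -> highest sequence number accepted
        self.seen_nonces = set()  # (terminal, nonce) pairs already accepted

    def check(self, t):
        """Return the reasons to decline; an empty list means approve."""
        reasons = []
        if t["issuer"] not in CHIP_CERTIFIED_ISSUERS:
            reasons.append("issuer not certified for chip")
        key = CARD_KEYS.get(t["card"])
        expected = cryptogram(key, t["counter"], t["nonce"], t["amount"]) if key else ""
        if not hmac.compare_digest(expected, t["cryptogram"]):
            reasons.append("bad cryptogram")
        if t["counter"] <= self.last_counter.get(t["card"], -1):
            reasons.append("counter not increasing")
        if (t["terminal"], t["nonce"]) in self.seen_nonces:
            reasons.append("nonce reused")
        if not reasons:  # update state only for approved transactions
            self.last_counter[t["card"]] = t["counter"]
            self.seen_nonces.add((t["terminal"], t["nonce"]))
        return reasons

def make_txn(counter, nonce, issuer="issuer-1", amount=1000, forge=False):
    """Build a constructed authorization request for card-A at terminal term-9."""
    cg = "00" * 32 if forge else cryptogram(CARD_KEYS["card-A"], counter, nonce, amount)
    return {"issuer": issuer, "card": "card-A", "terminal": "term-9",
            "counter": counter, "nonce": nonce, "amount": amount, "cryptogram": cg}

def demo():
    v = IssuerValidator()
    stream = [make_txn(1, "a1"), make_txn(2, "b2"), make_txn(2, "b2"),  # 3rd is a replay
              make_txn(3, "c3", forge=True), make_txn(4, "d4", issuer="issuer-2")]
    return [v.check(t) for t in stream]

if __name__ == "__main__":
    for reasons in demo():
        print("APPROVE" if not reasons else "DECLINE: " + ", ".join(reasons))
```

The replayed transaction carries a valid cryptogram, so only the sequence-number and nonce tracking catch it.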


