[Cryptography] Insecure Chip 'n' PIN starts tomorrow
Phillip Hallam-Baker
phill at hallambaker.com
Fri Oct 2 10:52:04 EDT 2015
On Thu, Oct 1, 2015 at 11:47 PM, John Levine <johnl at iecc.com> wrote:
> >>> Are there any attacks against EMV that don't involve using the payment
> >>> mechanisms that only require the card number?
>
> Since nobody else seems to have sent it in, the paper you want is
> "Chip and PIN is Broken" by Murdoch et al. at Cambridge. They found a
> bug in the protocol that lets a MITM device fake a PIN verified
> transaction:
>
>
> https://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf
So, what they can do is to downgrade a Chip and PIN transaction to a
Chip-only transaction.
It's only a break in the protocol if the designers weren't aware of the
tradeoff.
It is fixable, but in 2010 the fixin's I would use were patented.
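
An added example, not part of the original message and not the fix the poster refers to: a sketch of an issuer-side consistency check that flags transactions where the terminal reports a verified PIN but the card's own data does not agree, which is the signature of the downgrade described above. The record layout, field names and sample transactions are hypothetical and constructed for illustration; real EMV messages carry these facts in encoded fields.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical, simplified authorization record (assumption, not an EMV format).
@dataclass
class AuthRecord:
    txn_id: str
    terminal_cvm: str                  # terminal's claim: "pin", "signature" or "none"
    card_pin_verified: Optional[bool]  # card's own view; None if the issuer cannot read it

def classify(rec: AuthRecord) -> str:
    """Compare the terminal's view of cardholder verification with the card's."""
    if rec.terminal_cvm != "pin":
        # An openly chip-only transaction: the issuer can price that risk knowingly.
        return "chip-only"
    if rec.card_pin_verified is None:
        # Terminal claims PIN, but the card-side data is missing or unparsed.
        return "unverifiable"
    if rec.card_pin_verified:
        return "pin-consistent"
    # Terminal believes the PIN was verified; the card never verified one.
    return "mismatch"

def review(records):
    """Map each transaction id to its classification."""
    return {r.txn_id: classify(r) for r in records}

def flagged(records):
    """Transaction ids an issuer should decline or investigate."""
    return [r.txn_id for r in records
            if classify(r) in ("mismatch", "unverifiable")]

# Constructed sample data.
SAMPLE = [
    AuthRecord("t1", "pin", True),        # ordinary Chip and PIN
    AuthRecord("t2", "signature", False), # declared chip-only
    AuthRecord("t3", "pin", False),       # the two sides disagree
    AuthRecord("t4", "pin", None),        # card data not available
]

if __name__ == "__main__":
    for txn, verdict in review(SAMPLE).items():
        print(txn, verdict)
```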