Chip and PIN is Broken
in [Cryptography]
|
Prev: Another informative pronouncement from Smug Doug Gwyn
Next: Protecting 3x16 bits with 16 bits ? (Which error correcting code for mode 3?)
From: Richard Outerbridge on 13 Feb 2010 10:03 In article <hl6b9r$lgh$1(a)orkan.itea.ntnu.no>, Kristian Gj�steen <kristiag+news(a)math.ntnu.no> wrote: > Richard Outerbridge <outer(a)interlog.com> wrote: > >In article <hl5m2l$fl2$1(a)orkan.itea.ntnu.no>, > > Kristian Gj�steen <kristiag+news(a)math.ntnu.no> wrote: > > > >> Richard Outerbridge <outer(a)interlog.com> wrote: > >> >I understand this entirely. I have no doubt they were able to perform > >> >the attack. But I do not believe the attack can be amplified, and as > >> >such it is more a proof-of-concept attack against EMV than a practical > >> >widespread compromise of Chip&PIN. > >> > >> Why couldn't their tools be replicated and mass-produced, leading to > >> significant compromise? > > > >Two key sentences: > > > >"The card itself may permit the terminal to attempt signature > >verification if PIN verification fails, but in practice merchants > >will normally reject the transaction." > > > >"The issuer, which can decode the IAD, does not know which cardholder > >verification method was used, and so cannot use it to prevent the > >attack." > > > >But the Issuer knows which verification methods are allowed by their > >cards, and can decode the IAD. If the Issuer has allowed signature > >fallback, or no verification, or has not included the IAD in the ARQC, > >the ambiguity arises and the attack goes through. > > > >But if, as suggested by the first sentence, offline PIN verification > >by the card itself is the only option for online transactions, then > >there is no ambiguity - except as permitted by the specification and > >perhaps implemented by incautious Issuers. > > I don't understand. Why should this be an obstacle for me with a copy > of their tools, but not an obstacle for them with the exact same tools? They got to choose the perhaps incautious Issuers' cards they attacked?
From: Kristian Gj�steen on 13 Feb 2010 10:55 Richard Outerbridge <outer(a)interlog.com> wrote: >They got to choose the perhaps incautious Issuers' cards they attacked? Do you know what fraction of issuers are "incautious"? -- Kristian Gj�steen
From: Richard Outerbridge on 13 Feb 2010 15:26 In article <hl6i0m$n9n$1(a)orkan.itea.ntnu.no>, Kristian Gj�steen <kristiag+news(a)math.ntnu.no> wrote: > Richard Outerbridge <outer(a)interlog.com> wrote: > >They got to choose the perhaps incautious Issuers' cards they attacked? > > Do you know what fraction of issuers are "incautious"? I have no idea, I'll grant you that.
From: Peter Fairbrother on 14 Feb 2010 06:28 Kristian Gj�steen wrote: > Richard Outerbridge <outer(a)interlog.com> wrote: >> They got to choose the perhaps incautious Issuers' cards they attacked? > > Do you know what fraction of issuers are "incautious"? > Afaik 100% of UK-issued cards allow signature fallback. That's not likely to change, for complex legal and political reasons I won't go into as it's a very long story. Forbidding all fallback methods would be a fix, but it would mean issuing new cards, and it would make eg unverified transactions impossible, as well as signature fallback of course. Merchants and cardholders wouldn't like it, and as I say it's a legal problem too, so I don't think it will happen - especially as there are better fixes if the banks are issuing new cards and/or terminals anyway. Some other comments: it's not a new attack, it has been known about for quite some time. The Cambridge people did demonstrate it effectively though, and their writeup in the paper is very good. Afaik it's the first paper on the attack. However for them to say they discovered the attack, as they do on their FAQ page, is not true (unless they discovered it independently). They weren't the first to describe their previous big story, the relay attack, either. Both attacks were described and available on the 'net, authored by other people, for at least a year before they wrote papers on them. In both cases they were aware of the earlier descriptions. That isn't mentioned in either paper, which I think is a little grabby of them. Ross is on his consumer high horse yet again, but I think the immediate victims of this attack are probably not the cardholders, but the merchants. The issuing bank "knows" from the IAD that cardholder verification was by signature, and will (or should) ask the retailer for the signed slip, which he can't produce as it never existed. However the acquiring bank will probably (I'm not entirely sure of this) "know" that the verification was done by PIN, from data the terminal sends to the acquiring bank. So (if that's the case) the attack will be detectable after the fact, if the issuing and acquiring banks can compare notes (which may be another legal problem). But chip and PIN is broken anyway. Even random PIN trial by thieves will net some rewards, and the cardholders in these cases will lose out if, as seems to be the case, the regulator and ombudsman accept that PINs are "infallible". Not to mention relay attacks, attacks on the PIN retry counter, and so on. -- Peter Fairbrother
From: Kristian Gj�steen on 14 Feb 2010 09:38
Peter Fairbrother <zenadsl6186(a)zen.co.uk> wrote: >Kristian Gj�steen wrote: >> Richard Outerbridge <outer(a)interlog.com> wrote: >>> They got to choose the perhaps incautious Issuers' cards they attacked? >> >> Do you know what fraction of issuers are "incautious"? >> > >Afaik 100% of UK-issued cards allow signature fallback. In Norway, the banks say that the domestic payment system does not allow signature fallback. Since almost every card are also part of either the Mastercard or Visa system, I wonder if those systems might allow signature fallback, and if so, if it is possible to make the cards use the Mastercard/Visa system instead of the domestic system. It would be rather daft it that was possible... -- Kristian Gj�steen |