The chip-and-PIN authentication system is badly broken, such that a hacker/thief with anyone's chip-and-PIN Visa or Mastercard can make arbitrary purchases. The problem appears to be that these cards can be used with chip and PIN or with chip and signature, and by telling the card they're using one and the terminal they're using the other, people who know where it's broken can make purchases using any arbitrary PIN. The problem behind the problem is that there are lots of different, overlapping implementations of the security for chip-and-PIN, and lots of people with unsupported confidence that their implementations are sound.
The researchers reported this to the banking industry a couple of months ago. They note that this may explain at least some of the cases of phantom withdrawals. It may make it harder for the banking industry to deny refunds on the grounds that the challenged transactions were authenticated with a PIN: the researchers demonstrated using this attack on a system that was calling the bank for authentication, getting the authentication, and completing the transaction.
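As an added illustration (not code from the post, the researchers, or any bank), here is a toy issuer-host check that declines a transaction when the terminal's account of how the cardholder was verified disagrees with the card's own account, beside the weaker logic that trusts the terminal alone; the field names `terminal_cvm` and `card_cvm` and the sample records are assumptions constructed for this example, not real EMV message fields.

```python
from __future__ import annotations
from dataclasses import dataclass

PIN, SIGNATURE = "pin", "signature"

@dataclass(frozen=True)
class AuthRequest:
    """One authorization request as the issuer host sees it (constructed)."""
    pan_suffix: str      # last four digits, for logging only
    amount_cents: int
    terminal_cvm: str    # how the terminal believes the cardholder was verified
    card_cvm: str        # how the card itself recorded the verification (assumed field)
    card_blocked: bool = False

def legacy_decide(req: AuthRequest) -> str:
    """Weak host logic: trusts the terminal's claim and never consults the card."""
    if req.card_blocked:
        return "decline"
    return "approve" if req.terminal_cvm in (PIN, SIGNATURE) else "decline"

def decide(req: AuthRequest) -> tuple[str, str]:
    """Hardened host logic: terminal and card must agree on the method used."""
    if req.card_blocked:
        return "decline", "card cancelled"
    if req.terminal_cvm != req.card_cvm:
        # Terminal says PIN, card says signature (or vice versa): the split
        # the post describes. Decline and flag for investigation.
        return "decline", f"cvm mismatch terminal={req.terminal_cvm} card={req.card_cvm}"
    return "approve", f"cvm consistent ({req.card_cvm})"

# Constructed sample traffic covering the honest and the split cases.
SAMPLES = {
    "honest pin":            AuthRequest("1234", 4999, PIN, PIN),
    "honest signature":      AuthRequest("1234", 4999, SIGNATURE, SIGNATURE),
    "split":                 AuthRequest("1234", 4999, PIN, SIGNATURE),
    "split, cancelled card": AuthRequest("1234", 4999, PIN, SIGNATURE, card_blocked=True),
}

def compare_hosts() -> dict[str, tuple[str, str]]:
    """Map each sample to (legacy decision, hardened decision)."""
    return {name: (legacy_decide(r), decide(r)[0]) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (old, new) in compare_hosts().items():
        print(f"{name:24s} legacy={old:8s} hardened={new}")
```

The "split" sample is the one the post describes: the legacy host approves it because the terminal reports a PIN, while the hardened host sees that the card never agreed and declines.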
A cancelled card is still a cancelled card, and won't be authorized even with this attack. Also, it doesn't work at ATMs/cashpoints, only at merchants. But there are lots of stores that will sell any number of things that a thief either wants or can resell.
(If you're North American and don't know what chip-and-PIN is, hope that this gets fixed for real, and on a large scale, before it's implemented as "security" for our credit and debit cards.)
[via Bruce Schneier]