THE BLOKES who created the specification for the Chip and PIN security system are investigating claims that the technology has been hacked.
The specification body, EMVCo, said it is looking at a paper penned by boffins at Cambridge University, who demonstrated an attack with a valid payment card that did not require a valid PIN to be entered to complete a transaction.
EMVCo is owned by American Express, JCB, MasterCard and Visa, which will also be looking at the paper just as soon as they change their pants.
"EMVCo will conduct its own analysis and draw its own conclusions. The payment systems will do the same," the body said in a statement.
The Cambridge researchers found a flaw that allowed them to build a device that modified and intercepted communications between a card and a point-of-sale terminal. It could fool the terminal into accepting that a PIN verification had succeeded when a PIN had not actually been entered.
Professor Ross Anderson of Cambridge University, who led the Chip and PIN research, said it would not be easy to fix the protocol and it was pretty much broken.
In another statement, MasterCard confirmed that it would be working with the other card-payment providers to review the security of the Chip and PIN system. However, it said there was nothing to really worry about, since it was constantly reviewing security.
The UK Payments Administration, which advises card-payment providers, claims that the attack was detectable. It said that it would be possible to establish whether the consumer was liable after the crime has been committed.
Its fear is that the banks will make customers liable if the Chip and PIN system is hacked.
But in the case of the Cambridge research, one of the team used his own Halifax bank card to make a transaction without a PIN, and that researcher had not been alerted to the transaction by his bank.
However, he said it is possible for banks to write software that would stop the attack described by his research team. It would be necessary to compare the different parts of the transaction process to see whether the means of authentication used was real. µ
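A sketch of the kind of comparison described above, added here as an illustration and not taken from the researchers' paper or any bank's software: the issuer checks whether the terminal's record of how the cardholder was verified agrees with what the card itself reported. The CVM Results layout follows the EMV specification; the `card_verified_pin` flag, the record format and the sample records are assumptions made for this example.

```python
# Added example: issuer-side consistency check over constructed records.
# EMV CVM method codes in which the card itself verifies the PIN offline.
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}
CVM_SUCCESSFUL = 0x02  # value of CVM Results byte 3 when the method succeeded


def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    """True if the terminal's CVM Results say an offline PIN check succeeded."""
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F  # low six bits carry the method code
    return method in OFFLINE_PIN_CODES and cvm_results[2] == CVM_SUCCESSFUL


def check_transaction(txn: dict) -> str:
    """Compare the terminal's view of PIN verification with the card's view.

    txn["card_verified_pin"] is a hypothetical flag the issuer has already
    decoded from data the card generated; that decoding is scheme-specific
    and is not shown here.
    """
    try:
        claimed = terminal_claims_offline_pin(bytes.fromhex(txn["cvm_results"]))
    except (KeyError, TypeError, ValueError):
        return "reject: missing or malformed CVM Results"
    if claimed and not txn.get("card_verified_pin", False):
        return "decline: terminal reports PIN verified, card does not"
    return "consistent"


def flag_mismatches(records: list) -> list:
    """Return the ids of records where the two views disagree."""
    return [r["id"] for r in records
            if check_transaction(r).startswith("decline")]


# Constructed sample records (not real transaction data).
SAMPLE = [
    {"id": "t1", "cvm_results": "410302", "card_verified_pin": True},
    {"id": "t2", "cvm_results": "410302", "card_verified_pin": False},
    {"id": "t3", "cvm_results": "1e0302", "card_verified_pin": False},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["id"], check_transaction(rec))
```

Record `t2` is the case the article describes: the terminal believes a PIN was verified while the card has no record of it.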
This is great news for terminal vendors - lots of new software to write, test and charge to download!
Not so good for Visa, MasterCard et al who will presumably have to pay for it....
If you read it you see the researchers suggest querying the terminal for the method used to authenticate the card/user.
It is done in a way that can be authenticated hence it can't be spoofed like the original attack requires.
The downside is that it probably requires new cards and certainly new backend software.
"The Cambridge researchers found a flaw that allowed them to build a device that modified and intercepted communications between a card and a point-of-sale terminal. It could fool the terminal into accepting that a PIN verification had succeeded when a PIN had not actually been entered."
It was reported on BBC News and they stated that entering 0000 would allow the payment to go through. You can enter any number and it will work. The news also called this company up and they said the flaw was already fixed a long time ago, yet did nothing to acknowledge the fact the transaction still worked and paid for the item, so it can't have been fixed.
It takes a few bits and bobs to get it working, but at the end of the day thieves would do it because they can get anything they want with this flaw.
And so the security guys keep on trying to stay ahead of the hacking guys... and so life goes on. And they lived happy forever. The End.