“Optimised to Fail: Card Readers for Online Banking,” by Saar Drimer, Steven J. Murdoch, and Ross Anderson.
The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer’s debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.
EDITED TO ADD (3/12): More info.
Posted on March 5, 2009 at 12:45 PM
Surely this isn’t new:
Suspects entered the business, selected merchandise worth almost $8,000. They handed a credit card with no financial backing to the clerk which when swiped was rejected by the cash register’s computer. The suspects then informed the clerk that this rejection was expected and to contact the credit card company by phone to receive a payment approval confirmation code. The clerk was then given a number to call which was answered by another person in the scam who approved the purchase and gave a bogus confirmation number. The suspects then left the store with the unpaid-for merchandise.
Anyone reading this blog would know enough not to call a number given to you by the potential purchaser, but presumably many store clerks don’t have good security sense.
Posted on January 19, 2009 at 1:23 PM
There’s a new report from Sandia National Laboratories (written with Lawrence Berkeley National Laboratory) titled “Guidelines to Improve Airport Preparedness Against Chemical and Biological Terrorism.” It’s classified, but there’s an unclassified version available. (Press release. Unclassified report.)
I haven’t read it yet, but it looks interesting.
Posted on November 14, 2005 at 3:19 PM