Doubts about the safety of credit card chips
Credit and debit cards had previously only a magnetic strip, which could be easily copied. This took advantage of the so-called skimming scam. For several years, the cards usually follow the EMV standard and have a chip, the data is protected from the reading. That crooks can still take money without authorization from an EMV-enabled machines, now want British scientists found have.
For communication with the back end generates the respective chip card terminal, or about the ATM, a random number (nonce). In several cases, according to the researchers at the University of Cambridge, are these numbers, called Unpredicatble Numbers (UN), but by no means accidental, but simply increasing. The 32-bit wide in the UN is to ensure communication between cards, bank machine and that no old data is retransmitted.
The standard does not require randomly generated UN. It prescribes only that four sequentially executed from the terminal transmembrane cation must each use a different number. Even a simple counter fulfill this requirement, the scientists write.
Is such a simple implementation of UN chosen attacker could predict the calculated number for a certain time. They must also record ARQCs (Authorization Request Cryptogram), replace the ATM card and after entering the PIN. ARQCs these are each connected to a specific UN. Is it predictable, an attacker must wait for the right moment to deceive the bank with a previously used ARQC.
In practical experiments, the authors of the study in London have made several ATMs identify the generated predictable us. They also show that a generated based ARQCs recorded and calculated us transaction is just like a real one. It is therefore possible, without directly copying a fake card to use them, they conclude. When asked by the BBC, the British authorities declared fraud, there was "absolutely no evidence that this complicated fraud is taking place in practice."
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment