Chip and Pin

4 replies [Last post]
Fri, 02/12/2010 - 11:23
altonius
altonius's picture
Offline
Newbie
Joined: 03/30/2009

Hi Pat and Listeners,

Looks like Chip and Pin is broken (did we ever think it wouldn't happen). It looks like they hit the big guns (BBC) for a story too.

http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

Worth having a read.

Altonius

Top
Fri, 02/12/2010 - 14:22
#1
Patrick Gray
Patrick Gray's picture
Offline
Veteran Member
BloggerNetcasterSite Owner
Joined: 03/02/2009
Not a HUGE deal...

Ok, so people can use stolen cards. That's a bummer.

But saying chip and pin is broken is a massive overstatement.

The primary purpose for the switch to smart cards is to prevent cloning. The example the BBC provides of "cloning" isn't the real deal... they're sucking enough data off the cards to dummy up mag-stripe cards that can then be used in countries that don't have chip and pin terminals.

In fact, I'm told the use of stolen UK data in Australia is a massive problem.

But cloning the protected storage area of a smart card isn't currently feasible.

It's interesting research, but chip and pin is NOT dead.

Heh -- I guess chip and pin is the new SSL -- everyone loves to claim it's broken.

Top
Tue, 03/02/2010 - 20:24
#2
Anonymous
Anonymous's picture
Not dead, but definitely delayed...

Right now anyone planning on rolling out chip and pin just went back to the drawing board. Why invest the cash now when you can wait for the fix and not have potentially costly firmware updates or card recalls to do?

The end result is a mag-stripe gets to hang around longer than it should while they sort this mess out.

Top
Wed, 03/03/2010 - 00:47
#3
Patrick Gray
Patrick Gray's picture
Offline
Veteran Member
BloggerNetcasterSite Owner
Joined: 03/02/2009
I didn't think of that

But it makes perfect sense, especially in countries that haven't started rolling it out in earnest yet.

Oh well, the bad guys being busy means more work for everyone. Hooray! :)

Top
Fri, 03/05/2010 - 08:50
#4
Anonymous
Anonymous's picture
not broken

While I love the research produced by the lightbluetouchpaper guys, the have pulled the "oh noes, chip and pin is ultimate fail" story out far too many times.

Yes, this is a flaw, but the only issue is that a transaction that is not PIN verified gets reported back as being PIN verified. There are implications for fraud profiling, but thats about it.

Now, I thoroughly agree with them on 3D Secure, which is full of fail.

Top

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Image CAPTCHA
Enter the characters shown in the image.