Optimised to fail
- Type
- Paper
- Tags
- bank, credit card
- Authors
- Steven J. Murdoch
- Event
- Chaos Communication Congress 26th (26C3) 2009
- Indexed on
- Mar 25, 2013
- URL
- http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
- File name
- fc09optimised.pdf
- File size
- 2.0 MB
- MD5
- 8336a8d573310d226bdd5be3969d009e
- SHA1
- 2d02333519bd4d39056efaad58e9b7666394a6b8
The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer's debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous design errors, which could be exploited by criminals. Banks throughout Europe are now issuing hand-held smart card readers to their customers. These are used, along with the customer's bank card, for performing online banking transactions. In this talk I will describe how we reversed-engineered the cryptographic protocol used by these readers, using some custom-designed smart card analysis hardware. We discovered several flaws in this protocol, which could be exploited by criminals (and some already are). This talk will explain what vulnerabilities exist, and what the impact on customers could be.
About us
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Statistics
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.
Contribute
To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.
