![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Preplay Attack on Chip and PIN
May. 21st, 2014 01:21 amhttps://www.schneier.com/blog/archives/2014/05/preplay_attack_.html
Interesting research paper on a bank card chip-and-PIN vulnerability. From the blog post:
Interesting research paper on a bank card chip-and-PIN vulnerability. From the blog post:
Our new paper shows that it is possible to create clone chip cards which normal bank procedures will not be able to distinguish from the real card.
When a Chip and PIN transaction is performed, the terminal requests that the card produces an authentication code for the transaction. Part of this transaction is a number that is supposed to be random, so as to stop an authentication code being generated in advance. However, there are two ways in which the protection can be bypassed: the first requires that the Chip and PIN terminal has a poorly designed random generation (which we have observed in the wild); the second requires that the Chip and PIN terminal or its communications back to the bank can be tampered with (which again, we have observed in the wild).
