четверг, 22 мая 2014 г.

Unpredictable number is not always Unpredictable. A new attack on Chip and PIN cards.

Serious security flaw has been again identified and then presented on 19th of May at the 2014 IEEE Symposium on Security and Privacy in San Jose, California by group of researchers from Computer Science Department in Cambridge University. The Group includes Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov and Ross Anderson.

Chip and Skim: cloning EMV cards with the pre-play attack

Actually the issue with Unpredictable Number has been already presented in 2012, but this time they improve the attack by identifying a second flaw. By the way this is not a first time when same security group reported about security flaw in EMV standard. The first issue has been raised in 2010. They said: Chip and PIN is broken. Indeed, when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. So they trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want).

So it means we are living in not perfect world, and when it comes to security, we have to keep in mind, cybercriminals are not sleeping and they are just behind you...

And just to give you an idea how it could be done in a real life, please watch a BBC video below: