Every year Adi Shamir, one of the inventors of the RSA algorithm, brings something new to the table at the annual RSA Conference Cryptographers’ Panel. This year, he gave a shout-out to Ross Anderson, Steven J. Murdoch, Saar Drimer and Mike Bond for their work on breaking chip-and-PIN authentication in credit cards. That team released a paper in early February that explained how to use a man-in-the-middle attack to take down the technology, which is widely used in Europe and Canada as a means of authenticating the card and customer in a transaction.
Credit cards carry an embedded chip, and when the card is run through a reader, the reader asks the customer to enter a PIN. Via a series of digital signatures and cryptography, both ends are authenticated on the card, not on the back end, and the transaction goes through.
Shamir said Ross et al.’s research found that the cards returned a message with the number 900 verifying that the password was authenticated. “No matter what any other details might be, if it’s happy with the password, it sends back 900,” Shamir said. “All you have to do is replace a card with one that will always report 900 no matter what PIN is entered, and you’re done!”
So is chip and PIN apparently