Security Bytes

Mar 2 2010   11:36PM GMT

Shamir acknowledges chip-and-PIN attack as his favorite

Michael Mimoso


Every year Adi Shamir, one of the inventors of the RSA algorithm, brings something new to the table at the annual RSA Conference Cryptographers’ Panel. This year, he gave a shout-out to Ross Anderson, Steven J. Murdoch, Saar Drimer and Mike Bond for their work on breaking chip-and-PIN authentication in credit cards. That team released a paper in early February that explained how to use a man-in-the-middle attack to take down the technology, which is widely used in Europe and Canada as a means of authenticating the card and customer in a transaction.

Credit cards carry an embedded chip, and when the card is run through a reader, the reader asks the customer to enter a PIN. Via a series of digital signatures and cryptography, both ends are authenticated on the card, not on the back end, and the transaction goes through.

Shamir said the research by Ross et al. found that the cards returned a message with the number 900 verifying that the password was authenticated. “No matter what any other details might be, if it’s happy with the password, it sends back 900,” Shamir said. “All you have to do is replace a card with one that will always report 900 no matter what PIN is entered, and you’re done!”

So is chip and PIN, apparently.
