Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Journal of nicholas (3034)

Friday February 12, 2010
12:31 PM

Chip and Pin counterfud exposed.

[ #40178 ]

So, Chip and Pin is broken.

But the fun part is in the comments. Comment 19 from the anonymous "Scrutineer" includes:

The attack was never successfully executed. To be successful it had to be done against a card that was reported lost and stolen. Nowhere in the report do they assert that they reported their cards they tested as lost or stolen! All they have done is prove a genuine card can be processed with odd and inconsistent CVR and TVR settings. Hardly compelling evidence.

Which of course misses the point - it's about the interval between theft and discovery of theft - the time that someone else has your card before you're able to successfully report it stolen. This attack changes the game from "the PIN protects you better than a signature - now if someone steals your card they need to guess your PIN" back to "They only need to steal your card" (and actually easier, because they don't need to learn to forge signatures).

But the best bit is comment 22:

The chap “Scrutineer” who posted comment 19 seems to have forgotten to sign it!
Anyway he’s not very good at anonymity:

$ whois
address: APACS (Administration) Ltd
address: 14 Finsbury Square
address: London
address: EC2A 1BR
address: England, UK

Pity APACS couldn’t get it together to put up a spokesman for Newsnight


Update: It's really someone at APACS. Not an exercising in framing, taking advantage of a proxy:

A spokeswoman for UK Card Association said the posts violated staff internet-use guidelines.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.