Chip and PIN is broken
If you have a question about this talk, please contact Steven J. Murdoch.

Practice talk for IEEE Security and Privacy (Oakland).

EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. Known to bank customers as “Chip and PIN”, it is used in Europe; it is being introduced in Canada; and there is pressure from banks to introduce it in the USA too. EMV secures credit and debit card transactions by authenticating both the card and the customer presenting it through a combination of cryptographic authentication codes, digital signatures, and the entry of a PIN.

In this paper we describe and demonstrate a protocol flaw which allows criminals to use a genuine card to make a payment without knowing the card’s PIN, and to remain undetected even when the merchant has an online connection to the banking network. The fraudster performs a man-in-the-middle attack to trick the terminal into believing the PIN verified correctly, while telling the issuing bank that no PIN was entered at all.

The paper considers how the flaws arose, why they remained unknown despite EMV’s wide deployment for the best part of a decade, and how they might be fixed. Because we have found and validated a practical attack against the core functionality of EMV, we conclude that the protocol is broken. This failure is significant in the field of protocol design, and also has important public policy implications, in light of growing reports of fraud on stolen EMV cards. Frequently, banks deny such fraud victims a refund, asserting that a card cannot be used without the correct PIN, and concluding that the customer must be grossly negligent or lying. Our attack can explain a number of these cases, and exposes the need for further research to bridge the gap between the theoretical and practical security of bank payment systems.

This talk is part of the Computer Laboratory Security Group meeting presentations series.
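The inconsistency the abstract describes, as an added illustration that is not part of the talk or the paper: a deliberately simplified three-party model in which the terminal's view of PIN verification and the card's own record of it both reach the issuer, and an issuer-side cross-check that catches the case where they disagree. The field names, the `Card`/`relay` structure and the two issuer rules are this example's own assumptions, not EMV's actual commands or data elements.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Simplified model (not EMV's real messages): the card remembers whether it was
# ever asked to check a PIN, and that fact travels to the issuer with the card's
# own authenticated data, independently of what the terminal claims.

@dataclass
class Card:
    pin: str
    pin_was_checked: bool = False  # what the card will attest to the issuer

    def verify_pin(self, candidate: str) -> bool:
        self.pin_was_checked = True
        return candidate == self.pin

def mitm_relay(card: Card, entered_pin: str) -> bool:
    # Models the device described in the abstract: it answers "PIN verified"
    # to the terminal without ever forwarding the PIN to the card.
    return True

def terminal_transaction(card: Card, entered_pin: str,
                         relay: Optional[Callable[[Card, str], bool]] = None) -> dict:
    """Run one transaction and return the authorization request the issuer sees.
    relay=None means the terminal talks to the card directly."""
    if relay is None:
        terminal_view = card.verify_pin(entered_pin)
    else:
        terminal_view = relay(card, entered_pin)
    return {
        "terminal_says_pin_verified": terminal_view,  # terminal's claim
        "card_says_pin_checked": card.pin_was_checked,  # card's attestation
    }

def legacy_issuer_check(request: dict) -> str:
    """Weak rule: trust the terminal's claim alone (the behaviour the attack exploits)."""
    return "approve" if request["terminal_says_pin_verified"] else "decline: PIN failed"

def hardened_issuer_check(request: dict) -> str:
    """Hardened rule: the terminal's claim must agree with the card's attestation.
    'PIN verified' alongside 'no PIN checked' is exactly the mismatch the abstract describes."""
    if request["terminal_says_pin_verified"] and not request["card_says_pin_checked"]:
        return "decline: terminal claims PIN verified but card attests no PIN entered"
    if not request["terminal_says_pin_verified"]:
        return "decline: PIN failed"
    return "approve"

if __name__ == "__main__":
    honest = terminal_transaction(Card(pin="1234"), "1234")
    attacked = terminal_transaction(Card(pin="1234"), "0000", relay=mitm_relay)
    print("honest  :", hardened_issuer_check(honest))
    print("attacked:", legacy_issuer_check(attacked), "|", hardened_issuer_check(attacked))
```

The hardened rule only works because the card's record reaches the issuer in data the relay cannot rewrite; in the model that is an assumption, and in a real deployment it is the property the issuer would have to verify.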