Steven Murdoch, Saar Drimer, Mike Bond, and Ross Anderson report that Chip and PIN is broken. The consequences are pretty ugly, including that a fraudulent transaction can show up as "PIN verified" on your statement. Their summary of the attack:
- the attack applies to cards used online (where the merchant POS contacts the bank) as well as offline;
- the attack works regardless of the amount of money spent (not just for small value amounts that are below floor limit);
- the attack doesn't work once a card has been cancelled by the bank, just like stolen cards in the past can only be used for a certain window of time once the cardholder discovers the loss;
- the attack doesn't work at ATMs (cash machines);
- the failure applies to bank card schemes based on EMV, the most widely deployed standard for smartcard payments. Older national smartcard schemes may or may not be vulnerable; we don't know.

Should we be surprised? Not really. There's an obsession with control of subjects (i.e. authentication) in many financial services, which is a good start. But just ask the Baltimore Indianapolis Colts: it doesn't matter how well you do in the first half when they keep score for the whole game. Many financial systems go to great lengths to impose their own authentication, to get the subjects into the system they control, but once inside that system the security is medium assurance at best.
In this case the whole game is not simply subjects and authentication, it's objects and authorization. It's the fact that many systems are simply a web front end tacked onto a mainframe backend which naively trusts what it's sent (MQ and mainframes are the canonical examples here), with authorization based on weak or non-existent tokens (hey! we authenticated them at the edge of our semi-medium assurance system!).
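To make the "trusts what it's sent" point concrete, here is an added example (not code from the post, and not from any of the systems it names) contrasting a backend that authorizes on a header the edge set with one that verifies a signed, expiring token bound to the object and action and then consults its own object-level policy. The key, policy table, header names and request shape are all hypothetical.

```python
"""Added example: edge-trusting backend vs. backend that authorizes the object itself.
Every name here (SHARED_KEY, POLICY, header names, request fields) is hypothetical."""
import base64
import hashlib
import hmac
import json
import time

# Constructed key shared by edge and backend for this toy; a real deployment
# would use a per-service key held in a KMS or HSM, never a literal.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed object-level policy: (subject, object) -> permitted actions.
POLICY = {
    ("alice", "acct-100"): {"read", "debit"},
    ("bob", "acct-200"): {"read"},
}


def naive_backend(request):
    """'Trusts what it's sent': the only authorization input is a header the edge
    set after authenticating. Any named subject may then act on any object."""
    subject = request["headers"].get("X-Authenticated-User")
    return subject is not None


def issue_token(subject, obj, action, ttl=60, now=None):
    """Edge mints a short-lived token binding subject, object and action.
    Body is base64url(JSON); tag is HMAC-SHA256 over the body."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "obj": obj, "act": action, "exp": now + ttl}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def hardened_backend(request, now=None):
    """Verifies the token's MAC and expiry, checks that the token was minted for
    this object and action, then applies the backend's own policy."""
    now = time.time() if now is None else now
    token = request["headers"].get("Authorization", "")
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # forged or altered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < now:
        return False  # expired
    # A valid token for some other object/action must not be replayable here.
    if claims["obj"] != request["object"] or claims["act"] != request["action"]:
        return False
    allowed = POLICY.get((claims["sub"], request["object"]), set())
    return request["action"] in allowed


if __name__ == "__main__":
    tok = issue_token("bob", "acct-200", "read")
    print(hardened_backend({"headers": {"Authorization": tok},
                            "object": "acct-200", "action": "read"}))
```

The point of the two functions side by side is that the edge's authentication is unchanged; what differs is whether the backend decides authorization for the object on evidence it can verify, or on an assertion it cannot.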
There's an obvious case that authorization fails, and this is much more common than authentication failing. In fact, if you factor in Madame TOCTOU you can easily say that all authorization is broken, it's just a matter of degree. But certainly this is egregious, so the second "au" in the gold standard of information security, authorization, is the main culprit.
Lots of analysis and money was clearly spent on building and deploying these systems and they were still broken, so the larger systemic gap is the lack of the third "au", audit logging, which must backstop the inevitable failures. Assume it'll be broken and log accordingly.
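As an added example of "assume it'll be broken and log accordingly" (mine, not the post's or the paper's), the following reconciles an authorization log after the fact rather than trusting the decision made at the time: for each transaction it compares what the terminal claimed about how the cardholder was verified with what the card itself recorded, and flags any disagreement, approved or not. The log lines are constructed, the field names are hypothetical, and how the terminal's and the card's views map onto real EMV data elements is outside the scope of this example.

```python
"""Added example: audit-log reconciliation of cardholder-verification claims.
Log format and field names (terminal_cvm, card_cvm, issuer_decision) are hypothetical."""
import json

# Constructed authorization-log excerpt: one JSON object per line. Line 5 is
# deliberately malformed to show that a broken record is a finding, not noise.
AUTH_LOG = """\
{"txn":"t1","pan_last4":"1234","amount":40.00,"terminal_cvm":"PIN","card_cvm":"PIN","issuer_decision":"APPROVE"}
{"txn":"t2","pan_last4":"1234","amount":1250.00,"terminal_cvm":"PIN","card_cvm":"SIGNATURE","issuer_decision":"APPROVE"}
{"txn":"t3","pan_last4":"9876","amount":12.50,"terminal_cvm":"SIGNATURE","card_cvm":"SIGNATURE","issuer_decision":"APPROVE"}
{"txn":"t4","pan_last4":"9876","amount":900.00,"terminal_cvm":"PIN","card_cvm":"NONE","issuer_decision":"DECLINE"}
this line is not JSON
"""


def parse_auth_log(text):
    """Parse newline-delimited JSON; keep a placeholder for unparseable lines."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            records.append({"txn": f"line{n}", "parse_error": True})
    return records


def reconcile(records):
    """Return one finding per record whose terminal claim and card record disagree,
    plus one per unparseable record. Approval status is carried, not used to filter:
    an approved mismatch is the case the audit exists to catch."""
    findings = []
    for r in records:
        if r.get("parse_error"):
            findings.append({"txn": r["txn"], "finding": "UNPARSEABLE"})
            continue
        if r["terminal_cvm"] != r["card_cvm"]:
            findings.append({
                "txn": r["txn"],
                "finding": "CVM_MISMATCH",
                "terminal": r["terminal_cvm"],
                "card": r["card_cvm"],
                "approved": r["issuer_decision"] == "APPROVE",
            })
    return findings


def summarize(findings):
    """Counts an analyst would put on a dashboard: all mismatches, and the
    subset that went through as approved."""
    mismatches = [f for f in findings if f["finding"] == "CVM_MISMATCH"]
    return {
        "mismatches": len(mismatches),
        "approved_mismatches": sum(1 for f in mismatches if f["approved"]),
        "unparseable": sum(1 for f in findings if f["finding"] == "UNPARSEABLE"),
    }


if __name__ == "__main__":
    for f in reconcile(parse_auth_log(AUTH_LOG)):
        print(f)
    print(summarize(reconcile(parse_auth_log(AUTH_LOG))))
```

Nothing in this check depends on the authorization path having worked; it only needs both sides' statements to have been logged, which is the whole argument for the third "au".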