Steven M. Bellovin wrote:

> Designing a system that deflects this sort of attack is challenging.
> The right answer is smart cards that can digitally sign transactions

No, it isn't! A handwritten signature is far better, it gives post-facto
evidence about who authorised the transaction - it is hard to fake a
signature so well that later analysis can't detect the forgery, and few
people would bother to do it that well anyway, while it is easy enough to
enter a PIN with "digital reproducibility".

Also there are several attacks on Chip n' PIN as deployed here in the UK,
starting with the fake reader attacks - for instance, a fake reader says you
are authorising a payment for $6.99 while in fact the card and PIN are being
used to authorise a transaction for $10,000 across the street. They get
quite complex, there's the double-dip, where the $6.99 transaction is also
made, and the delayed double dip, where a reader belonging to a crook makes
the $10,000 transaction several days later (the crook has to skip town with
the money in this attack - so far. Except of course he never existed in the
first place, and maybe ...).

Then there's probably a Bank-wide attack, where an expensive attack on one
card can break all the cards used by one bank - ouch! because the Banks
haven't actually issued cards that digitally sign the transaction (and it
would make little difference to many of the fake reader attacks if they
had), but just reuse one key or a key with an offset or XOR on the card to
generate a keyed hash of the transaction for authorisation.

There are some more classes of attacks too. It's a bit early to say about
many of them, but it looks like there are a goodly number of going-to-be
successful attacks.

This might not matter that much except to the banks, but the liability for
what appears to be a PIN-authorised transaction is being foisted off on the
cardholder, who has litle recourse to proof that he didn't make the
transaction when one of these attacks is made.

I don't have any Chip n' PIN cards, and I don't want any either. I'm
sticking with signatures.

Peter Fairbrother

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to