* Ulrich Kuehn:

> In 2000 someone here in Germany already demonstrated how to attack
> smart card based HBCI transactions. Those transactions are
> authorized by an RSA signature done by the card.

Here's a link: <http://www.heise.de/newsticker/meldung/9349>

> The attack relyed on the card reader not having a separate keyboard
> for PIN entry.

In this particular implementation, yes.

There are other attacks if you control the end user system:

You can display a dialog box requesting that the user enters the PIN
on the host, and not on the PIN pad.  Typical smartcard work in
various card readers (with and without PIN pads), so you can later use
the PIN to create additional transactions.

It turns out that you need not do this, though: once the end user has
entered the PIN, you can create as many signatures as you like.  In
this sense, the PIN/TAN approach is more secure than smartcards.

> Interestingly, I wonder what would happen if a reader with display
> and keyboard is used in an online attack, i.e. the adversary sneaks
> in a fraudulent transaction when the hash for the signature is
> computed. I do not know from the top of my head what is supposed to
> be displayed in the reader's display, so I do not know what impact
> such an attempt would have.

The display contents is supplied by the end user computer, not the
smartcard, so it's still possible to break this scheme just by
attacking the computer.

> Any suggestions?

Postbank's mTAN is promising because uses a separate channel which is
currently not very easy to attack, but the activation procedure is
fundamentally flawed.  Costs are probably too high to introduce this
as a general countermeasure, though.

In the long term, we need a standardized device which generates TANs
which depend on the transaction contents (target account and amount).
Standardization is important because you don't want to carry around
such a device for each plastic card you own.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to