UK Banks Expected To Move To DDA EMV Cards
http://www.epaynews.com/index.cgi?survey=&ref=browse&f=view&id=11497625028614136145&block=

... from above ...

Of the 6.2 billion card transactions in the UK each year, one in five occurs offline, which increases the risk of cloned cards being used at a retailer’s POS terminal. In short, a cloned credit or debit card may go unidentified if a transaction is not sent to a bank for approval.

... snip ...

re:
http://www.garlic.com/~lynn/aadsm24.htm#1 UK Detects Chip-And-PIN Security Flaw

note that the counterfeit "yes card" attack (from the late 90s) isn't on valid cards programmed to do offline (or online) transactions; the counterfeit "yes card" attack (built from skimmed "SDA" data) is on chip&pin terminals programmed to do what any authenticated card tells it to do (part of the chip&pin terminal standard):
http://www.garlic.com/~lynn/2006l.html#33

the countermeasure to counterfeit "yes card" attacks on chip&pin terminals is to program the terminal to ignore what the card tells it to do, and always do an online transaction. this makes chip&pin deployments subject to the same "account flagging" countermeasure that has been long used for magstripe cards. The counterfeit "yes card" exploit always doing offline transactions (making it immune to account flagging countermeasures) somewhat prompted somebody several years ago to make the comment about spending several billion dollars to prove that chips were less secure than magstripe.

part of what had prompted the aads chip strawman effort
http://www.garlic.com/~lynn/x959.html#aads

in the 90s was the frequent comment about deployments being forced into doing "SDA" chip deployments because technology cost for "DDA" chip deployments was too uneconomical. Part of the aads chip strawman was to demonstrate technology doing dynamic data authentication (as countermeasure to skimming, harvesting and replay attacks) at the highest possible integrity ... for less cost than any "SDA" technology (as well as being able to meet transit contactless power and timing profile requirements).
http://www.garlic.com/~lynn/aadsm23.htm#56 UK Detects Chip-And-PIN Security Flaw

---------------------------------------------------------------------
The Cryptography Mailing List
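The static versus dynamic data authentication distinction discussed in the post above, as an added example that is not part of the original post or of any EMV specification: a terminal-side static check accepts skimmed data, while a challenge-response check rejects a replayed response. Assumptions: toy textbook RSA from fixed primes stands in for the real certificate chain and padding, and all class names, function names and card data are hypothetical and constructed.

```python
import hashlib, secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    # Toy textbook RSA from fixed Mersenne primes: illustration only, not secure.
    return p * q, pow(E, -1, (p - 1) * (q - 1))    # (modulus n, private exponent d)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

ISSUER_N, ISSUER_D = keypair(2**61 - 1, 2**89 - 1)
CARD_N, CARD_D = keypair(2**107 - 1, 2**127 - 1)

class GenuineCard:
    static = b"PAN=0000000000000000;EXP=0000"      # constructed sample data
    sda_sig = sign(static, ISSUER_N, ISSUER_D)     # issuer signature over static data
    icc_n = CARD_N                                 # card public key, issuer-certified
    icc_cert = sign(static + str(CARD_N).encode(), ISSUER_N, ISSUER_D)
    def respond(self, challenge):                  # private key never leaves the chip
        return sign(challenge, CARD_N, CARD_D)

class SkimmedClone:
    def __init__(self, victim):
        # Everything a terminal can read is copied; the private key is not readable.
        self.static, self.sda_sig = victim.static, victim.sda_sig
        self.icc_n, self.icc_cert = victim.icc_n, victim.icc_cert
        self.recorded = victim.respond(b"old-challenge")  # response seen while skimming
    def respond(self, challenge):
        return self.recorded                       # can only replay what was recorded

def terminal_sda(card):
    # Static check: the same bytes verify every time, so a copy verifies too.
    return verify(card.static, card.sda_sig, ISSUER_N)

def terminal_dda(card):
    # Dynamic check: validate the card key, then require a signature on a fresh nonce.
    if not verify(card.static + str(card.icc_n).encode(), card.icc_cert, ISSUER_N):
        return False
    challenge = secrets.token_bytes(8)
    return verify(challenge, card.respond(challenge), card.icc_n)

def demo():
    genuine = GenuineCard(); clone = SkimmedClone(genuine)
    return {"sda": (terminal_sda(genuine), terminal_sda(clone)),
            "dda": (terminal_dda(genuine), terminal_dda(clone))}
```

`demo()` shows the static check passing for both the genuine card and the copy, and the dynamic check passing only for the card that holds the private key.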