8 comments

[ 8.3 ms ] story [ 53.1 ms ] thread
Thanks, didn't see that.
You're welcome. I have a knack for spotting duplicates. Some call it useful, others call it incredibly irritating.
Upvoted, because I find it to be both.
Thank you - you made me smile.

However, I refer you to this comment and its parents: http://news.ycombinator.com/item?id=1122023

I'm not going to bother flagging such duplication any more. Even though I find it frustrating to see conversations split across effectively duplicate submissions, it will continue to happen, and I'm just wasting time.

tie goes to the runner, type of deal?
This topic was also posted at http://news.ycombinator.com/item?id=1118779 — I’m adapting my comment from there as it is relevant to the issue of the topic disappearing.

I’m not why this topic has got so little interest. Maybe because it looks like a UK-only issue? EMV chip and pin has been introduced in Canada, and the authors say it is being adopted in the USA. The scheme is designed to put liability with the card holder, so insecurities should be given widespread attention to stop banks from being able to blame their customers for problems with the system.

Chip and PIN (EMV) is the main payment protocol for credit transactions in Europe. It is a big deal. The problem is that the cardholder authentication step is not properly tied to the bank authorization. Instead the bank only finds out "verification succeded" without knowing which type of verification was used (signature or PIN).

In particular, the MITM between the card and terminal does not interfere until the Terminal tries to send the PIN to the card. It blocks this message and instead says:

(As Card) "Dear Terminal, the entered PIN is ok"

(As Terminal) "Dear Card, let's assume I took a signature and continue straight on to authorizing the transaction"

I think the best decision would have been for the card to include the authentication method as part of the MAC for the transaction (PIN, signature, etc.) In particular, if the TVR message had the auth type requested (not just error codes), it would be MACd in the ARQC message and the bank could verify if the Terminal is lying in saying the card verified the PIN ok.