A group of researchers from the University of Cambridge have discovered a vulnerability in the security system that carry smart cards. Under this method, you could get a credit card cloning and making a fraudulent transaction.
EMV is an interoperability standard developed by Europay, MasterCard and Visa in the 90 to authenticate payments through credit cards and debit cards. This new system was proposed to replace the insecure magnetic stripe cards, the security system was not enough to prevent cloning.
For several years, the cards are abandoning insecure magnetic stripe for embedded chip containing encrypted information. Access to information requires a secret PIN code for the operation to be carried out correctly. Broadly speaking, the process when a transaction is as follows:
When a terminal or ATM (Automatic Teller Machine) wants to start a transaction, it sends all information (number, currency, date, etc ...) to the card is inserted, along with a code called A (Unpredictable Number) the cashier terminal generates flight or at the time of the transaction.
The card uses a secret encryption key which is stored on the chip, to generate a code authorizing the request (ARQC) from the transaction data and facilitated by the A terminal. The ARQC is sent back to the terminal.
The ATM sends ARQC code along with the PIN encryption and plain text A bank card in question.
Finally, the bank ARQC decrypts and validates the information contained therein. It also validates the ARQC A containing the terminal that sent in plain text. If the two match, the transaction is valid and authorized.
A business "lid" controlled by the attackers, could use a modified terminal to save the information on the card and the PIN that the customer has to make a payment introduced legal. While that transaction is done, you can force the card to generate another code ARQC for a transaction with a specific future date. The UN is a number that attackers know that will be generated by a specific model in the future terminal. After receiving the second card ARQC code, the attacker can create a cloned card with legitimate information card and program it with the code that contains information ARQC the future transaction. Finally, the attacker will be able to make a single transaction with that card for the date that was set.
In summary, it would have an effect similar to that exists today cloning with magnetic strips, but protected chip card.
Researchers warned those responsible for the poor development of the randomness of A by some terminals. Apparently, they have not received much attention.
They end with a harsh criticism of banks they accuse of knowing the risks involved in this payment system and still hide. Meanwhile, the Financial Fraud Action (organization that is responsible for controlling the financial fraud in Britain) has insisted that they never said that the effectiveness of these new cards plus it was absolute, although attackers can fraudulent operations, would be very risky
_________________________________________
miss things in life ........... Life and Time ........ the first is inevitable ....... the second is unforgivable
EMV is an interoperability standard developed by Europay, MasterCard and Visa in the 90 to authenticate payments through credit cards and debit cards. This new system was proposed to replace the insecure magnetic stripe cards, the security system was not enough to prevent cloning.
For several years, the cards are abandoning insecure magnetic stripe for embedded chip containing encrypted information. Access to information requires a secret PIN code for the operation to be carried out correctly. Broadly speaking, the process when a transaction is as follows:
When a terminal or ATM (Automatic Teller Machine) wants to start a transaction, it sends all information (number, currency, date, etc ...) to the card is inserted, along with a code called A (Unpredictable Number) the cashier terminal generates flight or at the time of the transaction.
The card uses a secret encryption key which is stored on the chip, to generate a code authorizing the request (ARQC) from the transaction data and facilitated by the A terminal. The ARQC is sent back to the terminal.
The ATM sends ARQC code along with the PIN encryption and plain text A bank card in question.
Finally, the bank ARQC decrypts and validates the information contained therein. It also validates the ARQC A containing the terminal that sent in plain text. If the two match, the transaction is valid and authorized.
A business "lid" controlled by the attackers, could use a modified terminal to save the information on the card and the PIN that the customer has to make a payment introduced legal. While that transaction is done, you can force the card to generate another code ARQC for a transaction with a specific future date. The UN is a number that attackers know that will be generated by a specific model in the future terminal. After receiving the second card ARQC code, the attacker can create a cloned card with legitimate information card and program it with the code that contains information ARQC the future transaction. Finally, the attacker will be able to make a single transaction with that card for the date that was set.
In summary, it would have an effect similar to that exists today cloning with magnetic strips, but protected chip card.
Researchers warned those responsible for the poor development of the randomness of A by some terminals. Apparently, they have not received much attention.
They end with a harsh criticism of banks they accuse of knowing the risks involved in this payment system and still hide. Meanwhile, the Financial Fraud Action (organization that is responsible for controlling the financial fraud in Britain) has insisted that they never said that the effectiveness of these new cards plus it was absolute, although attackers can fraudulent operations, would be very risky
_________________________________________
miss things in life ........... Life and Time ........ the first is inevitable ....... the second is unforgivable
Last edited:
