About The Blog

Debate at the intersection of business, technology and culture in the world of digital money, both commercial and government, a blog born from the Digital Money Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Don't panic!

By Dave Birch posted Feb 26 2008 at 10:34 PM

[Dave Birch] Just a note to assure everyone that the sky isn't falling in, despite the rash of press reports about contactless payment card security over the last few days. A number of articles have pointed to Adam Laurie's recent demonstration that American Express "ExpressPay" chips work exactly as per their specification and in line with the relevant international standards:

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer's wallet, Laurie both read and displayed its contents on the presentation screen--the person's name, account number, and expiration clearly visible. As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer's card. Laurie said that American Express told him: "We are comfortable with the security of our product." Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing. However, Laurie noted that the captured account number could still be used for online transactions.

[From The hands-free way to steal a credit card | Defense in Depth - computer security, hacking, crime, viruses - CNET News.com]

Adam is a great guy and he does excellent work, but on this one he's wrong. You cannot use the alias PAN (i.e., the PAN given up via the contactless interface, not the one printed on the card) in anything except a contactless transaction, and you cannot use it to make a bent contactless card because you need the Amex security keys in order to generate the right digital signature. If you attempt to use the alias PAN in an online transaction, the Amex host will decline it.
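As an added illustration (not from the post, and not Amex's or anyone's real host code), a toy issuer-side authorisation check in Python showing why the alias PAN read over the contactless interface is useless elsewhere: the host recognises it as an alias, declines it on any other channel, and on contactless verifies a cryptogram that only the issuer-held card key can produce. HMAC-SHA256 stands in for the EMV application cryptogram, and every PAN, key and counter value is constructed for the example.

```python
import hmac
import hashlib

# Constructed issuer-side records (made up for this example): the alias PAN
# presented over the contactless interface, the printed PAN it belongs to,
# and the per-card key that only the issuer and the genuine chip hold.
CARDS = {
    "alias-376411111111111": {
        "printed_pan": "376422222222222",
        "key": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
        "last_atc": 0,  # highest application transaction counter seen so far
    },
}
PRINTED_PANS = {c["printed_pan"] for c in CARDS.values()}


def card_cryptogram(alias_pan: str, amount: int, atc: int, key: bytes) -> bytes:
    """What the genuine chip computes for a contactless transaction.
    HMAC-SHA256 stands in here for the EMV application cryptogram."""
    msg = f"{alias_pan}|{amount}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def authorise(channel: str, pan: str, amount: int,
              atc: int = 0, cryptogram: bytes = b"") -> str:
    """Issuer-host decision for one authorisation request."""
    card = CARDS.get(pan)
    if card is None:
        # Not an alias PAN: a printed PAN on the online (card-not-present)
        # channel goes on to the normal checks, which are omitted here.
        if pan in PRINTED_PANS and channel == "online":
            return "APPROVE"
        return "DECLINE:unknown-pan-or-channel"
    if channel != "contactless":
        # An alias PAN is only ever valid on the interface it was issued for.
        return "DECLINE:alias-pan-wrong-channel"
    if atc <= card["last_atc"]:
        # A replayed or stale counter is rejected even if the MAC would verify.
        return "DECLINE:stale-atc"
    expected = card_cryptogram(pan, amount, atc, card["key"])
    if not hmac.compare_digest(expected, cryptogram):
        # Without the issuer key no valid cryptogram can be produced.
        return "DECLINE:bad-cryptogram"
    card["last_atc"] = atc
    return "APPROVE"
```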

I hate to add my usual rant about the reporting of contactless security issues, but it does annoy me that some of the media reports have a tone to them that sort of asks how come Amex (and by extension, their consultants!) are so dumb that they design and build a new payment scheme that can be trivially defeated? The assumption that card issuers know nothing about security is, frankly, slightly offensive.

Anyway, must run. Just off to get a cup of tea, put my feet up, and watch BBC Newsnight:

Whatever you buy in the shops, you probably pay with a chip and pin card, tonight Newsnight has exclusive evidence that they are vulnerable to fraudsters. The implications could be huge for millions of shoppers. We'll be asking what are the banks going to do about it?

[From BBC NEWS | Talk about Newsnight | Tuesday, 26 February, 2008]

Sounds good.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.



I believe the requirements came from ISO9564. Here it is required that a PED is tamper evident if the key management system allows backward protection (i.e. unique key per transaction techniques) but tamper responsiveness otherwise. In practice PEDs are built with some form of tamper responsiveness (varying degrees of sophistication). I don't think an economic PED can be tamper resistant.

The terminology in this area is a bit of a mess. The actual requirement is that a terminal should deactivate itself if tampered (tamper-resistant or tamper-responsive), or such tampering should be obvious to a customer (tamper-evident).

Thanks for the link Stephen. At the risk of retreading old ground (!), I wonder about the use of the words "tamper resistant". Is it really the case that terminals are supposed to be tamper-resistant or do they only have to be tamper-evident to obtain certification?

Also can't resist asking Ian, why do you think European institutions are better? Sounds like a good idea for a blog post -- if you do it we'll link to it!

> The assumption that card issuers know nothing about security is, frankly, slightly offensive.

I think it is clear that they know something about security.

What is offensive is that they put themselves out as _the experts_, they have total control over the arrangement, and then try and shift the risks onto the user.

In this control-not-risk approach they are showing themselves to not be bankers, and leaving themselves wide open to attacks (by journalists and security researchers). Unfortunately, once they take the track of shifting the risk to the user for their systems, the bar of professionalism is lowered for all.

It's worth pointing out that as a generalism, European institutions are much better at security.

The Newsnight segment was a bit light on details, but we have more details, and links to further resources, on our website: http://www.cl.cam.ac.uk/research/security/banking/ped/

The comments to this entry are closed.