1 Financial Cryptography and Data Security 2013 Risks of Offline Verify PIN on Contactless Cards Martin Emms, Budi Arief, Nick Little, Aad van Moorsel.

Slides:

Advertisements

Similar presentations

An Oyster Card update and a peek into the future Charles Monheim Director, Oyster Card Transport for London Smart Card Networking Forum 1 November, 2005.

Advertisements

IDENTITY THEFT Protect Yourself and Your Good Name ITT Employees Federal Credit Union.

Operational Risks Task 13. What is CNP? CNP stands for Card Not Present and is when you order or pay for something online as you are not in front of the.

Zenith Visa Web Acquiring A quick over view. Web Acquiring Allows merchants to receive payments for goods and services through the Internet Allows customers.

Fraud Trends and Organized White Collar Crime Presentation by Jeff Wahl, CFE.

Chapter 6 E-commerce Payment Systems. Traditional Payment Systems Cash Checking Transfers Credit Card Accounts Stored Value Accounts Accumulating Balance.

S CENARIOS FOR THE F UTURE OF THE C ANADIAN P AYMENTS S YSTEM A UTHENTICATION AND I DENTITY W ORKSHOP N OVEMBER 3, 2010 Greg Wolfond.

CONFIDENTIAL AND PROPRIETARY ©2014 DISCOVER FINANCIAL SERVICES 2014 Discover ® Dealer Incentive Program & EMV Update.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

Credit Card Fraud. Credit card fraud - situation when an individual uses another individual’s credit card for personal reasons while the owner is not.

Fraud and Identity Theft Test Review. Who should you contact if you are a victim of identity theft?

Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN 21st ACM Conference on Computer and Communications.

EMV solution for Romania 22. February 2005

EMV – What you need to know… Jay J. Davis Territory Alliance Manager

Electronic Transaction Security (E-Commerce)

Focus on Asia Workshop All Roads Lead to China. Travel Payments Direct  Founded in February 2013 by a core group of payments professionals possessing.

Credit Card Fraud PRESENTED BY THE VIRGINIA OFFICE OF THE ATTORNEY GENERAL June 2013.

ATM Security Recommendations. n There are over 200,000 ATMs in the U.S. n Cash in ATMs ranges from $15,000 in small machines to $250,000 in larger bank.

September 17, 2007 MasterCard PayPass – Tap & Go Payments The London Launch and Beyond Mike Cowen, MasterCard Global Transit Solutions.

Financial Transactions on Internet Financial transactions require the cooperation of more than two parties. Transaction must be very low cost so that small.

CIS 342: e-Commerce Applications Prof Frye

Smart Cards By Simon Siu and Russell Doyle Overview Size of a credit card Small embedded computer chip – Memory cards – Processor cards – Electronic.

May 28, 2002Mårten Trolin1 Protocols for e-commerce Traditional credit cards SET SPA/UCAF 3D-Secure Temporary card numbers Direct Payments.

Preventing Identity Theft in Aspen Falls Helping citizens protect themselves IdentityTheft.

EMV Panel: Part Two (Follow up to Last Year’s Panel) Joseph D. Tinucci, AAP, CTP Kim Smith-Gross, CTP Matt Davies, AAP, CTP, CPP 2015 ROCKY MOUNTAIN SUMMIT.

Account Authority Digital Signature AADS Lynn Wheeler First Data Corporation

R U Ready? V M E EUROPAY MASTERCARD VISA EMVco was formed in 1999.

INNOV-11: Can You Please SmartID Yourself? How can you use SmartCards in your OpenEdge ® application? Wouter Dupré Senior Solution Consultant.

FIVE STEPS TO REDUCE THE RISK OF CYBERCRIME TO YOUR BUSINESS.

© 2014 CustomerXPs Software Pvt Ltd | | Confidential 1 Tentacles of Fraud #StarfishBanks CustomerXPs Software Private Limited.

ICT in Banking.

Confidential – For Discussion & General Information Purposes Only EMV to Card Not Present Fraud Gavin Levin, CTP eReceivables Consultant.

CREDIT CARD FRAUD. TYPES OF CREDIT CARD FRAUD Counterfeit credit card use. Card lost or stolen by the card holder. Fraud committed without the actual.

Agenda EMV – What Is It? EMV In The UK EMV Is Coming To The US

The next generation of payments is here. Is your business ready?

Getnationwide.com Let’s Talk about EMV Danielle Rourke.

EFTPOS and credit card payments Rachel Garcia Line 4 Due:14 th November Business Admin Michael Barry.

Smart Card Technology & Features

Review of: All You Can Eat or Breaking a Real-World Contactless Payment System Timo Kasper, Michael Silbermann, and Christof Paar Financial Cryptography.

OBJECTIVES  To understand the concept of Electronic Payment System and its security services.  To bring out solution in the form of applications to.

Langara College PCI Awareness Training

Heartland Payment Systems Hospitality Solutions Group

Section 5: Identity Theft.  Prevent myself from becoming a victim of fraud  If I become a victim of fraud, I will know what to do!

11/18/2003 Smart Card Authentication Mechanism Tim W. Baldridge, CISSP Marshall Space Flight Center Office of the Chief Information Officer.

What does Chip offer Banks today?. CARD TYPES CREDIT DEBIT CHARGE PRIVATE LABEL PRE-PAYMENT MULTI FUNCTION.

What is a Smart Card Reader & Terminal. What is a smart card reader? Smart card reader, also known as smart card terminal, such as point of sale terminal,

How to Manage Risk. This is the process involves the process for any application from a: Individual Cardholder Company or Corporate cards Merchants Any.

Borrowing and saving Savings. about the risks and consequences of borrowing money that it’s important to think carefully and look at all of the information.

SAP – our anti-hacking software. Banking customers can do most transactions, payments and transfer online, through very secure encrypted connections.

Confidential and Proprietary - NOT TO BE DISTRIBUTED WITHOUT THE EXPRESS WRITTEN PERMISSION OF BANK OF AMERICA MERCHANT SERVICES. ASTRA EMV Review/Best.

SS.8.FL.6.7 Evaluate social networking sites and other online activity from the perspective of making individuals vulnerable to harm caused by identity.

EMV Operation and Attacks Tyler Moore CS7403, University of Tulsa Reading: Anderson Security Engineering, Ch (136—138), (328—343) Papers.

Mar 18, 2003Mårten Trolin1 Agenda Parts that need to be secured Card authentication Key management.

A Brief Introduction Radiant Pay, a global provider of payment processing services to all kinds of business, Radiant Pay Services.

Presented by David Cole Background to Chip. PAYMENT SYSTEMS HISTORY A POTTED HISTORY DINERS LAUNCH 1950 AMEX LAUNCH 1958 BANK AMERICARD 1959 MASTERCHARGE.

Information Technology Security Office of the Vice President for Information Technology New Employee Orientation II.

Outline of this module By the end of this module, you will be able to: Understand what is meant by the term “advanced fee fraud”; Understand what is.

Make This Document Your Own

Done by… Hanoof Al-Khaldi Information Assurance

how to prevent them from being successful

Gift Card Risk Mitigation – Presentation A

Secure Electronic Transaction

Switchover from Teledeposit to VIRTUAL TERMINAL Moneris Solutions

Digital $$ Quiz Test your knowledge.

Tom Chothia Computer Security

Authorization for Credit Card Use

A Secret Service Perspective on Credit Card Fraud

Presentation transcript:

1 Financial Cryptography and Data Security 2013 Risks of Offline Verify PIN on Contactless Cards Martin Emms, Budi Arief, Nick Little, Aad van Moorsel Newcastle University Centre for Cybercrime & Computer Security

2 Financial Cryptography and Data Security 2013 What are EMV Chip & PIN Cards 1.5 Billion EMV cards in circulation Visa & MasterCard to implement in USA 2015 (TBD) Wireless access to the “contact” protocol

3 Financial Cryptography and Data Security 2013 Contactless Verify PIN Verify PIN directly on the card (offline mode) Wireless Access to Verify PIN – Accessed without the cardholders knowledge Redundant functionality – No PIN required in contactless transaction Viable attack scenario to find the PIN Amex and MasterCard have prohibited the functionality – MC “for security reasons”

4 Financial Cryptography and Data Security 2013 Door Entry Attack Scenario Day 1 PIN – 1983 PIN – 6383 XXXX Day 2 PIN – 0306 PIN – 0603 XXXX Day 3 PIN – 1234 PIN – 0683 X Always leave 1 PIN attempt remaining so the card is not locked

5 Financial Cryptography and Data Security 2013 Birthday Based PINs Bonneau et al. FC 2012 – Birthday in every 11 wallets – Bad chioces in user chosen PIN Real Life Example – Birthday used as PIN – Same PIN on 2 cards – Birthday on driving licence – £1,000 within hours

6 Financial Cryptography and Data Security 2013 Why is this Important? What are my rights if I’m a victim of fraud and my bank doesn’t give me my money back? If your bank or card company has evidence to show that you have acted fraudulently or without reasonable care then they may not refund your losses. (Source – The UK Cards Association 2010)

7 Financial Cryptography and Data Security 2013 Anti-collision loop How does it work? - Multi-card Reader Sends REQA Card(s) Respond ATQA Reader Sends SELECT(NVB,UID) Card(s) Respond UID Card Respond SAK UID Complete UID MatchedNo Match Increase Cascade Level Single Card Selected Cascade Level 1 More bytes in UID ISO – part 3

8 Financial Cryptography and Data Security 2013 How does it work? - PIN Verify

9 Financial Cryptography and Data Security 2013 Results Total attack time for a wallet containing a door entry card and a credit card Activity(ms) Identify door entry card214.4 Identify credit card and select it214.4 List credit card applications18.4 Select application (Visa, MasterCard, Amex etc.)19.2 Get the number of available PIN attempts29.8 Ask the card to generate an unpredictable number24.6 VerifyPIN (PIN)175.8 Ask the card to generate an unpredictable number12.2 VerifyPIN (PIN)177.2 Total886.0

10 Financial Cryptography and Data Security 2013 Conclusions Redundant functionality can be removed Attack scenario presents a viable exploit – Attack gives many chances to find PIN – Total Attack Time 866.0ms (2 cards) – Birthday PIN higher probability of success Undermines the security of Chip & PIN

11 Financial Cryptography and Data Security 2013 Any Questions? Thank You