Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Financial Cryptography and Data Security 2013 Risks of Offline Verify PIN on Contactless Cards Martin Emms, Budi Arief, Nick Little, Aad van Moorsel.

Published byLeo Perry Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Financial Cryptography and Data Security 2013 Risks of Offline Verify PIN on Contactless Cards Martin Emms, Budi Arief, Nick Little, Aad van Moorsel."— Presentation transcript:

1 1 Financial Cryptography and Data Security 2013 Risks of Offline Verify PIN on Contactless Cards Martin Emms, Budi Arief, Nick Little, Aad van Moorsel Newcastle University Centre for Cybercrime & Computer Security

2 2 Financial Cryptography and Data Security 2013 What are EMV Chip & PIN Cards 1.5 Billion EMV cards in circulation Visa & MasterCard to implement in USA 2015 (TBD) Wireless access to the “contact” protocol

3 3 Financial Cryptography and Data Security 2013 Contactless Verify PIN Verify PIN directly on the card (offline mode) Wireless Access to Verify PIN – Accessed without the cardholders knowledge Redundant functionality – No PIN required in contactless transaction Viable attack scenario to find the PIN Amex and MasterCard have prohibited the functionality – MC “for security reasons”

4 4 Financial Cryptography and Data Security 2013 Door Entry Attack Scenario Day 1 PIN – 1983 PIN – 6383 XXXX Day 2 PIN – 0306 PIN – 0603 XXXX Day 3 PIN – 1234 PIN – 0683 X Always leave 1 PIN attempt remaining so the card is not locked

5 5 Financial Cryptography and Data Security 2013 Birthday Based PINs Bonneau et al. FC 2012 – Birthday in every 11 wallets – Bad chioces in user chosen PIN Real Life Example – Birthday used as PIN – Same PIN on 2 cards – Birthday on driving licence – £1,000 within hours

6 6 Financial Cryptography and Data Security 2013 Why is this Important? What are my rights if I’m a victim of fraud and my bank doesn’t give me my money back? If your bank or card company has evidence to show that you have acted fraudulently or without reasonable care then they may not refund your losses. (Source – The UK Cards Association 2010)

7 7 Financial Cryptography and Data Security 2013 Anti-collision loop How does it work? - Multi-card Reader Sends REQA Card(s) Respond ATQA Reader Sends SELECT(NVB,UID) Card(s) Respond UID Card Respond SAK UID Complete UID MatchedNo Match Increase Cascade Level Single Card Selected Cascade Level 1 More bytes in UID ISO 14443 – part 3

8 8 Financial Cryptography and Data Security 2013 How does it work? - PIN Verify

9 9 Financial Cryptography and Data Security 2013 Results Total attack time for a wallet containing a door entry card and a credit card Activity(ms) Identify door entry card214.4 Identify credit card and select it214.4 List credit card applications18.4 Select application (Visa, MasterCard, Amex etc.)19.2 Get the number of available PIN attempts29.8 Ask the card to generate an unpredictable number24.6 VerifyPIN (PIN)175.8 Ask the card to generate an unpredictable number12.2 VerifyPIN (PIN)177.2 Total886.0

10 10 Financial Cryptography and Data Security 2013 Conclusions Redundant functionality can be removed Attack scenario presents a viable exploit – Attack gives many chances to find PIN – Total Attack Time 866.0ms (2 cards) – Birthday PIN higher probability of success Undermines the security of Chip & PIN

11 11 Financial Cryptography and Data Security 2013 Any Questions? Thank You

Download ppt "1 Financial Cryptography and Data Security 2013 Risks of Offline Verify PIN on Contactless Cards Martin Emms, Budi Arief, Nick Little, Aad van Moorsel."

Similar presentations

An Oyster Card update and a peek into the future Charles Monheim Director, Oyster Card Transport for London Smart Card Networking Forum 1 November, 2005.

An Oyster Card update and a peek into the future Charles Monheim Director, Oyster Card Transport for London Smart Card Networking Forum 1 November, 2005.
IDENTITY THEFT Protect Yourself and Your Good Name ITT Employees Federal Credit Union.

IDENTITY THEFT Protect Yourself and Your Good Name ITT Employees Federal Credit Union.
Operational Risks Task 13. What is CNP? CNP stands for Card Not Present and is when you order or pay for something online as you are not in front of the.

Operational Risks Task 13. What is CNP? CNP stands for Card Not Present and is when you order or pay for something online as you are not in front of the.
Zenith Visa Web Acquiring A quick over view. Web Acquiring Allows merchants to receive payments for goods and services through the Internet Allows customers.

Zenith Visa Web Acquiring A quick over view. Web Acquiring Allows merchants to receive payments for goods and services through the Internet Allows customers.
Fraud Trends and Organized White Collar Crime Presentation by Jeff Wahl, CFE.

Fraud Trends and Organized White Collar Crime Presentation by Jeff Wahl, CFE.
Chapter 6 E-commerce Payment Systems. Traditional Payment Systems Cash Checking Transfers Credit Card Accounts Stored Value Accounts Accumulating Balance.

Chapter 6 E-commerce Payment Systems. Traditional Payment Systems Cash Checking Transfers Credit Card Accounts Stored Value Accounts Accumulating Balance.
S CENARIOS FOR THE F UTURE OF THE C ANADIAN P AYMENTS S YSTEM A UTHENTICATION AND I DENTITY W ORKSHOP N OVEMBER 3, 2010 Greg Wolfond.

S CENARIOS FOR THE F UTURE OF THE C ANADIAN P AYMENTS S YSTEM A UTHENTICATION AND I DENTITY W ORKSHOP N OVEMBER 3, 2010 Greg Wolfond.
CONFIDENTIAL AND PROPRIETARY ©2014 DISCOVER FINANCIAL SERVICES 2014 Discover ® Dealer Incentive Program & EMV Update.

CONFIDENTIAL AND PROPRIETARY ©2014 DISCOVER FINANCIAL SERVICES 2014 Discover ® Dealer Incentive Program & EMV Update.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Credit Card Fraud. Credit card fraud - situation when an individual uses another individual’s credit card for personal reasons while the owner is not.

Credit Card Fraud. Credit card fraud - situation when an individual uses another individual’s credit card for personal reasons while the owner is not.
Fraud and Identity Theft Test Review. Who should you contact if you are a victim of identity theft?

Fraud and Identity Theft Test Review. Who should you contact if you are a victim of identity theft?
Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN 21st ACM Conference on Computer and Communications.

Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN 21st ACM Conference on Computer and Communications.
EMV solution for Romania 22. February 2005

EMV solution for Romania 22. February 2005
EMV – What you need to know… Jay J. Davis Territory Alliance Manager 360-831-7055

EMV – What you need to know… Jay J. Davis Territory Alliance Manager
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
Focus on Asia Workshop All Roads Lead to China. Travel Payments Direct  Founded in February 2013 by a core group of payments professionals possessing.

Focus on Asia Workshop All Roads Lead to China. Travel Payments Direct  Founded in February 2013 by a core group of payments professionals possessing.
Credit Card Fraud PRESENTED BY THE VIRGINIA OFFICE OF THE ATTORNEY GENERAL June 2013.

Credit Card Fraud PRESENTED BY THE VIRGINIA OFFICE OF THE ATTORNEY GENERAL June 2013.
ATM Security Recommendations. n There are over 200,000 ATMs in the U.S. n Cash in ATMs ranges from $15,000 in small machines to $250,000 in larger bank.

ATM Security Recommendations. n There are over 200,000 ATMs in the U.S. n Cash in ATMs ranges from $15,000 in small machines to $250,000 in larger bank.
September 17, 2007 MasterCard PayPass – Tap & Go Payments The London Launch and Beyond Mike Cowen, MasterCard Global Transit Solutions.

September 17, 2007 MasterCard PayPass – Tap & Go Payments The London Launch and Beyond Mike Cowen, MasterCard Global Transit Solutions.
Financial Transactions on Internet Financial transactions require the cooperation of more than two parties. Transaction must be very low cost so that small.

Financial Transactions on Internet Financial transactions require the cooperation of more than two parties. Transaction must be very low cost so that small.

Similar presentations

Ads by Google