1. Review of: All You Can Eat or Breaking a Real-World Contactless Payment System Timo Kasper, Michael Silbermann, and Christof Paar Financial Cryptography and Data Security, Lecture Notes in Computer Science, Volume 6052. IFCA/Springer-Verlag Berlin Heidelberg, 2010, p. 343 22 nd August 2012Jacob Dodunski

2. Quick Summary The paper investigates: – ID-cards with wireless capability that store personal information, credit and security keys – How easy it is to access and manipulate that information “Our subsequent analysis of the ID-Card payment system reveals obvious vulnerabilities that pose a great threat to its overall security”.

3. Appreciation Rather than just trying to break or hack the system by themselves the authors researched into the past attacks on the MIFARE classic ID cards. Their approach was well thought out and implemented throughly rather than a quick messy hack job. The authors used the knowledge gained to benefit their system.

4. Appreciation Continued Example : Past attack: A nonce number is used in the authentication process which is generated by the card. The time between the power up of the card and the issuing of the authentication command from the reader showed a relationship with the nonce number generated. What this means: The same nonce number could be generated with some some probability by controlling the timing. What was done: The authors implemented a precise timing feature to their card reader so that they could fully control the communication between the reader and the card.

5. Critical The writers of the paper offered NO advice to counter or fix the problem. “Using basic cryptographic knowledge, countermeasures could be implemented to obtain a higher security level” The authors published a paper (publicly) explaining how to cheat the system.

6. Question If you discover a security exploit in a established public system, do you contact the company and keep it quiet or publish your findings to the public?