Chip and PIN ‘not fit for purpose’, says Cambridge researcher

Sunday, February 14, 2010

University of Cambridge security expert Professor Ross Anderson has blasted the EMV system used worldwide for credit and debit card transactions, and known in the UK as Chip and PIN, after his research team discovered a serious vulnerability. The group were able to carry out purchases using a card, even without knowing the associated personal identification number (PIN), by using a “man-in-the-middle” attack.

Retail terminals at the point of sale require the cardholder to insert their card and enter their secret PIN before a transaction can be authorised. The terminal then communicates with the microchip built into the card itself, which holds the PIN. If the correct number has been given, this chip returns a standard verification code (0x9000) to the terminal.

In the researchers’ attack they inserted a genuine card into a second reader, connected to a laptop. The laptop is linked by thin wires to a fake card, which is inserted into the retailer’s terminal. The laptop relays the communications between the terminal and the stolen, but genuine, card, up until the stage where the PIN is to be checked. At this point it intercepts and responds with the verification code, no matter what number was entered. The retailer’s terminal then believes that the correct PIN has been entered, and the card can be told that a signature was used to verify the cardholder instead.
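The disagreement described above, modelled as an added example (not code from the researchers or from any EMV implementation): the terminal trusts the status word it receives, while the card keeps its own record of whether a PIN was checked, so an issuer that sees both views can spot the mismatch. It assumes a hypothetical issuer that receives the card's view authenticated under a key shared with the card; `Card`, `Interposer`, `issuer_decision`, `SW_FAIL` and the report format are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

SW_OK = 0x9000    # status word the article gives for a correct PIN
SW_FAIL = 0x6300  # constructed stand-in for "PIN rejected"

@dataclass
class Card:
    pin: str
    issuer_key: bytes           # assumption: key shared by card and issuer
    pin_verified: bool = False  # the card's own view of this session

    def verify_pin(self, candidate: str) -> int:
        self.pin_verified = candidate == self.pin
        return SW_OK if self.pin_verified else SW_FAIL

    def report(self):  # card's view, MACed so it cannot be rewritten in transit
        body = b"pin_verified=1" if self.pin_verified else b"pin_verified=0"
        return body, hmac.new(self.issuer_key, body, hashlib.sha256).digest()

@dataclass
class Interposer:  # models the relay from the article; no real card I/O
    card: Card

    def verify_pin(self, candidate: str) -> int:
        return SW_OK  # answered locally, so the card never sees a PIN check

    def report(self):
        return self.card.report()  # everything else is relayed unchanged

def terminal_view(channel, entered_pin: str) -> str:
    # The terminal only sees the status word that comes back on the contacts.
    return "pin" if channel.verify_pin(entered_pin) == SW_OK else "pin_failed"

def issuer_decision(terminal_cvm: str, body: bytes, tag: bytes, key: bytes) -> str:
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "decline: card report not authentic"
    if terminal_cvm != "pin":
        return "decline: PIN rejected at terminal"
    if body != b"pin_verified=1":
        return "decline: terminal claims PIN, card verified none"
    return "approve"

def run(channel, entered_pin: str, key: bytes) -> str:
    cvm = terminal_view(channel, entered_pin)
    body, tag = channel.report()
    return issuer_decision(cvm, body, tag, key)
```

The check only works because the two views are compared by a party that can authenticate the card's report; the terminal on its own sees nothing but 0x9000.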

Their technique has been tested successfully on cards from six different issuers: Bank of Scotland, Barclaycard, Co-operative Bank, Halifax, HSBC and John Lewis.

The group say that not much technical skill is required for the attack, and suggested the equipment needed could be kept in a backpack, with the wires to the fake card running down a user’s sleeve. They believe the equipment could be miniaturised to the size of a remote control.

“In practice how this attack would work is that one reasonably technically skilled person would build a device that carries out the attack and then sell this equipment on the internet just like criminals already do,” said Dr Steven Murdoch who worked on the project.

Professor Anderson claimed that the attack could already be in use by criminals. “We have many examples of people who have had their cards stolen and then purchases made using the chip and pin,” he said. “They are adamant they didn’t use it but if the banks say chip and pin has been used you have to pay. I think many of these people would have been victim of the kind of technique we have developed.”

He was scathing about bank claims that the system was secure. “The banks are wrong. All the banks are lying. They are maliciously and wilfully deceiving the customer. If there was any justice then the police would be looking into this. The system is not fit for purpose.”

Consumer group Which? have also called for an investigation, stating that in a recent survey one in seven people said that money had been taken from their accounts without authorisation. Around half of these did not have the money refunded by the bank.

“We want the banks to look into these potential flaws,” said Cathy Neal from Which? Money, “because we have had many examples where the banks have said a pin was used and the customer said it hasn’t.”

Over 90 percent of UK card transactions at point-of-sale use chip and PIN, according to the UK Payments Administration. The attack does not affect ATM transactions, which use different standards. Mark Bowerman, a spokesman for the group which represents card companies, said that there was no evidence the attack was in use and emphasised that card fraud had fallen with the introduction of chip and PIN.

“We are taking this paper very seriously, as maintaining excellent levels of card security is paramount,” he said. “However, we strongly refute the allegation that chip and PIN is broken.”

The research paper has been made available as a working draft, and is due to be published at the IEEE Security and Privacy Symposium in May 2010. Members of the banking industry were informed of the vulnerability in early December last year.

‘Earned It’ earns The Weeknd his first Grammy

Wednesday, February 17, 2016

On Monday, at the 58th Grammy Awards ceremony, Canadian singer The Weeknd won his first Grammy Award, Best R&B Performance, for his song Earned It, which was also featured on the soundtrack of the 2015 Fifty Shades of Grey movie based on E.L. James’s erotic novel Fifty Shades of Grey.

The Weeknd also won the Grammy Award for Best Urban Contemporary Album for his second studio album Beauty Behind the Madness. Abel Tesfaye — The Weeknd — had seven nominations in total including Record of the Year for his song Can’t Feel My Face and Album of the Year.

The YouTube video of the song received more than 179 million views and more than 1.1 million likes. The Weeknd was also nominated for the Grammy Award for Best Pop Solo Performance, but British singer Ed Sheeran won the golden gramophone for his song Thinking Out Loud.

Last year, Beyoncé won the Award for Best R&B Song for Drunk in Love featuring her husband Jay-Z. This awards ceremony marked the first Grammy wins for The Weeknd, Justin Bieber and Ed Sheeran.

Category:Jewellery

This is the category for jewellery.

  • 8 April 2014: Scottish artist Alan Davie dies at age 93
  • 12 August 2011: Three killed amongst Birmingham, England riots
  • 13 July 2011: 21 people killed and 113 reported injured in three blasts in Mumbai
  • 4 July 2011: Hidden treasure worth billions of dollars discovered in Indian temple
  • 26 November 2010: Bernie Ecclestone attacked outside London headquarters; no arrests made
  • 6 September 2009: Man charged with attempted murder in £40 million London jewel heist
  • 13 August 2009: British gemstone expert killed by mob in Voi, Kenya
  • 11 August 2009: Thieves steal £40 million from London jeweller
  • 31 May 2009: Thief steals over €6 million worth of jewels from Paris store
  • 18 March 2009: Madoff prosecutors want assets from wife and children
From Wikinews, the free news source you can write.


