Optimised to Fail: Card Readers for Online Banking

Authors: Saar Drimer, Steven J. Murdoch, Ross Anderson

DOI: 10.1007/978-3-642-03549-4_11

Keywords:

Abstract: The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer's debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.

References (7)
Saar Drimer, Steven J. Murdoch. Keep your enemies close: distance bounding against smartcard relay attacks. USENIX Security Symposium, pp. 7- (2007)
George Davida, Yair Frankel, Yiannis Tsiounis, Moti Yung. Anonymity Control in E-Cash Systems. Financial Cryptography, pp. 1-16 (1997). DOI: 10.1007/3-540-63594-7_63
Nicholas Bohm, Brian Gladman, Ian Brown. Electronic commerce: who carries the risk of fraud? Journal of Information, Law and Technology, vol. 2000 (2000)
Raymond M. Wong, Thomas A. Berson, Richard J. Feiertag. Polonium: An Identity Authentication System. IEEE Symposium on Security and Privacy, p. 101 (1985). DOI: 10.1109/SP.1985.10001
Saar Drimer, Steven J. Murdoch, Ross Anderson. Thinking Inside the Box: System-Level Failures of Tamper Proofing. IEEE Symposium on Security and Privacy, pp. 281-295 (2008). DOI: 10.1109/SP.2008.16
Ross Anderson, Roger Needham. Robustness Principles for Public Key Protocols. International Cryptology Conference (CRYPTO), pp. 236-247 (1995). DOI: 10.1007/3-540-44750-4_19