Magstripe
Comments
-
You're kidding right?
The TPM keys have been able to be cracked for about 2 years now.
One such paper (very interesting if you're a bit techie)
http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf
Except the attack you show doesn't show the keys have been cracked.
The attack shown requires a man-in-the-middle device to essentially replace the 'is pin valid' response with a 'yes'.
They then rely on the banks not putting together the IAD and the TVR response to see that the terminal was fooled.
Now - here: http://www.h-online.com/security/news/item/Hacker-extracts-crypto-key-from-TPM-chip-927077.html - someone was able to extract the keys.
But he did it with a focused ion beam microscope and a lot of knowledge of chip composition.
Hardly fraudster's choice of tool.
As far as I've seen, the PIN is still secure for day-to-day purposes.
M.
-
As far as I've seen, the PIN is still secure for day-to-day purposes.
I'd say that the first link invalidates that claim, if the PIN isn't verified then it isn't suitable for day-to-day purchases. Although they were using a laptop, it would be simple to port it to a Raspberry Pi for example and intercept it that way.
Although it's possible that the person will report their card lost, the fraudster can also act quickly as people are unable to report their cards stolen the instant it happens as they may be a victim of pickpocketing or other crimes.
-
Thanks for all the advice. One of my friends gave me a decent piece of advice as well. If you have a Nectar card near your card in the wallet and try and swipe it through on the machine (not using the barcode but using the top bit on the chip and PIN machine) it should be in a similar condition to the credit card, but Mondo's advice also worked: when I swiped it through it said "Magstripe mandates chip reader use", so it clearly had to be able to read the magstripe for it to know that.
-
I'd say that the first link invalidates that claim, if the PIN isn't verified then it isn't suitable for day-to-day purchases. Although they were using a laptop, it would be simple to port it to a Raspberry Pi for example and intercept it that way.
Although it's possible that the person will report their card lost, the fraudster can also act quickly as people are unable to report their cards stolen the instant it happens as they may be a victim of pickpocketing or other crimes.
Except that the contents of that link also show that even if bypassed, the resultant fields that are sent to the banks will reveal the failure to authenticate.
It's just down to the bank to double check them.
It also requires the person on the till not to notice the wires coming out of the card and going up the person's arm (which is what the paper claims would be required).
The PIN cannot be extracted* is my point.
M.
* Through normal conventional means - as I admitted, someone did get the keys through a focused ion beam microscope.
-
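The bank-side double check the posts above refer to (comparing what the terminal reports with what the card itself reports in the IAD), as an added example that is not part of the original thread. The CVR bit positions are an assumption modelled on the EMV Common Core Definitions layout, since the IAD format is issuer-specific, and the sample values are constructed.

```python
# Added example: issuer-side cross-check of terminal data against card data.

# CVM Results (tag 9F34): byte 1 low six bits = method, byte 3 = result.
OFFLINE_PIN_CVMS = {0x01, 0x03, 0x04, 0x05}  # PIN verified by the chip
CVM_RESULT_SUCCESS = 0x02
# TVR (tag 95) byte 3, bit 8: cardholder verification was not successful.
TVR_B3_CV_FAILED = 0x80
# ASSUMPTION: CVR byte 2 flags, modelled on the EMV CCD layout. The IAD is
# issuer-specific, so an issuer substitutes its own card's bit positions.
CVR_B2_OFFLINE_PIN_PERFORMED = 0x08
CVR_B2_OFFLINE_PIN_FAILED = 0x04


def check_cardholder_verification(tvr, cvm_results, cvr):
    """Return a list of inconsistencies; an empty list means the views agree."""
    if len(tvr) != 5 or len(cvm_results) != 3 or len(cvr) < 2:
        raise ValueError("unexpected field length")
    method = cvm_results[0] & 0x3F
    terminal_pin_ok = (method in OFFLINE_PIN_CVMS
                       and cvm_results[2] == CVM_RESULT_SUCCESS)
    findings = []
    if not terminal_pin_ok:
        return findings  # terminal makes no offline-PIN claim to contradict
    if not cvr[1] & CVR_B2_OFFLINE_PIN_PERFORMED:
        findings.append("terminal: offline PIN ok; card: no PIN verification performed")
    if cvr[1] & CVR_B2_OFFLINE_PIN_FAILED:
        findings.append("terminal: offline PIN ok; card: PIN verification failed")
    if tvr[2] & TVR_B3_CV_FAILED:
        findings.append("CVM Results and TVR disagree on the outcome")
    return findings


# Constructed samples (hypothetical values, not captured traffic):
# (TVR, CVM Results, CVR taken from the IAD), all as hex strings.
SAMPLES = {
    "consistent": ("0000000000", "410302", "0008"),
    "pin_never_seen_by_card": ("0000000000", "410302", "0000"),
    "signature_only": ("0000000000", "1E0302", "0000"),
}


def run_samples():
    return {name: check_cardholder_verification(*map(bytes.fromhex, fields))
            for name, fields in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "consistent")
```

The check only works if the issuer actually receives the terminal's CVM Results alongside the IAD in the authorisation request.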
* Through normal conventional means - as I admitted, someone did get the keys through a focused ion beam microscope.
Not the kind of thing that a typical person has in their spare bedroom then!
(Although I do have access to one at work, but I wouldn't have a clue where to begin or what to look for, or even how to switch the thing on)