Ross Anderson
Abstract
What lessons might we learn from the chip cards used for payments in Europe, now that the U.S. is adopting them too?
- Bond, M., Choudary, O., Murdoch, S.J., Skorobogatov, S., and Anderson, R. Chip and skim: Cloning EMV cards with the pre-play attack. In Proceedings of the IEEE Symposium on Security and Privacy (San Jose, CA, May 18--21, 2014).Google Scholar
Digital Library
- Drimer, S. and Murdoch, S.J. Keep your enemies close: Distance bounding against smartcard relay attacks. In Proceedings of the USENIX Security Symposium (Boston, MA, Aug. 6--10, 2007). Google ScholarDigital Library
- Drimer, S., Murdoch, S.J., and Anderson, R. Thinking inside the box: System-level failures of tamper proofing. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA, May 18--21, 2008). Google ScholarDigital Library
- Murdoch, S.J. and Anderson, R. Security protocols and evidence: Where many payment systems fail. In Proceedings of Financial Cryptography and Data Security (Barbados, Mar. 3--7, 2014).Google ScholarCross Ref
- Murdoch, S.J., Drimer, S., Anderson, R., and Bond, M. Chip and PIN is broken. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland, CA, May 16--19, 2010). Google ScholarDigital Library
Index Terms
- EMV: why payment systems fail
Recommendations
Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards Without the PIN
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityIn this paper we present an attack, which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, ...
e-EMV: emulating EMV for internet payments with trusted computing technologies
STC '08: Proceedings of the 3rd ACM workshop on Scalable trusted computingThis paper shows how the functionality associated with EMV-compliant payment cards can be securely emulated in software on platforms supporting Trusted Computing technology. We describe a detailed system architecture encompassing user enrolment, card ...
Enhancing EMV Online PIN Verification
TRUSTCOM '15: Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA - Volume 01EMV (Europay MasterCard Visa) is a globally accepted standard for chip card-based payment transactions, which benefits from the intrinsic security characteristics of chip cards. The EMV specification is relatively flexible and can be deployed in both ...
Reviews
Barrett Hazeltine
This article outlines lessons from the European deployment of smart cards. The intended audience is not coders, but system designers from banks, merchants, regulators, and consumers. European experience should be useful in the US, although the context is somewhat different as consumer protection is more strongly entrenched in the US, and the real battle will probably be about interchange fees, $30 billion, rather than fraud, $3 or $4 billion. In any case, the full effect of implementing smart cards will not be felt for many years until all automated teller machines (ATMs) and point-of-sale (POS) terminals have been updated; newly issued smart cards will continue to have a magnetic strip. Customer identification with smart cards can be done with a personal identification number (PIN) verified on the card or using the existing signature procedure. Some US banks will use PINs, others signatures. The article describes various fraudulent techniques. In the UK, some terminals were not tamper-proof. Fraud losses actually increased in the UK after smart cards were introduced, although they subsequently declined. The increase also reflects card-not-present (CNP) fraud, transactions through the Internet. Another fraud, relay attack, used a fake terminal to gain access to a customer's account. In other frauds, random numbers used in transactions were predictable by accessing a stolen telephone. A stolen card can be used without knowing the PIN through a device between the card and the terminal causing the terminal to believe the card verifies with a signature. The use of PINs puts the customer at a disadvantage in dispute resolution. This article is readable, even fascinating. Online Computing Reviews Service
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments