Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Back for a limited time - Get 15% off sitewide on Slashdot Deals with coupon code "BLACKFRIDAY" (some exclusions apply)". ×

Comment Re: Doesn't sound very credible to me (Score 1) 179

Whether or not it's true is irrelevant (although it is true by any rational measurement. That petrol is worse than thought does not make it worse than diesel). It's politicians so we expect them to be using 10 year old research to justify decisions that make their constituents happy. It does not require some worldwide conspiracy.

Comment Re: Doesn't sound very credible to me (Score 1) 179

So, despite that "particulate emissions from petrol cars are so low that they are not routinely measured" and can "emit 25 to 400 times more mass of particulate black carbon and associated organic matter ("soot") per kilometer" the fact that petrol cars may release twice as much particulate means that they've suddenly caught up?

Pull the other one, it's got bells on. Twice "barely measureable" makes "less barely measureable" and even in the worst case that means that diesel emits 12 to 200 times more. That's "a much higher level" by my reckoning. No-one's saying petrol is saintly.

With the most modern DPFs this would probably not be an issue - or at least not as much an issue as it is now - but we don't live in an ideal world. And the current state of play is that diesel is implicated in having (if not proven to have) measurable health effects in dense urban environments which is a specific use-case. Anecdotally, the rise of diesel is making buildings grimier than they have been since the smogs of London and Paris were beaten into submission. London cannot control car policy nationwide so it has to broad brush like this but the real solution would be refusing to grant MoT approval for diesels without adequate DPFs.
That's not the point I was responding to, though. I was pointing out that it's not some vast conspiracy, it has to do with the either perceived or real health impacts of lots of diesel in a small area.

Comment Re:EMV chip cloning (Score 1) 145

Yeah, I was aware of that one and actually meant (but forgot) to add a qualifer. However, that article title is misleading - the attack used was against a stolen card and the author is incorrect in that you cannot record everything "bar the unpredectible number" from the chip, clone it and expect to validate a transaction. The cryptographic key isn't revealed. Now if the unpredictable numbers are too predictable it may be possible to eventually get that key which would be a serious issue which WOULD allow cloning.
The unpredictable number is transmitted with everything else so it's, on it's own, inherently insecure in a cryptographic sense and given a raw message buffer I could read it for you without any tools. But it was not designed to be random (it's not called a random number, after all), it was designed to add a small element of "unpredictability" as an input to an althgorithm that's run on the card chip itself with key that's present on that chip and cannot be read.

Are there insecurities in an EMV payment system? Yes. Is it possible to use a stolen card? Yes (but much harder than a magstripe to the point of being very difficult indeed if you want to use it in a card-present scenario). Is is possible to clone a chip card? Not, as far as we know, at this point.

Comment Re:Fuck You Slashdot (Score 1) 145

Why couldn't you just use the first stolen card's body?

You need the original chip intact and the thickness increased from 0.4mm to 0.7mm. This made it harder to get into the reader so I assume it was to prevent the chip on top being pressured which may screw up the contact to the chip below, and also the card would look weird if it was half again as thick.

As for the PIN, if it's wrong in an offline environment you'd never know. At best, you can reduce windows and thresholds for requiring allowing cards to be used offline. You can't stop this attack with the current hardware while still allowing offline transactions.

True, but the customer's never going to see it!

There are 3 verification steps with EMV, card verification, cardholder verification and transaction verification. They were pretty coy about what they did but they said that they'd coupled the card, cardholder and transaction verification in a way that made this attack more difficult. As I said, it's pretty generic and they won't say how they did it.

Comment Re:Fuck You Slashdot (Score 1) 145

Stolen chip with malicious chip soldered on top. No idea why you need a second stolen card for the body as shown in the image.

So the card didn't have the chip protruding, which would have made it look tampered with. It may also have allowed the card to be inserted without damaging the new chip.

This was done in France in 2011. EMVCo claims they've fixed this or made it harder. They won't say how. No one believes them.

The will say how, they just won't give details. The basic problem is that you have offline PIN validation where the chip can validate the entered PIN and say "yo, it's all good, I've verified the PIN". This method is allowed for low-value stuff (think metro tickets) up to a bank-defined threshold for a bank-defined number of transactions, then the card is forced online.
To allow this, the original implementations allowed completely separate PIN validation and Transaction validation. They said that they increased the coupling so that if the PIN is wrong the application request cryptogram will no longer validate correctly, I believe.

Comment Re:We can safely ignore Chip&Pin (Score 4, Informative) 145

Chip and PIN is secure if used:
1. With the card present
2. With a PIN pad
3. With online validation

Which is all it ever guaranteed.

Chip and Signature should help reduce card cloning attacks because unless the cryptographic key on the chip can be read the application request cryptograms will never be correct so the transactions will be flagged. What happens in the case of an ARQC validation failure is up to your bank, but they can hardly refuse a refund if they approve a transaction where the ARQC validation failed. (Well, they can, but they're likely to get shafted for it eventually)

However what this attack enables is allowing stolen cards to be used because the fake chip would pass through the request to generate the ARQC to the chip card. So if your card's stolen, report it quickly. It's the same problem with the contactless cards. If it's stolen it can be used until it's blocked for the smaller amounts that it allows, but it's difficult to clone (I won't say impossible but I have not heard of it being done) because there's cryptographic key on the chip which generates a cryptogram that has to validate before the transaction will be approved.

Chip of any flavour does not stop card-not-present fraud, so internet fraud and over-the-phone purchase fraud will continue unabated. It solves a different problem.

Comment Re:Only needs one person to accomplish (Score 1) 153

It would be trivial for one guy to write the code to have low NOx during testing, and high efficiency/performance otherwise. However, half the company would have to know they were cheating.

Actuallly, it wouldn't because the car has to detect when it's in a test condition anyway the way that the tests are run require that the traction control be disabled. So the code changng behaviour because of the test condition is legit. However, the code gaming the thing that was being measured was not. Given that the test condition flag had to be available to other systems (the aforementioned traction control) it could have been a small group that managed this. Probably the R & D group which the departing president ran...

Comment Re:Another deflationary pressure on oil prices. (Score 1) 106

Like, for instance, in South Africa, where electricity delivery is very unreliable and most businesses have diesel generators as backups. This also goes for large portions of the continent where power delivery is very unreliable for a host of reasons. (this was aimed at the GP, in case anyone's wondering.)

What this country needs is a dime that will buy a good five-cent bagel.