
Comment Re:Could somebody explain this? (Score 1) 36

That sounds like one of the master 3DES keys used to generate the Application Cryptogram on the chip cards has been leaked, which is very unusual, as those are highly guarded by the HSMs in place. And it's not the same as the RSA key used to guard the certificates.

The master key is used to derive the sub-level card keys used on each chip card.

The application cryptogram is generated on the chip card to uniquely identify the card and transaction context, and is used by the EMV host to validate whether the card/transaction is genuine or not.
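An added illustration of the key hierarchy described in the comment above (not part of the original comment, and not EMV reference code): an issuer master key is diversified into a per-card key, the card computes a cryptogram over the transaction context, and the host re-derives the key to check it. Assumptions: HMAC-SHA256 stands in for the 3DES operations so the sketch needs only the standard library, the transaction context is reduced to an amount, a transaction counter and a terminal nonce, and all keys and card numbers are constructed sample values.

```python
import hashlib
import hmac

def _prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the 3DES operations named in the comment.
    return hmac.new(key, data, hashlib.sha256).digest()

def derive_card_key(master_key: bytes, pan: str, psn: str) -> bytes:
    # Issuer side: diversify the master key into a per-card key.
    return _prf(master_key, f"card|{pan}|{psn}".encode())

def application_cryptogram(card_key: bytes, atc: int, amount: int, un: bytes) -> bytes:
    # Card side: MAC the transaction context under a per-transaction session key.
    session_key = _prf(card_key, b"session|" + atc.to_bytes(2, "big"))
    context = amount.to_bytes(6, "big") + un + atc.to_bytes(2, "big")
    return _prf(session_key, context)[:8]

class IssuerHost:
    def __init__(self, master_key: bytes):
        self._master_key = master_key   # lives in an HSM in a real deployment
        self._last_atc = {}             # highest counter accepted per card

    def verify(self, pan, psn, atc, amount, un, cryptogram) -> str:
        card_key = derive_card_key(self._master_key, pan, psn)
        expected = application_cryptogram(card_key, atc, amount, un)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        if atc <= self._last_atc.get((pan, psn), 0):
            return "declined: stale counter"
        self._last_atc[(pan, psn)] = atc
        return "approved"

def demo() -> list:
    master_key = bytes(range(16))            # constructed sample key
    pan, psn = "4000000000000002", "01"      # constructed test card number
    un = bytes.fromhex("a1b2c3d4")           # terminal nonce (constructed)
    host = IssuerHost(master_key)
    genuine_key = derive_card_key(master_key, pan, psn)  # personalised into the chip
    clone_key = bytes(32)                    # a copy that holds only readable data
    ac = application_cryptogram(genuine_key, 1, 1250, un)
    return [
        host.verify(pan, psn, 1, 1250, un, ac),  # genuine transaction
        host.verify(pan, psn, 1, 1250, un, ac),  # same cryptogram presented again
        host.verify(pan, psn, 2, 1250, un, application_cryptogram(clone_key, 2, 1250, un)),
        host.verify(pan, psn, 2, 9900, un, application_cryptogram(genuine_key, 2, 1250, un)),
    ]

if __name__ == "__main__":
    print(demo())
```
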

Comment better worry about something else (Score 1) 385

I'd be more worried about handing your card to the waitress at a restaurant than about your contactless card being read remotely.

Obtaining the data contactlessly is not enough to create a duplicate of your credit card (assuming proper card implementation), and certainly not enough to create a "card not present" transaction such as an internet, mail, or phone purchase. (The only exception is probably using a pre-play attack, and this requires some elaborate setup.)

A properly implemented contactless card doesn't even have your name in the contactless interface.

Seriously, your credit card company is worrying more about fraudulent transactions than you are, so there are fairly good measures deployed to ensure contactless duping can't be done.

Comment Re:What's the big problem? (Score 1) 675

Actually, most of the chip-enabled (EMV-based) credit cards do have a PIN, but it is just not set as the preferred CVM (Cardholder Verification Method); predominantly it's set to prefer signature over online PIN.

EMV chip cards offer one of the most important protections over traditional magnetic-stripe-only cards, which is counterfeit protection. During each EMV transaction the card will generate a unique Application Cryptogram, which identifies the card and transaction, using a secret key (shared only by the card and the issuing bank), meaning EMV cards cannot be cloned.

 

Comment Re:Chip and Pin (Score 2) 193

It's impossible to read the secret keys over any interface of the card. So those cloning devices are at most reading what a contactless terminal can normally read from a card, meaning those cloned cards will fail all the offline and online CAM (card authentication method), since none of the relevant keys (the ICC Private Key or the Application Cryptogram secret key) can be read.

Unlike traditional magnetic stripe cards, chip cards have robust security built in; most of the security breaches are not from counterfeit cards (since you can't clone the relevant data from EMV cards).

Comment Re:Got one of those cards (Score 1) 449

The card you just received most likely still supports PIN; it's just that PIN is not preferred as the primary method for authorization (i.e. it is signature preferring). In most situations you will not notice any difference (especially in the US).

You can still use the magnetic stripe, as it's a requirement for credit cards; however, the magnetic stripe is now a *backup* method for using your credit card. Again, in the US you won't notice any difference, as most of the terminals only support magnetic stripe; however, overseas, in most other countries that have already migrated to EMV, if you swipe the magnetic stripe during a card transaction the terminal will prompt the operator to use the chip instead. Only when the terminal has a problem reading the chip will it allow a physical magnetic stripe transaction for those chip-enabled cards.

If it's a chip transaction, it's really close to impossible to clone the card, assuming good implementations are followed, unlike magnetic stripe, which can be easily duped.

Comment Re:What about flat cards? (Score 1) 142

EMV chip cards do way more than just VERIFY the PIN. They can perform card authentication (the card cannot be counterfeited/hacked), risk management, and cardholder verification.

If I have to guess, those Chip & Sign cards issued in the US are usually signature preferring (at least some PIN methods are still available on the card, but the setting in the card will always prefer signature unless it's not possible) and not signature-only cards.

Comment Re:Great for CC scammers (Score 1) 222

*Barely more secure*? EMV cards can't be copied, modified, or counterfeited if the Card Authentication Methods (SDA/DDA/CDA) are implemented properly. The Application Cryptogram generated by the card and host also means the transaction itself is secure (assuming proper card and host implementation).

Magnetic stripes have no protection at all. The US is probably the last major country that hasn't gone to full chip technology.

Comment Re:Chip-and-pin is not secure (Score 1) 236

EMV cards are not as simple as that. You have layers of security, such as Offline Card Authentication (Offline CAM), Cardholder Verification (PIN, signature...) and online CAM (where that MAC happens). Unless you have the means to obtain the private/secret keys required for the transaction, it's going to be extremely hard to calculate
