Thursday, 28 February 2008

Your PIN Is Not So Secret

The University of Cambridge has discovered some scary vulnerabilities in the "chip and PIN" system that is used for debit cards. As best I can tell, this is the same (or at least very similar) system to what those of us in the U.S. use for our debit card purchases. An interview with one of the certifying agencies is a must-see. I would say protect yourself, but it appears there is no way to. Slashdot discussion here. I hope that I am overreacting and that this is only a UK problem, but my guess is that it is not.

4 comments:

  1. I work for a bank, but am not an expert on ATM systems.

    That being said, I think Wedge is overblowing the risk a bit. The kind of hack described here appears to require extended physical access to the "PED" (box you swipe your card on). If one has that kind of access, they could also do what most USA ATM thieves do: put a fake reader over a real one and have the fake reader record EVERYTHING that slides through it or is pressed upon it. This is much simpler and more reliable for the thief.

    Overall, banking should always look to make transactions more and more secure, if it can be done without putting more barriers to legitimate business. Sometimes the balance point does not allow for absolute security in all circumstances.

  2. The one thing that still concerns me is that apparently the reader is what decrypts the card, not the system itself. Of course, if the thieves have their own reader, sounds like they can already decrypt the card.

  3. "You see, what you do is, you give them all your credit card numbers. And if one of them is lucky, then they send you a prize."

  4. Wedge, unfortunately, banks cannot (as far as I know) enforce the specs for the readers their users make use of. They give out the specs for connecting to the system, and it is up to the store chains and/or the makers to make them secure. And, as with anything, the cheaper the product, the less secure it is bound to be.

    I know that sounds like a cop-out, but it is reality. Banks' top priority in the 90s was to make debit and ATM cards ubiquitous to drive down costs. At the time, identity theft was rare and the hardware required to hack a reader was cost-prohibitive. (Why spend $10K to hack a reader, when you might only get $7000 out of it before you got caught?) Now, of course, Moore's Law has caught up and it is easier and cheaper, and identity theft is everywhere.

    Even that being said, I'd worry less about CC scanners and more about the touchless/pinless cards being offered by everyone. Those pinless transactions can only be up to a certain amount, but can theoretically be read from across the room. So instead of hacking a single swiper, you can have a guy stand in the middle of Stop and Shop and harvest numbers by the hundreds.
