[Infowarrior] - Optimised to Fail: Card Readers for Online Banking

Richard Forno rforno at infowarrior.org
Fri Feb 27 12:18:27 UTC 2009


url: http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

Optimised to Fail:  Card Readers for Online Banking
Saar Drimer, Steven J. Murdoch, and Ross Anderson
Computer Laboratory, University of Cambridge, UK
http://www.cl.cam.ac.uk/users/{sd410,sjm217,rja14}

Abstract. The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer’s debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.

Keywords: banking security, reverse engineering, authentication, liability, chip and PIN

Paper @ url: http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
