Cracking Chip & PIN

Chris Jarman, one of the original technical architects of the Chip & Pin scheme, explains its development and how various hacks have been attempted.

Published in: Technology


1. Risk Management
   - First lesson of Banking – no Risk, no Profit.
   - Financial Security models are always a balance.
   - No System is Secure but it can be judged Secure Enough.
   - Bankers have been evaluating risk and profit since the days of barter.
   - No Security model exists in isolation.
   - Chip & PIN builds on a considerable existing security framework.

2. Business Objectives
   - Driven by simple commercial proposition.
   - Augmented by reputational elements.
   - Incorporate behavioural evolution.
   - Needs to account for and predict technology.
   - Needs to be viable for all parties.
   - Subject to review and planned to continuously evolve.

3. Crypto
   - Basis of Trust
   - RSA Public Key Scheme
   - Static Data Authentication
   - Dynamic Data Authentication
   - Triple (Double Length) DES
   - Online mutual Authentication
   - PIN
   - What you have: Token
   - What you know: Crypto engine / Keys / PIN

4. Attack Scenarios
   - Forced attack / threat, e.g. Theft
   - Card not present / non-PIN verified, e.g. Internet
   - Mobile Commerce
   - International, e.g. Fallback

5. Attack Scenarios
   - Hard Attack of Crypto – RSA or 3*DES
   - Exploit Procedural Elements, e.g. Relay
   - Transaction flow logistics, e.g. Terminal Minder
   - Disintermediate parties, e.g. Wedge
   - Technology Element, e.g. Differential Power Analysis

6. Investment / Reward
   - 800 Million cards and growing.
   - Fraud is a commercial business.
   - Cost / Benefit model based.
   - Requires significant resource dedication.
   - Limited skill set availability.
   - Requires greater resource to exploit.
   - Active detection methods can rapidly terminate activity.

7. Chip & PIN Today
   - Overall scheme security remains intact and strong.
   - Hard card attack scenarios provide poor business case.
   - Soft card attack scenarios exploit interfaces and provide little business case.
   - Largest exposure remains non-chip usage.
   - New channels building in support to leverage Chip and PIN – e.g. HomePay reader at home.
   - Still fit for purpose!!

8. Chip & PIN @ Home
   - HomePay
     - Secure e-commerce payments with Chip & PIN
     - Remote authentication to remote services such as home banking
     - P2P, B2B, and G2P payment processing
