
Cracking Chip & PIN


Chris Jarman, one of the original technical architects of the Chip & Pin scheme, explains its development and how various hacks have been attempted.


Cracking Chip & PIN

  1. Risk Management
     First lesson of Banking – no Risk, no Profit.
     Financial Security models are always a balance.
     No System is Secure but it can be judged Secure Enough.
     Bankers have been evaluating risk and profit since the days of barter.
     No Security model exists in isolation.
     Chip & PIN builds on a considerable existing security framework.

  2. Business Objectives
     Driven by simple commercial proposition.
     Augmented by reputational elements.
     Incorporate behavioural evolution.
     Needs to account for and predict technology.
     Needs to be viable for all parties.
     Subject to review and planned to continuously evolve.

  3. Crypto
     Basis of Trust
     RSA Public Key Scheme
     Static Data Authentication
     Dynamic Data Authentication
     Triple (Double Length) DES
     Online mutual Authentication
     PIN
     What you have: Token
     What you know: Crypto engine / Keys / PIN

  4. Attack Scenarios
     Forced attack / threat e.g. Theft
     Card not present / non PIN verified e.g. Internet
     Mobile Commerce
     International e.g. Fallback

  5. Attack Scenarios
     Hard Attack of Crypto – RSA or 3*DES
     Exploit Procedural Elements e.g. Relay
     Transaction flow logistics e.g. Terminal Minder
     Disintermediate parties e.g. Wedge
     Technology Element e.g. Differential Power Analysis

  6. Investment / Reward
     800 Million cards and growing.
     Fraud is a commercial business.
     Cost / Benefit model based.
     Requires significant resource dedication.
     Limited skill set availability.
     Requires greater resource to exploit.
     Active detection methods can rapidly terminate activity.

  7. Chip & PIN Today
     Overall scheme security remains intact and strong.
     Hard card attack scenarios provide poor business case.
     Soft card attack scenarios exploit interfaces and provide little business case.
     Largest exposure remains non-chip usage.
     New channels building in support to leverage chip and PIN – e.g. HomePay reader at home.
     Still fit for purpose!!

  8. Chip & PIN @ Home
     HomePay
     - Secure e-commerce payments with Chip & PIN
     - Remote authentication to remote services such as home banking
     - P2P, B2B, and G2P payment processing