
26th Chaos Communication Congress
Here be dragons

Speakers: Steven J. Murdoch

Schedule
Day: Day 3 - 2009-12-29
Room: Saal2
Start time: 17:15
Duration: 01:00

Info
ID: 3657
Event type: Lecture
Track: Hacking
Language used for presentation: English

Optimised to fail

Card readers for online banking

The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer's debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous design errors, which could be exploited by criminals.

Banks throughout Europe are now issuing hand-held smart card readers to their customers. These are used, along with the customer's bank card, for performing online banking transactions. In this talk I will describe how we reverse-engineered the cryptographic protocol used by these readers, using some custom-designed smart card analysis hardware. We discovered several flaws in this protocol, which could be exploited by criminals (and some already are). This talk will explain what vulnerabilities exist, and what the impact on customers could be.