26C3 - 26th Chaos Communication Congress
Here be dragons
| Speakers | |
|---|---|
| Speaker | Steven J. Murdoch |

| Schedule | |
|---|---|
| Day | Day 3 - 2009-12-29 |
| Room | Saal2 |
| Start time | 17:15 |
| Duration | 01:00 |

| Info | |
|---|---|
| ID | 3657 |
| Event type | Lecture |
| Track | Hacking |
| Language used for presentation | English |
Optimised to fail
Card readers for online banking
The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer's debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous design errors, which could be exploited by criminals.
Banks throughout Europe are now issuing hand-held smart card readers to their customers. These are used, along with the customer's bank card, for performing online banking transactions. In this talk I will describe how we reverse-engineered the cryptographic protocol used by these readers, using some custom-designed smart card analysis hardware. We discovered several flaws in this protocol, which could be exploited by criminals (and some already are). This talk will explain what vulnerabilities exist, and what the impact on customers could be.
