7

Out of curiosity: how do electronic Visa/Master Card debit/credit cards with microchips authenticate a transaction?

Are they stupid storage for a key which is simply read by a reader or do they somehow sign the requested transaction details using an internal key which is never revealed? (The latter is my guess how it should be done but I'm not sure if you can expect the chip to have enough computing power)

lampak
  • 173
  • 1
  • 4

2 Answers2

6

EMV cards and smart cards in general do indeed have an embedded private key and enough horsepower to do the crypto math needed to sign a transaction without revealing the secret.

https://secure.wikimedia.org/wikipedia/en/wiki/EMV
https://secure.wikimedia.org/wikipedia/en/wiki/Smart_card

Steve Dispensa
  • 3,441
  • 16
  • 20
5

Here's an interesting paper about the security of smart cards (in debit cards) used for online banking security in the UK under the CAP scheme.

http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

Here's a link from the UK with nice details about chip and pin systems: http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

We demonstrate a middleperson attack on EMV which lets criminals use stolen chip and PIN cards without knowing the PIN.

Our technical paper Chip and PIN is Broken explains how. It has been causing quite a stir as it has circulated the banking industry privately for over 2 months, and it has been accepted for the IEEE Symposium on Security and Privacy, the top conference in computer security. (See also our FAQ and the press release.)

The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.

And here's another (less relevant) one where a UK petrol / gas supplier temporarily stopped using chip and pin in all 600 of their outlets when they realised there was a problem with the "tamper proof" pin input devices.

http://www.lightbluetouchpaper.org/2006/05/10/the-mythical-tamper-proof-pin-pad/

Smartcards usually have a fallback to a magstripe, which is an attack vector for some criminals.

DanBeale
  • 2,064
  • 3
  • 18
  • 27
  • 1
    The second link is 5 years old and the particular company cited (Shell) currently all have "Pay @ Pump" facilities in my area. How relevant is it to the OP's question? – MisterSquonk Aug 29 '11 at 01:02
  • @Mistersquonk - you're right, I've made some edits to put it into proper context and added a much better link. – DanBeale Aug 29 '11 at 08:23