Today, Tuesday 6/6/6, Mike Bond and George Danezis published our department’s 666-th technical report titled “A pact with the Devil”. In this devious research paper, they explore the risks of a whole new generation of malware that exploits not only computer users’ inexperience to propagate, but also their greed, malice and short-sightedness. Continue reading TR-666: A pact with the Devil
We’ve got emails from several people complaining that after their card had been stolen, someone did a fraudulent transaction on it — without knowing the PIN. In some cases the victim had never used the card in a retail transaction and didn’t know the PIN.
An article in yesterday’s Daily Mail hints at how. In technical language, you read the card, which gives you everything except the MAC key. You now write this data to a fresh card, for which you know the PIN. If this clone card is used in an offline terminal, the transaction will go through and the log will show the PIN was correctly entered. The moral, I suppose, is that customers in dispute with their banks should demand that the banks disclose the MAC key and show that the MAC on the transaction log was correct. Whether their systems support this is of course another story.