Yet another insecure banking system

The banks are thinking about introducing a new anti-phising meaure called the ‘chip authentication protocol’. How it works is that each customer gets a device like a pocket calculator in which you put your ‘chip and PIN’ (EMV) card, enter your PIN (the same PIN you use for ATMs), and it will display a one-time … Continue reading Yet another insecure banking system

How to use a chip card whose PIN you don't know

We’ve got emails from several people complaining that after their card had been stolen, someone did a fraudulent transaction on it — without knowing the PIN. In some cases the victim had never used the card in a retail transaction and didn’t know the PIN. An article in yesterday’s Daily Mail hints at how. In … Continue reading How to use a chip card whose PIN you don't know

The Pre-play Attack in Real Life

Recently I was contacted by a Falklands veteran who was a victim of what appears to have been a classic pre-play attack; his story is told here. Almost ten years ago, after we wrote a paper on the pre-play attack, we were contacted by a Scottish sailor who’d bought a drink in a bar in … Continue reading The Pre-play Attack in Real Life

FCA view on unauthorised transactions

Yesterday the Financial Conduct Authority (the UK bank regulator) issued a report on Fair treatment for consumers who suffer unauthorised transactions. This is an issue in which we have an interest, as fraud victims regularly come to us after being turned away by their bank and by the financial ombudsman service. Yet the FCA have … Continue reading FCA view on unauthorised transactions

Another scandal about forensics

The FBI overstated forensic hair matches in nearly all trials up till 2000. 26 of their 28 examiners overstated forensic matches in ways that favoured prosecutors in more than 95 percent of the 268 trials reviewed so far. 32 defendants were sentenced to death, of whom 14 were executed or died in prison. In the … Continue reading Another scandal about forensics

EMV: Why Payment Systems Fail

In the latest edition of Communications of the ACM, Ross Anderson and I have an article in the Inside Risks column: “EMV: Why Payment Systems Fail” (DOI 10.1145/2602321). Now that US banks are deploying credit and debit cards with chips supporting the EMV protocol, our article explores what lessons the US should learn from the … Continue reading EMV: Why Payment Systems Fail

Financial cryptography 2014

I will be trying to liveblog Financial Cryptography 2014. I just gave a keynote talk entitled “EMV – Why Payment Systems Fail” summarising our last decade’s research on what goes wrong with Chip and PIN. There will be a paper on this out in a few months; meanwhile here’s the slides and here’s our page … Continue reading Financial cryptography 2014

Why dispute resolution is hard

Today we release a paper on security protocols and evidence which analyses why dispute resolution mechanisms in electronic systems often don’t work very well. On this blog we’ve noted many many problems with EMV (Chip and PIN), as well as other systems from curfew tags to digital tachographs. Time and again we find that electronic … Continue reading Why dispute resolution is hard