Current issues in payments (part 1)

This is the first of a two or three part instalment in which Laurent Simon and I comment on our impressions of David Birch’s Tomorrow’s Transactions Forum, which we attended thanks to Dave’s generosity. NOTE: Although written in first person, what follows results from a combination of Laurent’s and my notes. This was a two day …

European ATM Conference & the Cashless Society

I was a guest at the annual meeting of the European branch of the ATM Industry Association. This was a two-day event in London (May 22–23, 2012). I was there thanks to Tom Harper, founder of ATM Marketplace, that is, a B2B website for ancillary cash machine equipment (established circa 1997). Although my interest was to …

The Smart Card Detective: a hand-held EMV interceptor

During my MPhil within the Computer Lab (supervised by Markus Kuhn) I developed a card-sized device (named Smart Card Detective – in short SCD) that can monitor Chip and PIN transactions. The main goal of the SCD was to offer a trusted display for anyone using credit cards, to avoid scams such as tampered terminals …

Encoding integers in the EMV protocol

On the 1st of January 2010, many German bank customers found that their banking smart cards had stopped working. Details of why are still unclear, but indications are that the cards believed that the date was 2016, rather than 2010, and so refused to process a transaction supposedly after their expiry dates. This problem could …

Relay attack featured on Dutch TV

Yesterday, the Dutch TV programme “Goudzoekers” featured Saar Drimer and me demonstrating a relay attack against the recently introduced Chip and PIN system in The Netherlands. The video can be found online, in both Windows Media and Silverlight formats as well as Flash below. The production team have published a synopsis (translated version) on their …

Interview with Steven Murdoch on Finextra

Today, Finextra (a financial technology news website) has published a video interview with me, discussing my research on banks using card readers for online banking, which was recently featured on TV. In this interview, I discuss some of the more technical aspects of the attacks on card readers, including the one demonstrated on TV (which …

Tuning in to random numbers

Tomorrow at Cryptographic Hardware and Embedded Systems 2009 I’m going to be presenting a frequency injection attack on random number generators formed from ring oscillators. Random numbers are a vital part of cryptography — if predictable numbers are being used an attacker may be able to read secret messages, impersonate either party, or replay transactions. …

A truly marvellous proof of a transaction

When you transact with an EMV payment card (a “Chip and PIN” card), typical UK operation is for the bank to exchange three authentication “cryptograms”. First comes the request from the card (the ARQC), then comes the response from the bank (the ARPC) and finally the transaction certificate (TC). The idea with the transaction certificate …