The Pre-play Attack in Real Life

Recently I was contacted by a Falklands veteran who was a victim of what appears to have been a classic pre-play attack; his story is told here. Almost ten years ago, after we wrote a paper on the pre-play attack, we were contacted by a Scottish sailor who’d bought a drink in a bar in …

FCA view on unauthorised transactions

Yesterday the Financial Conduct Authority (the UK bank regulator) issued a report on Fair treatment for consumers who suffer unauthorised transactions. This is an issue in which we have an interest, as fraud victims regularly come to us after being turned away by their bank and by the financial ombudsman service. Yet the FCA have …

EMV: Why Payment Systems Fail

In the latest edition of Communications of the ACM, Ross Anderson and I have an article in the Inside Risks column: “EMV: Why Payment Systems Fail” (DOI 10.1145/2602321). Now that US banks are deploying credit and debit cards with chips supporting the EMV protocol, our article explores what lessons the US should learn from the …

Financial cryptography 2014

I will be trying to liveblog Financial Cryptography 2014. I just gave a keynote talk entitled “EMV – Why Payment Systems Fail” summarising our last decade’s research on what goes wrong with Chip and PIN. There will be a paper on this out in a few months; meanwhile here’s the slides and here’s our page …

Why dispute resolution is hard

Today we release a paper on security protocols and evidence which analyses why dispute resolution mechanisms in electronic systems often don’t work very well. On this blog we’ve noted many many problems with EMV (Chip and PIN), as well as other systems from curfew tags to digital tachographs. Time and again we find that electronic …

UK bank fraud up by 11% in 2012, but how much do customers lose?

Today, the UK Cards Association (UKCA) published their summary of bank fraud for 2012. This provides an important insight into banking fraud, and the level of detail which the UK banks provide is very welcome. The UKCA figures go back to 2007, but I’ve collected the figures from previous releases going back to 2004. This …

IEEE best paper award

Steven Murdoch, Saar Drimer, Mike Bond and I have just won the IEEE Security and Privacy Symposium’s Best Practical Paper award for our paper Chip and PIN is Broken. This was an unexpected pleasure, given the very strong competition this year (especially from this paper). We won this award once before, in 2008, for a …

Cambridge Science Festival: Science research now!

The annual Cambridge Science Festival is running during 8–21 March, where there are over 150 talks, demonstrations and other events, open to the public. On Saturday 13th March (16:00–16:45), I will be talking about my recent work on Chip and PIN security. In the same session, there will also be presentations from Leila Luheshi on …

Encoding integers in the EMV protocol

On the 1st of January 2010, many German bank customers found that their banking smart cards had stopped working. Details of why are still unclear, but indications are that the cards believed that the date was 2016, rather than 2010, and so refused to process a transaction supposedly after their expiry dates. This problem could …