Abstract
The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer’s debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Anderson, R.J., Needham, R.M.: Robustness principles for public key protocols. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 236–247. Springer, Heidelberg (1995)
APACS: Online banking usage amongst over 55s up fourfold in five years (August 2007), http://www.apacs.org.uk/media_centre/press/08_24_07.html
APACS: APACS announces latest fraud figures (September 2008), http://www.apacs.org.uk/APACSannounceslatestfraudfigures.htm
RedTeam: iTAN online-banking security system. CAN-2005-2779 (August 2005), http://www.redteam-pentesting.de/advisories/rt-sa-2005-014.txt
EMVCo, LLC: EMV 4.1. (June 2004), http://www.emvco.com/
Taylor, M.: Police think French pair tortured for pin details. The Guardian (July 2008), http://www.guardian.co.uk/uk/2008/jul/05/knifecrime.ukcrime
Jenkins, R.: ‘brainless thugs’ get life term. The Times (May 2008), http://www.timesonline.co.uk/tol/news/uk/crime/article3850647.ece
Wong, R.M., Berson, T.A., Feiertag, R.J.: Polonium: an identity authentication system. In: IEEE Symposium on Security and Privacy, p. 101 (1985)
Drimer, S., Murdoch, S.J.: Keep your enemies close: Distance bounding against smartcard relay attacks. In: USENIX Security Symposium (August 2007)
Finn, C.: MTN not budging on fraud issue. IOL technology (May 2008), http://www.ioltechnology.co.za/article_page.php?iSectionId=2885&iArticl%eId=4402087
Lomas, N.: Government gateway 2.0 looks to fatter future. silicon.com (October 2007), http://www.silicon.com/publicsector/0,3800010403,39168629,00.htm
Make Card Readers Optional (2008), http://www.stopthecardreaders.org/
Samuel, H.: Chip and pin scam ‘has netted millions from British shoppers’. Telegraph (October 2008), http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346%/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html
ZKA: ZKA-TAN-Generator: Belegungsrichtlinien für die Dynamisierung der TAN (January 2008), http://www.hbci-zka.de/dokumente/spezifikation_deutsch/Belegungsrichtli%nien%20TAN-Generator%20ve1.3%20final%20version.pdf
Rütten, C., Bachfeld, D.: Ausweispflicht: Sicheres home-banking mit der chipkarte. c’t (17), 98–103 (2008), http://www.heise.de/kiosk/archiv/ct/08/17/098_Ausweispflicht
Cronto: Products datasheet, http://www.cronto.com/download/Cronto_Products_Datasheet.pdf
Davida, G., Frankel, Y., Tsiounis, Y., Yung, M.: Anonymity control in E-cash systems. In: Luby, M., Rolim, J.D.P., Serna, M. (eds.) FC 1997. LNCS, vol. 1318, pp. 1–16. Springer, Heidelberg (1997)
Kerckhoffs, A.: La cryptographie militaire. Journal des sciences militaires 9, 5–38 (1883)
Bohm, N., Brown, I., Gladman, B.: Electronic commerce: Who carries the risk of fraud? The Journal of Information, Law and Technology (3) (October 2000), http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/bohm/
Banking Code Standards Board: The banking code (March 2008), http://www.bankingcode.org.uk/
Drimer, S., Murdoch, S.J., Anderson, R.: Thinking inside the box: system-level failures of tamper proofing. In: IEEE Symposium on Security and Privacy, Oakland, May 2008, pp. 281–295 (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Drimer, S., Murdoch, S.J., Anderson, R. (2009). Optimised to Fail: Card Readers for Online Banking. In: Dingledine, R., Golle, P. (eds) Financial Cryptography and Data Security. FC 2009. Lecture Notes in Computer Science, vol 5628. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03549-4_11
Download citation
DOI: https://doi.org/10.1007/978-3-642-03549-4_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03548-7
Online ISBN: 978-3-642-03549-4
eBook Packages: Computer ScienceComputer Science (R0)