Skip to main content
SpringerLink
Log in

Optimised to Fail: Card Readers for Online Banking

  • Conference paper
Financial Cryptography and Data Security (FC 2009)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5628))

Included in the following conference series:

Abstract

The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer’s debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Anderson, R.J., Needham, R.M.: Robustness principles for public key protocols. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 236–247. Springer, Heidelberg (1995)

    Google Scholar 

  2. APACS: Online banking usage amongst over 55s up fourfold in five years (August 2007), http://www.apacs.org.uk/media_centre/press/08_24_07.html

  3. APACS: APACS announces latest fraud figures (September 2008), http://www.apacs.org.uk/APACSannounceslatestfraudfigures.htm

  4. RedTeam: iTAN online-banking security system. CAN-2005-2779 (August 2005), http://www.redteam-pentesting.de/advisories/rt-sa-2005-014.txt

  5. EMVCo, LLC: EMV 4.1. (June 2004), http://www.emvco.com/

  6. Taylor, M.: Police think French pair tortured for pin details. The Guardian (July 2008), http://www.guardian.co.uk/uk/2008/jul/05/knifecrime.ukcrime

  7. Jenkins, R.: ‘brainless thugs’ get life term. The Times (May 2008), http://www.timesonline.co.uk/tol/news/uk/crime/article3850647.ece

  8. Wong, R.M., Berson, T.A., Feiertag, R.J.: Polonium: an identity authentication system. In: IEEE Symposium on Security and Privacy, p. 101 (1985)

    Google Scholar 

  9. Drimer, S., Murdoch, S.J.: Keep your enemies close: Distance bounding against smartcard relay attacks. In: USENIX Security Symposium (August 2007)

    Google Scholar 

  10. Finn, C.: MTN not budging on fraud issue. IOL technology (May 2008), http://www.ioltechnology.co.za/article_page.php?iSectionId=2885&iArticl%eId=4402087

  11. Lomas, N.: Government gateway 2.0 looks to fatter future. silicon.com (October 2007), http://www.silicon.com/publicsector/0,3800010403,39168629,00.htm

  12. Make Card Readers Optional (2008), http://www.stopthecardreaders.org/

  13. Samuel, H.: Chip and pin scam ‘has netted millions from British shoppers’. Telegraph (October 2008), http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346%/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html

  14. ZKA: ZKA-TAN-Generator: Belegungsrichtlinien für die Dynamisierung der TAN (January 2008), http://www.hbci-zka.de/dokumente/spezifikation_deutsch/Belegungsrichtli%nien%20TAN-Generator%20ve1.3%20final%20version.pdf

  15. Rütten, C., Bachfeld, D.: Ausweispflicht: Sicheres home-banking mit der chipkarte. c’t (17), 98–103 (2008), http://www.heise.de/kiosk/archiv/ct/08/17/098_Ausweispflicht

  16. Cronto: Products datasheet, http://www.cronto.com/download/Cronto_Products_Datasheet.pdf

  17. Davida, G., Frankel, Y., Tsiounis, Y., Yung, M.: Anonymity control in E-cash systems. In: Luby, M., Rolim, J.D.P., Serna, M. (eds.) FC 1997. LNCS, vol. 1318, pp. 1–16. Springer, Heidelberg (1997)

    Chapter  Google Scholar 

  18. Kerckhoffs, A.: La cryptographie militaire. Journal des sciences militaires 9, 5–38 (1883)

    Google Scholar 

  19. Bohm, N., Brown, I., Gladman, B.: Electronic commerce: Who carries the risk of fraud? The Journal of Information, Law and Technology (3) (October 2000), http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/bohm/

  20. Banking Code Standards Board: The banking code (March 2008), http://www.bankingcode.org.uk/

  21. Drimer, S., Murdoch, S.J., Anderson, R.: Thinking inside the box: system-level failures of tamper proofing. In: IEEE Symposium on Security and Privacy, Oakland, May 2008, pp. 281–295 (2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Computer Laboratory, University of Cambridge, UK

    Saar Drimer, Steven J. Murdoch & Ross Anderson

Authors
  1. Saar Drimer
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Steven J. Murdoch
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ross Anderson
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. The Tor Project, Dedham, MA, USA

    Roger Dingledine

  2. Palo Alto Research Center, 3333 Coyote Hill Rd, 94304, Palo Alto, CA, USA

    Philippe Golle

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Drimer, S., Murdoch, S.J., Anderson, R. (2009). Optimised to Fail: Card Readers for Online Banking. In: Dingledine, R., Golle, P. (eds) Financial Cryptography and Data Security. FC 2009. Lecture Notes in Computer Science, vol 5628. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03549-4_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-03549-4_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03548-7

  • Online ISBN: 978-3-642-03549-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation