Chip-and-PIN payment cards are coming to the United States after a long head start as the standard card-present payment method in Europe and Asia. Retailer Target has already accelerated its plan to move its branded debit and credit cards to chip-and-PIN, also known as EMV (Europay, MasterCard and Visa), following a devastating data breach during the Christmas shopping season. Other retailers are sure to follow, especially with Visa's October 2015 liability shift approaching: from that date, when a card-present transaction turns out to be fraudulent, the loss lands on whichever party, issuer or merchant, had not adopted chip technology for that transaction.

While chip-and-PIN may relieve some of the authentication anxiety surrounding payment card transactions, it is not a cure-all for fraud, and it comes with its own share of security baggage and vulnerabilities. The latest evidence is a recently published paper by computer scientists at the University of Cambridge in the U.K. The paper describes two serious problems: an implementation flaw, and a weakness in the protocol itself that the researchers say will be much harder to fix.

The team, Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov and Ross Anderson, found that the "unpredictable number" (UN), a nonce that the ATM or payment terminal is supposed to generate freshly for each transaction and that the card's chip folds into the authorisation cryptogram it returns, is in practice often anything but unpredictable. "Some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce," the paper said. "This exposes them to a 'pre-play' attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically." EMV chips exist largely to defeat card cloning, which is far easier against cards that carry their data only on a magnetic stripe.
The researchers explain in the paper how the attacks can be carried out against ATMs and other payment terminals. "We found flaws in widely-used ATMs from the largest manufacturers," the paper said. "We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit."

As with any weak random number generator, predictability is exactly what a determined thief needs. "This might create the opportunity for an attack in which a criminal with temporary access to a card (say, in a Mafia-owned shop) can compute the authentication codes needed to draw cash from that ATM at some time in the future for which the value of the [unpredictable number] can be predicted," the paper said.

The protocol weakness came to light while studying the nonce problem: the issuing bank has no way to verify that the UN it is shown was actually drawn at random by the terminal, so an attacker who controls the terminal, or who sits between it and the acquirer, can substitute a UN for which a cryptogram was already harvested from the victim's card. "This variant of the pre-play attack may be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer," the paper said. In other words, the attacker needs either a man-in-the-middle position, between the card and the terminal or between the terminal and the acquiring bank, or malware on the terminal itself. "The banks appear to have ignored this, perhaps reasoning that it is difficult to scale up an attack that involves access to specific physical cards and also the installation of malware or wiretaps on specific terminals," the paper said. "We disagree. The Target compromise shows that criminals can deploy malware on merchant terminals widely and exploit it to earn serious money."
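The pre-play attack described above, as an added simulation written for this page (it is not code from the Cambridge paper or from any EMV implementation). The card's authorisation cryptogram (ARQC) is modelled as a truncated HMAC-SHA256 in place of the real DES-based MAC, the card key, the amounts and the ATM's counter values are constructed, and the message flow is reduced to the fields the attack turns on: amount, UN, application transaction counter (ATC) and ARQC. The names `Card`, `FakeCard`, `harvest`, `terminal_transaction` and `run_preplay` are this example's own.

```python
"""Pre-play attack against an EMV terminal whose 'unpredictable number' (UN) is predictable.

Added illustration written for this page; not code from the Cambridge paper
or from any EMV implementation. HMAC-SHA256 stands in for the card's real
DES-based MAC; the key, amounts and counter values are constructed.
"""
import hashlib
import hmac
import secrets
import struct

CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed card key


def card_arqc(key, amount, un, atc):
    """MAC over the transaction data; only the card and its issuer hold `key`."""
    data = struct.pack(">IIH", amount, un, atc)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """Genuine chip: signs whatever UN the terminal supplies and bumps its own ATC."""

    def __init__(self, key):
        self._key = key
        self.atc = 0

    def generate_ac(self, amount, un):
        self.atc += 1
        return self.atc, card_arqc(self._key, amount, un, self.atc)


class FakeCard:
    """Attacker's card: holds no key, only cryptograms harvested earlier, keyed by (amount, UN)."""

    def __init__(self, harvested):
        self._harvested = harvested

    def generate_ac(self, amount, un):
        return self._harvested.get((amount, un))  # None unless this UN was pre-played


def harvest(card, amount, predicted_uns):
    """Temporary access to the victim's card (the 'Mafia-owned shop'): make it
    sign one transaction for every UN the attacker expects the target ATM to emit."""
    return {(amount, un): card.generate_ac(amount, un) for un in predicted_uns}


def issuer_verify(key, amount, un, atc, arqc):
    """Issuer recomputes the MAC. It has no way to check that `un` was random."""
    return hmac.compare_digest(card_arqc(key, amount, un, atc), arqc)


def weak_un(counter):
    """Flawed terminal 'RNG' of the kind the paper found: a plain counter."""
    return counter & 0xFFFFFFFF


def strong_un():
    """What the protocol intends: 32 bits from a CSPRNG."""
    return secrets.randbits(32)


def terminal_transaction(card, amount, un):
    """ATM/POS: hand the UN to the card, send (amount, UN, ATC, ARQC) to the issuer.
    Returns True if the issuer approves."""
    result = card.generate_ac(amount, un)
    if result is None:
        return False  # fake card has nothing to replay for this UN
    atc, arqc = result
    return issuer_verify(CARD_KEY, amount, un, atc, arqc)


def run_preplay(predictable):
    """Whole attack. predictable=True models an ATM whose UN is a counter the
    attacker has observed; False models a properly random UN."""
    victim = Card(CARD_KEY)
    amount = 200_00  # constructed: a 200.00 cash withdrawal
    if predictable:
        # The attacker has watched the ATM and expects its counter near 1000 later.
        predicted = [weak_un(c) for c in range(1000, 1010)]
    else:
        predicted = [secrets.randbits(32) for _ in range(10)]  # pure guesses
    fake = FakeCard(harvest(victim, amount, predicted))
    # Later, at the ATM, the attacker presents the fake card.
    atm_un = weak_un(1003) if predictable else strong_un()
    return terminal_transaction(fake, amount, atm_un)


if __name__ == "__main__":
    print("counter UN, pre-play approved:", run_preplay(True))   # True
    print("random UN, pre-play approved: ", run_preplay(False))  # False
```

In this model `run_preplay(True)` is approved because the cryptogram really was produced by the victim's card under the real key: from the issuer's logs it is indistinguishable from a cloned card, as the paper says. The one trace left behind is the ATC, which was assigned when the cryptogram was harvested and so can arrive out of sequence with the victim's own later transactions. The malware and man-in-the-middle variant is the same `terminal_transaction` call with a UN the attacker chose rather than one the terminal drew; `issuer_verify` cannot tell the two apart.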
Microsoft confirmed today that it will support HTTP Strict Transport Security (HSTS) in Internet Explorer 12, bringing its browser in line with the other major vendors. A site opts in by sending a Strict-Transport-Security response header over HTTPS; from then on, for as long as the header's max-age says, a supporting browser rewrites any http:// request for that host to https:// before it leaves the machine, so the session is encrypted end to end. According to OWASP, HSTS protects users from a number of threats, in particular man-in-the-middle attacks, not only by forcing encrypted sessions but also by stopping attackers who present invalid digital certificates: for a host with an HSTS policy, a certificate error is fatal and the user gets no option to click through it. HSTS also covers HTTPS websites that still link to or embed http:// resources, since those requests are upgraded as well. The one gap is the first visit, before the browser has ever seen the header, which is why browser vendors also maintain preload lists of hosts that are treated as HSTS from the start.

IE 12 is expected to be released this year; IE 11 was introduced in October 2013 and is the default browser in Windows 8.1. IE 12's support of HSTS puts it on an even keel with other browsers; Chrome and Firefox have both supported it since at least 2011, and Apple added HSTS support to Safari with OS X 10.9 Mavericks. According to the Electronic Frontier Foundation's Encrypt the Web report, a few leading technology companies already support HSTS on their websites, including Dropbox, Foursquare, SpiderOak and Twitter. Others such as Facebook, LinkedIn, Tumblr and Yahoo plan to do so this year, as does Google for select domains. EFF staff technologist Jeremy Gillula said today that developers either are unaware of the availability of HSTS or have been stymied by incomplete support in browsers. "This is changing though: we noticed that Apple quietly added HSTS support to Safari in OS X 10.9," Gillula said. "For now, Internet Explorer doesn't support HSTS, which means that there's basically no such thing as a secure website in IE." Until that changes, much of the security burden falls on the user, who must either rely on a browser that supports HSTS or use something such as the HTTPS Everywhere browser extension.
"For now all a savvy user can do is to always carefully examine the address of the site you've loaded, and verify that it's secure by checking to make sure it has 'https' in the front and is the precise address you want to visit," Gillula said. "Unfortunately this assumes that you know ahead of time (and remember) whether or not a site should be secure, and are meticulous with every website you visit."

Transport encryption and the measures that harden it, such as HTTPS, HSTS and forward secrecy, have been given greater priority now that the depth of NSA and government surveillance has been exposed. Experts urge developers to treat them as a minimum standard for web-based services such as email. Just this week, Yahoo caught up with many of its contemporaries when it announced that it had encrypted traffic moving between its data centers; Snowden documents revealed that the NSA and Britain's GCHQ were able to tap overseas fiber optic cables and copy data as it moved between the company's data centers. Yahoo also announced its intention to support HSTS, forward secrecy and Certificate Transparency this year.
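The browser-side behaviour the article describes, as an added example written for this page (it is not Internet Explorer's or any other browser's code): a small model of the HSTS policy store from RFC 6797. It honours the header only when it arrived over HTTPS, rewrites later http:// URLs for a known host, covers subdomains only when includeSubDomains was sent, lets a policy lapse when max-age runs out, and makes certificate errors for a known host non-overridable. The class name `HstsStore`, its method names, and the host names and timestamps used are this example's own; the caller is assumed to have already validated the certificate on the HTTPS response that carried the header.

```python
"""Model of the HSTS policy store a browser keeps (RFC 6797).

Added example written for this page; not Internet Explorer's or any other
browser's code. Host names and timestamps used with it are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self):
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def process_header(self, host, scheme, header_value, now):
        """Handle a Strict-Transport-Security response header.

        RFC 6797 section 8.1: the header is honoured only when the response
        came over HTTPS with a valid certificate (certificate validation is
        assumed to have been done by the caller). Returns True if the store
        changed, False if the header was ignored.
        """
        if scheme != "https":
            return False  # an attacker on plain HTTP must not be able to set policy
        max_age = None
        include_subdomains = False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            value = value.strip().strip('"')
            if name == "max-age":
                if max_age is not None or not value.isdigit():
                    return False  # duplicate or malformed: ignore the whole header
                max_age = int(value)
            elif name == "includesubdomains":
                include_subdomains = True
            # other directives (e.g. preload) are ignored by the user agent
        if max_age is None:
            return False  # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 means "forget this host"
        else:
            self._policies[host] = (now + max_age, include_subdomains)
        return True

    def is_known(self, host, now):
        """True if `host`, or a parent domain whose policy has includeSubDomains,
        has a policy that has not yet expired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if now >= expires_at:
                continue  # expired policy no longer applies
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url, now):
        """Rewrite an http:// URL to https:// when a policy applies (section 8.3).
        Port 80 is dropped; any other explicit port is kept."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname, now):
            return url  # already HTTPS, or a first visit: nothing to enforce yet
        if parts.port in (None, 80):
            netloc = parts.hostname
        else:
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def cert_error_overridable(self, host, now):
        """For a known host a certificate error is fatal: no click-through (section 8.4)."""
        return not self.is_known(host, now)


if __name__ == "__main__":
    store = HstsStore()
    t0 = 1_700_000_000  # constructed clock value
    store.process_header("example.com", "https", "max-age=31536000; includeSubDomains", t0)
    print(store.rewrite("http://www.example.com/login", t0))  # https://www.example.com/login
```

The `scheme != "https"` check is the part to notice: a header injected into a plain-HTTP response must not create a policy, otherwise an attacker could poison the store. The first-visit gap remains in this model exactly as in real browsers, which is what the preload lists exist to close. A lookalike such as `example.com.attacker.test` never matches `example.com`, because matching walks parent domains of the requested host, never the other way round.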