Finextra Research

Adam Nybäck

System Developer, Anyro
Member since: 08 Jan 2008
Location: Stockholm
Followers: 0
Following: 0
Opinions: 4
Long reads: 0

Adam's comments

Starbucks Mobile App - Payments reinvented

Is the QR-code the same all the time or is it generated dynamically for each purchase? That would make it very secure (can't be skimmed).

Other security can easily be added such as PIN-code so you could use it for higher value payments.

Another interesting thing about this technology is that it could be extended to P2P payments since smart phones have cameras too.

02 Feb 2011 07:00

Google considers PayPal payments option for Android apps

I hope this will make it possible to buy and sell apps in more than just 13 countries (http://market.android.com/support/bin/answer.py?hl=en&answer=138294).

16 Aug 2010 15:07

Is Apple killing Flash-Flex?

I don't think Apple can kill Flash. Sure, lots of developers will eventually consider using HTML5 instead for menus, ads and movies, but what about games? Is there any alternative to Flash for games that can run in various browsers and operating systems?

09 Mar 2010 20:05

Apacs staffer outed as anonymous Chip and PIN research basher

If this is something "a first year electronic engineering student could achieve", then it's even more likely that criminals have used this attack already.

24 Feb 2010 18:30

Chip and PIN is broken

Steven,

"Are you referring to the ISO 8583 Point of service entry mode? I saw this mentioned in a blog post by Dave Birch. There is apparently a single-digit field which states how cardholder verification occurred, but I haven't been able to find out the encoding."

Actually, this single-digit field does not necessarily include how cardholder verification occurred. I just added a comment about this on Dave's blog.

Adam.

20 Feb 2010 05:02

Chip and PIN is broken

Richard,

The attack doesn't work on ATMs. This is explained in the report on page 3.

Steven mentioned ATM above to explain that this non-ATM attack is more efficient than attacking ATMs. You can get £10,000, in cash, in an hour, compared to £500 per day from an ATM.

17 Feb 2010 10:32

Chip and PIN is broken

"Are you referring to the ISO 8583 Point of service entry mode?"

Yes, in ISO 8583 it's part of that field.

16 Feb 2010 20:00

Chip and PIN is broken

In addition to CVMR, the terminals usually send similar information in a general (non-EMV) field to the acquirer. This field has previously been used for magstripe transactions and should have correct values for chip as well. If this is included in APACS 70 and if this is sent to the issuer by the acquirer, then the issuer could use it instead of CVMR to detect the attack by comparing it to the IAD.

16 Feb 2010 06:59

Chip and PIN is broken

"the issuer will use the legitimate CVMR from the terminal"

So including the CVMR in the CDOL will make the terminal send the CVMR separately to the chip and to the acquirer, even if the CVMR wasn't part of the terminal/acquirer protocol?

You also mentioned the possibility "that terminals do not set the CVMR correctly". If this is the case, then the issuer still cannot use it, since it would lead to false positives, right?

14 Feb 2010 07:07

Chip and PIN is broken

Seems like the Norwegians made the right decision requiring online PIN for their BankAxept brand (with fallback to offline signature). I think there is a similar solution for the Dancard in Denmark.

Here in Sweden there are many cards with offline PIN. However, CVMR is a requirement in the transaction data, so I hope the issuers can and do take advantage of that, at least for domestic transactions.

You suggest that the issuer could include the CVMR in the CDOL of the chip. What if the attacker then tries to alter the CVMR when it's sent from the terminal to the chip?

14 Feb 2010 03:49


Adam writes about

  • security
  • payments

Adam's opinion archive

  • 2011 (3)
  • 2008 (1)

Latest groups joined by Adam

  • Futuristic Banking

  • Information Security

  • SEPA and European Payments
