Optimised to Fail: Card Readers for Online Banking

Saar Drimer, Steven J. Murdoch, Ross Anderson

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer's debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.
Original languageEnglish
Title of host publicationFinancial Cryptography and Data Security
Subtitle of host publication13th International Conference, FC 2009, Accra Beach, Barbados, February 23-26, 2009. Revised Selected Papers
EditorsRoger Dingledine, Philippe Golle
Place of PublicationBerlin, Heidelberg
PublisherSpringer
Pages184-200
Number of pages17
ISBN (Electronic)978-3-642-03549-4
ISBN (Print)978-3-642-03548-7
DOIs
Publication statusPublished - 21 Jul 2009
Event13th International Conference on Financial Cryptography and Data Security 2009 - , Barbados
Duration: 23 Feb 200926 Feb 2009
Conference number: 13
https://ifca.ai/fc09/index.html

Publication series

NameLecture Notes in Computer Science
PublisherSpringer, Berlin, Heidelberg
Volume5628
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference13th International Conference on Financial Cryptography and Data Security 2009
Abbreviated titleFC 2009
Country/TerritoryBarbados
Period23/02/0926/02/09
Internet address

Fingerprint

Dive into the research topics of 'Optimised to Fail: Card Readers for Online Banking'. Together they form a unique fingerprint.

Cite this