handouts/ho01.tex
changeset 450 f3d5e57ca00a
parent 446 64c20ed7941a
child 453 5921eebd9add
equal deleted inserted replaced
449:7ecbf5339d0f 450:f3d5e57ca00a
   116 Chip-and-PIN, as the name suggests, relies on data being
   116 Chip-and-PIN, as the name suggests, relies on data being
   117 stored on a chip on the card and a PIN number for
   117 stored on a chip on the card and a PIN number for
   118 authorisation. Even though the banks involved trumpeted their
   118 authorisation. Even though the banks involved trumpeted their
   119 system as being absolutely secure and indeed fraud rates
   119 system as being absolutely secure and indeed fraud rates
   120 initially went down, security researchers were not convinced
   120 initially went down, security researchers were not convinced
   121 (especially not the group around Ross Anderson). To begin with,
   121 (especially not the group around Ross
   122 the Chip-and-PIN system introduced a ``new player'' into the
   122 Anderson).\footnote{Actually, historical data about fraud
       
   123 showed that first fraud rates went up (while early problems to
       
   124 do with the introduction of Chip-and-PIN we exploited), then
       
   125 down, but recently up again (because criminals getting more
       
   126 familiar with the technology and how it can be exloited).} To begin with, the
       
   127 Chip-and-PIN system introduced a ``new player'' into the
   123 system that needed to be trusted: the PIN terminals and their
   128 system that needed to be trusted: the PIN terminals and their
   124 manufacturers. It was claimed that these terminals were
   129 manufacturers. It was claimed that these terminals were
   125 tamper-resistant, but needless to say this was a weak link in
   130 tamper-resistant, but needless to say this was a weak link in
   126 the system, which criminals successfully attacked. Some
   131 the system, which criminals successfully attacked. Some
   127 terminals were even so skilfully manipulated that they
   132 terminals were even so skilfully manipulated that they
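Review bot: The footnote added at new lines 122-126 carries three wording errors that should be fixed before this lands: "early problems ... we exploited" at line 124 should read "were exploited", "because criminals getting more familiar" at line 125 is missing "are" ("because criminals are getting more familiar"), and "exloited" at line 126 is a typo for "exploited". Since the footnote asserts a concrete trend in historical fraud data (up, then down, then up again), it would also be worth backing it with a citation or a source footnote rather than leaving it as an unsupported aside; the rest of the hunk only reflows the surrounding context lines to make room for the footnote.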
   204 
   209 
   205 \noindent They claim that they are able to clone Chip-and-PINs
   210 \noindent They claim that they are able to clone Chip-and-PINs
   206 cards such that they get all data that was on the Magstripe,
   211 cards such that they get all data that was on the Magstripe,
   207 except for three digits (the CVV number). Remember,
   212 except for three digits (the CVV number). Remember,
   208 Chip-and-PIN cards were introduced exactly for preventing
   213 Chip-and-PIN cards were introduced exactly for preventing
   209 this.
   214 this. Ross Anderson also talked about his research at the
   210 
   215 BlackHat Conference in 2014:
       
   216 
       
   217 \begin{center}
       
   218 \url{https://www.youtube.com/watch?v=ET0MFkRorbo}
       
   219 \end{center}
   211 
   220 
   212 \subsection*{Of Cookies and Salts}
   221 \subsection*{Of Cookies and Salts}
   213 
   222 
   214 Let us look at another example which will help with understanding how
   223 Let us look at another example which will help with understanding how
   215 passwords should be verified and stored.  Imagine you need to develop
   224 passwords should be verified and stored.  Imagine you need to develop
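Review bot: The new sentence at lines 214-215 and the bare \url at line 218 reference the talk only by a YouTube link, which is not a durable citation; suggest naming the talk title alongside the link (for example in a \footnote or a bibliography entry) so the reference stays traceable if the video is taken down. As a style point, the conference is normally written "Black Hat" rather than "BlackHat". The \begin{center} ... \end{center} block is balanced, and the pre-existing "Chip-and-PINs cards" at line 210 is untouched by this change but could be tidied to "Chip-and-PIN cards" in the same pass.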