--- a/handouts/ho01.tex Thu Sep 25 00:28:53 2014 +0100
+++ b/handouts/ho01.tex Thu Sep 25 05:48:08 2014 +0100
@@ -89,81 +89,86 @@
The questions is whether the Chip-and-PIN system with credit
cards is more secure than the older method of signing receipts
-at the till. On first glance, Chip-and PIN seems obviously
-more secure and this was also the central plank in the
+at the till. On first glance Chip-and-PIN seems obviously more
+secure and improved security was also the central plank in the
``marketing speak'' of the banks behind Chip-and-PIN. The
earlier system was based on a magnetic stripe or a mechanical
imprint on the card and required customers to sign receipts at
the till whenever they bought something. This signature
-authorises the transactions. Although in use for a long time,
+authorised the transactions. Although in use for a long time,
this system had some crucial security flaws, including making
-clones of credit cards and forging signatures. Chip-and-PIN,
-as the name suggests, relies on data being stored on
-a chip on the card and a PIN number for authorisation.
-
+clones of credit cards and forging signatures.
-Although the banks involved trumpeted their system as being
-secure and indeed fraud rates initially went down, security
-researchers were not convinced (especially the group around
-Ross Anderson). To begin with, the Chip-and-PIN system
-introduced a ``new player'' that needed to be trusted: the PIN
-terminals and their manufacturers. Of course it was claimed
-that these terminals are tamper-resistant, but needless to say
-this was a weak link in the system, which criminals
-successfully attacked. Some terminals were even so skilfully
-manipulated that they transmitted PIN numbers via a built-in
-mobile phone connection. To mitigate this security flaw, you
-need to vet quite closely the supply chain of such
-terminals---something that also needs to be done in other
-industries.
+Chip-and-PIN, as the name suggests, relies on data being
+stored on a chip on the card and a PIN number for
+authorisation. Even though the banks involved trumpeted their
+system as being absolutely secure and indeed fraud rates
+initially went down, security researchers were not convinced
+(especially the group around Ross Anderson). To begin with,
+the Chip-and-PIN system introduced a ``new player'' that
+needed to be trusted: the PIN terminals and their
+manufacturers. It was claimed that these terminals are
+tamper-resistant, but needless to say this was a weak link in
+the system, which criminals successfully attacked. Some
+terminals were even so skilfully manipulated that they
+transmitted skimmed PIN numbers via built-in mobile phone
+connections. To mitigate this flaw in the security of
+Chip-and-PIN, you need to vet quite closely the supply chain
+of such terminals.
-Later on, Ross Anderson and his group managed to launch
+Later on Ross Anderson and his group managed to launch a
man-in-the-middle attacks against Chip-and-PIN. Essentially
they made the terminal think the correct PIN was entered and
-the card think that a signature was used. This flaw was
-mitigated by requiring that a link between the card and the
-bank is established at every time the card is used. Even
-later this group found another problem with Chip-and-PIN and
-ATMs which do not generate random enough numbers (nonces)
-on which the security of the underlying protocols relies.
+the card think that a signature was used. This was a more
+serious security problem. The flaw was mitigated by requiring
+that a link between the card and the bank is established at
+every time the card is used. Even later this group found
+another problem with Chip-and-PIN and ATMs which do not
+generate random enough numbers (nonces) on which the security
+of the underlying protocols relies.
The problem with all this is that the banks who introduced
-Chip-and-PIN managed to shift the liability for any fraud and
-the burden of proof onto the customer with the new system. In
-the old system, the banks had to prove that the customer used
-the card, which they often did not bother about. In effect if
-fraud occurred the customers were either refunded fully or
-lost only a small amount of money. This
+Chip-and-PIN managed with the new system to shift the
+liability for any fraud and the burden of proof onto the
+customer. In the old system, the banks had to prove that the
+customer used the card, which they often did not bother with.
+In effect, if fraud occurred the customers were either refunded
+fully or lost only a small amount of money. This
taking-responsibility-of-potential-fraud was part of the
``business plan'' of the banks and did not reduce their
-profits too much. Since they successfully claimed that their
-Chip-and-PIN system is secure, banks were able to point the
-finger at the customer when fraud occurred: it must have been
-the fault of the customer, who must have been negligent
-loosing the PIN. The customer had almost no means to defend
-themselves in such situations. That is why the work of
-\emph{ethical} hackers like Ross Anderson's group was so
-important, because they and others established that the bank's
-claim, their system is secure and it must have been the
-customer's fault, was bogus. In 2009 for example the law
-changed the burden of proof back to the banks whether
-it was really the customer who used a card or not.
+profits too much.
+
+Since banks managed to successfully claim that their
+Chip-and-PIN system is secure, they were under the new system
+able to point the finger at the customer when fraud occurred:
+they must have been negligent loosing their PIN. The customer
+had almost no means to defend themselves in such situations.
+That is why the work of \emph{ethical} hackers like Ross
+Anderson's group was so important, because they and others
+established that the bank's claim that their system is secure
+and it must have been the customer's fault, was bogus. In 2009
+for example the law changed and the burden of proof went back
+to the banks. They need to prove whether it was really the
+customer who used a card or not.
-It is a classic example where a security design principle was
-violated: The one who is in the position to improve security,
-also needs to bear the financial losses if things go wrong.
-Otherwise, you end up with an insecure system. In case of the
-Chip-and-PIN system, no good security engineer would actually
-think that it is secure: the specification of the EMV protocol
-(underlying Chip-and-PIN) is some 700 pages long, but still
-leaves out many things (like how to implement a good random
-number generator). Moreover, banks can add their own
-sub-protocols to it. With all the experience we already have,
-it is as clear as day that criminals were able to poke holes
-into it. With how the system was set up, the banks had no
-incentive to come up with a system that is really secure.
-Getting the incentives right in favour of security is often a
-tricky business.
+This is a classic example where a security design principle
+was violated: Namely, the one who is in the position to
+improve security, also needs to bear the financial losses if
+things go wrong. Otherwise, you end up with an insecure
+system. In case of the Chip-and-PIN system, no good security
+engineer would claim that it is secure beyond reproach: the
+specification of the EMV protocol (underlying Chip-and-PIN) is
+some 700 pages long, but still leaves out many things (like
+how to implement a good random number generator). No human
+being is able to scrutinise such a specification and ensure it
+contains no flaws. Moreover, banks can add their own
+sub-protocols to EMV. With all the experience we already have,
+it is as clear as day that criminals were eventually able to
+poke holes into it and measures need to be taken to address
+them. However, with how the system was set up, the banks had
+no real incentive to come up with a system that is really
+secure. Getting the incentives right in favour of security is
+often a tricky business.
\subsection*{Of Cookies and Salts}