Post on 05-Jan-2016
Review of:
All You Can Eat or Breaking a Real-World Contactless Payment System
Timo Kasper, Michael Silbermann, and Christof Paar
Financial Cryptography and Data Security, Lecture Notes in Computer Science, Volume 6052. IFCA/Springer-Verlag Berlin Heidelberg, 2010, p. 343
22nd August 2012 Jacob Dodunski
Quick Summary
The paper investigates:
– ID-cards with wireless capability that store personal information, credit and security keys
– How easy it is to access and manipulate that information
“Our subsequent analysis of the ID-Card payment system reveals obvious vulnerabilities that pose a great threat to its overall security”.
Appreciation
Rather than just trying to break or hack the system by themselves, the authors researched past attacks on the MIFARE Classic ID cards.
Their approach was well thought out and implemented thoroughly, rather than being a quick, messy hack job.
The authors used the knowledge gained to benefit their system.
Appreciation Continued
Example:
Past attack: A nonce generated by the card is used in the authentication process. The time between the power-up of the card and the issuing of the authentication command from the reader showed a relationship with the nonce generated.
What this means: The same nonce could be generated with some probability by controlling the timing.
What was done: The authors implemented a precise timing feature in their card reader so that they could fully control the communication between the reader and the card.
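The timing dependence described in this example, as an added simulation that is not from the paper or the original slides: a toy card whose generator restarts from a fixed state at every power-up, compared with a card that draws its nonce from the OS CSPRNG. The 16-bit LFSR, the `POWER_UP_STATE` value and all function names are assumptions made for illustration, not the real card's internals.

```python
import random
import secrets

POWER_UP_STATE = 0xACE1  # constructed reset value, not taken from any real card

def lfsr16_step(state):
    # Textbook 16-bit Fibonacci LFSR (taps 16, 14, 13, 11), period 65535.
    bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (bit << 15)

def timed_nonce(ticks_since_power_up):
    # Weak model: the generator restarts from the same state at every
    # power-up, so the nonce is a pure function of the elapsed clock ticks.
    state = POWER_UP_STATE
    for _ in range(ticks_since_power_up):
        state = lfsr16_step(state)
    return state

def csprng_nonce(ticks_since_power_up):
    # Hardened model: the nonce comes from the OS CSPRNG and ignores timing.
    return secrets.randbits(32)

def repeat_rate(nonce_fn, delay, jitter, trials, rng):
    # Power-cycle the card `trials` times; the reader sends its command
    # `delay` +/- `jitter` ticks after power-up. Returns the share of
    # sessions that produced the single most frequent nonce.
    counts = {}
    for _ in range(trials):
        nonce = nonce_fn(delay + rng.randint(-jitter, jitter))
        counts[nonce] = counts.get(nonce, 0) + 1
    return max(counts.values()) / trials

if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed so the simulated jitter is repeatable
    for label, fn, jitter in [
        ("timed nonce, sloppy reader ", timed_nonce, 50),
        ("timed nonce, precise reader", timed_nonce, 0),
        ("CSPRNG nonce, precise reader", csprng_nonce, 0),
    ]:
        print(f"{label}: {repeat_rate(fn, 1000, jitter, 200, rng):.3f}")
```

In the weak model the repeat rate reaches 1.0 once the reader's jitter is removed, while the CSPRNG model stays near 1/trials regardless of timing.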
Critical
The writers of the paper offered NO advice to counter or fix the problem.
“Using basic cryptographic knowledge, countermeasures could be implemented to obtain a higher security level”
The authors published a paper (publicly) explaining how to cheat the system.
Question
If you discover a security exploit in an established public system, do you contact the company and keep it quiet or publish your findings to the public?