Review of: All You Can Eat or Breaking a Real-World Contactless Payment System

Timo Kasper, Michael Silbermann, and Christof Paar

Financial Cryptography and Data Security, Lecture Notes in Computer Science, Volume 6052. IFCA/Springer-Verlag Berlin Heidelberg, 2010, p. 343

22nd August 2012 Jacob Dodunski

Quick Summary

The paper investigates:

– ID-cards with wireless capability that store personal information, credit and security keys

– How easy it is to access and manipulate that information

“Our subsequent analysis of the ID-Card payment system reveals obvious vulnerabilities that pose a great threat to its overall security”.

Appreciation

Rather than just trying to break or hack the system by themselves, the authors researched past attacks on the MIFARE Classic ID cards.

Their approach was well thought out and implemented thoroughly rather than a quick messy hack job.

The authors used the knowledge gained to benefit their system.

Appreciation Continued

Example:

Past attack: A nonce number is used in the authentication process which is generated by the card. The time between the power up of the card and the issuing of the authentication command from the reader showed a relationship with the nonce number generated.

What this means: The same nonce number could be generated with some probability by controlling the timing.

What was done: The authors implemented a precise timing feature in their card reader so that they could fully control the communication between the reader and the card.
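The timing dependence described in this example, as a toy model added here (not code from the paper or from the review): the 16-bit LFSR, its taps, seed and tick counts are assumptions chosen for illustration, and the CSPRNG variant is included for contrast as the timing-independent design.

```python
import secrets
from collections import Counter

TAPS = (0, 2, 3, 5)  # assumed taps of a toy maximal-length 16-bit LFSR
SEED = 0xACE1        # assumed fixed register state at power-up

def lfsr_step(state):
    """Advance the toy 16-bit Fibonacci LFSR by one clock tick."""
    bit = 0
    for t in TAPS:
        bit ^= (state >> t) & 1
    return (state >> 1) | (bit << 15)

def timed_nonce(ticks_since_power_up):
    """Weak design: the nonce is the free-running LFSR state, so it is a
    pure function of the time between power-up and the auth command."""
    state = SEED
    for _ in range(ticks_since_power_up):
        state = lfsr_step(state)
    return state

def csprng_nonce(_ticks_since_power_up):
    """Hardened design: the nonce comes from a CSPRNG and ignores timing."""
    return secrets.randbits(32)

def most_common_share(gen, delays):
    """Share of authentications that returned the most frequent nonce.
    A value near 1/len(delays) is healthy; a high value means repeats."""
    counts = Counter(gen(d) for d in delays)
    return counts.most_common(1)[0][1] / len(delays)

# Constructed sample timings (in clock ticks), not measurements.
EXACT = [500] * 100                                  # reader timing fixed
JITTER = [500 + (i % 5) - 2 for i in range(100)]     # +/- 2 ticks of jitter

if __name__ == "__main__":
    for name, gen in (("timed LFSR", timed_nonce), ("CSPRNG", csprng_nonce)):
        print(f"{name:10s} exact={most_common_share(gen, EXACT):.2f} "
              f"jitter={most_common_share(gen, JITTER):.2f}")
```

The same `most_common_share` check can serve as an acceptance test for a nonce source: repeated power cycles at a fixed delay should not concentrate on a single value.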

Critical

The writers of the paper offered NO advice to counter or fix the problem.

“Using basic cryptographic knowledge, countermeasures could be implemented to obtain a higher security level”

The authors published a paper (publicly) explaining how to cheat the system.

Question

If you discover a security exploit in an established public system, do you contact the company and keep it quiet or publish your findings to the public?