Looking through the article, it looks like the terminal requests the transaction as chip and PIN, the MITM hardware changes the transaction flag to chip and signature, and the smart card responds with an OK. Unfortunately, it's the same OK as if the smart card had in fact received a transaction type of chip and PIN with the attached PIN being the correct one. The flaw is in having the smart card's response be the same for both kinds of transactions. If instead there was a signature method OK, and a different PIN # OK, then the terminal would catch the difference. This way, the terminal sends back to the bank: "I requested a chip and PIN transaction, and the smart card said that the PIN was good", when in fact all the smart card saw was the terminal say that the user requested a chip and signature transaction. The bank would have no way to realize that what the smart card saw wasn't what the terminal (and probably the bank) requested.
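A toy model of the exchange the comment above describes, added here as an illustration; it is not code from the article, the commenter, or any EMV implementation, and the message shapes, the `CVM` names, the constructed PIN and the constructed issuer key are all hypothetical. It goes one step past the comment: besides the undifferentiated "OK" and the method-tagged "OK" the commenter proposes, it shows a third card that binds the tag to a key shared with the bank, because a wedge that can rewrite the request can just as easily rewrite an unauthenticated tag in the reply.

```python
"""Constructed model of a chip-and-PIN to chip-and-signature downgrade.
Not real EMV message formats; all names and keys are made up for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class CVM(Enum):
    """Cardholder verification method the terminal asks the card to perform."""
    PIN = "chip-and-PIN"
    SIGNATURE = "chip-and-signature"


CORRECT_PIN = "1234"                         # constructed sample PIN
CARD_ISSUER_KEY = b"issuer-card-shared-key"  # constructed; assumed known to card and bank only


@dataclass
class Request:
    method: CVM
    pin: Optional[str]


@dataclass
class Response:
    status: str
    method: Optional[CVM] = None   # which CVM the card actually performed, if reported
    mac: Optional[bytes] = None    # issuer-keyed MAC over (status, method), if present


def card_flawed(req: Request) -> Response:
    """Card as the comment describes it: one undifferentiated OK for both methods."""
    if req.method is CVM.PIN and req.pin != CORRECT_PIN:
        return Response("FAIL")
    return Response("OK")


def card_tagged(req: Request) -> Response:
    """The commenter's fix: the OK says which method the card performed."""
    resp = card_flawed(req)
    resp.method = req.method
    return resp


def _mac(status: str, method: CVM) -> bytes:
    return hmac.new(CARD_ISSUER_KEY, f"{status}|{method.value}".encode(), hashlib.sha256).digest()


def card_bound(req: Request) -> Response:
    """Beyond the comment: the card authenticates the method it saw with the issuer key."""
    resp = card_tagged(req)
    resp.mac = _mac(resp.status, resp.method)
    return resp


def mitm_request(req: Request) -> Request:
    """The wedge: flip the CVM flag to signature, so no PIN ever reaches the card."""
    return Request(CVM.SIGNATURE, None)


def mitm_response(resp: Response) -> Response:
    """A wedge that also forges the method field on the way back (cannot recompute the MAC)."""
    return Response(resp.status, CVM.PIN, resp.mac)


def bank_authorises(requested: CVM, resp: Response) -> bool:
    """Bank-side check against what the terminal says it requested."""
    if resp.status != "OK":
        return False
    if resp.method is not None and resp.method != requested:
        return False  # card admits it performed a different CVM
    if resp.mac is not None and not hmac.compare_digest(resp.mac, _mac(resp.status, requested)):
        return False  # tag does not match the requested CVM: something was rewritten
    return True


def run_transaction(card: Callable[[Request], Response], pin_entered: str,
                    tamper_request: bool = False, tamper_response: bool = False) -> str:
    """Terminal always requests chip-and-PIN; the wedge optionally rewrites each direction."""
    requested = CVM.PIN
    req = Request(requested, pin_entered)
    if tamper_request:
        req = mitm_request(req)
    resp = card(req)
    if tamper_response:
        resp = mitm_response(resp)
    return "approved" if bank_authorises(requested, resp) else "declined"


if __name__ == "__main__":
    for name, card in [("flawed", card_flawed), ("tagged", card_tagged), ("bound", card_bound)]:
        print(name, "wrong PIN, wedge on request only:",
              run_transaction(card, "0000", tamper_request=True))
        print(name, "wrong PIN, wedge on both directions:",
              run_transaction(card, "0000", tamper_request=True, tamper_response=True))
```

With the flawed card a wrong PIN plus the wedge is approved, exactly as the comment says. The tagged card catches the simple downgrade, but falls to a wedge that rewrites the method field in the reply, since nothing ties that field to the card; only the keyed variant lets the bank notice that what the card saw was not what the terminal claims it requested.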
Can we require the ISPs protect everyone from making stupid purchases online? Or hey, how about requiring the ISPs to increase the average intelligence online? After all, all we have to do is demand it, right? They have to figure out how to comply. /sarcasm
Right. But with XP at least, you could buy a retail edition that you actually could move from one computer to another. I haven't looked into the licensing for Win 7, nor for that matter, where you'd buy Win XP anymore.
Myself as well. I can't justify my hard-earned money going to support the ever increasingly draconian DRM schemes of the newer games. And, I'd discovered (and rediscovered) some old friends. RIP Good Old Games. I hope they come back in some form that doesn't screw that up too much.
It's one of those new Star Trek swimming pools. If you ever need to fix it, switching the polarity is risky, but it just might work!
Is that anything like "don't cross the streams", except when they had to?