210 research outputs found
Attacks on the HF Physical Layer of Contactless and RFID Systems
International audienceno abstrac
A Practical Attack on the MIFARE Classic
The MIFARE Classic is the most widely used contactless smart card in the
market. Its design and implementation details are kept secret by its
manufacturer. This paper studies the architecture of the card and the
communication protocol between card and reader. Then it gives a practical,
low-cost, attack that recovers secret information from the memory of the card.
Due to a weakness in the pseudo-random generator, we are able to recover the
keystream generated by the CRYPTO1 stream cipher. We exploit the malleability
of the stream cipher to read all memory blocks of the first sector of the card.
Moreover, we are able to read any sector of the memory of the card, provided
that we know one memory block within this sector. Finally, and perhaps more
damaging, the same holds for modifying memory blocks
Does the online card payment system unwittingly facilitate fraud?
PhD ThesisThe research work in this PhD thesis presents an extensive investigation into the security settings of
Card Not Present (CNP) financial transactions. These are the transactions which include payments
performed with a card over the Internet on the websites, and over the phone. Our detailed analysis on
hundreds of websites and on multiple CNP payment protocols justifies that the current security
architecture of CNP payment system is not adequate enough to protect itself from fraud.
Unintentionally, the payment system itself will allow an adversary to learn and exploit almost all of
the security features put in place to protect the CNP payment system from fraud. With insecure modes
of accepting payments, the online payment system paves the way for cybercriminals to abuse even the
latest designed payment protocols like 3D Secure 2.0.
We follow a structured analysis methodology which identifies vulnerabilities in the CNP payment
protocols and demonstrates the impact of these vulnerabilities on the overall payment system. The
analysis methodology comprises of UML diagrams and reference tables which describe the CNP
payment protocol sequences, software tools which implements the protocol and practical
demonstrations of the research results. Detailed referencing of the online payment specifications
provides a documented link between the exploitable vulnerabilities observed in real implementations
and the source of the vulnerability in the payment specifications.
We use practical demonstrations to show that these vulnerabilities can be exploited in the real-world
with ease. This presents a stronger impact message when presenting our research results to a nontechnical audience. This has helped to raise awareness of security issues relating to payment cards,
with our work appearing in the media, radio and T
Security and Privacy in RFID Applications
Concerns about privacy and security may limit the deployment of RFID technology and its benefits, therefore it is important they are identified and adequately addressed. System developers and other market actors are aware of the threats and are developing a number of counter measures. RFID systems can never be absolutely secure but effort needs to be made to ensure a proper balance between the risks and the costs of counter measures. The approach taken to privacy and security should depend on the application area and the context of a specific application. In this chapter, we selected and discussed four application areas, but there are many others where privacy and security issues are relevant.JRC.J.4-Information Societ
- …