On 25/09/2012 07:58, Andreas Jellinghaus wrote:

>> EMV for sure: there's an unauthenticated bit that tells the card to
>> authenticate the transaction without asking for the PIN...
> That's ok, it is a valid feature. If people buy something for less than a
> dollar, and the transaction is authenticated with the
> signature of an RSA key in the smart card, and we haven't reached the
> consecutive lower boundary amount yet, then simply
> approving the transaction is perfectly fine - getting a PIN or doing an
> online transaction isn't worth doing for such a small
> amount of money.
IIUC that bit is not authenticated, so a MITM attack can force both the
reader and the card think the other party doesn't support PIN auth,
making the card sign the transaction anyway, regardless of the amount
involved. So IMVHO it's quite serious...

> Most vending machines still use modems and dial up for every transaction
> and hang up again later.
The stupid thing is that it seems they do the same for cellular-based
readers too... What a waste!

> That's why card transactions are so slow. Once the standard is to have a
> permanent internet connection,
that won't change anything: many banks still use *mainframes*! Some
still back up to (and transfer data with) tape *wheels*! (when we
dismissed our IBM 9000, I think one of the tape units got sold to the
bank...). As long as "it works", they don't change it.

BYtE,
 Diego.
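The point Diego makes above (a capability bit that is not covered by the card's signature can be rewritten in transit, so the issuer cannot tell whether the PIN was really used) is easy to see in a small simulation. The code below is an added example written for this page, not OpenSC code and not the real EMV data format: the card's RSA signature is replaced by an HMAC with a constructed key, the "PIN verified" flag and the amount threshold are constructed policy, and `bind_flag` switches between a flag that travels beside the cryptogram and a flag that is included in the signed data. The issuer-side check only rejects the rewritten flag in the bound variant.

```python
"""Toy model: a card/terminal capability flag that is either left outside the
signed data (the weakness discussed in the thread) or bound into it.

Constructed example for illustration. Real EMV uses RSA signatures and a very
different message layout; HMAC is used here only to keep the demo
dependency-free.
"""
import hashlib
import hmac
from typing import NamedTuple, Optional

# Constructed demo key. In this toy it stands in for both the card's signing
# key and the issuer's verification key.
CARD_KEY = b"constructed-demo-card-key"

# Constructed issuer policy: above this amount a PIN-verified transaction is
# required; below it, a signature-only (no PIN) transaction is acceptable.
PIN_REQUIRED_ABOVE_CENTS = 2500


class Cryptogram(NamedTuple):
    amount_cents: int
    pin_verified: bool   # the flag as it arrives at the issuer
    mac: bytes           # stand-in for the card's RSA signature


def _mac(amount_cents: int, pin_verified: Optional[bool]) -> bytes:
    """Signed payload. With pin_verified=None the flag is NOT covered."""
    payload = f"amount={amount_cents}".encode()
    if pin_verified is not None:
        payload += f";pin={int(pin_verified)}".encode()
    return hmac.new(CARD_KEY, payload, hashlib.sha256).digest()


def card_sign(amount_cents: int, pin_verified: bool, bind_flag: bool) -> Cryptogram:
    """Card produces the cryptogram for what it actually did (PIN or not).
    bind_flag=False: the flag travels beside the cryptogram, unsigned.
    bind_flag=True:  the flag is part of the signed data."""
    covered = pin_verified if bind_flag else None
    return Cryptogram(amount_cents, pin_verified, _mac(amount_cents, covered))


def rewrite_flag_in_transit(c: Cryptogram, claimed_pin: bool) -> Cryptogram:
    """Models a party between card and issuer changing only the flag."""
    return Cryptogram(c.amount_cents, claimed_pin, c.mac)


def issuer_accepts(c: Cryptogram, bind_flag: bool) -> bool:
    """Issuer-side check: verify the cryptogram, then apply the PIN policy.
    Returns False if the cryptogram does not verify or policy is violated."""
    covered = c.pin_verified if bind_flag else None
    if not hmac.compare_digest(_mac(c.amount_cents, covered), c.mac):
        return False
    if c.amount_cents > PIN_REQUIRED_ABOVE_CENTS and not c.pin_verified:
        return False
    return True


def demo(amount_cents: int = 10000) -> dict:
    """Same no-PIN transaction, flag rewritten to 'PIN verified' in transit,
    checked under both designs. Returns the issuer's decisions."""
    results = {}
    for bind_flag in (False, True):
        honest = card_sign(amount_cents, pin_verified=False, bind_flag=bind_flag)
        rewritten = rewrite_flag_in_transit(honest, claimed_pin=True)
        results[bind_flag] = {
            "honest_no_pin": issuer_accepts(honest, bind_flag),
            "flag_rewritten": issuer_accepts(rewritten, bind_flag),
        }
    return results


if __name__ == "__main__":
    for bind_flag, outcome in demo().items():
        print(f"flag bound into signed data={bind_flag}: {outcome}")
```

The unbound variant accepts the rewritten transaction because the issuer's only evidence that a PIN was used is a byte nobody signed; binding the flag (or any negotiation outcome the policy depends on) into the signed data turns the rewrite into a verification failure, which is both the mitigation and the detection signal.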
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
