Bank card attack: Only Martians are safe

With the right equipment, the victims' details could be gathered and sent over wireless networks to a co-conspirator nearby, who makes a transaction using those details while the victim is making a transaction of their own. "In [our example], the two shops were one door away from each other. That worked pretty well but you could do with GPRS or GSM and send to the other side of the world," Murdoch explained.

Can the attack be prevented?
Murdoch offers four suggestions to remedy this vulnerability: make the terminal tamper-resistant, physically examine the card to check for wires which can indicate this type of fraud is being carried out, ensure that the numbers embossed on the card match the receipt, or finally, impose timing constraints on the authentication as, for the attack to work, the fraudulent transaction must occur during the time in which the legitimate transaction is happening.

"That is, making sure that the real card responds [to the terminal] within a certain time period. This is good start because no information can travel faster than the speed of light. And if you can measure the distance between the real card and real terminal, if this is more than a few centimetres, then something is wrong," he said.

According to his and Drimer's research, the authentication process under the chip and PIN authentication protocol can take up to three seconds to complete.

"This is huge. [At the speed of light] you can go round earth three times and to the moon but you can't quite get to Mars, so Martian smartcards are safe," he said.

"It's not even possible with existing smartcard protocol to reduce the timing requirement to a sufficiently low level that this attack doesn't work," he said.

The problem can however be fixed by what the scientists call a "distance bounding protocol" which uses a smaller and faster "one bit challenge and a one bit response".

The proposed protocol works by the bank sending a single bit challenge to a legitimate card to unlock the encryption key which both parties have.

"The response that comes back can only be given by real card," explained Murdoch. "So even in a relay attack the right data will come back but it will be too slow."

• Related stories

• Alerts

Add your opinion

1. Martian banks Anonymous -- 11/01/08

   I didn't know there were banks on Mars, I bet they have better interest rates than us though.

   • Reply to comment
   • Reply to story
   • Report offensive content

   1. Martian banks & real estate Anonymous -- 13/01/08

      I don't think real estate is worth as much up there, so the interest rates don't matter as much :D

      • Reply to comment
      • Report offensive content

   2. TOTALLY Anonymous -- 15/01/08

      I totally agree with u man!! And no Im not a hippie! HMPH!!! LOL
      JK I am a hippie.... NO REALLY JK!!! IM NOT A HIPPIE PERIOD.... OR AM I? NO JK!!!!!!!!!!!!!!!

      • Reply to comment
      • Report offensive content

   3. HEY Bob Mc Bobinson -- 15/01/08

      ISNT TODAY THE 14th??? Cause... NEVER MIND!!!
      FART ON U!!!!!!!!!!!!!!!!!!!!!

      • Reply to comment
      • Report offensive content

   4. COOL Anonymous -- 15/01/08

      Awesome comment man! U rock!!! If u r a girl, too bad 4 u!!! :D

      • Reply to comment
      • Report offensive content

   5. Yo Jo Joey -- 15/01/08

      Hey Bob! Yo! This is Jo! I miss ya totally man

      • Reply to comment
      • Report offensive content

2. HEY JOE Bobby Mc Bobinson -- 15/01/08

   Hey Joe, are u ther man? :)

   • Reply to comment
   • Reply to story
   • Report offensive content

• Just In

• Most Popular

• Most Discussed

Reader Services

Popular Topics

Essentials