
All You Can Eat or Breaking a Real-World Contactless Payment System

All You Can Eat or Breaking a Real-World Contactless Payment System. Kasper T., Silbermann M., Paar C. (2010) Financial Cryptography and Data Security, Volume 6052, pp 343-350. Summary. In brief: A new method for breaking the MIFARE system is developed.

lisaz




Presentation Transcript


  1. All You Can Eat or Breaking a Real-World Contactless Payment System
     Kasper T., Silbermann M., Paar C. (2010) Financial Cryptography and Data Security, Volume 6052, pp 343-350

  2. Summary
     In brief: A new method for breaking the MIFARE system is developed.
     • Surveys known attacks against contactless payment systems.
     • Develops an attack which gains read and write access to any MIFARE card.
     • Lists a variety of ways to exploit the MIFARE card vulnerability.

  3. Appreciative comments
     • Provides a valuable warning to those who are involved with this system.
     • For potential customers of MIFARE and their consultants:
       • If we become a customer, will it meet our security needs?
       • Do we need to upgrade the existing system?
     • For designers of contactless payment systems:
       • How can we overcome the flaws present in MIFARE?
       • If our system were to be compromised, will the MIFARE attacks be relevant?
     • For the public at large:
       • A greater awareness of the potential breakability of widespread systems.

  4. Critical comments
     Lack of important explanatory details harms impact:
     • Researchers tested exploits with only small transactions, and do not state whether larger transactions are possible.
     • Researchers claim all cards use the same secret key. Their evidence is that the twelve cards they tested had the same key.
     • Researchers claim cloned cards will not be detected as fraudulent. However, they only appear to have tested this on a small time scale, and don't discuss how the system detects fraud.
     • Unlikely exploits are given the same amount of attention as the highly damaging exploits.

  5. Question
     List the stakeholders concerned with a publication breaking an existing security system. What consequences do they face in the presence or absence of such publications?
     Other questions that occurred to me while reading:
     • For the above question, how do the consequences vary in the short term and the long term, and based on the quality or frequency of research?
     • Security through obscurity - a valuable element in a solution or a crutch?
     • What proportion of adversaries are in a position suitable for taking advantage of contactless payment cracks? What proportion will do so? How useful is this information in decision making?
