This doesn't work in the US because we don't have smart cards.
What? It's even easier in the US. Credit card data is just text. Hook up a magstripe reader to a PIC and go to town (literally, hah). People have been doing it for years, especially at gas stations and seedy bars where it's too dark to notice/patrons are too drunk to care.
I believe that the current attack in the US combines the aforementioned technology with a small camera mounted on the top of the ATM to capture a user's PIN number.
From my understanding of smart cards, I don't see how this is possible.
wmf | 15 years ago
Edit: My point stands that this particular attack does not exist in the US and people don't need to worry about it. Existing precautions against magstripe card skimming are adequate.
iheartmemcache | 15 years ago
http://www.identitytheft.com/article/identity_theft_gas_stat...
axod | 15 years ago
Derferman | 15 years ago
JoelB | 15 years ago
Communication between the card and the reader is typically done using encryption with a Diffie-Hellman key exchange with a man-in-the-middle resistant protocol. You would need to attack whatever encryption algorithm is being used, which is non-trivial even with physical access. You would need to either perform a differential power analysis attack or a timing attack, or attack a weakness in the algorithm.
Seeing as how one of the primary purposes of smart cards was to eliminate skimming and similar attacks, I can't fathom why any reader would ever be created that didn't support session encryption. Why use a chip if it's basically the same as a magnetic stripe? I'll plead ignorance on the workings of the European debit system as I'm Canadian and we're just getting smart cards now.
Does anyone have a better source than the linked article?
EDIT: Never mind, apparently the security was broken a while ago:
http://www.cl.cam.ac.uk/research/security/banking/nopin/oakl...
adorton | 15 years ago
wmf | 15 years ago