April 2011

Sony Breaks Chip & PIN

Sony Breaks Chip & PIN

Sony has shut down its PlayStation network after admitting an intrusion that risks the data of 77 million users including names, addresses, birthdates, passwords and credit card numbers, in fact just about everything a hacker might need to financially rob you. What is the point of Chip & PIN if you can get and misuse this sort of information on-line?

NFC World Congress 2011

Surely, we are reaching some threshold on internet payments where consumers are going to revolt. It is totally unacceptable that the personal data and credit card details of 77 million people can be exposed.

Historically, this is not the biggest exposure that goes to Heartland Payment Systems who gave up over 130 million debit and credit card numbers in 2008/2009.

In theory, you might argue that it shouldn't matter if somebody knows your credit card number, what really matters are that they shouldn't be able to use it. In other words, you shouldn't be able to make a payment by just providing somebody's credit card number. And that's the simplicity of the argument the consumer must be involved in every transaction but with varying degrees of assurance and in the extreme case by the use of a Chip and PIN.

As a consumer I don't believe it is acceptable that I have to trust every merchant to handle my credit card information securely, and clearly they don't as the case in point with Sony. I would go even further and suggest that it is not economically viable to build a fool proof secure system to manage sensitive data through an intermediary, the only way is end point security and then of course you do have to trust that. However depending on the organisation involved, typically the bank that manages your account then the odds are more in your favour.

So if we have to have intermediaries such as merchants then it's back to some form of authentication just like Chip and PIN and it shouldn't be possible to go around it which is why the title of this article suggests that Chip & PIN has been broken by Sony's lax security attitude.

The question then becomes how do we pay on the internet? Clearly, user name (or email address) and password don't hold up as a forward thinking strategy (PayPal are you listening). So dynamic passwords or One Time Passwords (OTPs) are a step forward but they can be painful to manage. Devices such as the RSA SecureID token seem great but then in March this year RSA was obliged to report that their system had been breached and that sensitive data may have been discovered.

The banks have been promoting the Chip Authentication program (CAP) that uses authentication/signature widgets (i.e. calculator size devices) that can authenticate a transaction using your EMV payment card. The Security team at Cambridge University have pointed out some vulnerabilities that are possible with the implementation of such an approach but their main point is that consumers find this widget inconvenient to use (for which I agree) and that they would prefer some reader attached to the PC. And then the researchers point out you have reached hackers paradise, the land where everything can be modified without you knowing until it is too late.

Others dismiss this PC approach as suicide and explain that what you really need to use is your phone, some suitable software application, now I don't know what newspaper they are reading but they seem totally unaware that the modern smart phone is no more secure than a PC. In fact, I would go further, I think that the current state of Mobile Phone operating systems is probably less secure than the PC.

The reality is that at the end of the day you need some trusted hardware object that contains a secret that can be proven without revealing the secret, a bit of clever cryptography can do this. What you can then do is to be assured at least that this object was involved in the transaction. So in short, you need a secure element in the phone, NFC I hear you say, well unfortunately most phones seem to be relying on the SIM for the secure chip. However help is at hand, secure MicroSD cards are now becoming available (info@microexpert.com) which can indeed provide a shared security object but I suspect we are going to hear more horror stories before it starts to catch on.

Dr. David Everett, Smartcard & Identity News


19/05/2019 Headlines

Belfast Council Launches its Own Digital Currency

The authority has worked alongside Israeli tech firm Colu to create Belfast Coin, a virtual currency that will launch across the Northern Irish capital later th.....Read More

Android Pioneer HTC Stages Retreat from China

HTC is pulling its smartphones from two of China's largest online marketplaces, raising concerns about the brand's future.

The firm was the first to sell.....Read More

eBay Could Start Accepting "Virtual Currencies," Leaked Pics Suggest

If true, the eBay integration could open the floodgates for mainstream adoption of digital currencies. eBay currently has more than 180 million registered users.....Read More

Bank of England Calls for 'Super Shield' Against Cyber Attacks

Britain may need to copy the United States in building a "super shield" against catastrophic cyber attacks or major IT glitches that could cripple the finance i.....Read More

Lawsuit Accusing Apple of Unfairly Dominating Mobile App Sales Will Proceed

The U.S. Supreme Court, in a narrow 5-4 decision written by Justice Brett Kavanaugh, ruled that a consumer lawsuit challenging Apple Inc.'s dominance of mobile .....Read More

Cryptocurrency Exchange Cryptopia Halts Trading and Announces it is in the Process of Liquidation

Cryptopia, a cryptocurrency exchange headquartered in New Zealand, has halted trading and announced that it is now in liquidation.

In January, the exchan.....Read More

Video Interviews

Tim Jones talks on the wealth of networks

Christophe Dolique of Gemplus talks about ·SIM

Dominique Brule of Philips Semiconductors talks about Near Field Communication