Worth Reading: Optimised to fail - Card Readers for online banking
by Dj Walker-Morgan
Prompted by the UK banks' distribution to their customers of hand-held 'card readers' (actually key generators) for one-time-key authentication of credit card online purchases, three security researchers have published a paper on vulnerabilities in CAP, the underlying protocol used by these devices. Saar Drimer, Steven J. Murdoch, and Ross Anderson recently published their findings in Optimised to Fail: Card Readers for Online Banking. The team reverse engineered the CAP (Chip Authentication Program) protocol and found it was susceptible to replay and man-in-the-middle attacks. The paper was presented at Financial Cryptography 09.
Steven J. Murdoch pointed out in his blog that while the principle of CAP (two-factor authentication) is sound, in the UK the implementation is flawed and "puts customers at risk of fraud, or worse". Apparently the problem is that many UK banks have over-optimised their implementation for ease of use, compromising security. He points out that when Chip & PIN was introduced in the UK, the burden of liability shifted from the banks to the customer, and that the introduction of the hand-held 'card readers' could see a similar shift for online banking.