Who would spend $40 to crack open your credit card (is it even 1024?) when you get 100 validated cards for $99 on the black market?
-
Main concern was fraud liability, also checking took like 2 minutes and I was curious ;)
-
3-DES keys used to generate ARQC are still safe, RSA is used for the offline authentication between the terminal and the card
-
Yes, I was curious about offline auth as we have played with it already: https://github.com/abarisani/abarisani.github.io/tree/master/research/emv …
-
Oh, CVM downgrade, was fun being on the vendor side. The issuers who misconfigured their DDOLs for sure knew they had it coming, no surprise
-
Actually, in the end it is a problem regardless of issuer configuration, given that the EMV POSes honor spoofed DDOLs, allowing the transaction.
-
So it is fundamentally an EMV protocol flaw which can only be prevented by breaking the standard to a certain extent.
-
Because their keys are generated inside a payment HSM made by Thales/SafeNet/Atalla/..., check the PCI HSM list: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices …
-
Are all of those guaranteed not to use Infineon parts in any form for key generation?
-
Let’s wait for vendors’ statements, but I fail to come up with even a remotely sane reason for that. Totally different supply chains
-
I've been waiting for phishing that asks for CC#, PIN, etc. to verify.
-
hm I wonder if I should check it. But don't have any reader at hand right now