Anyway, in 2018 Mastercard and Visa mandated that all issuers in Europe (and a few other places) where the chip transition happened long ago must reject all Magstripe Technical Fallback transactions. Terminals in Europe will often no longer try it either.
This is basically the card payments equivalent of "Disabling support for SSL 3.0 support" :-)
(EMV chip & contactless payments prevent card cloning by protecting every transaction with a cryptogram, which by and large means a MAC over a bunch of the data.
Alas it's an 8-byte triple DES MAC, but well...)
this was all fine and dandy until you had to drop that 3des bomb :(
Look, 3DES still provides 112 bits of security!
Although 2-key (112-bit key) mode only provides 80-bit security and is the mode in common use
In all honesty if your card has an available balance high enough to make breaking 2-key triple DES worthwhile, perhaps consider opening a savings account?
i love this definition of an acceptable level of hash resistance
Since I dug this thread up for something else, it occurred to me:
This is a gross estimate of the needed security level. Most banks have per-hour/day/week/month transaction amount limits, so the value of a card break is capped by those & however long it takes someone to notice
(these are of course to provide liability backstops for anything that other defenses/fraud rules fail to notice)
Financial services are why Android's StrongBox standard for secure element keystores includes 3DES despite being released in 2018:
developer.android.com/training/artic
It's a bare minimum subset of the usual hardware keystore algorithms, and unfortunately 3DES is essential due to banks...
Find it amusing that banking services don't consider the traditional TrustZone-based keystores on mobile devices secure enough but are going to be using 3DES far into the future with the replacement. It's a bit sad that hardware implementations of a new API need to include it.



