Via Light Blue Touchpaper -
We propose a defense against the relay attack in the form of “distance bounding”. This will allow the payment terminal to measure the distance between itself and the card and decide, based on its risk settings, whether to accept the transaction. We have built such a system using an FPGA and demonstrated that it can reliably operate in the face of a capable attacker and discern the addition of short transmission distances. With EMV being the target application, we have made the design such that the additional cost is mostly absorbed by the terminal rather than the smartcard and that the customer-merchant “experience” is unchanged. If the banking industry adopts this extension to EMV, the risk from relay attacks would be negligible. We describe the engineering details in a paper (“Keep your enemies close: Distance bounding against smartcard relay attacks”) that will be presented in August at the 16th USENIX Security Symposium. Along with a description of the relay attack, we also discuss the security-economics aspects of customers bringing their own trusted device into the transaction, as well as the ineffectiveness of procedural and other technical solutions that were previously proposed.
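The terminal-side accept/reject decision described in the quoted post, as an added illustration that is not code from the paper or from Light Blue Touchpaper: a simplified rapid bit-exchange in the style of Hancke-Kuhn distance bounding, with round-trip time modelled from path length rather than measured in hardware. The protocol choice, the function names, the 5 ns card delay and the 0.5 m limit used below are all assumptions.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0  # speed of light in m/s: no signal path can be faster

def registers(key, n_term, n_card, bits):
    """Derive the two response registers from the shared key and both nonces."""
    stream, counter = b"", 0
    while len(stream) * 8 < 2 * bits:
        msg = n_term + n_card + bytes([counter])
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    flat = [(byte >> i) & 1 for byte in stream for i in range(8)]
    return flat[:bits], flat[bits:2 * bits]

def round_trip_s(path_m, card_delay_s):
    """Modelled round trip: two propagation legs plus a fixed card delay."""
    return 2 * path_m / C + card_delay_s

def terminal_accepts(key, path_m, max_distance_m, bits=64,
                     card_delay_s=5e-9, card_key=None):
    """Run one exchange. path_m is the one-way signal path, which grows when
    a relay sits between terminal and card. max_distance_m is the terminal's
    risk setting. card_key lets the caller model a card without the real key."""
    n_term, n_card = secrets.token_bytes(8), secrets.token_bytes(8)
    t0, t1 = registers(key, n_term, n_card, bits)              # terminal view
    c0, c1 = registers(card_key or key, n_term, n_card, bits)  # card view
    limit_s = round_trip_s(max_distance_m, card_delay_s)
    for i in range(bits):
        challenge = secrets.randbits(1)            # unpredictable per round
        response = (c1 if challenge else c0)[i]    # card answers immediately
        rtt = round_trip_s(path_m, card_delay_s)   # terminal's timing (modelled)
        expected = (t1 if challenge else t0)[i]
        if response != expected or rtt > limit_s:
            return False                           # wrong bit or too far away
    return True

if __name__ == "__main__":
    key = secrets.token_bytes(16)  # constructed sample key
    print("card in slot (5 cm):", terminal_accepts(key, 0.05, 0.5))
    print("relayed path (20 m):", terminal_accepts(key, 20.0, 0.5))
```

Each extra metre of path adds roughly 6.7 ns to the round trip, which is why the timing has to be done in terminal hardware rather than software.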