[Dave Birch] Just a note to assure everyone that the sky isn’t falling in, despite the rash of press reports about contactless payment card security over the last few days. A number of articles have pointed to Adam Laurie’s recent demonstration that American Express “ExpressPay” chips work exactly as per their specification and in line with the relevant international standards:

As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer’s wallet, Laurie both read and displayed its contents on the presentation screen; the person’s name, account number, and expiration clearly visible. As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer’s card. Laurie said that American Express told him: “We are comfortable with the security of our product.” Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing. However, Laurie noted that the captured account number could still be used for online transactions.

[From The hands-free way to steal a credit card | Defense in Depth – computer security, hacking, crime, viruses – CNET News.com]

Adam is a great guy and he does excellent work, but on this one he’s wrong. You cannot use the alias PAN (i.e., the PAN given up via the contactless interface, not the one printed on the card) in anything except a contactless transaction, and you cannot use it to make a bent contactless card because you need the Amex security keys in order to generate the right digital signature. If you attempt to use the alias PAN in an online transaction, the Amex host will decline it.
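To make the argument concrete, here is an added toy model of the issuer-side checks (it is not Amex’s or any EMV scheme’s actual code; HMAC-SHA256 stands in for the real card key derivation and application cryptogram, and the PAN and key values are constructed). It shows why an alias PAN read over the air is not enough on its own: the host refuses it off the contactless channel, refuses a cryptogram not produced with the issuer-derived card key, and refuses a replayed transaction counter.

```python
import hashlib
import hmac

# Constructed demo values: not real Amex keys, PAN formats or protocol fields.
ISSUER_MASTER_KEY = b"constructed-issuer-master-key"
ALIAS_PAN = "3700000000000018"  # the PAN a contactless reader is allowed to see

def derive_card_key(master_key: bytes, alias_pan: str) -> bytes:
    """Per-card key diversified from the issuer master key (HMAC stand-in for EMV derivation)."""
    return hmac.new(master_key, alias_pan.encode(), hashlib.sha256).digest()

def card_cryptogram(card_key: bytes, alias_pan: str, atc: int, amount: int) -> str:
    """What the chip computes per transaction (stand-in for the EMV application cryptogram)."""
    return hmac.new(card_key, f"{alias_pan}|{atc}|{amount}".encode(), hashlib.sha256).hexdigest()

class IssuerHost:
    """Toy issuer host: holds the master key and knows which PANs are contactless-only aliases."""

    def __init__(self, master_key: bytes, alias_pans: set):
        self.master_key = master_key
        self.alias_pans = alias_pans
        self.last_atc = {}  # highest transaction counter seen per alias PAN (replay defence)

    def authorise(self, channel: str, pan: str, atc: int = 0,
                  amount: int = 0, cryptogram: str = "") -> str:
        if pan not in self.alias_pans:
            return "DECLINE_UNKNOWN_PAN"
        if channel != "contactless":  # an alias PAN is meaningless off the contactless interface
            return "DECLINE_WRONG_CHANNEL"
        expected = card_cryptogram(derive_card_key(self.master_key, pan), pan, atc, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE_BAD_CRYPTOGRAM"  # not produced with the issuer-derived card key
        if atc <= self.last_atc.get(pan, 0):
            return "DECLINE_REPLAYED_ATC"  # a captured exchange cannot simply be played back
        self.last_atc[pan] = atc
        return "APPROVE"

def demo() -> dict:
    """Run the cases the post's argument turns on and return the host's decisions."""
    host = IssuerHost(ISSUER_MASTER_KEY, {ALIAS_PAN})
    good = card_cryptogram(derive_card_key(ISSUER_MASTER_KEY, ALIAS_PAN), ALIAS_PAN, 1, 1250)
    no_key = card_cryptogram(b"key-guessed-without-issuer-secret", ALIAS_PAN, 2, 1250)
    return {
        "alias_pan_online": host.authorise("ecommerce", ALIAS_PAN),
        "genuine_tap": host.authorise("contactless", ALIAS_PAN, 1, 1250, good),
        "replayed_tap": host.authorise("contactless", ALIAS_PAN, 1, 1250, good),
        "cloned_card_without_key": host.authorise("contactless", ALIAS_PAN, 2, 1250, no_key),
    }
```

Call `demo()` to see the four decisions; only the genuine tap with a fresh counter is approved.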

I hate to add my usual rant about the reporting of contactless security issues, but it does annoy me that some of the media reports have a tone to them that sort of asks how come Amex (and by extension, their consultants!) are so dumb that they design and build a new payment scheme that can be trivially defeated? The assumption that card issuers know nothing about security is, frankly, slightly offensive.

Anyway, must run. Just off to get a cup of tea, put my feet up, and watch BBC Newsnight:

Whatever you buy in the shops, you probably pay with a chip and pin card, tonight Newsnight has exclusive evidence that they are vulnerable to fraudsters. The implications could be huge for millions of shoppers. We’ll be asking what are the banks going to do about it?

[From BBC NEWS | Talk about Newsnight | Tuesday, 26 February, 2008]

Sounds good.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.


  1. > The assumption that card issuers know nothing about security is, frankly, slightly offensive.
    I think it is clear that they know something about security.
    What is offensive is that they put themselves out as _the experts_, they have total control over the arrangement, and then try and shift the risks onto the user.
    In this control-not-risk approach they are showing themselves to not be bankers, and leaving themselves wide open to attacks (by journalists and security researchers). Unfortunately, once they take the track of shifting the risk to the user for their systems, the bar of professionalism is lowered for all.
    It’s worth pointing out that, as a generalisation, European institutions are much better at security.

  2. Thanks for the link Stephen. At the risk of retreading old ground (!), I wonder about the use of the words “tamper resistant”. Is it really the case that terminals are supposed to be tamper-resistant or do they only have to be tamper-evident to obtain certification?
    Also can’t resist asking Ian, why do you think European institutions are better? Sounds like a good idea for a blog post — if you do it we’ll link to it!

  3. The terminology in this area is a bit of a mess. The actual requirement is that a terminal should deactivate itself if tampered (tamper-resistant or tamper-responsive), or such tampering should be obvious to a customer (tamper-evident).

  4. I believe the requirements came from ISO9564. Here it is required that a PED is tamper evident if the key management system allows backward protection (i.e. unique key per transaction techniques) but tamper responsiveness otherwise. In practice PEDs are built with some form of tamper responsiveness (varying degrees of sophistication). I don’t think an economic PED can be tamper resistant.
