http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/ Engadget Comments for Cambridge University finds credit card security flaw, uses the money for beer pong supplies (video) http://www.engadget.com/media/feedlogo.gif http://www.engadget.com en-us Copyright 2012 Weblogs, Inc. The contents of this feed are available for non-commercial use only. Blogsmith http://www.blogsmith.com/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
Kind of smitten.]]>Feb 15th 2010 1:23PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 2:23PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 2:28PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 2:42PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 2:52PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Smitten:

feeling or showing love and affection; "loving parents"; "loving glances"

marked by foolish or unreasoning fondness; "gaga over the rock group's new album"; "he was infatuated with her"



affected by something overwhelming; "conscience-smitten"; "awe-struck"

:)]]>Feb 15th 2010 3:26PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
"I am marked by unreasonable fondness because All things Considered..."

If you substitute the definition in place of the word "smitten" it makes perfect sense and says the same thing that I was saying. Perhaps I could have added, " I am marked by unreasonable fondness _for this news_" But it is sort of implied that you are talking about the .. news story .. when you reply to it.]]>Feb 15th 2010 4:23PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 5:15PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Smitten is usually used to express feelings of fondness for another person - i.e. the feeling you get when you think about someone who makes you happy.
"I am marked by unreasonable fondness because All things Considered"

You have excessive tenderness or affection for this news????

Sorry for correcting you - Im British and proper - what do you expect ;)

]]>Feb 15th 2010 5:37PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/+1 Sammy, he claims that the definition provided makes perfect sense and means what he meant.. he still doesn't get it...

Are you really "Very fond by this news"?! ]]>Feb 15th 2010 6:05PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 1:24PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
Had to search what it was in order to know what it is =/.. Having said that, drinking games differ in rules and title, and where i am we play a similar game but with a coin, bounce the coin into the cup (which isn't beer, its a mixed pint of what ever the players happen to be drinking)..]]>Feb 15th 2010 1:36PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Ah, at Uni we called that quarters.
http://en.wikipedia.org/wiki/Quarters]]>Feb 15th 2010 1:44PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
Still slightly different to the one we at my uni (UK).. Still an easy way to get your alcohol levels up before hitting the town :D]]>Feb 15th 2010 1:52PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 1:58PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/definitely no quads, hackey sack or beer pong. I don't think engadget would have confused cambridge university, ranked second in the entire world with anywhere else, but whatever. I don't get it engadget.]]>Feb 15th 2010 2:15PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 6:33PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 1:28PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 1:35PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
Quarters, Kings (and all sub games of Kings), Beer Pong, Flip Cup.

Full list is on Wikipedia:
http://en.wikipedia.org/wiki/Category:Drinking_games]]>Feb 15th 2010 1:52PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 1:39PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 1:47PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
you mean like someone who is listening to an iPod... or zune.. or has a psp.. or any other portable device that would force you to have some cables with you.]]>Feb 15th 2010 1:51PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 1:53PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/]]>Feb 15th 2010 2:36PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.dailymail.co.uk/news/article-520748/Criminals-easy-way-crack-chip-pin-security-bank-cards.html
http://www.telegraph.co.uk/news/2551522/Gangs-hiding-bank-card-readers-inside-shop-chip-and-pin-machines.html]]>Feb 15th 2010 1:51PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
I think both "methods" you have linked required an authenticate pin number.. With this new method it seems that you can input ANY pin and the transaction will continue.. Quite a big security flaw..]]>Feb 15th 2010 2:02PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
Ahh yes, you are correct. Would help if I were paying more attention. Still, Chip and PIN has been pushed as fraud-proff to the consumer, but reality is it just places liability on the account/card holder. I really don't look forward to when the US get this pushed out en mass.]]>Feb 15th 2010 3:00PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 1:51PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/definitely still no quads, hackey sack or beer pong here in 2010 either. I don't think engadget would have confused cambridge university, ranked second in the entire world with anywhere else, but whatever. I don't get it engadget.]]>Feb 15th 2010 2:15PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
More seriously : is'nt the same flaw that the one discovered by http://fr.wikipedia.org/wiki/Serge_Humpich ? Also called yescard (because the card answer yes to the terminal wathever pin code is entered).
http://fr.wikipedia.org/wiki/YesCard
]]>Feb 15th 2010 2:18PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
No, it's not the same as a yes card. The yes card attack only works for offline (ie, when the terminal trusts the card and doesn't communicate directly with the bank) authentication, not online (ie, when the terminal contacts the bank to validate the transaction) authentication. This attack works by letting the terminal believe that it's performing PIN authentictation, but telling the card that the terminal is requesting signature authentication. This results in the card generating a valid token, so it works even against online authentication.]]>Feb 15th 2010 2:37PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/wow ! So that's effectively a crazy amazing flaw ! Thanks for the details]]>Feb 15th 2010 4:24PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 2:20PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/explain this]]>Feb 15th 2010 2:36PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
A smart man-in-the-middle will send the PIN/password on to the real server and ck for an "ok" or "bad" signal coming back. This takes much more programming and knowledge of how the compromised system works.]]>Feb 15th 2010 2:47PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 2:49PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 2:52PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 2:54PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/3 in a row. k?]]>Feb 15th 2010 4:46PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
$_$
]]>Feb 15th 2010 2:36PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 2:40PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 2:42PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
You don't need a PIN to use the stolen card for online purchases.

The solution, your card is stolen, call in and have it cancelled.
]]>Feb 15th 2010 4:48PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/Feb 15th 2010 5:03PMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
Unfortunately, no, they couldn't. Chip cards in countries where EMV has been implemented must still retain magstrip and signature functionality because the international card schemes require them to do so for global interoperability reasons.

To those nay sayers about EMV and the percieved strengths of the US system. I would rather have a few outlying technical frauds like this take place than have tens of millions of dollars fraudulently withdrawn by criminals at ATMs, which is subsequently invested in organised crime, terrorism and people trafficking.

Anyone interested should look at the annual fraud publication from the UK Payments Association. It demonstrates that EMV has dramatically reduced fraud in the UK but, due to the retention of magstripe, has just shifted the spend of funds to other non-EMV countries. If the US and others deployed EMV, the magstripe could be removed from cards and counterfeit fraud will be greatly reduced.

The cambridge attack may be technically possible but the scale of loss will never reach the current levels where magstrips are skimmed at ATM, or compromised elsewhere, the data traded for a few cents, and then fraudsters thousands of miles away use the data to create a counterfeit and withdraw hard cash from an ATM.

But I may be wrong.

]]>Feb 16th 2010 2:42AMhttp://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/http://www.engadget.com/2010/02/15/cambridge-university-finds-credit-card-security-flaw-uses-the-m/
1. Need a stolen card
2. Need a middle device and cables to be used

So if card is discontinued, it will not be authorized by the payment system. Necessity to have additional gear is also limiting the actual field risk.

It my understanding fake ATMs collecting pins and card data are still much more effective and dangerous then this issue.

The music is dramatic, true. The issue is not too much. ]]>Feb 16th 2010 7:41AM