SoylentNews

Arthur T Knackerbracket has found the following story:

Elements of the payment card industry have introduced a new contactless payment card security feature, designed to defend against relay attacks.

Relay attacks were first demonstrated nine years ago by a team of computer scientists Saar Drimer and Steven Murdoch.

The pair also suggested how the security flaw can be mitigated using a technique called distance bounding). Mastercard has taken up this defence, meaning its cards (at least) are protected.

“Finally the banks are now implementing this defence, though only for contactless cards (as they are more vulnerable than the contact Chip and PIN cards that were available in 2007), and so far only for MasterCard cards,” Murdoch told El Reg.

Murdoch says that although the relay attack is real it’s unclear whether or not fraud based on the security weakness has actually taken place.

“I’m not aware of any confirmed cases, other than academic experiments. However, unless this were a widespread fraud, I don’t think I would have heard about it even if it had happened,” Murdoch explained.

“There have been bank customers who have come to me or colleagues to say that they have been refused a refund for a Chip and PIN transaction that they said did not take place. In some of these cases it might have been a relay attack, but in almost every case it is never established what happened.”

“The banks have taken the position that a relay attack is unlikely and since the decision of whether a bank refunds the customer is based on the most likely explanation, the bank always presents another scenario as being the most likely (normally customer negligence),” he added.

Original Submission