Ross Anderson and his team describe vulnerabilities in the APACS CAP implementation at Financial Cryptography ’09

Ross Anderson and his team (Drimer et al. [1]) will present next Wednesday (Wednesday the 25th) at Financial Cryptography 2009 their paper Optimised to Fail: Card Readers for Online Banking, in which they criticise the UK APACS CAP implementation (MasterCard Chip Authentication Program). They reverse-engineer the readers and detail several vulnerabilities where the implementation fails to establish proper user awareness and consent when approving transactions. When they speak about “fixing the vulnerabilities”, they mention the German ZKA’s HHD 1.3 as a solution that mitigates most of these attacks, quoting from the paper: “…incorporates defences against a number of the attacks we discuss in the paper.”
HHD 1.3 is a TAN generator that adds context to the transaction, enabling the user to give informed consent to a specific transaction. Because this is controlled by the challenge, Dynamic Signatures can be generated when needed, based on the risk in the transaction. The paper can be found here. The HHD 1.3 concept originates from Todos, but we call the technology Dynamic Signatures.
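To make the difference concrete, here is a small added model (not code from the paper, from Todos, or from the ZKA specification) of the two reader behaviours described above. A context-free mode signs only a nonce, so the code the user types in is valid for whatever transaction the browser actually submits; a context-bound mode carries the destination account and amount in the challenge, shows them on the token, and binds the response to exactly those values. The key derivation, MAC construction, counter window and field encoding are all constructed stand-ins, not those of CAP or HHD 1.3.

```python
"""Toy model of challenge-response transaction authorisation.

Constructed illustration only: the MAC, counter handling and message
formats are simplified and do NOT reproduce the CAP or HHD 1.3 protocols.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed shared secret between the token and the bank (hypothetical).
DEMO_SECRET = b"constructed-demo-secret"


@dataclass(frozen=True)
class Transaction:
    dest_account: str
    amount_cents: int


def truncated_mac(secret: bytes, data: bytes) -> str:
    """HMAC-SHA256 truncated to an 8-digit code the user can type in."""
    digest = hmac.new(secret, data, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Token:
    """Hand-held generator holding the secret and a transaction counter."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def respond_context_free(self, nonce: str) -> str:
        # Only the nonce is signed: nothing ties the code to a transaction,
        # so the user has no way of knowing what they are approving.
        self._counter += 1
        return truncated_mac(self._secret, f"{nonce}|{self._counter}".encode())

    def respond_with_context(self, challenge: Transaction,
                             user_approves: Callable[[Transaction], bool]) -> Optional[str]:
        # The token displays the challenge; the user confirms it against
        # what they intended before any code is produced.
        if not user_approves(challenge):
            return None
        self._counter += 1
        data = f"{challenge.dest_account}|{challenge.amount_cents}|{self._counter}".encode()
        return truncated_mac(self._secret, data)


class Bank:
    """Verifier side, accepting a small window of unused counter values."""
    WINDOW = 10

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_counter = 0

    def _verify(self, data_for: Callable[[int], bytes], code: str) -> bool:
        for c in range(self._last_counter + 1, self._last_counter + 1 + self.WINDOW):
            if hmac.compare_digest(truncated_mac(self._secret, data_for(c)), code):
                self._last_counter = c
                return True
        return False

    def verify_context_free(self, nonce: str, code: str) -> bool:
        return self._verify(lambda c: f"{nonce}|{c}".encode(), code)

    def verify_with_context(self, tx: Transaction, code: str) -> bool:
        return self._verify(
            lambda c: f"{tx.dest_account}|{tx.amount_cents}|{c}".encode(), code)


def authorise_context_free(secret: bytes, intended: Transaction,
                           submitted: Transaction) -> bool:
    """Nonce-only mode: the bank cannot tell intended from submitted."""
    bank, token = Bank(secret), Token(secret)
    nonce = "482913"  # constructed server challenge
    code = token.respond_context_free(nonce)
    return bank.verify_context_free(nonce, code)  # 'submitted' plays no role


def authorise_with_context(secret: bytes, intended: Transaction,
                           submitted: Transaction,
                           swapped_after: Optional[Transaction] = None) -> bool:
    """Context-bound mode: the challenge is what the bank actually received."""
    bank, token = Bank(secret), Token(secret)
    code = token.respond_with_context(submitted, lambda shown: shown == intended)
    if code is None:
        return False  # user saw the mismatch on the token and declined
    final = swapped_after if swapped_after is not None else submitted
    return bank.verify_with_context(final, code)


if __name__ == "__main__":
    intended = Transaction("DE00 1234 5678", 5000)          # constructed
    tampered = Transaction("DE99 9999 9999", 900000)        # constructed
    print("context-free, tampered:", authorise_context_free(DEMO_SECRET, intended, tampered))
    print("with context, tampered:", authorise_with_context(DEMO_SECRET, intended, tampered))
```

Running it shows the point of the paragraph: in the nonce-only mode a modified transaction is accepted because the code was never bound to any transaction data, whereas in the context-bound mode the user either declines at the token because the displayed details differ from what they intended, or the bank rejects the code because it was computed over different account and amount values than the ones finally submitted.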

[1] Saar Drimer, Steven J. Murdoch, and Ross Anderson, “Optimised to Fail: Card Readers for Online Banking”, Financial Cryptography and Data Security ’09.

Here is the presentation they did.


~ by petergullberg on February 23, 2009.

2 Responses to “Ross Anderson and his team describe vulnerabilities in the APACS CAP implementation at Financial Cryptography ’09”

  1. Interesting. So, what are your own personal comments on the subject (and paper)?

  2. Well, there is no real panic, but it should be considered carefully!
    It has been foreseen for quite some time (read: years), and that’s the reason we developed Dynamic Signatures (which is implemented in Germany as HHD 1.3), and which is also implemented in the products we have provided to the market. Quoting Drimer et al.: “The German CAP variant, TAN generator (HHD 1.3) [14], incorporates defences against a number of the attacks we discuss in the paper.” It protects against Trojans, Man-in-the-Middle and Man-in-the-Browser.
    Several banks have been hit by different Trojans, and several of our customers have successfully mitigated this, and are now protected against these attacks.
    The important experience, independent of whether a bank chooses to change its security solution, is to develop a customer education program, where they inform their customers how to be safe on the internet. A few banks also offer a free anti-virus program.
    This report has already generated a lot of public news coverage, even though there is nothing revolutionary. There might even be some more noise coming from Ross’ team. 🙂
