Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:214555
HistorySep 18, 2002 - 12:00 a.m.

Multiple vulnerabilities exist within credit card chips thereby allowing malicious user to bypass authentication mechanism

2002-09-1800:00:00
www.kb.cert.org
10
JSON

Overview

French smart card reader terminals can be fooled into accepting imposter smart cards for payment.

Description

French smart cards are credit cards with an embedded chip containing certain cardholder, account, and authentication information. These cards are read by automated terminals across France for sale of a variety of products and services.

Prior to November 1999, authentication was performed on the terminals by reading a 320-bit RSA-encrypted authentication value from card, decrypting the value, and comparing it to the unencrypted account information stored on the card. The encryption method used a 321-bit RSA key which was cracked in or before 1998 and published on the Internet on February 9, 2000. With knowledge of the key now public, criminals have begun to forge their own credit cards with valid authentication values on bogus accounts. Because the terminals check only the information stored on the card without verifying the account validity with the credit card issuer, the terminals are fooled into accepting the card and dispensing product or providing services.

Starting in November 1999, new smart cards contained a second authentication value of 768 bits. However, with 37 million of the old cards already in service, most terminals were either not upgraded to use the new authentication scheme or were upgraded with backward compatibility enabled for the older cards.

Impact

Attackers can forge smart cards that will be accepted as payment at over two million estimated automated card reader terminals in France.

Solution

Merchants should upgrade their smart card reader terminals to require the new authentication scheme introduced in November 1999. Cardholders of cards issued before November 1999 should obtain new cards.

Vendor Information

214555

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Groupement des Cartes Bancaires Affected

Notified: April 22, 2002 Updated: June 07, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23214555 Feedback>).

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Laurent Pele for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 0.18 Date Public:
JSON