Vulnerability Note VU#214555
Multiple vulnerabilities exist within credit card chips thereby allowing malicious user to bypass authentication mechanism
French smart card reader terminals can be fooled into accepting imposter smart cards for payment.
French smart cards are credit cards with an embedded chip containing certain cardholder, account, and authentication information. These cards are read by automated terminals across France for sale of a variety of products and services.
Prior to November 1999, authentication was performed on the terminals by reading a 320-bit RSA-encrypted authentication value from card, decrypting the value, and comparing it to the unencrypted account information stored on the card. The encryption method used a 321-bit RSA key which was cracked in or before 1998 and published on the Internet on February 9, 2000. With knowledge of the key now public, criminals have begun to forge their own credit cards with valid authentication values on bogus accounts. Because the terminals check only the information stored on the card without verifying the account validity with the credit card issuer, the terminals are fooled into accepting the card and dispensing product or providing services.
Attackers can forge smart cards that will be accepted as payment at over two million estimated automated card reader terminals in France.
Merchants should upgrade their smart card reader terminals to require the new authentication scheme introduced in November 1999. Cardholders of cards issued before November 1999 should obtain new cards.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Groupement des Cartes Bancaires||Affected||22 Apr 2002||07 Jun 2002|
CVSS Metrics (Learn More)
Thanks to Laurent Pele for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
- CVE IDs: Unknown
- Date Public: 09 Feb 2000
- Date First Published: 18 Sep 2002
- Date Last Updated: 18 Sep 2002
- Severity Metric: 0.18
- Document Revision: 7
If you have feedback, comments, or additional information about this vulnerability, please send us email.