The attack was never successfully executed. To be successful it had to be done against a card that was reported lost and stolen. Nowhere in the report do they assert that they reported their cards they tested as lost or stolen! All they have done is prove a genuine card can be processed with odd and inconsistent CVR and TVR settings. Hardly compelling evidence.
The rest of the post goes on to use ad-hominem and straw man arguments against the research. Although frequently the discussions on full-disclosure or other mailing lists will drop to this level, it’s pretty rare to see this kind of childish argument on this particular blog.
Indeed, the paper does actually present some opinion and conjecture – but what’s the point in purely theoretical security research? It’s vital that someone takes the time to think about how theoretical attacks can be extended into the real world.
When it gets really interesting is when Ross Anderson himself performs a whois on the IP address – and it appears to be coming from APACS (which is now the UKPA) themselves. They are the body that should have really ensured that Chip and Pin wasn’t a gigantic fuck-up. It’s clear they failed, and failed badly.
Is someone who works for UKPA actually this stupid?
The best bit is that his post admits that there is absolutely no value in the PIN. The only protection is simply:
- Having a card in your possession
- Not having a card in your possession but reporting it stolen.
It might be some kind of set up… but if not, EPIC FAIL.
Seems like it is a wind-up, in as much as there is an open proxy running at UKPA.