
What makes it impossible to emulate?



IIRC Chip and PIN uses a challenge-response type setup with public key crypto to authenticate your card with your bank. You cannot clone that, as processing is done on the card - not the reader, and the card never reveals its secrets.


https://squareup.com/townsquare/why-are-chip-cards-more-secu...

"To rip it off, someone would have to get into the physical chip circuit and manipulate things to get your bank information. Not only is this level of data surgery really difficult, but it also requires a set of high-tech equipment that can cost north of $1 million."


That's presumably "… cost north of $1 million in 2016, rumoured to have been done in 2017 by Bunny with $10 worth of decapping acid and a borrowed STEM revealing implementation details and flaws, then with a demonstrated contactless remote exploit working on a Raspberry Pi with a $12 USB TV tuner and a hand-wound antenna at CCC or DefCon in 2018"...


So, not $10 if you needed a borrowed, expensive piece of equipment. It is not possible for most of us to jaunt out and borrow a fancy microscope. That only underscores the "expensive equipment required" argument. The contactless payment hack is much more practical, though. (Oh, you also need far beyond average hardware hacking knowledge and skill, which itself is generally more difficult to acquire and learn.)


They go for about $10k-$30k on eBay. But people have also DIY'd their own: http://makezine.com/2011/03/24/diy-scanning-electron-microsc...


Or free - if you're in the right place at the right time (and have the right reputation and friends...):

https://tinkerings.org/2015/11/15/in-which-i-acquire-a-scann...


Sure - but people _are_ doing this at home with stuff they buy off eBay right now: http://zacsblog.aperturelabs.com/2013/02/decapping-integrate...

And as for "far beyond average hardware hacking skill", I suspect if you got Bunny Huang, Michael Ossmann, and Travis Goodspeed together and curious - this might well be broken in a single weekend! ;-)


Your link just describes decapping and reading the state of mask programmable PROM. Reverse engineering a secure IC and coming up with an exploit is several orders (like 10) of magnitude more involved.


So if the first takes a day, the latter - 10 million days?


But seriously, difficulty also implies required skill and equipment.


Great point. So for Plastc to work, all you'd have to do is mail in your card so they can treat it with acid and run it through a scanning transmission electron microscope, destroying it in the process.

I have no idea why they went under.



