Google Architecture 3748
Anne & Lynn Wheeler
a little drift back to ibm:
Safeway and its technology partner IBM were involved in the first ‘Chip and Pin’ trials held in the UK in 1997. Recently, Safeway engaged IBM again to provide the Electronic Payment System (EPS) infrastructure in support of the company’s push forward with the introduction of ‘Chip and Pin.’
... snip ...
the 2002 article mentioning "yes card" vulnerability describes exploit involving chip&pin deployments in 2001 and earlier.
the most recent article yesterday describes the current chip&pin deployment apparently with the same vulnerability as described in the 2002 article mentioning "yes card" exploits.
for the "yes card" exploits in the 90s and thru (at least) 2002, technology that had been around for some time involving compromised and-or counterfeit terminals (that had been havesting magstripe and pins used for creating counterfeit debit cards) ... was adapted to harvesting chip&pin "SDA" data.
Eugene Miya wrote On 06-05-06 12:19,: Perhaps it shows how much more farsighted movie studios are than computer companies. From early times, it seems, the studios twigged to the...
The harvested "SDA" data was then loaded into a counterfeit chip. The terminal chip&pin standard called for authenticating the card and then asking the card 1) if the entered PIN was correct ("YES"), 2) if the transaction was to be offline ("YES"), and 3) if the transaction was within the account Credit Debt limit ("YES"). The harvested "SDA" data was sufficient for a counterfeit card to fool a terminal ... and then the counterfeit card was programmed to always answer "YES" to all the terminal's questions (resulting in giving the counterfeit card the "yes card" name). It was not actually necessary to harvest the valid PIN since the counterfeit "yes card" would always claim an entered PIN was valid.
Part of the issue with the "yes card" vulnerability was that it was an attack on the terminal (not the card). Regardless of how valid chip&pin cards had been programmed ... once an attacker had havested "SDA" data ... it was able to create counterfeit "yes cards" (and attack chip&pin terminals).
somewhat related posting Security Flaw