Safe Guard Your ID

Secure | Protect | Safeguard Your Identity

Secure cloud computing how-to documents

March 09, 2010 By: James Neil Category: Security

Ernie Hayden explains where providers should go to obtain the guidance necessary to manage security in a cloud computing project.


By Ernie Hayden

Time to remind customers of Sarbanes-Oxley rules, internal controls

March 04, 2010 By: James Neil Category: Security

Sarbanes-Oxley (SOX) compliance requirements are still in effect, but some customers may need a gentle reminder about what to do. Learn how solution providers can help customers ease the SOX compliance process.


By Eric Rosenzweig

Securing unified communication services an opportunity for partners

March 02, 2010 By: James Neil Category: Security

David Jacobs explains how channel partners can help their customers build a comprehensive defense as they integrate email, IM, telephony, conferencing and other communications.


By David Jacobs

A cloud computing data security checklist for the channel

February 26, 2010 By: James Neil Category: Security

Beth Cohen, president of Luth Computer Specialists, Inc., reviews a list of business, financial, legal and technical guidelines that solution providers can use to help customers secure their cloud computing implementations.


By Beth Cohen

Chip and PIN is Broken

February 24, 2010 By: James Neil Category: Security

The EMV protocol is used worldwide for credit and debit card payments and is commonly known as “Chip and PIN” in the UK. Our analysis of EMV has discovered flaws which allow criminals to use stolen cards without knowing the correct PIN. Where these flaws are exploited – in the “wedge” attack – the receipt and bank records would show that the PIN was correctly verified, so the victim of this fraud may have their request for a refund denied. We have confirmed that this attack works in the UK, including for online transactions (where the terminal contacts the bank for authorization before completing the purchase). It does not apply to UK ATM transactions, which use a different method for PIN verification.



In a normal transaction the customer enters their PIN into the payment terminal, and the terminal sends the PIN to the card to check if it is correct. The card then sends the result to the terminal so that the transaction continues if the PIN was correct (see top part of above figure). The attack uses an electronic device as a “man-in-the-middle” in order to prevent the PIN verification message from getting to the card, and to always respond that the PIN is correct. Thus, the terminal thinks that the PIN was entered correctly, and the card assumes that a signature was used to authenticate the transaction (see bottom part of above figure).


Credit of:

Computer Laboratory Security Group
Dr Steven J. Murdoch
University of Cambridge
Computer Laboratory
15 JJ Thomson Avenue
Cambridge CB3 0FD
United Kingdom