
Chip Cards

longtimelurker
Epic Contributor

Re: Chip Cards


@yfan wrote:

Your conjecture about firmware upgrades and dismissing a published study as a rehash, insistence something is not a clone when researchers in plain English called it cloning, and claim to technological know-how superiority does little more than prove a complex on your part. I will take the researchers' word over some person on the Internet claiming to know better any day. And their word is:

 


 

“Some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce,” “This exposes them to a ‘pre-play’ attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically.”


 

 

That's case closed, as far as I'm concerned.


And your tone certainly fails FRS guidelines.  I have noticed that you tend to complain about others  (recently "Don't patronize me" for example) while indulging in very similar behavior yourself:  "Ah. Then all these security researchers who say the Pre-play (not replay, btw) attack can be used to functionally (though not physically) clone a card must be out of their wits."  seems text-book patronization to me.

Message 41 of 48
nyancat
Established Contributor

Re: Chip Cards


@yfan wrote:

Your conjecture about firmware upgrades and dismissing a published study as a rehash, insistence something is not a clone when researchers in plain English called it cloning, and claim to technological know-how superiority does little more than prove a complex on your part. I will take the researchers' word over some person on the Internet claiming to know better any day. And their word is:

 


 

“Some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce,” “This exposes them to a ‘pre-play’ attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically.”


 

 

That's case closed, as far as I'm concerned.


Or you could actually read what you quoted. They said NOTHING that disagrees with me. They said it looks like a clone to the issuing bank, that is true. The bank cannot tell that the genuine card was not used. It is not a functional clone, as I said, that can be used over and over anywhere. They also note, as I did, that it is *impossible* to clone a card. They agreed with me in that quote!

Message 42 of 48
yfan
Valued Contributor

Re: Chip Cards


@longtimelurker wrote:

And your tone certainly fails FRS guidelines.  I have noticed that you tend to complain about others  (recently "Don't patronize me" for example) while indulging in very similar behavior yourself:  "Ah. Then all these security researchers who say the Pre-play (not replay, btw) attack can be used to functionally (though not physically) clone a card must be out of their wits."  seems text-book patronization to me.


Well, if you believe that presenting an expert, scientific research to counter someone's self-proclaimed technical expertise is patronizing, then we have different definitions of the word. If I were talking to someone like they were stupid, I wouldn't bother to find a study that proves what I am trying to say. What WAS patronizing, however, was the person I was responding to simply dismissing what I said before that with a "No, I know better" type response.

 

By the way, if you believe I am violating FRS guidelines, please feel free to report it to a moderator. I am not saying it to slight you. I truly don't think what I did violated FRS, and if it did, I would like to hear it from the arbiters so that I can better adjust my tone.

Message 43 of 48
yfan
Valued Contributor

Re: Chip Cards


@nyancat wrote:

Or you could actually read what you quoted. They said NOTHING that disagrees with me. They said it looks like a clone to the issuing bank, that is true. The bank cannot tell that the genuine card was not used. It is not a functional clone, as I said, that can be used over and over anywhere. They also note, as I did, that it is *impossible* to clone a card. They agreed with me in that quote!


If the issuing bank cannot tell that the genuine card wasn't used when the fake one is, then for all functional purposes, the fake one is a clone. You seem to be saying only a physical clone counts, which I disagree with, and the researchers seem to as well by saying it's indistinguishable from a clone as far as the bank is concerned.

Message 44 of 48
longtimelurker
Epic Contributor

Re: Chip Cards


@yfan wrote:

@longtimelurker wrote:

And your tone certainly fails FRS guidelines.  I have noticed that you tend to complain about others  (recently "Don't patronize me" for example) while indulging in very similar behavior yourself:  "Ah. Then all these security researchers who say the Pre-play (not replay, btw) attack can be used to functionally (though not physically) clone a card must be out of their wits."  seems text-book patronization to me.


Well, if you believe that presenting an expert, scientific research to counter someone's self-proclaimed technical expertise is patronizing, then we have different definitions of the word. If I were talking to someone like they were stupid, I wouldn't bother to find a study that proves what I am trying to say. What WAS patronizing, however, was the person I was responding to simply dismissing what I said before that with a "No, I know better" type response.

 

By the way, if you believe I am violating FRS guidelines, please feel free to report it to a moderator. I am not saying it to slight you. I truly don't think what I did violated FRS, and if it did, I would like to hear it from the arbiters so that I can better adjust my tone.


OK.  I don't need a moderator to determine (for myself) that "and claim to technological know-how superiority does little more than prove a complex on your part." doesn't seem FSR.  But feel free to ask if your need to appeal to authority is strong enough.

Message 45 of 48
yfan
Valued Contributor

Re: Chip Cards


@longtimelurker wrote:

OK.  I don't need a moderator to determine (for myself) that "and claim to technological know-how superiority does little more than prove a complex on your part." doesn't seem FSR.  But feel free to ask if your need to appeal to authority is strong enough.


It does to me. It also seems an appropriate response considering the context. But it'd be ridiculous for me to seek out a moderator since I'm not the one that has a problem with what I said. Hey but I appreciate the pep talk about appeal to authority.

Message 46 of 48
SunriseEarth
Moderator Emeritus

Re: Chip Cards

The topic of EMV chips is an important one, as we are in the process of a transition in the US.   It is important that we all make sure this topic remains open for comments.   However, if we cannot all follow the guidelines of Friendly, Supportive, and Respectful discussion, this thread will be locked.   Please be respectful to your community...pause, read, and reread your responses before submitting.    We welcome differences of opinion, but they must be expressed in a way that promotes discussion and learning.  

 

Thank you for your understanding,

 

SunriseEarth

Moderator



Message 47 of 48
nyancat
Established Contributor

Re: Chip Cards


@SunriseEarth wrote:

The topic of EMV chips is an important one, as we are in the process of a transition in the US.   It is important that we all make sure this topic remains open for comments.   However, if we cannot all follow the guidelines of Friendly, Supportive, and Respectful discussion, this thread will be locked.   Please be respectful to your community...pause, read, and reread your responses before submitting.    We welcome differences of opinion, but they must be expressed in a way that promotes discussion and learning.  

 

Thank you for your understanding,

 

SunriseEarth

Moderator


Thank you.

 

Now, to let the people decide. Here's the difference between a traditional clone and the Cambridge attack on EMV. Who feels they are "functionally" identical, as the Cambridge researchers said in some headlines?

 

Traditional clone (e.g. in magstripe times): Is in a card format, if done well can look like a genuine bankcard with that number, can be used freely anywhere that accepts magnetic stripe transactions on that payment network until the card gets blocked by the issuer, can be used at will (no special procedures needed). Commonly occurs in the wild.

 

The Cambridge "clone": Is a smartcard interface hard-wired to a laptop - with a cable dangling from it, can only be used at a vulnerable terminal (weak random number generation), must be planned in advance exactly WHICH terminals it will be used at and WHEN it will be used (what transaction number on the terminal, and the attacker must get it exact), dies after these "pre-played" transactions are complete - or when they fail. This all requires such a degree of scouting in advance that even the most oblivious merchant would be very suspicious of what was happening, thus it has NEVER been confirmed to have happened - even once - in the wild. There have been isolated reports of ATM withdrawals that many believe are due to this attack, as to the bank they looked as if they were made by the original card (or an exact clone, which everyone acknowledges is impossible). ATM manufacturers all issued updated firmware years ago to prevent this attack, and any terminal updated even semi-recently uses far more random random numbers - only a terminal that hasn't been updated in 4+ years would be vulnerable.

 

Is the Cambridge clone truly "functionally" identical to what we traditionally mean when we refer to a cloned card? To me, there is a lot of functionality missing from a clunky clone that requires pre-scouting the merchant it will be used at, relying on the merchant having very old firmware (to be fair, some might still, but it's unlikely, so your choice of merchants is pretty limited), and finally making the transaction with a setup tethered to a laptop. That isn't very "functional" in my world. To be used at anything other than a completely customer-activated system (e.g. an ATM) you'd honestly need the merchant to be in on the fraud. What do others on here think, though?

Message 48 of 48
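
The weakness quoted in this thread (terminals supplying the nonce from "counters, timestamps or home-grown algorithms") is something a terminal operator or acquirer can look for in a terminal's own transaction logs. The following is an added example, not part of the original thread and not the researchers' code; the function name, finding labels, thresholds and all sample values are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

MASK32 = 0xFFFFFFFF

def assess_uns(uns):
    """Return sorted findings for a time-ordered list of 32-bit nonces from one terminal."""
    if len(uns) < 16:
        raise ValueError("need at least 16 samples")
    findings = set()
    # Successive differences modulo 2^32: a counter produces one dominant step.
    deltas = [(b - a) & MASK32 for a, b in zip(uns, uns[1:])]
    if Counter(deltas).most_common(1)[0][1] > len(deltas) // 2:
        findings.add("constant-step")
    # Clock-derived values only rise; n random values do so with probability 1/n!.
    if all(a < b for a, b in zip(uns, uns[1:])):
        findings.add("monotonic")
    # Bits that never toggle: a random bit stays fixed with probability 2^-(n-1).
    always_one, ever_one = MASK32, 0
    for u in uns:
        always_one &= u
        ever_one |= u
    fixed_mask = (always_one | ~ever_one) & MASK32
    if bin(fixed_mask).count("1") >= 8:
        findings.add("fixed-bits")
    # A 32-bit value repeating within a few dozen samples is not chance.
    if len(set(uns)) < len(uns):
        findings.add("repeats")
    return sorted(findings)

# Constructed samples (not captured data), 32 values each.
def counter_sample():
    return [1000 + i for i in range(32)]

def clock_sample():
    t, out = 1_700_000_000, []
    for i in range(32):
        out.append(t)
        t += (i * 37) % 101 + 1   # irregular gaps between transactions
    return out

def hashed_sample():
    # Stand-in for a sound generator: first 4 bytes of SHA-256 over an index.
    return [int.from_bytes(hashlib.sha256(bytes([i])).digest()[:4], "big") for i in range(32)]

if __name__ == "__main__":
    for name, fn in [("counter", counter_sample), ("clock", clock_sample), ("hashed", hashed_sample)]:
        print(name, assess_uns(fn()) or "no findings")
```

An empty result only means these four checks found nothing; it does not show that a terminal's generator is sound.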