Chip Authentication Program: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 18:18, 26 April 2023 edit Moriwen (talk \| contribs) Extended confirmed users, New page reviewers 31,123 edits m Tag correct text as {{proper name}} for automated spell checkers (including Wikipedia:Typo Team/moss) ← Previous edit		Latest revision as of 10:49, 31 May 2025 edit undo Cl3phact0 (talk \| contribs) Extended confirmed users, New page reviewers 27,653 edits →United Kingdom: +photo
(9 intermediate revisions by 7 users not shown)
Line 1: {{Short description\|Aspect of banking security}} [[image:Barclays pinsentry.jpg\|thumb\|right\|250px\|A Gemalto EZIO CAP device with Barclays PINsentry styling]] The '''Chip Authentication Program''' '''(CAP)''' is a [[MasterCard]] initiative and technical specification for using [[EMV]] banking [[smartcards]] for [[authentication\|authenticating]] users and transactions in online and telephone banking. It was also adopted by [[Visa (company)\|Visa]] as '''Dynamic Passcode Authentication''' (DPA).<ref>[http://www.visaeurope.com/aboutvisa/products/dynamicpasscode.jsp Dynamic passcode authentication] {{webarchive\|url=https://web.archive.org/web/20081119231409/http://www.visaeurope.com/aboutvisa/products/dynamicpasscode.jsp \|date=2008-11-19 }}, VISA Europe</ref> The CAP specification defines a handheld device (''CAP reader'') with a smartcard slot, a numeric keypad, and a display capable of displaying at least 12 characters (e.g., a [[starburst display]]). Banking customers who have been issued a CAP reader by their bank can insert their [[Chip and PIN]] ([[EMV]]) card into the CAP reader in order to participate in one of several supported [[authentication protocol]]s. CAP is a form of [[two-factor authentication]] as both a smartcard and a valid PIN must be present for a transaction to succeed. Banks hope that the system will reduce the risk of unsuspecting customers entering their details into fraudulent websites after reading so-called [[phishing]] emails.<ref>{{Cite web\|last=Leyden\|first=John\|title=Barclays deploys PINsentry to fight fraud\|url=https://www.theregister.com/2007/04/18/pinsentry/\|access-date=2021-04-30\|website=www.theregister.com\|language=en}}</ref> ==Operating principle== Line 10 ⟶ 11: The above noted transaction types are implemented using one of two modes. One of these modes has two forms in which it can operate, creating three distinct modes, though they are not named this way in the specification. ;Mode1: This is the mode for normal monetary transactions such as an online purchase through a merchant. A transaction value and currency are included in the computation of the cryptogram. If the card does not require it or the terminal does not support it, then both amount and currency are set to zero. ;Mode2: This mode may be useful for authenticating a user in which no transaction is taking place, such as logging into an Internet banking system. No transaction value, currency, or other data are included, making these responses very easy to precompute or reuse.{{paragraph break}}{{glossary}}{{term\|With transaction data signing (TDS)}}{{defn\|This mode may be used for more complicated transactions, such as a funds transfer between accounts. Multiple data fields pertaining to the transaction are concatenated and then hashed with a Mode2 cryptogram as the key for the hashing algorithm. The resultant hash is used in place of the cryptogram calculated in a non-TDS Mode2 operation.<ref>[http://www.unixgarden.com/index.php/misc/banques-en-ligne-a-la-decouverte-demv-cap Banques en ligne : à la découverte d’EMV-CAP] {{webarchive\|url=https://web.archive.org/web/20121127172622/http://www.unixgarden.com/index.php/misc/banques-en-ligne-a-la-decouverte-demv-cap \|date=2012-11-27 }}, UnixGarden</ref>}}{{glossary end}} Mode1 sounds very much like a specific use of Mode2 with TDS, but there is a critical difference. In Mode1 operation, the transaction data (amount and currency type) are used in the cryptogram calculation in addition to all the values used in Mode2 without TDS, whereas Mode2 includes its transaction data in a successive step rather than including it in the cryptogram calculation step. If it were not for this difference, then all operations could be generalized as a single operation with varying optional transaction data. Line 37 ⟶ 38: The original CAP specification was designed to use normal EMV transactions, such that the CAP application could be deployed without updating the firmware of existing EMV cards if necessary. The preferred implementation uses a separate application for CAP transactions. The two applications may share certain data, such as PIN, while other data is not shared in instances where it is only applicable to one application (i.e., terminal risk management data for EMV) or advantages to have separate (i.e., transaction counter, so that EMV and CAP transactions increment separate counters which can be verified more accurately). The reader also carries implementation specific data, some of which may be overridden by values in the card. Therefore, CAP readers are generally not compatible with cards from differing issuing banks. However, ~~card~~most ~~readers~~UK ~~issued~~banks bythat ~~most,~~issue ~~possibly~~card ~~all, UK banks~~readers conform to a CAP subset defined by [[APACS]], meaning that, in most cases, cards issued by a UK bank can be used in a card reader issued by a different bank.{{cn\|date=March 2024}} ==Vulnerabilities== Line 44 ⟶ 45: ==Users== ===Belgium=== [[Image:lecteur-de-carte-belfius.png\|right\|thumb\|A [[Belfius]] card reader]] Most majors banks of Belgium (including [[Belfius]], [[BNP Paribas Fortis]], [[ING Group\|ING]], [[KBC Bank]]) provide such a card reader. It is used for two main purposes: * Authenticating to the bank eBanking website. In order to access private information like balance checking. * Signing a transaction. For example in eCommerce (3DS) to buy goods or service on an online merchant, or to perform a [[bank transfer]]. The merchant would ask for the bank card information, then redirect the user to the bank website where a webpage is displayed with instructions to follow to verify the transaction. Then the bank redirects the user to the merchant page with a success or a failure. The device is equipped with an optional USB port, those two operations can be used without connecting the cable on a computer. It was the most used method to pay online, offering a verification method similar to PIN in POS. Since the wide acceptation of smartphones, the banks offer an alternative using a local application on the phone, using a QR-Code to scan, or using the popular {{Interlanguage link\|Itsme\|fr\|Itsme}} app. The device is also compatible with the [[Belgian identity card\|Belgian eID card]] to access government services like tax declaration, medical insurance information, unemployement, etc. Those services are also generally available using Itsme. ===Sweden=== Line 51 ⟶ 65: [[Image:nationwide-CAP-reader.jpg\|right\|thumb\|A Nationwide CAP Device with a 20p coin to scale]] [[Image:Natwest--CAP-reader.jpg\|right\|thumb\|A Natwest CAP Device with a 10p coin to scale]] [[File:Barclays Pinsentry 5920.jpg\|right\|thumb\|Barclays Pinsentry 5920]] The [[UK Payments Administration]] defined a CAP subset for use by UK banks. It is currently used by: *[[Barclays Bank]]