The original CAP specification was designed to use normal EMV transactions, so that CAP could be deployed without updating the firmware of existing EMV cards. However, some banks found this approach difficult to manage in their existing back-end systems. They instead implemented a modified version of CAP, in which the reader selects a dedicated CAP application on the card, separate from the original EMV application. This allows the CAP and EMV applications on the card to use independent secret keys (the PIN and its retry counter are still shared between them), at the expense of having to replace all existing cards with CAP-enabled ones. Different banks implemented these modifications slightly differently (e.g., using different application identifiers), so a CAP reader issued by one bank will not necessarily work with another bank's cards.
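The following is an added example, not code from the article or from any bank's implementation. It models the modified-CAP card layout described above: a card carrying an EMV application and a separate CAP application, selected by application identifier (AID), each with its own secret key but sharing one PIN and one PIN-try counter. It shows the two consequences a practitioner cares about: a reader built for one bank's CAP AID fails on another bank's card, and PIN failures entered into a CAP reader consume the same retry counter that the payment application uses. The AIDs, keys, try limit and the HMAC-SHA256 "cryptogram" are all constructed stand-ins; real cards generate EMV application cryptograms and use scheme-assigned AIDs.

```python
"""Toy model of a card with separate EMV and CAP applications.

Added illustration only. AIDs, keys, the try limit and the MAC
construction are assumptions made for the example, not EMV/CAP values.
"""
import hashlib
import hmac

PIN_TRY_LIMIT = 3  # assumption: three attempts before the PIN is blocked

# Constructed application identifiers (hex strings); not real scheme or bank AIDs.
AID_EMV = "F000000000EE0001"
AID_CAP_BANK_A = "F000000000CA0001"
AID_CAP_BANK_B = "F000000000CA0002"


class Card:
    """A card holding an EMV application and one bank-specific CAP application."""

    def __init__(self, cap_aid: str, emv_key: bytes, cap_key: bytes, pin: str):
        # Independent secret key per application, as in the modified CAP design.
        self.apps = {AID_EMV: emv_key, cap_aid: cap_key}
        self.pin = pin
        self.pin_tries_left = PIN_TRY_LIMIT  # one counter shared by both applications
        self.selected = None

    def select(self, aid: str) -> bool:
        """SELECT by AID. Returns True only if the card carries that application."""
        self.selected = aid if aid in self.apps else None
        return self.selected is not None

    def verify_pin(self, pin: str) -> str:
        """VERIFY against the shared PIN; failures decrement the shared counter."""
        if self.pin_tries_left == 0:
            return "blocked"
        if pin == self.pin:
            self.pin_tries_left = PIN_TRY_LIMIT
            return "ok"
        self.pin_tries_left -= 1
        return "blocked" if self.pin_tries_left == 0 else "wrong"

    def generate_mac(self, challenge: bytes) -> bytes:
        """Stand-in for GENERATE AC: a MAC under the selected application's own key."""
        if self.selected is None:
            raise ValueError("no application selected")
        return hmac.new(self.apps[self.selected], challenge, hashlib.sha256).digest()


def cap_reader(card: Card, reader_cap_aid: str, pin: str, challenge: bytes):
    """A CAP reader configured for one bank's AID. Returns (status, mac or None)."""
    if not card.select(reader_cap_aid):
        return "no-cap-application", None
    status = card.verify_pin(pin)
    if status != "ok":
        return status, None
    return "ok", card.generate_mac(challenge)


def demo_cross_bank_incompatibility() -> str:
    """Bank A's reader meets a card issued by bank B: the CAP AID is not present."""
    card = Card(AID_CAP_BANK_B, b"emv-key-B", b"cap-key-B", "1234")
    status, _ = cap_reader(card, AID_CAP_BANK_A, "1234", b"challenge")
    return status


def demo_independent_keys() -> bool:
    """The same challenge yields different MACs from the CAP and EMV applications."""
    card = Card(AID_CAP_BANK_A, b"emv-key-A", b"cap-key-A", "1234")
    _, cap_mac = cap_reader(card, AID_CAP_BANK_A, "1234", b"challenge")
    card.select(AID_EMV)
    emv_mac = card.generate_mac(b"challenge")
    return cap_mac != emv_mac


def demo_shared_pin_counter() -> str:
    """Wrong PINs typed into a CAP reader block the EMV payment application too."""
    card = Card(AID_CAP_BANK_A, b"emv-key-A", b"cap-key-A", "1234")
    for _ in range(PIN_TRY_LIMIT):
        cap_reader(card, AID_CAP_BANK_A, "0000", b"challenge")
    card.select(AID_EMV)
    return card.verify_pin("1234")  # correct PIN, but the shared counter is exhausted


if __name__ == "__main__":
    print("bank A reader on bank B card:", demo_cross_bank_incompatibility())
    print("CAP and EMV keys independent:", demo_independent_keys())
    print("EMV VERIFY after 3 CAP failures:", demo_shared_pin_counter())
```

The shared counter is the point worth keeping in mind when reasoning about CAP deployments: a separate CAP application isolates the keys, but anyone who can feed wrong PINs to a CAP reader holding the card can still lock the cardholder out of point-of-sale and ATM use.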
==Vulnerabilities==
Cambridge University researchers Saar Drimer, Steven Murdoch and Ross Anderson analysed the implementation of CAP<ref>http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf</ref>, outlining a number of vulnerabilities in the protocol and in the UK variant of both readers and cards.
==Users==