Guest lecture: Robbing the Bank with a Model Checker with David Basin, ETH Zurich
Date and time: 17 December 2021, 14:00 – 15:00 CET
Speaker: David Basin, ETH Zurich
Title: Robbing the Bank with a Model Checker
Where: Digital Futures hub, Osquars Backe 5, floor 2 at KTH main campus
Directions: https://www.digitalfutures.kth.se/contact/how-to-get-here/
Maximum 30 participants are onsite at Digital Futures hub. First-come, first-served basis.
For onsite participation – please register here: https://www.kth.se/form/619e33e9d15d5f00133be4e5
If you are unable to participate on-site you are welcome to join us via Zoom:
Zoom: https://kth-se.zoom.us/j/69560887455
Meeting ID: 695 6088 7455
Password: 755440
This event is jointly organized by KTH Digitalization platform and Digital Futures
Watch the recorded presentation:
Abstract: As a case study on the use of formal methods for security we show how to use Tamarin, a security protocol model checker, to find serious exploitable vulnerabilities in the EMV payment protocols. EMV is the international protocol standard for smartcard payment that is used in over 9 billion payment cards worldwide. Despite the standard’s advertised security, various issues have been previously uncovered, deriving from logical flaws that are hard to spot in EMV’s lengthy and complex specification, running over 2,000 pages.
We have formalized a comprehensive model of EMV in Tamarin. We use our model to automatically discover new flaws that lead to critical attacks on EMV. In particular, an attacker can use a victim’s EMV card (e.g., Mastercard or Visa Card) for high-valued purchases without the victims PIN. Said more simply, the PIN on your EMV card is useless! We describe these attacks, their repair, and more generally why using formal methods is essential for critical protocols like payment protocols.
Bio: David Basin is a full professor of Computer Science at ETH Zurich. He received his Ph.D. in Computer Science from Cornell University in 1989 and his Habilitation in Computer Science from the University of Saarbrucken in 1996. From 1997–2002 he held the chair of Software Engineering at the University of Freiburg in Germany. His research areas are Information Security and Software Engineering. He is the founding director of the ZISC, the Zurich Information Security Center, which he led from 2003-2011. He served as Editor-in-Chief of the ACM Transactions on Privacy and Security (2015-2020) and of Springer-Verlag’s book series on Information Security and Cryptography (2008-present). He has co-founded three security companies, is on the board of directors of Anapaya Systems AG as well as various management and scientific advisory boards. He is an IEEE Fellow and an ACM Fellow.