Research Seminar by Prof David BASIN | Robbing the Bank with Tamarin

This talk will survey recent work on applying the Tamarin Tool, a Security Protocol Model-Checker, to EMV payment protocols.  Using Tamarin, we have uncovered numerous severe flaws that allow attackers to bypass the PIN on Visa cards, and more recently Mastercard credit cards.  In other words, the PIN on most of the world's credit cards is useless and a thief who gains access to your credit cards can make high-value purcases with them without further authentication.  To show that these flaws are exploitable, we have built attack tools that illustrate how you can literally rob the bank with a security protocol model-checker.  We also discuss improvements that avoid these problems.

Joint work with Jorge Toro Pozo and Ralf Sasse

About the Speaker

David Basin is a full professor of Computer Science at ETH Zurich and is visiting SCIS/SMU under the Lee Kong Chian Professorship during March - May 2022. He received his Ph.D. in Computer Science from Cornell University in 1989 and his Habilitation in Computer Science from the University of Saarbrucken in 1996. From 1997–2002 he held the chair of Software Engineering at the University of Freiburg in Germany.

His research areas are Information Security and Software Engineering. He is the founding director of the ZISC, the Zurich Information Security Center, which he led from 2003-2011. He served as Editor-in-Chief of the ACM Transactions on Privacy and Security (2015-2020) and of Springer-Verlag's book series on Information Security and Cryptography (2008-present). He has co-founded three security companies, is on the board of directors of Anapaya Systems AG as well as various management and scientific advisory boards, and he has consulted extensively for IT companies and government organizations. He is an IEEE Fellow and an ACM Fellow.