Chip Authentication Program

CAP is a form of two-factor authentication as both a smartcard and a valid PIN must be present for a transaction to succeed.

Banks hope that the system will reduce the risk of unsuspecting customers entering their details into fraudulent websites after reading so-called phishing emails.

7716) which splits the ARQC data into separate TLV values that need to be reassembled sequentially to match that of the type 1 format.

More concerningly, if a bank issues a respond request, using the sign mode with the same number and an amount of ¤0.00 will again generate a valid result. This creates the possibility for a fraudster to instruct a customer to perform a "test" challenge-response for an amount of ¤0.00, which the fraudster in fact uses to satisfy a respond command and add themselves as a payee on the victim's account. These attacks were possible against banks whose strong authentication devices did not cancel the operation until an amount of at least 0.01 was entered.[4]

The likelihood of these kinds of attacks was addressed in 2009 when new generations of devices were rolled out, implementing secure domain separation functionality that is compliant with the MasterCard Application note dated October 2010.
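As an added illustration (not code from the article or from any real CAP reader), the following constructed model shows why the respond/sign confusion above arises and what domain separation changes. The HMAC stand-in, the demo key, and the message layout are assumptions for illustration only; real EMV-CAP computes an ARQC inside the card from the card's key and an EMV transaction.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed demo key: a placeholder, not a real card key.
CARD_KEY = b"constructed-demo-card-key"


def _mac(message: bytes) -> str:
    """Stand-in for the card's cryptogram: a truncated HMAC over the message."""
    return hmac.new(CARD_KEY, message, hashlib.sha256).hexdigest()[:8]


def legacy_response(mode: str, challenge: str, amount: str = "0.00") -> str:
    """Model of the pre-2009 behaviour described in the text.

    The mode is deliberately NOT bound into the signed data, so a 'respond'
    code for a number equals a 'sign' code for the same number and ¤0.00.
    """
    return _mac(f"{challenge}|{amount}".encode())


def separated_response(mode: str, challenge: str, amount: str = "0.00") -> str:
    """Model of domain-separated behaviour.

    The mode tag is part of what is signed, so the same challenge yields
    different codes in different modes, and sign mode refuses an amount
    below 0.01 so a "test" signature for ¤0.00 cannot be obtained at all.
    """
    if mode not in ("respond", "sign"):
        raise ValueError("unknown mode")
    if mode == "sign" and Decimal(amount) < Decimal("0.01"):
        raise ValueError("sign mode requires an amount of at least 0.01")
    if mode == "respond":
        amount = ""  # respond mode carries no amount field
    return _mac(f"{mode}|{challenge}|{amount}".encode())


if __name__ == "__main__":
    n = "12345678"  # constructed challenge number
    print("legacy respond == legacy sign 0.00:",
          legacy_response("respond", n) == legacy_response("sign", n, "0.00"))
    print("separated respond != separated sign 1.00:",
          separated_response("respond", n) != separated_response("sign", n, "1.00"))
```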

So just like at an ATM or POS terminal, entering an incorrect PIN three times in a row into a CAP reader will block the card.

Radboud University researchers found a vulnerability in the Dutch ABN AMRO e.dentifier2, allowing an attacker to command a USB connected reader to sign malicious transactions without user approval.

It is used for two main purposes: The device is equipped with an optional USB port; those two operations can also be used without connecting the cable to a computer.

Since the wide adoption of smartphones, banks offer an alternative using a local application on the phone, scanning a QR code, or using the popular Itsme app.

The device is also compatible with the Belgian eID card to access government services such as tax declaration, medical insurance information, unemployment, etc.

A Gemalto EZIO CAP device with Barclays PINsentry styling
A Nordea E-code reader
A Belfius card reader
A Nationwide CAP Device with a 20p coin to scale
A NatWest CAP Device with a 10p coin to scale