Domain: chipandspin.co.uk
Stories and comments across the archive that link to chipandspin.co.uk.
Comments · 7
-
The answer is a RESOUNDING **NO**!
I'd honestly have thought they'd have given up on this stupidity already, having known that the damn stuff flatly doesn't work.
Some of the CLEAR problems with Chip and PIN
This shit was brought up to have real and serious issues and shown to be a farce back in 2006(!)- which means they should be goddamn ashamed of themselves to FORCE this because now they're going to blindly follow what the EMV system tells them and YOU are going to be the one to eat the fraud not the bank. I'm limiting how much I spend on my card from here on out- because they're going forward with this joke. Just because you use crypto and "smart card" tech does NOT magicially make it secure, sound, or even sane.
-
The answer is a RESOUNDING **NO**!
I'd honestly have thought they'd have given up on this stupidity already, having known that the damn stuff flatly doesn't work.
Some of the CLEAR problems with Chip and PIN
This shit was brought up to have real and serious issues and shown to be a farce back in 2006(!)- which means they should be goddamn ashamed of themselves to FORCE this because now they're going to blindly follow what the EMV system tells them and YOU are going to be the one to eat the fraud not the bank. I'm limiting how much I spend on my card from here on out- because they're going forward with this joke. Just because you use crypto and "smart card" tech does NOT magicially make it secure, sound, or even sane.
-
Ahh...Chip and SPIN...
Chip and Pin isn't any better than what's currently there...
Chip and Spin
Safety in numbers? Not likely.It's not a solution and screws YOU the consumer on many fronts.
-
Re:Fencing
It's coming to North America, but slowly. Mainly because it will be expensive, and only serves to protect the consumer.
Contrast that with the UK banks that have implemented the "chip and pin", where the courts ruled that due to the PIN, they aren't responsible for theft. The banks practically orgasamed all over themselves to get it going.
It still doesn't offer complete protection. You can take the UK card to Germany, where merchants have not implemented the PIN. Or you can still shop inside the UK; just damage the chip. The card will fallback into "swipe and sign" mode that is used for cards without a PIN (such as those visiting from America).
Or, even with the chip and pin, all one needs to do is some shoulder surfing. Everyone covers their PIN at an ATM. In other situations, people aren't used to doing that (restaurant, etc). Once you've identified a PIN, pick the person's pocket.
Or buy things online.
Or steal a lot of cards, and attempt to brute-force the PIN.
Or there's an interesting relay attack:
Consider the following scenario: You go for lunch in a small restaurant in London, and pay using your chipcard at the end of the meal. What you don't know is that the waiter at the restaurant is corrupt. You ask for the bill, and the waiter goes off to fetch a handheld Chip and PIN machine that he brings over to you. Meanwhile, on the other side of town, his accomplice is loitering in a jeweller's store. The waiter sends an SMS message to his accomplice, who goes up to make a purchase. Just as you insert your card into the waiter's terminal, the accomplice puts a fake card into the jeweller's terminal. The waiter's sabotaged reader simply forwards all the traffic from your card wirelessly to the card in the reader at the jewellers, and pretends to ask you to pay for lunch. You enter the PIN, thinking you're paying for lunch, but in fact you're buying the crooks a diamond!
- "Chip and Spin", http://www.chipandspin.co.uk/
-
Re:I had no idea
EMV is a good step in the right direction, but still has its flaws. The biggest flaw is, of course, systems that don't use the chip. "The door is locked but I was never given a key". "Oh, come on in".
The second is just a subset of the first: More chip-n-pin systems, if they detect a damaged chip, will default to the standard swipe method. This is because a small number of chips will be damaged-- magnets, static shock, wear and tear, etc. If they don't flip to the swipe method, the customer is SOL at the POS. So if you want to use a stolen chip'n'pin card, just damage the chip.
The third is a bit more esoteric but doable. If you control a POS handset, you can reroute its functionality to a wireless card, which goes to a computer, which goes to an accomplice at a merchant's POS with a fake card that is actually reciving the communications from your fake POS. If you time it right, this is what happens:
- Alice puts her EMV card into your fake terminal to pay for, say, lunch
- Bob puts his fake card into the terminal at Worst Buy, ready to pay for a plasma TV
- Worst Buy sends a "please authenticate and authorize" request to the fake card
- The fake card relays that information to your fake terminal at the restaurant
- Alice gets a message saying "Enter your pin and authorize your $5.99 salad
- Alice authenticates, and her chip signs the transaction
- Your fake terminal sends the signed and sealed transaction back to Bob's fake card
- Bob's plasma TV purchase is now authorized. And it was all done with a secure chip
Now, the REAL threat is actually liability. In the UK, a PIN is considered to be enough of a security device that if it is compromised, it is because the PIN holder didn't do due diligence. Thus, the card holder is responsible for the loss, not the card issuer. Banks have gotten off the hook, even in the face of massive fraud, because of the PIN. Now UK credit card companies can do the same-- even if was because someone stole a card, took it to Germany where the chip system isn't in place, and bought 50,000 EU of bratwurst.
Fortunately for those in North America, credit card transactions are always the responsibility of the card issuer (or merchant), and not the consumer. The terms of service have been updated to reinforce that. But, IMHO, that is "for now", and we'll see what happens once everyone is irrevocably switched over to the chip and pin cards
Reference, and a really good read: Chip and Spin. Includes a great whitepaper on how the whole EMV authentication system works.
-
Re:Any advancement?
Chip and Pin as you're flogging is NOT secure as you're claiming...
http://www.chipandspin.co.uk/ points out that one CAN be defeated, and disturbingly EASILY. Heck, the supposedly even more secure Passport RFID was breached recently and in a way that at least the bulk of the RFID readers for it can't detect the tampering.
-
Chip and Pin security discussion
Ross Anderson and colleagues present a great deal of information on what chip and pin does and doesn't do at http://www.chipandspin.co.uk/