Chip & PIN terminal playing Tetris
Fearful Bank Customer writes "When British banks introduced the Chip-and-Pin smartcard-based debit and credit card system three years ago, they assured the public it was impervious to fraud. However, the EMV protocol it's based on requires customers to type their bank account pin number into store terminals in order to make any purchase. Security researchers at the University of Cambridge Computer Laboratory derided the system as insecure at the time, as it gave access to customers' bank account pin numbers to every store they bought from. Despite these objections, the system was deployed, so researchers Steven Murdoch and Saar Drimer recently modified a straight-off-e-bay chip-and-pin terminal to play Tetris, with a video on YouTube, demonstrating that devices are neither tamper-resistant nor tamper-evident, and that even students with a spare weekend can take control of them. The banks are claiming that this can be reproduced only "in the laboratory" but seem to have missed the point: if customers have to type their bank account pin into every device they see, then the bad guys can capture both critical card information *and* the pin number for the bank account, leaving customers even more vulnerable than they were under the old system."
Those who would exchange security for convenience deserve Tetris!
I used to carry a bottle of whiskey for snake bite. And two snakes. -Nefarious Wheel
Does it run Linux?
Indeed!
They got it to play tetris by replacing the majority of the electronics inside it. It's not exactly like they got the actual terminal to play tetris...it's more like "They put a tetris game console inside the empty terminal shell, and used the terminal's keypad and screen for control and display." It'd be like skinning a copy of Windows 95 to look like Xwindows, and then saying "Look at all the vulnerabilities I found in linux!"
For your security, this post has been encrypted with ROT-13, twice.
Most people only have 1 PIN, so their PIN Number would be 1. I don't see the risk in that.
If you just meant "Personal Identification Number" and not "Personal Identification Number Number", then I would have expected better from a slashdot poster.
The potential security problem here is caused by the use of the same PIN for two purposes. You know how you should never use the same password for multiple security-critical systems? Well, that's exactly what some of the UK banks did.
See, EMV security is designed around the assumption that only the card and cardholder know the card PIN. The bank doesn't know it. The merchant terminals see it, but it has no value without the card. In particular, it should be of no use with the bank machine/ATM network.
How then, do you use a bank machine? Well, ideally, you insert your card, enter your PIN to unlock the card, and then the card performs a cryptographic authentication with the bank over the ATM network to identify and authenticate you so you can proceed to perform your transaction. But that requires the ATMs and network to be updated to support the chip card and to use the new authentication protocol.
The other method, of course, is just to use an account number and a PIN, just as you always have, but that PIN *must* be known by the bank's systems, which leads to the banks' dilemma when deploying the system. Their options were:
So, the banks mostly took option 3. I think some of them allow customers to request that their card and ATM PINs be "decoupled".
In theory, this means a malicious merchant can modify their PIN pad to capture the PINs and account numbers, and can then use the information to drain the accounts through the ATM network. In practice, this form of fraud hasn't happened, and it would be fairly easy to track unless the fraudster didn't steal very much -- a pattern of fraud on accounts whose cards have all been used at a particular merchant would be pretty easy to detect.
It could happen, of course, and probably will someday. If it becomes sufficiently serious, then maybe banks will have to abandon PIN synchronization. Hopefully, by then the rest of the world will have caught up and the ATM PIN can be discarded entirely.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
...will be a modification to Tetris to make that damn straight-line block appear more often.
"FDA staff reviewers expressed concern about the number of patients who were left out of the study because they died."
The Payment Card Industry (PCI) POS Pin Entry Device standards set by Visa/MC/JCB specifically require that a device used for credit card transactions NOT store the PIN and be resistant to tampering (such that a card holder would be able to see that something is wrong with the device if it had been tampered with). Merchants are required to use devices that have received PCI certification through a certified testing lab. It would be interesting if these devices have received that certification. Visa standards here - Visa Partner Network
j.
I think putting Tetris on the machine makes it pretty obvious that it has been tampered with.
Being an American living in Britain, Chip & PIN makes a lot of sense. Any sort of technology is available for fraud, but this is 100x better than the signature security as well as the PIN is not transmitted past the terminal because it is all handled through the card. Basically the CHIP on the card is asked if the entered PIN is valid and the chip is responsible for authorizing it, not some remote system that needs to be verified with.
While retailers could hack their terminal to swipe PINs, they would essentially need the physical card as well in order to use the collected PIN anywhere else and in most cases, the card never leaves the direct control of the card holder. Online retailers never ask for your PIN. They have to use the standard CCV2 code and authorizations with the bank to get their money.
So while someone could "sneak" my PIN it is totally useless without the physical card. I personally have reduced the amount of cash I carry with me, because everyone has Chip and PIN terminals and it is a lot easier to pay with that than worry about the cash. I really like it and think the States should adopt it.
D.O.U.O.S.V.A.V.V.M.
The real problem I see here is that new technology is presented as "unbreakable" then allows the business interests to ignore victims of fraud. In the U.S. we've already seen this happen with the special chipped keys for new vehicles. The auto makers insisted the technology was unbreakable, and the insurance companies responded in kind by denying theft claims from those victims unfortunate enough to have purchased a vehicle with one of these chipped keys.
I'm sure the banks are ready to further punish any victims of this broken "unbreakable" bank card system. I'm not British, so I don't know how applicable this is in the UK, but I imagine it is still a problem.
{ - Generic Guy - }
In Canada we've had a system called Interac for several years now. It works in a similar fashion. It's been enormously successful, and of course some people have taken advantage of it. Some use simple setups, like having a card reader to get the magnetic swipe info from the card, and simply watching the customer enter their PIN. Others have replaced the terminals with ones that record. Even more crafty people have put an insert on the card receptacle on an ATM, that looks like the stock one to the untrained eye. They leave it on for a few hours, then return and take it back with all the codes stored in it. Any system can be circumvented. To the best of my knowledge though, no one has broken the actual encryption on a system like Interac, it's all methods of capturing the data in its unencrypted form (ie, a camera pointed at the pin pad).
What annoyed me was the shift in liability. The old fashioned "swipe and sign" cards, if they were compromised and somebody nicked your cash then the banks could be held liable and some remittance sought. However - with the new system there is an automatic assumption that you have given your PIN away and hence it's your fault and you can be held liable. So if somebody stands behind you, watches you type in your PIN and then follows you outside, mugs you and steals your card - then you can be held liable for not taking care of your PIN number. Also the system seems quite unreliable even now.
I don't know about you guys, but I wouldn't mind having to play B-Mode Level 9 for a quick $40. More fun than the previous models with the "number game". Maybe a little siren could go off and you'd get a free lolly. And it better be cherry, too.
"No freeman shall ever be debarred the use of arms." -- Thomas Jefferson
First, we've been using chip-and-pin smartcard-based credit and debit cards for years in France, without significant problems. Of course, there's been a few researchers here and there claiming to have broken part of the cards' security, sometimes rightly so. However, the system has remained quite sturdy considering the huge amount of transactions done every day.
I type my PIN almost every time I use my card, and I use my card a lot. Cheques are an almost extinct species here. It's money or card, mostly. The only place where PIN is not requested is at the highway tollbooths. That would slow the traffic too much, the transaction amount is rather small, and they probably take note of the cars' registrations, so the risk is small and I don't mind using the magnetic stripe for that purpose. Apart from that, in the past few days, I've typed my PIN to: withdraw money from my bank, pay at the supermarket, pay for a few clothes, pay for the New Year's Eve food, pay for the Christmas gifts, pay for my monthly tram pass, pay at the gas station... That's just from the top of my head. And I've been doing it for more than ten years.
Frankly, I don't see the problem with requesting the PIN at retail outlets. The article sounds like FUD and fearmongering.
However, here's the part that weirds me out, maybe just an error in the writeup: what about this bank account pin number? Does this mean that in England they have some kind of all-powerful PIN that unlocks whole bank accounts? In France the PIN is specific to the card, the bank wouldn't know what to do with it.
Anyone tampering with one of these machines will be caught by one of Britain's numerous public security cameras, promptly arrested and beaten senseless before being thrown into the drunk tank with an American dick named Sue. The banks are correct that tampering can only happen in a controlled environment.
http://www.etv.tudelft.nl/vereeniging/archief/lustrum/90/english.html was the Guinness book of records attempt by the faculty of Electrical Engineering at Delft University of Technology in the Netherlands.
:) Although walking through the corridors was a slight bit of a problem with all the cables lying there.
:)
I was there and it was absolutely hilarious
Great stuff for those interested in Tetris
Coz eternity my friend, is a long *ing time.
I'm 24, live in the UK, and I have no credit or debit cards. All I have is a savings account card for the classic 'hole in the wall' money system. Shell (the petrol station) removed their Chip and Pin facilities for 3 months because of security concerns. Think I'll stick with cash for my purchases in the future.
Yeah, that's what I use at the ATM machine when I want to drive my SUV vehicle to the store and buy some DIMM modules. I'm working on a device to detect the HIV virus, but a I need a good TLA acronym to call it.
Lemmings are silly; dinosaurs are extinct.
There have been cases in the US where thieves have gone as far as setting up real ATM's in places like shopping malls in order to con people out of their bank cards & PIN's. They just buy/steal a machine like you see in a convenience store, rig it so that it looks like it's working but displays an error message instead of dispensing cash, then wait for people to try to use it. It records the bank card info & PIN's that are entered, so when the crooks come and retrieve the machine they have a bunch of accounts & PIN's to go have fun with.
If thieves are smart & brazen enough to do this with full ATM machines then doing it with one of these small terminals is a virtual no-brainer for high-tech thieves. They just need to figure out how to locate them where people are likely to trust & use them.
"Steven Murdoch and myself took the chassis of a real terminal and replaced much of the internal electronics such that it allows us to control the screen, keypad and card-reader"
Umm, how exactly does that prove the actual terminal is vulnerable? Other than if you get hold of one and have some tools at hand and lots of time then yes you can open the lid and get to the electronics inside. But I think we all knew that already.
This is a non-event.
Personal Identification Number Number?
Why not PINN number, or PINNN Number?
I'm sure they enter their "PIN Number" into the "ATM Machine".
-- Give me ambiguity or give me something else!
In the US we have debit cards that operate as both an ATM card, and equivalent to a credit card - only drawing the cash from the bank account instead of a line of credit.
So - the only time I have to enter my pin number is at the ATM. For all other purchases I use it like a credit card (and save the ATM surcharge as well).
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
That the whole point of this is to demonstrate that if you use the merchant's hardware to enter any personal data, it is *impossible* to be tamper-proof or tamper-evident for sure.
My vision has always been a smart device with a crypto engine, that provides its own display and entry. It would plug into POS equipment, and tell the POS equipment at first, only enough to identify itself and tell the POS which financial institution to contact.
The financial institution would receive from the merchant the account holders ID number and some info about the transaction (i.e. the amount, maybe an interval if a service, maybe a tolerance if a repeating service charge). The financial institute would look up the customer's public encryption key, and use it to encrypt all that data together with a challenge string, and send that back to merchant.
Merchant relays the encrypted package to the customer smart device. The device then (maybe using a passphrase to decode private key like a pin, but not linked to anything outside the device) uses the private key to decode the data, and display to user what the financial institution thinks the merchant is asking for with a confirmation. If user confirms details, the decrypted challenge is sent to POS and the merchant relays it to Financial institute.
Financial institute upon receipt of a correctly decoded challenge, authorizes the transaction, and gives the merchant an affirmative response with an authorization code that is *only* valid for that specific transaction.
Here, the financial institute *only* has the customer private key, so ripping off that database won't give anyone access to the account. The merchant knows they are getting the money, but isn't left with anything they *could* use to get more money than the customer authorizes directly. The only place that has the private key is the customer's smart card, which should *never* allow it to be transferred out (probably should be generated by the card and only the public part uploaded when issued). If using a passphrase for storage of the private key, it even has resistance to physical theft.
For bonus points (actually, I would pretty much demand it), have it somehow able to plug into usb ports for online transactions. Of course, online, the customer and financial institute can talk directly, simplifying some of it, but the model need not be changed much for online stuff. Again, the PC would never get the private key, so you would have to use the device.
I would *pay* an upfront charge to help cover the cost of the device in exchange for such security. If it's half-assed and uses merchant display/entry, or shares the private key *ever* theoretically, I wouldn't.
XML is like violence. If it doesn't solve the problem, use more.
Sorry for the pompous post heading, but the first part is true, I wrote a large part of Tesco's system including about half of the EMV processing component. It's a customised version of what was the world's first integrated EMV system (ie card reader + PC + store level auth servers + central connection to VISAnet, LINK etc).
Whether you should listen to me or not is another matter.
The chip controls the transaction. That's how it goes. The chip decides if it can trust the terminal or the bank based on cryptographic signing operations. The terminal is verified by a process in which it concatenates various pieces of data, performs a crypto op on them and presents the result to the card. The card compares this to its own result (depending on the card it either has one precalculated and uses the same one each time (low security) or does the same calculation itself on a set of data including some session data (better security)).
PIN is encrypted as soon as it is entered and should never leave the device it's entered on in plaintext form, it is presented to the card as a cryptogram for validation.
When a transaction is presented to the bank for authorisation it is presented with yet another cryptogram so that the bank can validate the card. The response also comes in the form of a cryptogram so that the card can validate the bank.
However, I'll agree, all this is pretty useless if someone can get inside the terminal and intercept the PIN at hardware level. Other than that and the looking-over-shoulder social security hole problem, EMV's pretty bullet proof. Your PIN doesn't ever even get to the PC that's running the transaction.
If you want to know more then the actual standards are available at EMVco, but they're the nearest thing to legalese I've ever encountered as a software Dev. I'm out of the payments game now, but my knowledge should still be pretty relevant, I hope.
is that the banks have asserted that if there is a problem then it isn't THEIR fault, since the chip and pin system is hack-proof.
Either the customer or the merchant gets it in the shorts. NOT the bank. Which is why it was implemented, really.
Now that the system has been shown to be hackable, this line is no longer good enough and the banks must (but probably won't) take responsibility.
I'm sure Fish & Cushion would have something to say about this.
In Portugal we had an attempt on a similar technology back in the middle 90's, called PMB ("Porta Moedas Multibanco", which translates roughly into "ATM Wallet").
It was basically a smart-card you could load with a certain amount on any ATM and make payments anywhere a terminal existed (many vending machines, for instance, accepted PMB) without inserting any code whatsoever. So it basically replaced your wallet, if someone stole it the money still loaded in the card would be lost.
This wasn't much of a problem, since in Portugal we have a single entity managing all debit cards, so you get money at any ATM or pay at any debit terminal regardless of your bank, so the PMB cards were only used for micro-payments and never carried much money anyway.
The system wasn't very successful, though. Not enough information given to the public in a time where the concept of electronic money wasn't all that widespread...
Meh... If replacing the electronics inside a device counts as a demonstration that the device is "unsafe", then there can never be a "safe" device. It's like taking a Volvo, swapping the accelerator with the brake, and then declaring that Volvos are inherently unsafe. I still haven't seen evidence of the tamperers acquiring possession of credit card info -- which is really the issue at hand.
------ The best brain training is now totally free : )
While your idea seems very well thought out, it still wouldn't guarantee it couldn't be a dummy terminal that's designed to collect swipe data and pin codes.
My thoughts are that after you swipe your card, the terminal should give YOU a PIN number that should match a PIN that the bank sends you with your card. At this point, once you verify that it is indeed legit, you provide your counterpart PIN.
And since it doesn't have to be entered, it could be a word, or with LCDs, even an image.
Hell, for that matter, even an image of YOU would work (in fact, this would also have a good usage to prevent fraud in cases of CREDIT transaction (as opposed to the debit transactions that we're talking about)).
This isn't that impressive of a hack. Basically they made their own machine and put it in a Magic 6000 box. They don't even show PIN or CC# capture in the video. Even if they did show that, they aren't able to dupe a chip and PIN card. The worst they might be able to do is create a magstripe card, which isn't nearly as useful.
Basically all this shows is that you can rip the guts out of a Magic 6000 without making significant changes to the top surface of the machine.
Lasers Controlled Games!
If we accept the response by the manufacturers at face value what they say is that while the doctored machine can intercept some information it still cannot be used to counterfeit a chip-and-pin card or forge a chip-and-pin transaction. Thus they are still correct in saying it's impossible to beat--for now at least.
Any system can trick users by social engineering. But technically this chip-and-pin system is still secure in the face of that. Their weak point is that because the overseas transactions are robustly secure and can be forged from the information gathered by this attack. Thus the banking system is not perfectly secure but the problem is not the chip-and-pin itself.
Some drink at the fountain of knowledge. Others just gargle.
1: they cannot authorise the transaction using this method so the customer wouldn't be able to pay for what they intended to buy. The second a chip and pin card reader is opened and modification is attempted, it bricks itself. This would mean it's impossible to modify the internals and still enable the reader to contact a bank. Shops would notice pretty fast if lots of people were stealing goods and getting someone to swipe the card in two different readers (one fake, one real) would quickly get you reported.
2: it is impossible to clone a chip using a reader. The chip only accepts certain encrypted commands and responds differently each time to these commands in a way only the bank is able to decrypt. It's not possible to dump these chips and it would be easier to steal the card than to recreate the chip physically. And no they are not RFID, they require physical contact (as a scare story last year mistakenly made out)
3: Magnetic stripe info and pin is not enough to use a card. These cards cannot be read without the chip (I assume if you try, the card gets swallowed). There was an incident last year when cloned chip and pin cards which didn't have the chip would be read in some ATMs in India causing accounts to get emptied but this was down to sloppy authorisation techniques by the banks in question (it should've been obvious the holders weren't in India, withdrawing 500 quid from outdated, insecure ATMs).
This isn't the same thing as Interac. From what I gather, this is to replace credit card transactions. In other words, instead of reading the card and getting the client to sign a slip of paper, the merchant reads the card and gets the client to type in a personal identification number. This is clearly more secure, because the PIN/chip relationship is verified electronically every time a transaction occurs, whereas signatures need to be verified by people who can be lazy or distracted. Someone needs to steal both your card and your PIN in order to access your account. With regular credit cards, all someone needs is your credit card number.
Also, with Interac, both the card number and the pin are transmitted to the bank for verification. From what I understand, with the chip and pin system, the verification occurs within the keypad, and a one time transaction code is sent to the bank. The keypad is supposed to be tamper evident.
Oh, and by the way, debit card systems like Interac have been in use all around the world for years now. Canada may be a world leader in consumer usage, but it is far from rare in other countries.
When our name is on the back of your car, we're behind you all the way!
we used to dust the keypad with talcum powder, but I suppose you use something a little less conspicuous now ......
I visited UK this past Summer and had two different incidences where the (admittedly) very young waitresses didn't know how to handle my old fashioned American credit card. They kept sticking it into the chip and pin terminal and telling me it wouldn't work.
Amazing it's only three years old and already so integrated into society there.
Can someone with a chip and pin card from UK use it like a regular credit card in the US (where there are no chip and pin terminals)? Seems a bit ridiculous to me to be migrating to schemes where the former ubiquitous use of credit cards worldwide is changing to be incompatible, at least as far as usage goes.
I assume you were doing your best to avoid saying it outright?
we men have been using this tactic to get laid since beginning of time. We trick women into thinking we're sweet, sensitive, smart guys all the time. women = card holders, men = fake machines, PIN = u figure it out ;)
However, I'll agree, all this is pretty useless if someone can get inside the terminal and intercept the PIN at hardware level. Other than that and the looking-over-shoulder social security hole problem, EMV's pretty bullet proof.
This seive is watertight... except for the holes that is...
Thanks for that explanation. However, doesn't this presuppose that you are slotting your card into a bona fide machine? Couldn't someone do what the team in TFA have done and replace the innards of a chip and pin machine with new electronics? Then this machine could fake the entire process of entering your pin, the whole "Checking card, not not remove", "Please remove card" thing, spit out a receipt from the cash register and away you go, innocently believing that you have just completed a purchase when in fact you have handed over your card details to the crooked retailer.
My understanding is that this is the purpose of TFA: to point out that chip and pin depends on the user's trust that the machine in front of them is a genuine, verified chip and pin machine, when in fact the user has no way of checking this for sure, and that the validation for chip and pin (i.e. entering your PIN) is highly vulnerable to compromise by such means.
Well, unless you know something I don't, I partly disagree with one point on your #1: bricking. I thought you would be interested to see a related example of chip hacking, which can be applied to smart-cards using a PIC chip:
:)
http://www.bunniestudios.com/wordpress/?page_id=4
Clearly those cards use different technology but -- caveat emptor! A PIC wasn't meant to be hacked either - with microscopic physical protection in place. The example was in DIP form but there is virtually nothing different from the guts of a DIP chip and QFN.
Also, given enough time, boredom or economic motivation anything is possible. I have seen hackers decrypt things that shouldn't be possible to decrypt...and I have seen them do this for me for $50.
Not that I have a better suggestion, but, I don't believe in being too assured- paranoia is a healthy component of my life.
I'm French and we have been using a Card/PIN system for years. It mostly goes well. The only problem I'm aware of is someone coming up with a fake card allowing the transaction every time it is used (a so-called YES-Card). I don't think I've ever seen any PIN fraud around. I'm not very well versed in Credit Card security, but here's what I remember from some discussion with a friend of mine who works in that area:
- Your bank does not know your PIN. It is printed and mailed to you separately from the card. No one is supposed to have access to both at the same time, except yourself when you receive both of them.
- The PIN does not actually leave the terminal. The terminal performs some crypto on it, and the card authenticates the terminal.
- A terminal is supposed to be tamper-proof, meaning opening it in any way should destroy it.
- Your PIN is useless without the card. It is not used for any other purpose than using your card.
- Your card is mostly useless without the PIN. No store will be able to use a card without PIN (apart from toll booths, where they use the mag stripe for speed reasons, but the amounts are generally quite low). This obviously has changed in recent years, due to purchasing over the Internet, where you basically send your credit card number. I personally hate this and try to not use my card like that, even though my bank provides insurance over fraudulent transactions on the Internet.
So, from what I have seen in France, the dangers are:
- Giving away your card number AND visual cryptogram (possible use over the Internet)
- Letting someone learn or see your PIN, and then getting your card stolen
I hate using my card in any other country or on the Internet because it feels like I'm giving away the keys to my bank account every time I pay for something.
In France we basically use only card or cash nowadays, and mostly card because any store will take any kind of card (I hated it in the UK because half the stores would not take an "electron card", and I had to go get cash at the nearest ATM and carry it with me back to the store). Now, correct me if I'm wrong but it seems that the PIN this article is talking about is some kind of "master password" that has some use without the card. If that is the case, then this seems quite stupid to me.
That's not a nick, that's my NAME.
If that's the case, then isn't the PIN alone rather useless to a crooked merchant? From what I understand, the chip on the card is supposed to be difficult or impossible to duplicate (especially in a tiny form factor card reader device). So even if you have the PIN, it's of no use to you unless you either mug the person for their card or hope they've used it elsewhere.
I read the internet for the articles.
There's only one minor flaw to all of this.
While it is possible to build a 100% guaranteed nobody-will-ever-beat-this-and-I-don't-care-how-determined-they-are system in theory, nobody in the whole of history has built one in practise.
Or at least, not without some undesirable side effects. For instance, I can make my car 100% guaranteed impossible for a potential thief, no matter how determined, to drive away, but it's a mite inconvenient for me because I'd have to have it crushed.
What instead you have to do is make the system secure enough. In this case, "secure enough" is achieved as soon as it's cheaper to eat the cost of any fraud than it is to design & implement systems to make the fraud harder.
All it needs to do is to clone the magnetic strip (easy). You've kindly given it the pin.
Go to your local ATM and draw out $$$. Most ATMs still use the mag. strip and haven't been upgraded to chip/pin yet.
btw. up until *very* recently (last month or so) you could walk into tescos and buy groceries with a clone magnetic strip without even access to the pin - their software wasn't geared up to read it so it just assumed the card was legit... and since this was the 'self checkout' nobody even looked at it. You can still do that with NPC car parks (albeit for only about £3-£5 a throw, and you don't gain anything but free parking).
I'm not as familiar with the hardware requirements of EMV certification but yes, it rather does assume hardware integrity and retailer integrity.
Chip and PIN is designed to prevent card cloning and to some degree theft. Now card cloning was rife with magnetic strip cards because they were extremely easy to clone. A shop assistant or a waiter could easily pass your card through an extra reader and take the details, pass them on to someone else and then the card could be used all over town. This is eliminated as cards are impossible* to clone.
EVEN if the crooked retailer gets your PIN, he can't use it effectively as he can't make a copy of your card without access to the keys in the card that are never revealed. He can't run more transactions on your card through his system either because the transaction amount/number/date is part of the data encrypted by the card and sent to the bank.
He couldn't use it for more than a couple of purchases in other Chip and PIN enabled premises even if he copied the magstripe info onto a blank card with no/broken chip as the transactions would be flagged as suspect.
He couldn't use it in an ATM as they are chip enabled more often than not (in Chip'n'PIN countries). I know this as I was involved in the design and implementation of an ATM auth system too a couple of years ago.
What he could do is make a copy and use it abroad in a non Chip'n'PIN country or he could use it for internet purchases.
The key here, as I said above but I wish to reiterate, is that even if the merchant is crooked, he doesn't get the ability to make new cards and his avenues for fraud are severely limited.
Shall I let you all in on a secret though?
Chip and PIN is less about security for us (though it does help) than it is about security for the banks. Because fraud is now limited to merchants that either haven't upgraded to Chip and PIN or accept non Chip and PIN transactions, they are liable for any fraud through their systems.
That's the crux of it. Compromised terminal? Not the bank's fault. Accept a cloned card? Not the bank's fault. They'll still have to refund you immediately but they then get to penalise the merchant immediately where before they would have to prove the merchant's negligence in order to fine them.
*very hard anyway, as we all know, nothing's impossible in terms of security
As the card has to produce a cryptogram using a bank signed key.
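As an added illustration of the point made in this thread that a captured PIN does not let a crooked merchant replay or alter a transaction (this is not any commenter's code and not the EMV specification itself): the card's cryptogram binds the amount, date, transaction counter and terminal nonce under a key the issuer shares only with the card. HMAC-SHA256 stands in for the real 3DES session-key MAC, and the PAN, date format and key handling are constructed for the example.

```python
import hmac
import hashlib
import os

MAC_LEN = 8  # EMV application cryptograms are 8 bytes long


def cryptogram(key, pan, amount, currency, date, atc, un):
    """MAC over the transaction fields. Constructed stand-in for the EMV
    3DES session-key MAC: HMAC-SHA256 truncated to MAC_LEN bytes."""
    data = f"{pan}|{amount}|{currency}|{date}|{atc}|{un.hex()}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


class Card:
    """Model of an EMV chip. The key never leaves the object; the
    terminal only ever sees the cryptogram and the counter."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0  # Application Transaction Counter

    def generate_arqc(self, amount, currency, date, un):
        self.atc += 1
        mac = cryptogram(self._key, self.pan, amount, currency, date, self.atc, un)
        return self.atc, mac


class Issuer:
    """Model of the issuing bank's host, the only other holder of the key."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue(self, pan):
        key = os.urandom(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return Card(pan, key)

    def authorise(self, pan, amount, currency, date, atc, un, arqc):
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc[pan]:
            return False  # unknown card, or a replayed/out-of-order counter
        expected = cryptogram(key, pan, amount, currency, date, atc, un)
        if not hmac.compare_digest(expected, arqc):
            return False  # amount/date/nonce changed, or MAC made without the key
        self._last_atc[pan] = atc
        return True


def demo():
    """One genuine purchase, then what a terminal that recorded the PIN and
    the full transaction record can and cannot do with it."""
    issuer = Issuer()
    card = issuer.issue("4111111111111111")  # constructed sample PAN
    un = os.urandom(4)  # terminal's unpredictable number
    atc, arqc = card.generate_arqc(1500, "GBP", "071201", un)
    legit = issuer.authorise(card.pan, 1500, "GBP", "071201", atc, un, arqc)
    replay = issuer.authorise(card.pan, 1500, "GBP", "071201", atc, un, arqc)
    inflated = issuer.authorise(card.pan, 99900, "GBP", "071201", atc + 1, un, arqc)
    forged_mac = cryptogram(b"not-the-card-key", card.pan, 1500, "GBP", "071201", atc + 1, un)
    forged = issuer.authorise(card.pan, 1500, "GBP", "071201", atc + 1, un, forged_mac)
    return {"legit": legit, "replay": replay, "inflated": inflated, "forged": forged}
```

Note that this check only covers the chip path; the magstripe fallback that several posts mention has no cryptogram at all, which is why it remains the weak point.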
Was it your idea to allow swiping of the card without a requirement to enter the pin? I'd guess it was upper management, since you sound relatively clued up..
and I know for a fact that there are security vulnerabilities. For a start, there is no encryption of the PIN between card and pinpad. If you can devise a shim that slots in to the card reader (or similar MITM attack) you'd get the plaintext PIN. A lot of stores still swipe the magstripe, so even if you can't copy the smartcard you could still do magstripe+pin ATM withdrawals. The other issue is that there are various encryption keys that can be used to upload new software to the PED flash without tampering the secure hardware - there's an RS232 port accessible from a port on the back of the PED. These keys have leaked to people actually doing legitimate software development; they're useful as they allow you to load code on to real pinpads for testing... it's only a matter of time before one leaks out to the fraudsters.
Besides, the Trintech PayWare chip and pin system has already been abused to grab PINs at Shell petrol stations, and that was running Linux on VISA certified secure hardware. I don't see why people are still surprised that this is possible.
It's a handover thing, until all cards are EMV and all merchants are EMV enabled then cards require a magnetic stripe so that the customer can still use them everywhere. This is a bit of a security hole.
I don't know which country you're in but the legacy magnetic stripe behaviour differs by country. In the UK we never had a system of Stripe + PIN, it was Stripe + Signature, whereas I noticed in the US that PIN was prevalent.
Hopefully I've answered that here
Basically even a dodgy merchant can't clone your card.
I live in the UK. Even though I enter my PIN at loads of terminals every day, I'd argue that we're better off with Chip + Pin. There are a number of great posts about the technical details of why Chip + Pin is more secure, but it's easy to see the advantages with an example from just a few weeks ago...
My sister (in the US) had her purse stolen recently and the thieves racked up a few thousand dollars of purchases in under an hour (she reported the loss just 40 minutes after she left her bag behind). Without Chip + Pin, they just stole the card and made a poor attempt at her signature. And really, they didn't even need the card, they could have gathered loads of card swipes with a hacked terminal/ATM and duped them. If her card had Chip + Pin, the thieves needed to get her PIN *and* the original card.
Currently, you cannot dupe the Chip part of the card and every transaction over a certain value must go via Chip + Pin. The hacked terminals in this article would be capable of stealing a PIN, but they can't take the card or dupe it... so thieves are left without anything unless they want to resort to violence.
In the end, my sister suffered through a huge hassle and a week without any money but got all her money back. If she had Chip + Pin, she'd have likely only lost a few quid.
Though try buying anything major with it and you ought to get refused or phonecalls from your bank.
They likely haven't got around to replacing a large part of the ATM estate, banks are good like that. Everyone has to jump to their tune but they don't always follow it themselves.
"For a start, there is no encryption of the PIN between card and pinpad"
Yes there is! You present the card with an encrypted PIN block in ISO (8583? it's been a while) format. The shim would get you that but nothing else of any use.
ATMs *should* be getting upgraded to chip and pin by the banks. Whether they are or not is anyone's guess.
And yes, a lot of terminals do have RS232, if the keys leak then that's a security vulnerability.
I said in another post - this is more about shifting liability from the bank to the merchant in cases of fraud than it is about protecting you or I, we just get a little more security out of it as a byproduct.
I was in Madrid for the IWP and while we were out in an international group looking for somewhere nice to eat I asked our native resident "if there were any good English restaurants in town?". Much to the guffawing of the others and myself.
Though that did get me thinking about what would that even be serving if such a thing existed.
As Naomi Campbell said "I love England, especially the food. There's nothing I like more than a lovely bowl of pasta."
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
I have never seen this, but a question I'm left with is if a phishing site is well crafted, what would prevent them from taking the info you entered, re-entering the data into BOA's site, getting the 'goofy picture' image, and displaying it on their page?
XML is like violence. If it doesn't solve the problem, use more.
You're right, depending upon the supported verification methods in the card then plaintext PIN presentation was an option. As I say, depends on the card.
The bank sends a cryptogram which the card decodes and verifies. This is the two way auth. Actually it's three way because the terminal is cryptographically verified too. There's just no tamper resistance built into the spec.
I know a 4 digit number isn't the height of security, but what would you suggest that cardholders do to identify themselves?
Remember that old people and idiots have to use the system.
Also it is futureproofed to allow for Fingerprint/Iris recognition or other methods in coming years.
I never worked for Tesco's, just the people who sold them their system. That sounds like lunacy to me, especially seeing as one of the major points about chip/PIN was more secure unattended payments!
I never quite got why they like the swipe and park thing so much, I know at attended tills it was so there was no change in arm action for the till staff, they just take any old card, chip or otherwise, swipe it down the reader and leave it sat in the bottom.
I try to avoid using it by sticking my card directly into the pinpad at supermarkets rather than handing it over to be swiped AND stuck in the reader. I think it's to do with data mining, ie so they can track purchases even if you don't have a clubcard. I instinctively bristle against that.
Not that they couldn't do it with the Chip data, but nobody seems to have told them that!
It bothers me that at an arbitrary point of sale the cashier can swipe your card's magnetic stripe (as they do at supermarkets here [uk]) and get you to put in your pin. I'm sure it would be quite easy to put a low-tech false keypad over the top of the real keypad and capture your PIN.
... bastards.
Then, because the stupid chip-and-pin cards use the same pin for getting cash at the ATM (which still use magstripes) they could go and empty your bank account with the cloned card.
Oh, and because the system is "secure" the bank denies all liability
Cash.
You are being MICROattacked, from various angles, in a SOFT manner.
The real problem here is the lack of Authentication. EMV does not enforce the use of Chip Card authentication schemes like DDA, SDA or CDA. With this hack, the compromised machine is fooling the card and the user into thinking it is a legitimate transaction terminal. If authentication schemes were used, the card would never give up its account data to the terminal. The user could still be fooled into giving up their PIN, but the attacker would not have the corresponding card data (Unless, of course, the machine convinced the user to swipe the card through a magstripe reader ... then all bets are off).
You sly dog: you got me monologuing! - Syndrome
Problem is, people just attach a reader to the top, that looks like part of the machine, a little camera in that (ironically in the guard that's meant to block the view) and they have everything they need. I've seen it done on ATMs, why not on these?
-- Lattyware (www.lattyware.co.uk)
But that hole is impossible to get around, which is why we have fraud protection and the banks have come up with this whole chip and PIN malarkey to shift the liability for it onto the merchant.
Also, as pointed out previously, even if you get the PIN, you can't clone the card.
It happened due to a bank mandate. Anyone that tells you it's illegal to use a non chip card is stupid/misinformed.
Get banks to actually do this.... and give a share of each one sold to an account holder to my bank account.
XML is like violence. If it doesn't solve the problem, use more.
I'm not familiar with any legislation on this matter, I wasn't aware it existed, the scheme is a bank mandate. I also find it odd that they would give you a non chip card if you requested. Even odder that someone would request it, this story highlights a security hole but there still aren't half as many as there are with non-chip cards.
All EMV cards are issued with a magnetic stripe on them for now.
Hopefully the USA is going to pick up EMV sometime though - Much of the rest of the world (Europe and far east) have adopted the scheme.
> Any sort of technology is available for fraud, but this is 100x better
> then the signature security as well as the PIN is not transmitted past
> the terminal because it is all handled through the card. Basically the
> CHIP on the card is asked if the entered PIN is valid and the chip is
> responsible for authorizing it, not some remote system that needs to be
> verified with.
When a shop asks you to use chip and PIN, you insert your card into a black box with numbers on it. You have no idea what this black box does. When you insert your card and type in your pin, it might only verify your transaction. Another thing it could do is scan and save the magnetic strip on your card and record your pin number. You would be none the wiser. Somebody could then create a copy of your card (minus chip) and then use it to withdraw cash from a cashpoint (possibly in another country).
How do you know if the machine handed to you won't do this? You can't; it's a fatally flawed system. It's similar to if a potential hacker asked you to use their keyboard to log into an account; there might be a hardware or a software keylogger running and you couldn't tell.
At least with a signature there is some way to prove that it wasn't you withdrawing the money and you don't go handing out your pin number to everyone. Your above description would sound good if the card actually contained the keypad, but the keypad is provided by untrusted third parties.
But either slashdot ate it or I posted too many too quickly and didn't notice the error.
Suffice it to say it comes down to my own irrationality.
One thing that doesn't guard against is the merchant lying to the customer (i.e. the device says 'we are charging you $1.50', while the merchant actually asks for $2.50 from the bank - enough to be unfair, probably not enough for a person to remember it being wrong). The chances any company would risk such a stunt are slim, but if the banks wanted to go a lot further toward not having many fraud claims to manually deal with, the more convoluted scheme could work...
True though, that the described approach would make PINs useless from one moment to the next, and take care of the bulk of the problem (merchants keeping your account info, and someone else, an employee of the merchant, or the merchant themselves abusing that saved knowledge at a later date). I suspect the amount of fraud done at the time of a legitimate purchase (overcharging) is admittedly very low, and even in such cases not done to the point of critically endangering your account balance.
XML is like violence. If it doesn't solve the problem, use more.
Aside from problems mentioned above concerning the fact that this 'hack' involves mostly hardware removal and replacement (come on, you don't know that there isn't just some monkey handing you bills when you put your card in an ATM, do you???</sarcasm>), do no other /. readers check Hack A Day's RSS feed?
/.? Mod me for flamebait, but I saw this last week and didn't consider my bank account in jeopardy, not even when the repo depo was hauling large, colored L-shapes and squares out of my living room...
...demonstrating that devices are neither tamper-resistant nor tamper-evident, and that even students with a spare weekend can take control of them. The banks are claiming that this can be reproduced only "in the laboratory"...
The relevance of this article to security is kind of vague, and it's at least 5 days old - what's going on
Tamper-evident??? I'm sure that students with a spare weekend might include kids who can open plastic casings and then repaint and re-model them so that exterior evidence of tamper is minimal or nil, and then what happens when you replace the hardware? Surely you wouldn't write software for it that says "Hey! Some kids with a spare weekend have opened this terminal, replaced the hardware and are draining your bank account right now!"
This is FUD, aside from the point about having to use your PIN at a public terminal. And if a shopkeeper doesn't want you to know that he's tampered with the hardware, he doesn't have to. A security camera at the right angle and focus could capture PIN pad sequences, and if you know your regulars like most convenience store workers (which is where I use PIN pads the most, and yes places like WAL-MART have many more customers but fraud from 10 people is plenty, no need to wring out 1000s of WALLY WORLD idiots with PIN pad scams, especially when you're already screwing them and your employees), then you can know whose PIN you have so one day they come in and "Oh, sorry, our card scanner is broken - I'll have to input the # by hand" and there you go - have good memory for 16 digits?
...you can just be asked for a signature instead. This happens to me often enough as it is, although more often abroad on the continent (where it only seems to work around 50% of the time.)
Which is why that will be phased out over time.
A merchant accepting swipe cards assumes the liability for it. Which means that after they get hit a couple of times they'll stop accepting fallback.
Banks will (slowly) phase out ATMs using magnetic data, hopefully.
But yes, your summation is correct, the real security hole is the fallback mechanism.
As I say, the major push behind this was to seal a gap in the banks' liability for fraud anyway, despite what the public message might be.
I do think that's pretty far fetched and by that point we're talking about a serious criminal organisation and not "casual" fraud. The bar is sufficiently raised in my opinion, for now.
What makes you think it's even remotely possible to build such a machine (in any shape or form) with a budget of $1.2M?
Also which location gets one transaction every 2 minutes? Even a busy supermarket cashier doesn't get a transaction every 2 minutes. Assuming you were trying to plant your device into a busy place like a supermarket, your device would need to look similar in size to the other readers. This adds to the difficulty. You will also need to have a system to collect your chips, and track which chip was for which pin, without any of the customers or any of your coworkers or supervisor noticing.
You might try to get everybody (or at least the important people) in your store to be part of the scam, but this is going to reduce your profits, and increase your risks.
Also, you need to create the fake cards and use them quickly before they get deactivated by the owner noticing and calling his bank. I would say you have less than 12 hours. Since you still need somebody at the register processing cards, you need another team to create the fake cards and use them.
Even if you were able to do all that, think about the trail you are leaving behind, and how hard it is going to be to avoid the FBI when they come after you.
It should be easy for them to see that, for all the de-chipped cards, the last transaction was made at your location. Also it will be difficult to hide your tracks if you do 1200 transactions a day with your "fake" cards.
The best way not to leave a trail is probably to get cash at ATMs, but pretty much all ATMs have cameras so you or your team had better be clever about it...
In brief: there is no way you could set up a profitable operation and get away with it. (And I didn't even scratch the surface of the logistics involved).
There are much more efficient ways to make money (legally and illegally).
He really sucked at tetris. :)
Your sig(k) has been stolen. There is a puff of smoke!
...will be a modification to Tetris to make that damn straight-line block appear more often.
Tetris brand games since Tetris Worlds, including Tetris DS, already have this modification: the I tetromino is guaranteed to appear once in every group of 7 tetrominoes. Thus, if you have one group with the I at the start and one with the I at the end, the longest drought you can get is 12. The more even distribution makes it possible to keep your stack low arbitrarily long.
Why are they playing Tetris and not PacMan?
Eclipse PDE and Me