Slashdot Mirror
Chip & PIN terminal playing Tetris
Fearful Bank Customer writes "When British banks introduced the Chip-and-Pin smartcard-based debit and credit card system three years ago, they assured the public it was impervious to fraud. However, the EMV protocol it's based on requires customers to type their bank account pin number into store terminals in order to make any purchase. Security researchers at the University of Cambridge Computer Laboratory derided the system as insecure at the time, as it gave access to customer's bank account pin numbers to every store they bought from. Despite these objections, the system was deployed, so researchers Steven Murdoch and Saar Drimer recently modified a straight-off-e-bay chip-and-pin terminal to play Tetris, with a video on YouTube, demonstrating that devices are neither tamper-resistant nor tamper-evident, and that even students with a spare weekend can take control of them. The banks are claiming that this can be reproduced only "in the laboratory" but seem to have missed the point: if customers have to type their bank account pin into every device they see, then the bad guys can capture both critical card information *and* the pin number for the bank account, leaving customers even more vulnerable than they were under the old system."
Those who would exchange security for convinience deserve Tetris!
I used to carry a bottle of whiskey for snake bite. And two snakes. -Nefarious Wheel
They got it to play tetris by replacing the majority of the electronics inside it. It's not exactly like they got the actual terminal to play tetris...it's more like "They put a tetris game console inside the empty terminal shell, and used the terminal's keypad and screen for control and display." It'd be like skinning a copy of Windows 95 to look like Xwindows, and then saying "Look at all the vulnerabilities I found in linux!"
For your security, this post has been encrypted with ROT-13, twice.
The potential security problem here is caused by the use of the same PIN for two purposes. You know how you should never use the same password for multiple security-critical systems? Well, that's exactly what some of the UK banks did.
See, EMV security is designed around the assumption that only the card and cardholder know the card PIN. The bank doesn't know it. The merchant terminals see it, but it has no value without the card. In particular, it should be of no use with the bank machine/ATM network.
How then, do you use a bank machine? Well, ideally, you insert your card, enter your PIN to unlock the card, and then the card performs a cryptographic authentication with the bank over the ATM network to identify and authenticate you so you can proceed to perform your transaction. But that requires the ATMs and network to be updated to support the chip card and to use the new authentication protocol.
The other method, of course, is just to use an account number and a PIN, just as you always have, but that PIN *must* be known by the bank's systems, which leads to the banks' dilemma when deploying the system. Their options were:
So, the banks mostly took option 3. I think some of them allow customers to request that their card and ATM PINs be "decoupled".
In theory, this means a malicious merchant can modify their PIN pad to capture the PINs and account numbers, and can then use the information to drain the accounts through the ATM network. In practice, this form of fraud hasn't happened, and it would be fairly easy to track unless the fraudster didn't steal very much -- a pattern of fraud on accounts whose cards have all been used at a particular merchant would be pretty easy to detect.
It could happen, of course, and probably will someday. If it becomes sufficiently serious, then maybe banks will have to abandon PIN synchronization. Hopefully, by then the rest of the world will have caught up and the ATM PIN can be discarded entirely.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
...will be a modification to Tetris to make that damn straight-line block appear more often.
"FDA staff reviewers expressed concern about the number of patients who were left out of the study because they died."
I think putting Tetris on the machine makes it pretty obvious that it has been tampered with.
There's something about being pedantic that makes any joke you construct seem arrogant and quite the opposite of funny. Perhaps when you're filling the pedant role in the future, you can just stick to the job instead of trying to amuse at the same time.
Slashdot - where whining about luck is the new way to make the world you want.
The real problem I see here is that new technology is presented as "unbreakable" then allows the business interests to ignore victims of fraud. In the U.S. we've already seen this happen with the special chipped keys for new vehicles. The auto makers insisted the technology was unbreakable, and the insurance companies responded in kind by denying theft claims from those victims unfortunate enough to have purchased a vehicle with one of these chipped keys.
I'm sure the banks are ready to further punish any victims of this broken "unbreakable" bank card system. I'm not British, so I don't know how applicable this is in the UK, but I imagine it is still a problem.
{ - Generic Guy - }
What annoyed me was the shift in liability. The old fashioned "swipe and sign" cards, if they were compromised and somebody nicked your cash then the banks could be held liable and some remittance sought. However - with the new system there is an automatic assumption that you have given your PIN away and hence its your fault and you can he held liable. So if somebody stands behind you, watches you type in your PIN and then follows you outside, mugs you and steals your card - then you can be held liable for not taking care of your PIN number. Also the system seems quite unreliable even now.
the card never leaves the direct control of the card holder
Try shopping in sainsburys, they swipe the card in their own machine then get you to enter the pin number in the chip and pin thingy.
thank God the internet isn't a human right.
Anyone tampering with one of these machines will be caught by one of Britain's numerous public security cameras, promptly arrested and beaten senseless before being throw into the drunk tank with an American dick named Sue. The banks are correct that tampering can only happen in an controlled environment.
Yeah, that's what I use at the ATM machine when I want to drive my SUV vehicle to the store and buy some DIMM modules. I'm working on a device to detect the HIV virus, but a I need a good TLA acronym to call it.
Lemmings are silly; dinosaurs are extinct.
In the US we have debit cards that operate as both an ATM card, and equivalent to a credit card - only drawing the cash from the bank account instead of a line of credit.
So - the only time I have to enter my pin number is at the ATM. For all other purchases I use it like a credit card (and save the ATM surcharge as well).
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
That the whole point of this is to demonstrate that if you use the merchant's hardware to enter any personal data, it is *impossible* to be tamper-proof or tamper-evident for sure.
My vision has always been a smart device with a crypto engine, that provides it's own display and entry. It would plug into POS equipment, and tell the POS equipment at first, only enough to identify itself and tell the POS which financial institution to contact.
The financial institution would receive from the merchant the account holders ID number and some info about the transaction (i.e. the amount, maybe an interval if a service, maybe a tolerance if a repeating service charge). The financial institute would look up the customer's public encryption key, and use it to encrypt all that data together with a challenge string, and send that back to merchant.
Merchant relays the encrypted package to the customer smart device. The device then (maybe using a passphrase to decode private key like a pin, but not linked to anything outside the device) uses the private key to decode the data, and display to user what the financial institution thinks the merchant is asking for with a confirmation. If user confirms details, the decrypted challenge is sent to POS and the merchant relays it to Financial institute.
Financial institute upon receipt of a correctly decoded challenge, authorizes the transaction, and gives the merchant an affirmative response with an authorization code that is *only* valid for that specific transaction.
Here, the financial institute *only* has the customer private key, so ripping off that database won't give anyone access to the account. The merchant knows they are getting the money, but isn't left with anything they *could* use to get more money than the customer authorizes directly. The only place that has the private key is the customers smart card, which should *never* allow it to be transferred out (probably should be generated by the card and only the public part uploaded when issued). If using a passphrase for storage of the private key, it even has resistance to physical theft.
For bonus points (actually, I would pretty much demand it), have it somehow able to plug into usb ports for online transactions. Of course, online, the customer and financial institute can talk directly, simplifying some of it, but the model need not be changed much for online stuff). Again, the PC would never get the private key, so you would have to use the device.
I would *pay* an upfront charge to help cover the cost of the device in exchange for such security. If it's half-assed and uses merchant display/entry, or shares the private key *ever* theoretically, I wouldn't.
XML is like violence. If it doesn't solve the problem, use more.
Sorry for the pompous post heading, but the first part is true, I wrote a large part of Tesco's system including about half of the EMV processing component. It's a customised version of what was the world's first integrated EMV system (ie card reader + PC + store level auth servers + central connection to VISAnet, LINK etc).
Whether you should listen to me or not is another matter.
The chip controls the transaction. That's how it goes. The chip decides if it can trust the terminal or the bank based on cryptographic signing operations. The terminal is verified by a process in which it concatenates various pieces of data, performs a crypto op on them and presents the result to the card. The card compares this to its own result (depending on the card it either has one precalculated and uses the same one each time (low security) or does the same calculation itself on a set of data including some session data (better security)).
PIN is encrypted as soon as it is entered and should never leave the device it's entered on in plaintext form, it is presented to the card as a cryptogram for validation.
When a transactioon is presented to the bank for authorisation it is presented with yet another cryptogram so that the bank can validate the card. The response also comes in the form of a cryptogram so that the card can validate the bank.
However, I'll agree, all this is pretty useless if someone can get inside the terminal and intercept the PIN at hardware level. Other than that and the looking-over-shoulder social security hole problem, EMV's pretty bullet proof. Your PIN doesn't ever even get to the PC that's running the transaction.
If you want to know more then the actual standards are available at EMVco, but they're the nearest thing to legalese I've ever encountered as a software Dev. I'm out of the payments game now, but my knowledge should still be pretty relevant, I hope.
I used to work at a private financial institution that was a member of the Interac network. The security on modern ATMs in Canada is very good. Interac certification requirements are equal to or better than VISA/Plus requirements, which require:
The link between ATM and gateway, and gateway and Interac is probably the most secure aspect of the transaction. Most fraud I heard of was isolated cases of stolen cards (probably read the PIN over their shoulder and stole the card without cardholder's immediate knowledge), or of cameras recording PIN numbers (you need an insert on the card reader too). The only real problem now is that some older gateways still process non-compliant terminals which use weaker encryption (64-bit DES) or use PIN pads that aren't certified. Fines must be paid to keep these terminals operational, and I believe that there is a drop-dead date where nothing will keep the non-compliant terminals operating.
In practice, this means that an individual needs to pay attention to what ATMs they use. If it looks old and unreliable, there's a good chance it is. If it looks shiny and new, it's pretty likely that it meets current security standards, though it's possible to upgrade the case on some older models without upgrading the security.
mandelbr0t"Please describe the scientific nature of the 'whammy'" - Agent Scully
In Portugal we had an attempt on a similar technology back in the middle 90's, called PMB ("Porta Moedas Multibanco", which translates roughly into "ATM Wallet").
It was basically a smart-card you could load with a certain amount on any ATM and make payments anywhere a terminal existed (many vending machines, for instance, accepted PMB) without inserting any code whatsoever. So it basically replaced your wallet, if someone stole it the money still loaded in the card would be lost.
This wasn't much of a problem, since in Portugal we have a single entity managing all debit cards, so you get money at any ATM or pay at any debit terminal regardless of your bank, so the PMB cards were only used for micro-payments and never carried much money anyway.
The system wasn't very successful, though. Not enough information given to the public in a time where the concept of electronic money wasn't all that widespread...
Its not actually that easy.
e t/3399175.stm
Yes, you can get the PIN that method, but unless you can actaully handshake with the EMV chip you have absolutly zero chance of getting the bank details. In the UK certainly the chip readers do now actually have the option to confiscate the card so a fake mini-EPOS terminal is not going to work.
Your idea about using a real EMV EPOS terminal is a non starter as most of them are not allowed to do offline transactions - so you'd need an account and access codes to be able to use them. Good luck, let me know how that works out.
The only method that can still be used is a skimmmer (sits in front of the slot on an ATM and reads the card and photos the pin entry) but the average user is thankfully getting smart enough to detect that the shiny plastic thing clipped to the front of the cash point is probably not to be trusted.
skimmer: http://news.bbc.co.uk/1/hi/england/hampshire/dors
So that really only leaves mugging somebody or creating a fake ATM (which has been done many times) - both of which probably would work, but are futunately quite rare these days.
While your idea seems very well thought out, it still wouldn't gaurantee it couldn't be a dummy terminal that's designed to collect swipe data and pin codes.
My thoughts are that after you swipe your card, the terminal should give YOU a PIN number that should match a PIN that the bank sends you with your card. At this point, once you verify that it is indeed legit, you provide your counterpart PIN.
And since it doesn't have to be entered, it could be a word, or with LCDs, even an image.
Hell, for that matter, even an image of YOU would work (in fact, this would also have a good usage to prevent fraud in cases of CREDIT transaction (as opposed to the debit transactions that we're talking about)
If that's the case, then isn't the PIN alone rather useless to a crooked merchant? From what I understand, the chip on the card is supposed to be difficult or impossible to duplicate (especially in a tiny form factor card reader device). So even if you have the PIN, it's of no use to you unless you either mug the person for their card or hope they've used it elsewhere.
I read the internet for the articles.
...will be a modification to Tetris to make that damn straight-line block appear more often.Tetris brand games since Tetris Worlds , including Tetris DS, already have this modification: the I tetromino is guaranteed to appear once in every group of 7 tetrominoes. Thus, if you have one group with the I at the start and one with the I at the end, the longest drought you can get is 12. The more even distribution makes it possible to keep your stack low arbitrarily long.