Chip-and-Pin Vulnerable To Subtle Trickery
An anonymous reader writes "Cambridge University researchers, in an investigation for BBC Television's Watchdog programme, have demonstrated a man-in-the-middle attack for the chip-and-pin credit card security system used throughout the UK and Europe. In the attack, the card is inserted into a card-reader that has been tampered with, and the information transmitted in real-time to an accomplice who uses a specially modified card to make a higher-value purchase elsewhere. The modified card-reader shows only the expected amount, but the larger amount is deducted from the victim's bank account. It would not be easy to use this method in practice because the two transactions must be made simultaneously. The same team recently demonstrated a hacked chip-and-pin terminal playing Tetris."
When do you think the U.S. congress will sell back the legislation protecting credit card holders to a $50 liability on fraudulent purchases? I mean, bankruptcy "reform" got through. It is not like they like us anymore (or, at least, last session).
This is still safer than traditional credit cards!
Why not just add a $40+ fee over the normal $1-$5 fee they already charge at ATMs and call it a day.
Sure, this shows that you can fool a user to think they're using a valid machine, but it does not get at the transaction.
Engineering is the art of compromise.
Someone with a close eye on their account will notice the missing money and pull up recent transactions online. Armed with receipts and a printout of the impossible-to-make dual purchases with one card in two locations, the compromised machine can be shut down (de-authorised) and legal proceedings started. This attack has a name attached to the business using the terminal.
The attack is proof of concept, but it leaves too much of a trail.
The truth shall set you free!
This is due to be on 'Watchdog' (a popular consumers'-rights show) in about 45 minutes.
As I understand it, the point of this research is that the banks have been claiming that chip-and-pin terminals are completely tamper-proof. In fact, while they may be tamper-proof from the banks' point of view (preventing fraudulent transactions by destroying encryption keys if the case is tampered with), they're not from the customers' point of view - a dodgy establishment or criminal employee could clone your card with a terminal that looks legit.
So, ripping out the innards and putting a machine playing Tetris inside looks silly, but demonstrates that the devices aren't inherently trustworthy. And this is the next step: showing that a card can be cloned and the details used to make a fraudulent transaction using modified hardware.
#define struct union
I personally wish that we did use the chip and pin cards in the US because it's better than signature. I usually sign for things with "PWNED" or I draw pictures of pacman or kung-fu stick figures and no one seems to notice. The security that comes with signatures is a joke.
Mod me up, mod me down, do your worst you modding clown.
The method proposed in the article is meaningless. If the timing check is really 1-bit, the fake card can respond by itself, without relaying any data. Is it on purpose?
Much safer way is to measure time while performing a handshake.
Yes, there ARE some technical problems, but it would be a real check.
For the truly security minded: a wallet, a handgun, and the bottom side of your mattress. No interest charges or minimum payments!
Center bodied, omni-minded.
It's a fairly complicated attack, easily traced, and could probably only be executed once or twice per location before PC Plod comes calling due to the high visibility of the villains in pulling it off. Looks like way too little return for the effort and risk involved.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
Is there any relationship between Chip and Pin and Fish and Chips?
The Register's got this now:
http://www.theregister.co.uk/2007/02/06/card_security_attack/
Original blog:
http://www.lightbluetouchpaper.org/2007/02/06/chip-pin-relay-attacks/
So this along with the Tetris hack basically says if you are a retailer and have access to a terminal or other means of getting hold of a person's credit or debit card then you can potentially do lots of dodgy stuff. Who knew!!!
When I saw that Officemax was stupidly storing atm pins, I gave up. Now, the only machine that sees my atm card is my bank's. And even there, I look at the machine to see that it hasn't been tampered with.
For everyone else, I've reverted to checks and cash.
Here's what I don't get: It seems to me that, at least in most of the places I've been in Europe, European businesses are unwilling to turn away purchases from American tourists. Therefore, everyplace that uses the chip and PIN system can also accept American-style swipe-the-card transactions. So if your goal was merely to steal or clone a credit card and buy yourself a nice plate of frogs' legs, wouldn't it be easier to just do it American-style?
Second, do consumers not have credit card loss protection in Europe, the way they do in the U.S.? In the U.S., you're only liable for something like $50 on a fraudulent charge, and rarely do you end up paying even that. I had someone charge something like $950 to one of my cards recently, I spotted it right away, and it took something like a three-minute phone call to have the charge halted. They sent me a form in the mail, which I signed and returned, and that was the last I ever heard about it.
The real problem is not for the consumer and it's not for the credit card company. The problem is for the merchant. Here's how it works, at least in the U.S.: Someone steals my credit card. The thief walks into a Best Buy and purchases a TV. They walk out with the TV. I see the fraudulent charge on my bill. I call up my credit card company. They reverse the charge. Maybe someone investigates to see if they can find the person who made the charge. Let's say they're successful in their investigation (which actually happens more often than you think, mostly because most criminals are either stupid or greedy, or both). Unfortunately, however, the thief has already sold the TV and spent the money on crystal meth. Best Buy now has two options: A.) they can try to sue the thief to cover the cost of the TV; or B.) they can eat the loss and move on. Now let's say it isn't Best Buy. Let's say it's a single mom and pop store that's lost a TV and they have the same options. Sound fair to you?
Breakfast served all day!
Anne Robbinson my arse!
Watchdog?
I am watching a dog.
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
I used to print "Check ID" on the signature space on the back of the card.
A clerk had me sign the receipt, picked up the card - looked at the card & my signature, and then handed me back my card with a 'thank you'.
This is neat, but it's not exciting. I've written a smartcard proxy service that could also be used for evil. It works by capturing the client certificate request from a tls handshake, and sends the signed response to the server (some older web apps don't know how to use pkcs#11 libraries, which is what this is used for..it strips the client cert request out of the handshake so the client is none the wiser). I could rewrite my proxy to sign all kinds of data with the smartcard once the user gives the proxy his/her PIN...I could logon to banking sites and transfer money to me, buy stuff, essentially anything that the computer could do, and not inform the user.
I think Bruce Schneier's paper said it best. Sure the card is trustworthy, but when you're using any kind of smartcard, the card isn't the trust boundary. The card plus the computer (or pinpad in this case) that you're using it on is your trusted device conglomerate.
I think the real demonstration of this attack is that pinpads have vulnerabilities. Even that isn't earth-shattering. So does everything else where physical access is granted.
Which isn't to say that it isn't newsworthy (people should definitely be careful where they stick their card), but it does feed into idea #4 on the six dumbest ideas in computer security.
The Right Reverend K. Reid Wightman,
This attack is a form of a relay attack. These kind of attacks can be really, really hard to avoid. Basically you need both sides to be authenticated and communicate in a secure fashion. Both sides also need to be secured ("tamper resistant" or, if possible "tamper proof"). And to top it off you must be sure that anything you sign is really correct, and that the human input (if any) isn't listened upon. Of course, you must use something to confirm the transaction as well.
:)
Basically it comes down to the fact that this is almost impossible to accomplish. As shown, it's pretty easy to replace the terminal by a fake one. I can remember an attack where a complete ATM was even replaced by a fake one. It might be possible to see keypresses through emitted radio waves. There is some discussion about contactless credit cards that don't need PIN entry for small transactions; bad idea, it's possible to simply relay the signal from other terminals and have someone use many, many small transactions from someone else's card. If you cannot trust the screen, there is literally no way to see which transaction you are signing - this is for instance a problem with many banking sites, even if they do authenticate individual (aggregated) transactions.
Of course there are levels of security. Chip security is better than magnetic stripe security because the contents of the chip (and especially the key) cannot be (easily) copied. You can use a secure channel - if anywhere possible with terminal authentication - to hide the PIN as well, and really sign the transaction. Also, there is no need to store the PIN or PIN hash at the bank (currently any bank-employee with access to the PIN hash database can calculate the PIN in mere nanoseconds). But, as shown, it does *not* prevent against fake terminals - there are terminals with secure memory that could do terminal authentication and are tamper proof, but these are rather expensive.
I'm sorry if this response became something of a mess. Please be so kind as to blame it on the inherent difficulty of secure transactions.
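The timing-based handshake suggested a few posts up, and the relay attack described just above, can be modelled together. The following is an added example, not code from the researchers or from any card scheme: a simulated terminal runs a multi-round rapid-bit exchange (responses derived from a shared key, so a fake card cannot answer on its own as a 1-bit check would allow) and rejects any round whose round-trip time exceeds a bound, which is what a relay hop would violate. All latencies, the key and the bound are constructed values.

```python
import hashlib
import hmac
import secrets

ROUNDS = 32        # guessing every response succeeds with probability 2**-ROUNDS
MAX_RTT_US = 50    # constructed bound: a relay link adds far more than this


def response_bits(key: bytes, nonce: bytes) -> list:
    """Both sides derive the per-transaction register from the shared key."""
    digest = hmac.new(key, nonce, hashlib.sha256).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(ROUNDS)]


class GenuineCard:
    """Simulated honest card; latency_us models the chip's own response time."""
    def __init__(self, key: bytes, latency_us: int = 5):
        self.key, self.latency_us, self.reg = key, latency_us, []
    def start(self, nonce: bytes) -> None:
        self.reg = response_bits(self.key, nonce)
    def respond(self, i: int, challenge: int):
        return self.reg[i] ^ challenge, self.latency_us


class RelayedCard:
    """Fake card that forwards each rapid-bit round to the real card over a
    link with its own round-trip latency (the relay attack in the thread)."""
    def __init__(self, real: GenuineCard, link_us: int = 400):
        self.real, self.link_us = real, link_us
    def start(self, nonce: bytes) -> None:
        self.real.start(nonce)
    def respond(self, i: int, challenge: int):
        bit, rtt_us = self.real.respond(i, challenge)
        return bit, rtt_us + self.link_us


class GuessingCard:
    """Fake card that answers instantly without the key: the objection that a
    single-bit timing check could simply be guessed."""
    def start(self, nonce: bytes) -> None:
        pass
    def respond(self, i: int, challenge: int):
        return 0, 1


def terminal_verify(card, key: bytes):
    """Terminal side: fresh nonce, then ROUNDS timed one-bit challenges."""
    nonce = secrets.token_bytes(16)
    expected = response_bits(key, nonce)
    card.start(nonce)
    for i in range(ROUNDS):
        challenge = secrets.randbits(1)
        bit, rtt_us = card.respond(i, challenge)
        if rtt_us > MAX_RTT_US:
            return False, f"round {i}: round trip {rtt_us}us exceeds bound"
        if bit != expected[i] ^ challenge:
            return False, f"round {i}: wrong response bit"
    return True, "accepted"
```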
1a) Create a fake terminal that looks and operates like a genuine terminal. All the terminal does is record the 4 digit PIN.
or
1b) Place a camera such that it films the terminal as the card owner types in their 4 digit PIN.
2) Steal the card
3) Use the card + pin
In short, the terminal verifies itself to the credit card company, but not to me, the card owner. I don't trust 'em.
...The issue is that banks have used the argument that chip and pin is 100% secure to transfer liability for fraud away from themselves and onto the cardholder.
It is more secure than a signature that is never checked, sure, but 100% secure? No way.
This effort is designed to prove that it can theoretically be defeated without possession of the physical card, but you can easily imagine the decidedly low-tech method of someone looking over your shoulder as you make a transaction and then pick-pocketing your card.
Gee, there are much simpler attacks. In several cases, crooks set up fake "standalone" ATMs that simply captured the card and the PIN code. Since to the user it appears that the card was swallowed by a legitimate ATM, the user is not going to report it stolen right away. The effect can be reinforced by a properly dressed (read: a suit) impostor telling the customer that there is a problem with the ATM and that they will get their card back in the mail.
Then crooks simply have to collect a bunch of valid cards with matching PINs. In many countries, the customer is responsible for purchases made with the right PIN if the card is not reported as stolen within 24 or 48 hours, so it may cause significant losses.
Nobox: Only simple products.
do consumers not have credit card loss protection in Europe, the way they do in the U.S.? In the U.S., you're only liable for something like $50 on a fraudulent charge
Yes, we do. The whole point of Chip+PIN is to transfer the liability for fraud to the cardholder, as any transaction made using the PIN "must" have been made by that cardholder. So no fraud protection, no reversing the charge.
Should put the keypad and display on the card itself, it'd look like one of those 'credit card' calculators.
Worst BBC News Stories
The first time that I came across this (all night petrol store) I refused on the grounds that my bank had told me to not use terminals that had been tampered with. The till attendant could not offer an explanation other than that this was how they now did it. I asked him to explain how this was still secure, to be met with a blank stare. I paid in cash and left.
They still do this in their stores. It is quite simple: I no longer shop in Tesco since I do not believe that my pin would be guaranteed secure if I did.
What sort of problems could there be:
The wire from chip & pin terminal goes via the till - this is dangerous, see below.
Once my PIN is out ... it must be because I told it to someone -- that is what the banks will say -- so I am liable for bills against the card.
OK: to be really useful they would need to steal my card, that probably isn't too difficult - thousands of people are mugged/burgled every day.
I don't trust tills -- I have worked with them, they are general purpose PCs (probably running MS Windows) and can be remotely programmed over a network -- I used to work in an environment where program updates were sent out to tills -- so why not hack one to sniff card data. A techie with money problems could skim the PIN numbers and no one would likely notice, correlate with the addresses in the loyalty card database and tell his burglar friends which houses to visit.
Or maybe a "maintenance" man arrives, supposedly from head office, and fiddles with the till for a bit ... the average low paid all night joe would just allow this to happen.
"Maintenance" man returns a day later and unloads the data extracted -- no one at head office is any the wiser.
It gives me the shivers.
Just don't shop at Tesco - if enough people don't - they will get the message.
We've had chip and pin here in Denmark for a number of years now. Before that we had magnetic cards and pins, with a photo on the back of the card and a signature. The photo was paramount, because if the pin wasn't used in transactions with only a signature, the photo would ensure that the person using the card was the owner - simple enough and pretty effective. Then they went and removed the photo... They also added a chip and hailed its superior security, but didn't remove the magnetic stripe, and still allowed for signature-only transactions... One can only wonder... Maybe the banks WANT people to lose money to criminals, so they have to lend money at insane interest? Just put the damn photo back on, so anyone can see when a criminal tries to use my card! And I'm still amazed that you use signature only transactions in USA to this date. We've only used that here in Denmark as a backup when there was no electricity, and we're phasing it out now. Hilarious that you also print the actual signature directly ON the card, for anyone to copy - HAH, that's like writing your PIN on your card (which, sadly, some people also do...).
Some shops had their terminals replaced with modified units that captured the required card info and pin numbers, which were then used by the bad guys at some later point. Aided and abetted, I might add, by an upgrade to the terminals wherein the new terminals look like the old ones and the old ones were discarded in a rather sloppy manner.