Chip-and-Pin Vulnerable To Subtle Trickery
An anonymous reader writes "Cambridge University researchers, in an investigation for BBC Television's Watchdog programme, have demonstrated a man-in-the-middle attack for the chip-and-pin credit card security system used throughout the UK and Europe. In the attack, the card is inserted into a card-reader that has been tampered with, and the information transmitted in real-time to an accomplice who uses a specially modified card to make a higher-value purchase elsewhere. The modified card-reader shows only the expected amount, but the larger amount is deducted from the victim's bank account. It would not be easy to use this method in practice because the two transactions must be made simultaneously. The same team recently demonstrated a hacked chip-and-pin terminal playing Tetris."
The victim's card goes in the "fake PIN machine" which is linked via laptops to a "fake card" in a "real PIN machine" at another shop (in this case, a jeweler's).
The laptop link makes it look like the victim's card is physically at the jeweler's store, and takes care of all the validation. The victim is told the dinner price, and enters their PIN into the "fake PIN machine", which says "thank you" and prints a fake receipt. Meanwhile, the PIN number is then passed to the criminal at the jeweler to key into the real PIN machine and buy the diamonds.
Tricky to pull off due to the timing - but a real treat all the same.
Each exchange is one challenge bit and one response bit, so the timing is accurate, but this is repeated many times to give a high assurance that the real card is present (128 in the prototype). See the draft paper for the details.
Steven Murdoch.
web: http://www.cl.cam.ac.uk/users/sjm217/
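Added example, not part of the thread or the researchers' code: a terminal-side check for the timed bit exchange described in the comment above, with 128 rounds of one challenge bit and one response bit. The shared key, the HMAC-derived pair of response registers, the 1 m bound, the 5 ns card latency and the modelled (not measured) round-trip times are all assumptions made for illustration.

```python
import hmac, hashlib, random

ROUNDS = 128                 # rounds in the prototype, per the comment above
C_M_PER_NS = 0.2998          # speed of light, metres per nanosecond
CARD_DELAY_NS = 5.0          # constructed: fixed card response latency
MAX_RTT_NS = CARD_DELAY_NS + 2 * 1.0 / C_M_PER_NS   # constructed bound: card within 1 m

def bits(data, n):
    """First n bits of data, most significant bit first."""
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]

def registers(key, nonce_terminal, nonce_card):
    """Assumed setup: both sides derive two 128-bit registers before the timed phase."""
    mac = hmac.new(key, nonce_terminal + nonce_card, hashlib.sha256).digest()
    stream = bits(mac, 2 * ROUNDS)
    return stream[:ROUNDS], stream[ROUNDS:]

def card_response(regs, i, challenge_bit):
    """The card's only work in the timed phase: a one-bit lookup."""
    return regs[challenge_bit][i]

def verify(regs, challenges, responses, rtts_ns):
    """Accept only if every response bit is right and every round trip is in bound."""
    wrong = sum(r != regs[c][i] for i, (c, r) in enumerate(zip(challenges, responses)))
    late = sum(t > MAX_RTT_NS for t in rtts_ns)
    return {"accepted": wrong == 0 and late == 0, "wrong_bits": wrong, "late_rounds": late}

def run(distance_m, extra_delay_ns=0.0, knows_registers=True, seed=1):
    """Simulate one session with constructed key, nonces and timing."""
    rng = random.Random(seed)
    key = b"constructed-shared-key"
    nt = bytes(rng.getrandbits(8) for _ in range(16))
    nc = bytes(rng.getrandbits(8) for _ in range(16))
    regs = registers(key, nt, nc)
    challenges = [rng.getrandbits(1) for _ in range(ROUNDS)]
    responses = [card_response(regs, i, c) if knows_registers else rng.getrandbits(1)
                 for i, c in enumerate(challenges)]
    rtt = CARD_DELAY_NS + 2 * distance_m / C_M_PER_NS + extra_delay_ns
    return verify(regs, challenges, responses, [rtt] * ROUNDS)

if __name__ == "__main__":
    print("card in the slot:        ", run(0.05))
    print("card behind a slow link: ", run(0.05, extra_delay_ns=5000.0))
    print("on time but no registers:", run(0.05, knows_registers=False))
```

A session is refused either because the added link latency pushes every round past the bound, or because a party answering on time without the registers gets bits wrong; repeating the exchange 128 times is what makes the second case reliable.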