Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chip-and-Pin Vulnerable To Subtle Trickery

Posted by Zonk on from the i-feel-quite-safe dept.

An anonymous reader writes "Cambridge University researchers, in an investigation for BBC Television's Watchdog programme, have demonstrated a man-in-the-middle attack for the chip-and-pin credit card security system used throughout the UK and Europe. In the attack, the card is inserted into a card-reader that has been tampered with, and the information transmitted in real-time to an accomplice who uses a specially modified card to make a higher-value purchase elsewhere. The modified card-reader shows only the expected amount, but the larger amount is deducted from the victim's bank account. It would not be easy to use this method in practice because the two transactions must be made simultaneously. The same team recently demonstrated a hacked chip-and-pin terminal playing Tetris."

4 of 64 comments (clear)

  1. 'Watchdog' tonight by shrykk · · Score: 4, Insightful

    This is due to be on 'Watchdog' (a popular consumers'-rights show) in about 45 minutes.

    As I understand it, the point of this research is that the banks have been claiming that chip-and-pin terminals are completely tamper-proof. In fact, they may be tamper-proof from the banks' point of view (preventing fraudulent transactions by destroying encryption keys if the case is tampered with), they're not from the customers' point of view - a dodgy establishment or criminal employee could clone your card with a terminal that looks legit.

    So, ripping out the innards and putting a machine playing Tetris inside looks silly, but demonstrates that the devices aren't inherently trustworthy. And this is the next step: showing that a card can be cloned and the details used to make a fraudulent transaction using modified hardware.

    --
    #define struct union /* Reduce memory usage */
    1. Re:'Watchdog' tonight by ds_job · · Score: 2, Insightful
      The standard response from the Banks is:

      "Our technology is infallible. You *must* have compromised your card / PIN. You will get no refund nor compensation."
      What this does is point out that the first sentence is not correct and that the second does not automatically follow. I am not particularly protective of or abusive towards Chip-And-Pin but the "Nothing to do with me mate. You'll have to prove it." attitude of the banks is kind of annoying. I'm much more happy paying my taxes to find this kind of issue rather than modding the housing to play Tetris.
  2. Re:Yes, BUT by mrcaseyj · · Score: 2, Insightful
    AC wrote:

    ..if it came to it then at least an expert should be able to spot a forgery in the event of a dispute.
    That won't do you any good because clerks can't distinguish from a legitimate signature and a forged one. Therefore if the owner of a card wants to cheat the bank, they can just sign their own signature with their left hand or something and then deny the charge. If the bank doesn't believe you when you say it was fraudulent then you'll be stuck with the charge (or the store will because they didn't check your ID). The fact that the signatures don't match does you no good.

    Chip and pin is a massive improvement over the insane system we have in the US. It may have been sane back when computers were rare or expensive, but there's no excuse for it now. But chip and pin still has serious vulnerabilities, especially when used over the internet. Even with a card reader on your computer, the fact that operating systems like Windows and Linux will never be seriously secure, means that you can't trust what you see on the screen is what's going on over the wires. It's just a matter of time before the banks finally realize that the only solution is a device you carry with its own small display and keypad. Such a device would have a simple enough operating system and software that it might achieve a fairly strong level of security.

    The other trend I see for the future is many more hackers learning to probe the dies of security chips. With the rapid increase in the number of devices relying on secret keys hidden in security chips, such as credit cards, motherboards, sattelite and cable tv, Blueray, and more, there will be greatly increasing demand for the ability to extract those keys. Electron microscopes or any other equipment to get into these chips can be bought, borrowed, or even built in one's garage. I'm sure that any chip can be defeated if the hacker has enough samples to work with. I don't know if the difficulty will make it impractical though.

  3. Re:The Tetris hack was a fake by Tony+Hoyle · · Score: 2, Insightful

    Of course if you do £20 - £2000 then you get noticed real quick.

    Do it at a petrol station or somewhere where the price varies a lot, add £1 onto the transaction (screening out the 'obvious' figures to avoid people who put exactly £20 of petrol in for example noticing the error), and have the 'real' transaction come from the 'real' retailer and you'd get away with it for quite a while.

    Petrol station employees are paid minimum wage and not security checked & have an incentive to get involved in this too.

    Don't stay in one place for too long, move around, and with a bit of luck and a following wind you'd be quite rich at the end of it.