Slashdot Mirror


Chip-and-Pin Vulnerable To Subtle Trickery

An anonymous reader writes "Cambridge University researchers, in an investigation for BBC Television's Watchdog programme, have demonstrated a man-in-the-middle attack for the chip-and-pin credit card security system used throughout the UK and Europe. In the attack, the card is inserted into a card-reader that has been tampered with, and the information transmitted in real-time to an accomplice who uses a specially modified card to make a higher-value purchase elsewhere. The modified card-reader shows only the expected amount, but the larger amount is deducted from the victim's bank account. It would not be easy to use this method in practice because the two transactions must be made simultaneously. The same team recently demonstrated a hacked chip-and-pin terminal playing Tetris."

13 of 64 comments

  1. attack easily detected by Technician · · Score: 3, Interesting

    Someone with a close eye on their account will notice the missing money and pull up recent transactions online. Armed with receipts and a printout of the impossible-to-make dual purchases with one card in two locations, the compromised machine can be shut down (de-authorised) and legal proceedings started. This attack has a name attached to the business using the terminal.

    The attack is proof of concept, but it leaves too much of a trail.

    --
    The truth shall set you free!
  2. 'Watchdog' tonight by shrykk · · Score: 4, Insightful

    This is due to be on 'Watchdog' (a popular consumers'-rights show) in about 45 minutes.

    As I understand it, the point of this research is that the banks have been claiming that chip-and-pin terminals are completely tamper-proof. In fact, while they may be tamper-proof from the banks' point of view (preventing fraudulent transactions by destroying encryption keys if the case is tampered with), they're not from the customers' point of view - a dodgy establishment or criminal employee could clone your card with a terminal that looks legit.

    So, ripping out the innards and putting a machine playing Tetris inside looks silly, but demonstrates that the devices aren't inherently trustworthy. And this is the next step: showing that a card can be cloned and the details used to make a fraudulent transaction using modified hardware.

    --
    #define struct union /* Reduce memory usage */
    1. Re:'Watchdog' tonight by ds_job · · Score: 2, Insightful

      The standard response from the Banks is:

      "Our technology is infallible. You *must* have compromised your card / PIN. You will get no refund nor compensation."

      What this does is point out that the first sentence is not correct and that the second does not automatically follow. I am not particularly protective of or abusive towards Chip-And-Pin, but the "Nothing to do with me mate. You'll have to prove it." attitude of the banks is kind of annoying. I'm much happier paying my taxes to find this kind of issue rather than modding the housing to play Tetris.
  3. Ultimate Financial Security by ToneHog · · Score: 2, Funny

    For the truly security minded: a wallet, a handgun, and the bottom side of your mattress. No interest charges or minimum payments!

    --
    Center bodied, omni-minded.
    1. Re:Ultimate Financial Security by sunwukong · · Score: 4, Funny

      "Lady, me and this gun here say that I'm going to pay cash for this and there's nothing you can do about it!"

      "I'm sorry, sir, but I can't hear what you're saying through the mattress you're wearing."

      Or did I misinterpret what you're suggesting?

  4. Re:The Tetris hack was a fake by maubp · · Score: 4, Informative

    It was not the real hardware hacked to play Tetris. It was different hardware in the same box.

    Sure, this shows that you can fool a user to think they're using a valid machine, but it does not get at the transaction.

    Have you read the article? There is a fake transaction at the victim's location which appears to be paying £20 for dinner. There is a real (but fraudulent) transaction at the jewelers at the same time for $2000 of diamonds.

    The victim's card goes in the "fake pin machine" which is linked via laptops to a "fake card" in a "real pin machine" at another shop (in this case, a jewelers).

    The laptop link makes it look like the victim's card is physically at the jeweler's store, and takes care of all the validation. The victim is told the dinner price, and enters their PIN into the "fake PIN machine", which says "thank you" and prints a fake receipt. Meanwhile, the PIN is passed to the criminal at the jeweler to key into the real PIN machine and buy the diamonds.

    Tricky to pull off due to the timing - but a real treat all the same.
  5. nothing new here by mgb · · Score: 2, Interesting

    So this, along with the Tetris hack, basically says that if you are a retailer and have access to a terminal or other means of getting hold of a person's credit or debit card, then you can potentially do lots of dodgy stuff. Who knew!!!

  6. Re:The Tetris hack was a fake by iangoldby · · Score: 2, Interesting

    I wonder if you have misunderstood what is going on here.

    There is no connection between the bank and the card-reader that has been tampered with. As far as the bank is able to see, there has been a legitimate transaction for £2000. As far as the victim sees, the transaction is for only £20 (until he receives his statement one month later).

    The point is: the actual transaction is £2000. The trickery is making the victim believe he is authorising a transaction of only £20 by presenting him with a fake terminal.

    I believe also that this hack does not allow the card to be copied. My guess is that there is a one-time transaction code that the researchers cannot (yet) reproduce - remember this is a man-in-the-middle attack. That's why the victim's apparent authorisation of the £20 has to coincide with the real authorisation of the £2000.

  7. Classic Quote... by ayjay29 · · Score: 2, Funny

    Anne Robinson my arse!

    Watchdog?

    I am watching a dog.

    --
    Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated up.
  8. I don't get it by giminy · · Score: 2, Interesting

    This is neat, but it's not exciting. I've written a smartcard proxy service that could also be used for evil. It works by capturing the client certificate request from a TLS handshake, and sends the signed response to the server (some older web apps don't know how to use PKCS#11 libraries, which is what this is used for... it strips the client cert request out of the handshake so the client is none the wiser). I could rewrite my proxy to sign all kinds of data with the smartcard once the user gives the proxy his/her PIN... I could log on to banking sites and transfer money to me, buy stuff, essentially anything that the computer could do, and not inform the user.

    I think Bruce Schneier's paper said it best. Sure the card is trustworthy, but when you're using any kind of smartcard, the card isn't the trust boundary. The card plus the computer (or pinpad in this case) that you're using it on is your trusted device conglomerate.

    I think the real demonstration of this attack is that pinpads have vulnerabilities. Even that isn't earth-shattering. So does everything else where physical access is granted.

    Which isn't to say that it isn't newsworthy (people should definitely be careful where they stick their card), but it does feed into idea #4 on the six dumbest ideas in computer security.

    --
    The Right Reverend K. Reid Wightman,
  9. Re:Single bit check is not enough by sjmurdoch · · Score: 2, Informative

    Each exchange is one challenge bit and one response bit, so the timing is accurate, but this is repeated many times to give a high assurance that the real card is present (128 in the prototype). See the draft paper for the details.

    --
    Steven Murdoch.
    web: http://www.cl.cam.ac.uk/users/sjm217/
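    Murdoch's comment above describes a distance-bounding check: one challenge bit, one response bit, repeated 128 times. The toy simulation below is added here and is not code from the paper or from anyone in this thread; it shows why the laptop relay described in comments 4 and 6 fails such a check (the relayed answer is correct but late) and why a fake card that answers early must guess, passing with probability 2^-128. The timing constants, the hash-based response table and all function names are assumptions.

```python
import hashlib
import random

# Toy model of the rapid bit-exchange phase of a distance-bounding protocol.
# All timing constants are assumptions for the simulation, not measurements.
ROUNDS = 128                 # exchanges per transaction, as in the prototype
MAX_ROUND_TRIP_US = 1.0      # terminal rejects any response slower than this
CARD_PROCESSING_US = 0.2     # assumed answer time of a genuine card in the slot
RELAY_HOP_US = 150.0         # assumed one-way latency of the laptop relay link


def response_table(shared_key: bytes, nonce: bytes, rounds: int = ROUNDS):
    """Card and terminal both derive per-transaction response bits from a
    shared secret and a fresh nonce (constructed hash-based scheme).
    table[c][i] is the correct answer to challenge bit c in round i."""
    digest = hashlib.sha256(shared_key + nonce).digest()   # 256 bits
    bits = [(digest[i // 8] >> (i % 8)) & 1 for i in range(8 * len(digest))]
    return [bits[:rounds], bits[rounds:2 * rounds]]


def genuine_card(table):
    """Card physically in the terminal: correct bit, fast answer."""
    return lambda i, c: (table[c][i], CARD_PROCESSING_US)


def relayed_card(table):
    """Fake card forwarding each challenge to the real card elsewhere:
    the answer is correct but carries two relay hops of delay."""
    return lambda i, c: (table[c][i], 2 * RELAY_HOP_US + CARD_PROCESSING_US)


def guessing_card(seed: int):
    """Fake card answering instantly without asking the real card:
    it can only guess each response bit."""
    rng = random.Random(seed)
    return lambda i, c: (rng.getrandbits(1), CARD_PROCESSING_US)


def verify_presence(card, table, seed: int, rounds: int = ROUNDS):
    """Terminal side: random challenge bit per round, require the correct
    answer within the time bound. Returns (accepted, failing_round)."""
    rng = random.Random(seed)
    for i in range(rounds):
        challenge = rng.getrandbits(1)
        answer, elapsed_us = card(i, challenge)
        if elapsed_us > MAX_ROUND_TRIP_US or answer != table[challenge][i]:
            return False, i
    return True, None


def guess_success_probability(rounds: int = ROUNDS) -> float:
    """Chance that a guessing card passes every round."""
    return 2.0 ** -rounds
```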
  10. Re:Yes, BUT by mrcaseyj · · Score: 2, Insightful
    AC wrote:

    "...if it came to it then at least an expert should be able to spot a forgery in the event of a dispute."

    That won't do you any good because clerks can't distinguish a legitimate signature from a forged one. Therefore if the owner of a card wants to cheat the bank, they can just sign their own signature with their left hand or something and then deny the charge. If the bank doesn't believe you when you say it was fraudulent then you'll be stuck with the charge (or the store will because they didn't check your ID). The fact that the signatures don't match does you no good.

    Chip and pin is a massive improvement over the insane system we have in the US. It may have been sane back when computers were rare or expensive, but there's no excuse for it now. But chip and pin still has serious vulnerabilities, especially when used over the internet. Even with a card reader on your computer, the fact that operating systems like Windows and Linux will never be seriously secure means that you can't trust that what you see on the screen is what's going on over the wires. It's just a matter of time before the banks finally realize that the only solution is a device you carry with its own small display and keypad. Such a device would have a simple enough operating system and software that it might achieve a fairly strong level of security.

    The other trend I see for the future is many more hackers learning to probe the dies of security chips. With the rapid increase in the number of devices relying on secret keys hidden in security chips, such as credit cards, motherboards, satellite and cable TV, Blu-ray, and more, there will be greatly increasing demand for the ability to extract those keys. Electron microscopes or any other equipment to get into these chips can be bought, borrowed, or even built in one's garage. I'm sure that any chip can be defeated if the hacker has enough samples to work with. I don't know if the difficulty will make it impractical though.

  11. Re:The Tetris hack was a fake by Tony+Hoyle · · Score: 2, Insightful

    Of course if you do £20 - £2000 then you get noticed real quick.

    Do it at a petrol station or somewhere where the price varies a lot, add £1 onto the transaction (screening out the 'obvious' figures to avoid people who put exactly £20 of petrol in for example noticing the error), and have the 'real' transaction come from the 'real' retailer and you'd get away with it for quite a while.

    Petrol station employees are paid minimum wage and not security checked, and have an incentive to get involved in this too.

    Don't stay in one place for too long, move around, and with a bit of luck and a following wind you'd be quite rich at the end of it.