Researchers Expose New Credit Card Fraud Risk
An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."
The reason the security is so poor is because the banks don't give a s**t. It's the _merchants_ that are liable for fraud, even though it's almost entirely the fault of the banks! The banks only have to make it just good enough that it's easier for the merchants to take credit cards than cash - even after the exorbitant ($0.25 + 2.5%) processing fees that they charge just to move the bits around.
The powers that be LOVE us using credit cards. They can track us, and they can dupe the feeble-minded among us into spending our way into a lifetime of indentured servitude.
The failure of our government to (re-)introduce a $1000 bill, in spite of massive inflation, is a deliberate scheme to make it impractical for us to use untraceable funds for any substantial purchase. And it has nothing to do with tracking terrorists or drug money, it's just to keep tabs on and control over the law-abiding populace.
Proprietary software AND hardware companies basically cannot be trusted. I've encountered countless amounts of commercial software, hardware products and services where the company states that they are very secure, but when investigating things myself, I find that it's trivial to circumvent their security. You can read about some of the poor security I've discovered recently with web hosting providers. Consumers deserve better than this and it's all of our responsibilities to make all people aware of these problems. Ironically, this news program itself doesn't understand the value of open disclosure. I guess I can understand that as it's human nature to want to hide things for fear of liability. But it's not like they were doing something that's not so obvious that someone determined enough could figure out.
First rule of security in my book: Someone who wants something bad enough, they will be able to circumvent nearly anything in order to get it. So it's a matter of how badly they want it. Since it's money in question, I'd say that a variety of organizations and people want it pretty bad.
Damn you to hell!
Ask not what you can do for your country. Ask what your country did to you
The huge security hole in the credit card system is the users. I flipped out at one of our vendors when they STORED my credit card number in their database, and just went ahead and charged it next time I was in the store.
People will gladly give their credit card number over the phone to a shady pizza shop, just to get a 15 dollar pizza delivered to their door.
We could build the most secure credit card system in the world, but the problem is that it has to be simple enough for idiots to use.
NewslilySocial News. No lolcats allowed.
If Clippy had been allowed to hang around in Windows he would at least have been kept off the streets.
In related news, the alternate Clippy, the advice dog, lost his job as a neuticles model and was sold to a company that tests military grade blood-clotting bandages. He's shot in the abdomen three days a week so trainees can learn how to apply the dressings. And all because you didn't want a friendly little animated help-mate watching after you.
You bastards.
Hmm, Macgyver must have tipped them off.
End transmission.
Absolute power corrupts absolutely. indymedia
What people are missing in this is that this pertains to certain card types mainly used in Europe. The type with RFID or embedded chips used for security. On standard US debit cards, there is no information sent to the card or from the card that ties to the PIN. The PIN is only seen by the pinpad component and immediately encrypted using a rotating DUKPT key algorithm before that, the card number and a sequence number are sent to be translated by a hardware security module. The pin pads themselves used by most US retailers are secure and do not pose a risk. If you tamper with most of those devices (example, the Welch Allyns used by Best Buy, Lowe's and others) then the injected keys are erased and PIN translation fails. They normally don't remain out too long if they are tampered with since the stores will consider them broken and unusable when they don't work anymore. This is related to the system in place and used in the UK. The US system, while old, is only being updated currently to support the new double length key requirements and have not incorporated smart card support or RFID (except a few gas station chains). The most important thing in the US is to protect the card database since the data on the mag stripe can be used as a credit card. As for PIN security, don't tell others your pin, notice hidden cameras that look out of place and point at PIN pads and you should be safe. The way PIN numbers are stored at banks within a hardware security module is safe and those devices are very sensitive to outside attack. They even employ motion sensors to prevent tampering in HSMs.
The PIN needs to be a moving target and much longer than 4 digits. Note that stateside that most automatic car washes are using at least 5 digit numbers to authenticate the sale as sold by the gas pump. (Example: SecurID or one-time pad.)
(offtopic)
My biggest pet peeve is why are account numbers (on checks) in the clear while the same is basically true of PIN numbers (without any added "salt")
For checks I would like to see the account number + check number translated to a 16 to 20 digit hash of which only the bank knows how to decipher to the correct account and check number?
(/offtopic)
The Roman Rule: The one who says it cannot be done shall not interrupt the one who is doing it.
Wow. The interview at the end of that piece has me floored. Imagine if industry people and politicians in the US were subjected to this sort of probing interview and actually responded. The interviewer had the representative from the credit card companies on the ropes the entire interview. Props to the BBC for doing some serious journalism.
While it's true they don't have to do business with you, most stores will accept a $50 rather than lose out on a $55 purchase. Ditto a $100 and lose out on a $101 purchase.
It boils down to risk:
Most people passing funny money will want to get change rather than goods they can only resell at diminished value.
Also, many merchants use basic anti-counterfeit measures when accepting $20s and higher. Granted these measures have a high miss rate but they do catch amateurs.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
If you want news from today, you have to come back tomorrow.
How far you've fallen...
Every time I see these stories, it reminds me of how they'd say not to do drugs in school, then show us exactly how not to do them...
And here's a link of exactly what you should NEVER do because it is illegal!
(posts to internet site frequented by absolutely everyone)
>> "As described in some detail in our paper, the basic attack tool is a paper clip. In order to record and analyze transactions a couple hundred pounds' worth of equipment is required, in addition to some digital design experience."
OK, a paper clip. PLUS A BUNCH OF OTHER STUFF.
Well, shoot, I could probably build an atomic weapon with a paper clip. PLUS A BUNCH OF OTHER STUFF.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
It looks like you are trying to crack an account. Would you like help?
Quick, everyone start carrying wads of cash instead of using credit cards!
It doesn't really matter what technology you use for monetary transactions, there are bad people who will work harder to steal it than to earn their own money. Just minimalise your risk and stop worrying about it.
Mainstream media is the worst terrorist.
No sig for you. YOU GET NO SIG!
Credit cards are so incredibly insecure that the only reason people use them is that the banks so far have been willing to cover the costs of fraud (in most cases and as long as the card holder hasn't contributed to it through negligence).
This is just one more flaw.
These posts express my own personal views, not those of my employer
This is, after all, Web 2.0. With The Onion and video links posted on slashdot, with embedded flash ads, and no website slashdotted for years, times have unfortunately changed since real techheads hung out here. But fear not, because we can go to the sauce and have a conversation with the professor and his team that did this research.
Does anybody else find it condescending to have little animated characters pop-up on your screen and try to help you? Some of us actually know how to use a computer, and find it insulting that you'd try to make the system more friendly with stupid animated characters.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I no longer use credit cards for small transactions. Usually, my small transactions are at places where the employees are paid poorly and the manager is somewhere else at the moment and doesn't care anyway. This includes restaurants where the waiter takes your card out of your sight. I don't want my cards stolen just because I didn't tip enough or Romero can't make rent.
Larger transactions are usually a little safer. The merchants are usually more careful who they hire or care more about employees stealing cards. Additionally, if the services or goods are no good then you can have the credit card issuer help you out.
Two of my friends have had card numbers stolen. Both of them suspect a restaurant or bar. In both cases, the items purchased were Wal Mart money orders (and $500 worth of fireworks in one case). Forcing Walmart not to enable buying of money orders with cards would be a great help. The US Post office already has this policy.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
I've been wanting something much more sophisticated than a 'shared secret' that you have to give to anyone to give money. If I let random restaurant a charge me 2 bucks for a drink, I have to give them potentially full access to my accounts.
Where's my private/public cryptography? I want to carry around my own damned device with keypad and display. The display would show me *exactly* what my financial institution will think I'm authorizing, and the keypad would be used to enter the passphrase to decrypt my private key, which is never ever ever transferred outside of the device's local filesystem. It's generated by the device and the public portion uploaded in a secure manner to my financial institution. The secure manner is a complicated issue, but there are degrees of inconvenience that can be induced to do it right, and allow me to opt to allow nothing more convenient than that.
I go to a damn store or online retailer. When ready to purchase, it somehow gets the data to my device (maybe encrypt with my public key, maybe direct connect to my device, maybe through the financial institution, whatever, the security risk in this transaction being the nature of what I'm buying, not in any way risking the actual money being transferred). I enter my passphrase (which could be as simplistic as a 4-digit pin, but at my discretion, not theirs) to signify accepting the terms my display gives me (i.e. authorized wal-mart to take 5 dollars from my account this one time, or authorize phone company to withdraw no more than 25 dollars on a monthly basis, the transaction may have tolerances and periodic, but always show me the tolerances and period and *who* I'm really authorizing to get the money). With my private key decrypted, use it to sign the payload, then my financial institution *must* receive that cryptographically signed authorization to transfer payment. The retailer *never* has anything more than data to confirm that one transaction (or reuse for repeat data if I declare that trust, within definable thresholds). To commit 'identity theft' (horrible phrase), they would either need to compromise the financial institution's database with *write* access to replace my public key with their own (by the way, invalidating my real key so I should notice it) or steal my device physically, which I should know. The device should overwrite memory contents where the key was with random bytes every time it completes an authorization, and therefore physical theft or tampering should lead to a dead end without my passphrase.
XML is like violence. If it doesn't solve the problem, use more.
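The authorization flow proposed in the comment above, as an added example that is not part of the original thread: the customer's device signs exactly what it displays, the retailer only relays it, and the bank checks the signature against the enrolled public key before enforcing payee, limit and reuse. Ed25519, JSON encoding and every type, field and function name here are assumptions of this sketch; passphrase protection of the stored key is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Authorization is the text the customer's own device displays and signs.
// All field names are assumptions made for this sketch.
type Authorization struct {
	Account  string `json:"account"`
	Payee    string `json:"payee"`     // who is really being authorized
	MaxCents int64  `json:"max_cents"` // tolerance shown on the display
	Monthly  bool   `json:"monthly"`   // false: one time only
	Nonce    string `json:"nonce"`     // unique per authorization
}

// SignedAuth is all the retailer ever holds: no key, no reusable secret.
type SignedAuth struct {
	Payload []byte
	Sig     []byte
}

var (
	ErrMalformed    = errors.New("malformed authorization")
	ErrBadSignature = errors.New("signature does not match enrolled key")
	ErrWrongPayee   = errors.New("payee differs from the one authorized")
	ErrOverLimit    = errors.New("amount outside authorized limit")
	ErrReplay       = errors.New("one-time authorization already used")
)

// Device generates and keeps the private key; only the public half leaves it.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Approve signs exactly the bytes that describe what was displayed.
func (d *Device) Approve(a Authorization) (SignedAuth, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAuth{}, err
	}
	return SignedAuth{Payload: payload, Sig: ed25519.Sign(d.priv, payload)}, nil
}

// Bank stores only public keys, plus what each authorization has spent.
type Bank struct {
	keys  map[string]ed25519.PublicKey
	spent map[string]int64
}

func NewBank() *Bank {
	return &Bank{keys: map[string]ed25519.PublicKey{}, spent: map[string]int64{}}
}

func (b *Bank) Enroll(account string, pub ed25519.PublicKey) { b.keys[account] = pub }

// Charge is called when a retailer presents a signed authorization.
// month names the billing period, e.g. "2008-03" (constructed value).
func (b *Bank) Charge(sa SignedAuth, payee string, cents int64, month string) error {
	var a Authorization
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return ErrMalformed
	}
	// Verify over the raw bytes received, not a re-encoding of them.
	pub, ok := b.keys[a.Account]
	if !ok || !ed25519.Verify(pub, sa.Payload, sa.Sig) {
		return ErrBadSignature
	}
	if payee != a.Payee {
		return ErrWrongPayee
	}
	key := a.Account + "/" + a.Nonce
	if a.Monthly {
		key += "/" + month // the limit applies per billing period
	}
	prev, seen := b.spent[key]
	if seen && !a.Monthly {
		return ErrReplay
	}
	if cents <= 0 || prev+cents > a.MaxCents {
		return ErrOverLimit
	}
	b.spent[key] = prev + cents
	return nil
}

func main() {
	dev, pub, err := NewDevice()
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Enroll("acct-1", pub)
	sa, _ := dev.Approve(Authorization{Account: "acct-1", Payee: "wal-mart", MaxCents: 500, Nonce: "n1"})
	fmt.Println("first charge:", bank.Charge(sa, "wal-mart", 500, "2008-03"))
	fmt.Println("same again:  ", bank.Charge(sa, "wal-mart", 500, "2008-03"))
	fmt.Println("other payee: ", bank.Charge(sa, "mallory", 100, "2008-03"))
}
```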
US Cards do not have the pin stored on the card. That's like keeping your password in your top desk drawer. This attack will not affect US Cardholders. Could you accomplish the same thing? Yes, but much more difficultly. And that's what security really is about, making a target so difficult thieves go elsewhere.
Routing number keeps the same public self (we need to send the check to the correct bank for processing.)
Account number xxxxxxxx Check number yyyyy becomes zzzzzzzzzzzzzzzz.
Issuing bank has key to turn zzzzzzzzzzzzzzzz back into original component numbers and verify that z... was not some made-up number in attempt to create a "bad check" of which there is no real account number attached to. Also xxxxxxxx, once extracted is verified to the name printed on the check. After about five or more bad values of z... in a day, a human is brought into the equation to look for the underlying cause.
If check is good, then issuing bank electronically clears the bank draft with bank (or presents cash to individual) that presented the check. This allows for a pre-verification of check prior to verifying the signature (which most banks no longer do anyways.)
I won't go into recurring drafts (automatic payments) as that makes things a bit more complicated.
The Roman Rule: The one who says it cannot be done shall not interrupt the one who is doing it.
Check numbers are incremental and of limited permutation, again making the hash easy to brute force. If the hash changes with each check, it also becomes harder for retailers to identify bad checks based on account number. You're going to end up turning away legitimate customers' money, and gain no security. By the time the check hits the bank, the fraud has been done. Also, "once extracted is verified to the name printed on the check"? Depending on your bank, this is already done. I signed a check with my right hand instead of left once (couldn't hold the pen because I messed my hand up), and I got a call a few days later about it. I'm with WaMu.
www.isoHunt.com
As the woman in the interview said, this isn't a probable method of widespread attack. It requires lengthy access to a chip and pin terminal to drill a hole in it and run a wire through. This wire would have to lead to a box or wireless transmitter. Takes a while to do, isn't easy to remove quickly and requires permanent evidence.
On the other hand, you can attach a skimmer to a reader to copy the magnetic strip and set up a camera to capture the pin in 5 minutes and remove it in 20 seconds. Far easier method of attack.
Both of these methods are actually only possible because of insecure ATMs which don't read chips. At the moment there are so many countries that use outdated ATMs that it's not worth banks banning card use in countries where this type of fraud is possible.
That is pretty much automatic, like a rotating RFID token that has your pin encoded on it, this is really the only type of RFID I would accept. My current RSA credit card token has a LCD screen with numbers on it and it lasted me years, a credit card with a similar feature with no screen the batteries would last for years and years and with no physical contact replacements would be needed far and few.
Tsukasa: All I really want, is to be left alone...
Keep away from banks that have paper clips! Actually, be careful about banks with staples, too!
Oh, and one other thing to look for. Look for the authors of this paper in a maximum security prison, after complaints by the banking industry. We've seen this before with ATMs in France.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Conversation between Merchant and his bank:
(note: this entire conversation may be electronic as most "cash registers" have the ability to read the MICR numbers across the bottom of the check.)
Merchant to bank: I have a customer that has presented me a check with the following routing number and account number blob for this amount.
Merchant's bank: let me check with issuing bank.
Merchant's bank to issuing bank: I have a check with the routing number, account number blob for this amount.
Issuing bank to Merchant bank: [Good to go] [NSF] [call the cops]
Merchant bank to merchant: [endorse check and put into register] [casually advise customer he may want to talk to his bank] [hold check for USSS and FBI for further analysis]
Merchant to customer [have a nice day] [I'll accept your check but your bank would like you to call them] [have a nice day (customer leaves, merchant burns surveillance videos to DVD--including close-up of customer's license plate, crime scene rules in play.) | if mob operation, customer has "physical therapy" done to kneecaps with baseball bat.]
Advantages: Account number not compromised by one missing check, Use same MICR numbers with minimal programming.
Disadvantages: Account number not in clear, recurring automatic payments.
The Roman Rule: The one who says it cannot be done shall not interrupt the one who is doing it.
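The check-number scheme proposed in the comments above (account number plus check number printed as 16 digits that only the issuing bank can turn back), as an added example that is not part of the original thread. It assumes the "hash" is a keyed, reversible mapping, built here from a small Feistel network over decimal digits with HMAC-SHA256 as the round function; that construction, the key and all names are assumptions of this sketch, and a real deployment would use a vetted format-preserving cipher.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
)

const (
	half   = 100000000 // each Feistel half holds 8 decimal digits
	rounds = 10
	pad    = 1000 // plaintext ends in three zero digits, checked on decode
)

var ErrBadToken = errors.New("token does not decode to a known account and check")

// Bank is the issuing bank, the only holder of the key.
type Bank struct {
	key      []byte
	names    map[uint64]string // account number -> name printed on its checks
	BadToday int               // rejected tokens seen today
}

func NewBank(key []byte) *Bank {
	return &Bank{key: key, names: map[uint64]string{}}
}

func (b *Bank) Open(account uint64, name string) { b.names[account] = name }

// f is the keyed round function: HMAC-SHA256 of (round, value), cut to 8 digits.
func (b *Bank) f(round int, v uint64) uint64 {
	var buf [9]byte
	buf[0] = byte(round)
	binary.BigEndian.PutUint64(buf[1:], v)
	m := hmac.New(sha256.New, b.key)
	m.Write(buf[:])
	return binary.BigEndian.Uint64(m.Sum(nil)[:8]) % half
}

// Token maps an 8-digit account and a 5-digit check number to the 16 digits
// printed on the check. The left half starts as the account number, the
// right half as the check number followed by 000.
func (b *Bank) Token(account, check uint64) string {
	l, r := account%half, (check%100000)*pad
	for i := 0; i < rounds; i++ {
		l, r = r, (l+b.f(i, r))%half
	}
	return fmt.Sprintf("%016d", l*half+r)
}

// Verify reverses the rounds and accepts only a token that decodes to a
// well-formed value for an account whose holder name matches the check.
func (b *Bank) Verify(token, name string) (account, check uint64, err error) {
	n, perr := strconv.ParseUint(token, 10, 64)
	if len(token) != 16 || perr != nil {
		b.BadToday++
		return 0, 0, ErrBadToken
	}
	l, r := n/half, n%half
	for i := rounds - 1; i >= 0; i-- {
		l, r = (r+half-b.f(i, l))%half, l
	}
	if owner, ok := b.names[l]; !ok || owner != name || r%pad != 0 {
		b.BadToday++ // made-up or altered number
		return 0, 0, ErrBadToken
	}
	return l, r / pad, nil
}

// NeedsHuman reports whether enough bad values arrived to warrant a person
// looking for the cause (the comment above suggests about five in a day).
func (b *Bank) NeedsHuman() bool { return b.BadToday >= 5 }

func main() {
	bank := NewBank([]byte("constructed demo key, not a real one"))
	bank.Open(12345678, "A. Customer") // constructed account
	tok := bank.Token(12345678, 101)
	acct, chk, err := bank.Verify(tok, "A. Customer")
	fmt.Println(tok, acct, chk, err)
	_, _, err = bank.Verify("1234567890123456", "A. Customer")
	fmt.Println(err, bank.NeedsHuman())
}
```

Because the mapping depends on the bank's key, consecutive check numbers give unrelated tokens and nobody without the key can recompute them, which is the property an unkeyed hash of the same digits would lack.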
so it's vulnerable?
no, it's not vulnerable. it's not 100% safe
so it's vulnerable?
OK: this would make the cards somewhat bulky and since people tend to have several cards their pockets would bulge. So why not allow people to buy their own small keypads (which they trust to not have been tampered with) that they can plug their cards into and plug the whole lot into the retailer's machine.
Yeah, the summary is pretty misleading, since you need a paper clip, and field programmable gate array with RS232 interface or microcontroller. Yes, these are easy to obtain items, but the summary sounds like you can just use the paper clip. (And, I suppose feel the bits as electric shocks on your tongue or something.)
My Freakin Blog
Seriously though, identity theft is one of the big scary monsters that is used to scare the public on a daily basis. If there were an offering that experts agreed was highly resistant to identity theft, some consumers may jump at it after all the fear mongering.
XML is like violence. If it doesn't solve the problem, use more.
How do I know someone hasn't disassembled the device, and put in some bug? Best case on the part of the device, extra pads under the buttons to register the presses, or a camera positioned just right.
That's why I say my device must have a private keypad/display, so I don't have to trust the POS equipment at all. Besides, doesn't cover credit card numbers, which remains the significant share of online purchases.
XML is like violence. If it doesn't solve the problem, use more.
I'm having to trust the physical security of whatever device I'm interacting with, bringing my own keyboard and display gives me insurance on their mechanisms.
And so the chip cards have processing elements on card that have data input and output, and never make available their contents to any device they interact with? Or is there assumption that the ATM/POS equipment is all trustworthy and secure and will discard the data and never be possibly compromised by a malicious retailer?
XML is like violence. If it doesn't solve the problem, use more.
Bruce Schneier has written frequently on this topic, the problem is, the person in a position to do something about it (the bank) has no financial loss from fraud.
If you made the banks, who have the capacity for change, liable, you'd see change.
The plural form of "anecdote" is "anecdotes", not "evidence".
Check the video. 12:03-12:07. The researcher mentions something about "Scientologists".
It's all Xenu's fault! I KNEW IT!!
[End Of Line]
I just have the urge to put my new chip Visa card into a Diebold... but I am afraid it will crash the Interwebs.
Banks seem to think a system is secure enough as long as the number of cases where customers are exploited, are few enough. This way the bank can repay the customers with little arguing, and prevent these stories from reaching the media. In Norway there is a story that has been running in the media where a Professor at the University of Bergen and a group of students have shown that the system used by Norwegian banks to offer Banking services on the internet have flaws that can be exploited. The banks take the same route and try to claim that the system is secure and have their PR people find technical terms like calling it a theoretical attack. (Actually the attack is far from theoretical). The interesting part is how the banks just keep trying to convince the media and people in general instead of sitting down with the researchers at the University and try to find a solution. After the first case in the media, the banks worked to fix the security holes, but the researchers didn't even need a day to find a way around the new protections. Since this system is considered for a national authentication standard the appropriate minister in the Norwegian government is involved, and is siding with the professor and not the banks.
Giving your credit card to a clerk that earns a minimum wage is most likely more risky.
When banks deploy inadequate security, they should be liable for the distress and costs they cause their customers.
Like a password, you should change your PIN regularly. If it's copied from a terminal then you're only vulnerable for a short time.
I got bit by a scheme. They drained my account and then the bank didn't want to hear it. They're still chasing me for $1,300.
Here in the U.S. we simply use either card alone, or card and PIN. About 8 months ago some enterprising fraudsters managed to replace the credit card terminals in Stop & Shop supermarkets. And of course one that I frequented got hit.
The banks need to be taken to task for this. So too do agencies like APACS and their U.S. counterparts. I know that Stop & Shop replaced all their credit card terminals with what they say are more secure but I know they're hackable.
The solution is to use something other than PIN, like a thumbprint. And encrypt the data stream between the card reader and the processor. But even at that, you still have the card data being transmitted in the clear from the read head on through.
Chip and PIN has nothing to do with security.
A PIN (a 4-digit number with a search space of 10 000) is much, much less secure than a signature (complex hand gesture with near-infinite search space). It takes even an experienced person at least an hour to learn to forge a signature convincingly. (The hard part is not giving yourself away with body language: you have to make the whole act of signing your name look like a casual, throwaway act, something you do all the time, not like you're auditioning before a panel of silent, stone-faced judges for a leading part in a West End production.) A PIN can be obtained under threat of violence in seconds. An accomplice can then verify the PIN in a nearby store, and use what was until very recently the victim's own phone to report the success or otherwise to the robber.
The only reason why the number of fraudulent transactions is less on chip-and-PIN systems, is because every transaction is assumed legitimate by default -- unlike signature-backed systems, where a human being intervenes to judge the legitimacy of every transaction.
Chip-and-PIN has a couple of purposes. Most obviously, to transfer liability from banks and merchants to cardholders -- but that's just a fringe benefit. The real, long-term purpose is to acclimatise people to the concept of inserting a card into a reader and keying in a number. Soon, you won't have a separate bank card for each account; they'll all be accessible via your Biometric National Identity card, which will also open the doors to your workplace -- and eventually, your home.
Je fume. Tu fumes. Nous fûmes!
So, ok... you could use this to compromise a real machine, collecting the numbers but still allowing the transactions to go through, but it's not like you were safe yesterday and suddenly vulnerable today.
Criminals have already been setting up fake card readers on ATMs and Pay At The Pump machines here in Canada. Your card physically goes through their reader before it gets to the real reader on the machine, then a hidden camera records you punching in your pin. Later the criminals retrieve the data from the magnetic stripes and retrieve the video, and combining the two they empty your bank account at various ATMs.
Criminals have also set up completely fake ATMs (effectively trojan horses) which just record your card's magnetic stripe and the PIN you type in, and then pretend to phone home to the bank for the transaction, when really they just blindly dump out some seed cash that the criminals have stocked the machine with in order to make the transaction seem legit (they will make it back theoretically in the funds they drain from you afterwards). Or hell, if they are feeling particularly greedy, they can just blink up "transaction failed, network down" or something and not even give you the seed money.
The point is, this doesn't change a lot. Theoretically any machine might be a fake, or might be compromised. There's nothing stopping someone from taking the guts out of one of the machines in the article and replacing those guts with their own custom hardware that just pretends to fail the transaction while it records your stripe and PIN. Granted, it's easier to get away with putting a compromised machine into a legitimate business without the collusion of the proprietor if the machine actually carries out the transactions, otherwise the mook at the till is going to report to management that the machine is broken and the company will send a repairman with a new machine to replace your compromised one. But in a small mom and pop business where the proprietors are colluding with (or themselves are) criminals, the scam is easily run, and since there is no real transaction going to the banks (remember the transaction "failed" as far as the customer knows), there isn't even any data to mine to determine that all these people shopped at Shady Underworld Convenience.
With every transaction you make, you are taking some form of risk. It might be a low risk, or even a calculated one, but it's still a risk. You have no way of knowing what is going on in that machine when you swipe your card and enter your PIN. Period. All you can do if you are going to use debit/credit is try to use machines that are less likely to be fake compromised, and you should still audit your transactions often so that if you do become a victim of theft/fraud, you can catch it as soon as possible.
Thanks for the correction, that makes a lot more sense.
XML is like violence. If it doesn't solve the problem, use more.
It just isn't done routinely. In some wars, it was done with wartime scrip and even certain wartime bank notes that were "legal tender" only in certain parts of the world.
Having said that, demonetizing all currencies with designs that haven't been used in 20 years, with a guaranteed face-value buyback from a Federal Reserve Bank by any US Citizen willing to declare that he's either had the currency a long time or declare where he got it would put a dent in the problem you mention.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
and since people tend to have several cards
With the system you describe there's no need for several cards - just install the certs for the new bank/store/insurance-co/etc on your card.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
DON'T USE PINS. EVER.
I have never agreed with the Debit system, or any other system that uses pin code information. It is, pardon my language, bullshit.
The Debit card system, in the US at least, was the worst. The banks were initially not liable for anything, and whole accounts could be drained. The charges were insane too. No offense, but anybody who pays a 50c-1.50$ charge on their Debit Card to buy a farking hamburger is mentally challenged, and their thought processes must be very similar to the people spending their paychecks on worthless bling bling.
My primary reason for disagreeing with the system, is that the banks are trying to weasel out of any responsibility.
I don't know about many other banks, but Wells Fargo had put in pin pads into their branches for customers to identify themselves. Huh? This is certainly the most retarded idea which is in line with the "screw the customer" paradigm that is rampant today. I have watched customer after customer after customer walk up to the teller and identify themselves to a teller, and the teller does not even look them in the face. Any criminal could get my bank card, which doubles as an ATM/Debit card, and use the SAME FUCKING PIN CODE. Once again, pardon my language please. Since the code is exactly the same, they just walk up to the teller and they could perform practically any type of transaction without any additional identity checks. This is not an exaggeration either, I have watched hundreds of dollars getting withdrawn, and cashiers checks being handed out, based only on that pin code.
You want to know the big kicker here? I REFUSE to identify myself in such a manner. WHEN I do actually refuse:
1) The tellers invariably get "disoriented". They just look at me blankly like I yelled, "Tapioca Pudding IN my ShOES!! BWAHAH".
2) Some tellers get put off.
3) They all proceed to give the deep identity cavity search. I have to take out my drivers license, my bank card (obviously), sometimes another credit card, and then answer several questions about the account, which always includes at least 2 questions about recent deposits.
I am not complaining about that, I just don't like making them do it. I actually say Thank You to any sales clerk that asks for my identification. Now this leads me to make an interesting observation. The bank equates a bank card and pin code to be as secure as step #3. Clearly it is not.
I believe this all comes down to the banks trying to push as much liability, responsibility, accountability, etc. away from them and on to the consumer as they can. Pin Codes remove the responsibility of the banks and the merchants to, at bare minimum, pay attention to the customer. They don't have to ask for ID for one thing. An assumption is made, that as long as the Pin Code checks out, that proper identity has been established.
That is why I always sign the back of my credit cards with "ASK FOR ID". I never use debit cards, and I NEVER enter a pin code anywhere but at a branch ATM. My Pin Code is also not 4 numbers. If you ask them at Wells Fargo, they will allow you to set a longer Pin Code. I complained bitterly about the Debit System being attached to the same system as my Bank card, and that Pin Codes were not secure. After a lot of frustration, and being clear that I was not going to shut up and leave, the branch manager informed me about the longer pin codes. So definitely ask your bank or credit card company if you can set pin codes longer than 4 digits.
In the end never accept that the banks are interested in security. I don't believe that they are. They are interested in making the transactions as easy as possible for themselves and the merchants with as much ability to blame the customer as possible.
The other benefit of never using Pin Codes, is that it presents a very c