Researchers Expose New Credit Card Fraud Risk

An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."

Get rid of the damn things!

[seanadams.com]

The reason the security is so poor is because the banks don't give a s**t. It's the _merchants_ that are liable for fraud, even though it's almost entirely the fault of the banks! They banks only have to make it just good enough that it's easier for the merchants to take credit cards than cash - even after the exorbitant ($0.25 + 2.5%) processing fees that they charge just to move the bits around.

The powers that be LOVE us using credit cards. They can track us, and they can dupe the feeble-minded among us into spending our way into a lifetime of indentured servitude.

The failure of our government to (re-)introduce a $1000 bill, in spite of massive inflation, is a deliberate scheme to make it impractical for us to use untraceable funds for any substantial purchase. And it has nothing to do with tracking terrorists or drug money, it's just to keep tabs on and control over the law abiding populous.

Re:Get rid of the damn things!

[suso]

I believe this is called Security Theatre.

Re:Get rid of the damn things!

[the+brown+guy]

I tried paying for my university tuition with cash (I have a cash based job) and the woman there said that I can only pay online with a credit card. After explaining that I am too young to have a credit card, and that I only had cash she relented. Even then, she said that they couldn't give me any change, so I had to go and get exact change. Its bullshit, not everybody can have a credit card, plus I like the anonymity that paying via cash provides.

Re:Get rid of the damn things!

[Kalriath]

Really? Over here our terminals require triple-DES encryption between the PIN-pad and the terminal and then the connection from the terminal to the payment processor is encrypted again. Anything else will not be certified for connection to the EFTPOS network.

Wow you guys really do have it bad.

Re:Tough Interview

[mapsjanhere]

The big advantage of a publicly funded TV program - the producers are less likely to cave in to advertiser's interests.

Where's the crypto?

[Junta]

I've been wanting something much more sophisticated than a 'shared secret' that you have to give to anyone to give money. If I let random restaurant a charge me 2 bucks for a drink, I have to give them potentially full access to my accounts.

Where's my private/public cryptography? I want to carry around my own damned device with keypad and display. The display would show me *exactly* what my financial institution will think I'm authorizing, and the keypad would be used to enter the passphrase to decrypt my private key, which is never ever ever transferred outside of the devices local filesystem. It's generated by the device and the public portion uploaded in a secure manner to my financial institution. The secure manner is a complicated issue, but there are degrees of inconvenience that can be induced to do it right, and allow me to opt to allow nothing more convenient than that.

I go to a damn store or online retailer.. When ready to purchase, it somehow gets the data to my device (maybe encrypt with my public key, maybe direct connect to my device, maybe through the financial institution, whatever, the security risk in this transaction being the nature of what I'm buying, not in any way risking the actual money being transfered). I enter my passphrase (which could be as simplistic as a 4-digit pin, but at my discretion, not theirs) to signify accepting the terms my display gives me (i.e. authorized wal-mart to take 5 dollars from my account this one time, or authorize phone company to withdraw no more than 25 dollars on a monthly basis, the transaction may have tolerances and periodic, but always show me the tolerances and period and *who* I'm really authorizing to get the mony). With my private key decrypted, use it to sign the payload, then my financial institution *must* receive that cryptographically signed authorization to transfer payment. The retailer *never* has anything more than data to confirm that one transaction (or reuse for repeat data if I declare that trust, within definable thresholds). To commit 'identity theft' (horrible phrase), they would either need to compromise the financial institutions database with *write* access to replace my public key with their own (by the way, invalidating my real key so I should notice it) or steal my device physically, which I should know. The device should overwrite memory contents where the key was with random bytes every time it completes an authorization, and therefore physical theft or tampering should lead to a dead end without my passphrase.

Re:Where's the crypto?

[Junta]

You forgot the step where your computer has a key logger installed and someone overseas now has all your data. Someone steals my device or gains unauthorized access and *then* returns it to me unnoticed is *far* more likely to be noticed than taking my card, scribbling the number on the front and back, and putting it back. Or for random POS equipment to be instrumented that I interact with. Or for some old-fashioned place with the carbon copies or some stands to be set up. At least the security risk lies in the implementation of the device, *not* fundamental to the system. Sure, *the* most secure proposition is currency, but other than direct physical interaction, currency is *not* feasible for the same reasons its good for face to face. Mail currency and anyone can intercept and use it, as it's not traceable and not targeted.

That's not even getting into your other major flaw, and your incorrect assumption. It would be much easier to discuss those points if you at least mentioned what they were.

Re:Is anyone here really surprised?

[whyloginwhysubscribe]

My bank in the UK (Barclays) has issued me with a secure ID card, that I type my PIN into, and it then gives me a number to type into the online banking system.

I think it is only a matter of time before this gets transferred to shop terminals - if you need to bring something and remember something, then it makes life a lot harder for hackers.

Re:Tough Interview

[d3vi1]

KUDOS to the BBC for being a leader in all fronts of the Mass-Media. This video proves that they can do serious journalism, something that most media companies have forgotten how to do.
Short, correct and difficult to answer questions. Ask the right questions, that's all it takes.

Bravo BBC

Re:Tough Interview

[trainman]

Indeed, I wish the media in this continent (we have the same problem with flaccid media in Canada too) would ask the tough questions like that. Alas most of the time the reporter doesn't even know what the story is about, and simply doesn't have the subject knowledge to ask such pointed questions. Then of course they would have to care enough to hold the subject accountable.

Far too often I hear interviews were the subject gives some double-talk half twisted lie which makes no sense, and the interviewer simply accepts this line as fact. No follow up question, no challenging. It's turned me off watching TV news completely, because politicians continue to get away with the same lies unchallenged.

I wish I knew how to fix this problem. I'm sure corporate control is part of the problem somehow. :)

Keypad on the card

[Alain+Williams]

What is really needed is that the cards have an integral keypad - so that communication between the chip and the keypad cannot be intercepted, you entering your PIN would activate the card that could then talk over an encrypted link (eg SSL) directly to the bank's computer.

OK: this would make the cards somewhat bulky and since people tend to have several cards their pockets would bulge. So why not allow people to buy their own small keypads (which they trust to not have been tampered with) that they can plug their cards into and plug the whole lot into the retailer's machine.

Re:I can build an atomic weapon with a paper clip

[johnny+maxwell]

Well, you have to admit that that in this case the paper clip is quite important.
For those of you who haven't actually read the article (it is not unheard of!):
They use it to peel through a hole in the back of a owner-accessible compartment for some rarely used extra modules to insert it into an open via in the pcb which just happens to carry a serial data line transmitting PIN and card details...

You could even nicely mount your eavesdropper circuit in that compartment.

This is quite startling IMO, as the designers of the module have gone to great lengths to hide most signals under layers of a dense sensor-maze to prevent access by drilling your way into the lower layers of the circuit board.