Researchers Expose New Credit Card Fraud Risk

An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."

Get rid of the damn things!

[seanadams.com]

The reason the security is so poor is because the banks don't give a s**t. It's the _merchants_ that are liable for fraud, even though it's almost entirely the fault of the banks! They banks only have to make it just good enough that it's easier for the merchants to take credit cards than cash - even after the exorbitant ($0.25 + 2.5%) processing fees that they charge just to move the bits around.

The powers that be LOVE us using credit cards. They can track us, and they can dupe the feeble-minded among us into spending our way into a lifetime of indentured servitude.

The failure of our government to (re-)introduce a $1000 bill, in spite of massive inflation, is a deliberate scheme to make it impractical for us to use untraceable funds for any substantial purchase. And it has nothing to do with tracking terrorists or drug money, it's just to keep tabs on and control over the law abiding populous.

Re:Get rid of the damn things!

[the+brown+guy]

I tried paying for my university tuition with cash (I have a cash based job) and the woman there said that I can only pay online with a credit card. After explaining that I am too young to have a credit card, and that I only had cash she relented. Even then, she said that they couldn't give me any change, so I had to go and get exact change. Its bullshit, not everybody can have a credit card, plus I like the anonymity that paying via cash provides.

Where's the crypto?

[Junta]

I've been wanting something much more sophisticated than a 'shared secret' that you have to give to anyone to give money. If I let random restaurant a charge me 2 bucks for a drink, I have to give them potentially full access to my accounts.

Where's my private/public cryptography? I want to carry around my own damned device with keypad and display. The display would show me *exactly* what my financial institution will think I'm authorizing, and the keypad would be used to enter the passphrase to decrypt my private key, which is never ever ever transferred outside of the devices local filesystem. It's generated by the device and the public portion uploaded in a secure manner to my financial institution. The secure manner is a complicated issue, but there are degrees of inconvenience that can be induced to do it right, and allow me to opt to allow nothing more convenient than that.

I go to a damn store or online retailer.. When ready to purchase, it somehow gets the data to my device (maybe encrypt with my public key, maybe direct connect to my device, maybe through the financial institution, whatever, the security risk in this transaction being the nature of what I'm buying, not in any way risking the actual money being transfered). I enter my passphrase (which could be as simplistic as a 4-digit pin, but at my discretion, not theirs) to signify accepting the terms my display gives me (i.e. authorized wal-mart to take 5 dollars from my account this one time, or authorize phone company to withdraw no more than 25 dollars on a monthly basis, the transaction may have tolerances and periodic, but always show me the tolerances and period and *who* I'm really authorizing to get the mony). With my private key decrypted, use it to sign the payload, then my financial institution *must* receive that cryptographically signed authorization to transfer payment. The retailer *never* has anything more than data to confirm that one transaction (or reuse for repeat data if I declare that trust, within definable thresholds). To commit 'identity theft' (horrible phrase), they would either need to compromise the financial institutions database with *write* access to replace my public key with their own (by the way, invalidating my real key so I should notice it) or steal my device physically, which I should know. The device should overwrite memory contents where the key was with random bytes every time it completes an authorization, and therefore physical theft or tampering should lead to a dead end without my passphrase.

Re:Is anyone here really surprised?

[whyloginwhysubscribe]

My bank in the UK (Barclays) has issued me with a secure ID card, that I type my PIN into, and it then gives me a number to type into the online banking system.

I think it is only a matter of time before this gets transferred to shop terminals - if you need to bring something and remember something, then it makes life a lot harder for hackers.

Re:Tough Interview

[d3vi1]

KUDOS to the BBC for being a leader in all fronts of the Mass-Media. This video proves that they can do serious journalism, something that most media companies have forgotten how to do.
Short, correct and difficult to answer questions. Ask the right questions, that's all it takes.

Bravo BBC

Keypad on the card

[Alain+Williams]

What is really needed is that the cards have an integral keypad - so that communication between the chip and the keypad cannot be intercepted, you entering your PIN would activate the card that could then talk over an encrypted link (eg SSL) directly to the bank's computer.

OK: this would make the cards somewhat bulky and since people tend to have several cards their pockets would bulge. So why not allow people to buy their own small keypads (which they trust to not have been tampered with) that they can plug their cards into and plug the whole lot into the retailer's machine.