European Credit and Debit Card Security Broken
Jack Spine writes "With nearly a billion users dependent on smart banking credit and debit cards, banks have refused liability for losses where an identification number has been provided. But now, the process behind the majority of European credit and debit card transactions is fundamentally broken, according to researchers from Cambridge University. The researchers have demonstrated a man-in-the-middle attack which fooled a card reader into accepting a number of point-of-sale transactions, even though the cards were not properly authenticated. The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."
RTFA. The problem isn't that the PIN is "stored on the card", it's that the card doesn't send any unique data to the terminal when the correct PIN is entered, it just sends a "Correct PIN was entered" message instead.
So, you stick something between the card and the terminal (the laptop) that intercepts the "Wrong PIN was entered" message from the card and forwards a "Correct PIN was entered" message to the terminal instead.
TBH I'm rather surprised that any information is allowed to be pulled off the chip without the PIN authenticating the user first; if you had to provide the correct PIN before the card would provide any information it would make it much harder to carry out the fraudulent transaction.
This is not news.
This is the way the system was designed.
It was designed to be shitty and insecure so fraud could continue.
It was sold as being highly secure in order to get them into widespread use and to get the laws set up to remove all liability from the banks as long as the system says the card is good.
The banks profit off of fraud.
This is all intentional, and it has been going on in criminal circles with these cards before day one. The only difference now is that some group has publicly revealed the sordid details.
Only because America decided they wouldn't let any of us into the country if we didn't implement RFID passports.
No. The problem is that the terminal isn't validating the PIN against anything it can trust... it's sending the entered PIN to the card and trusting the result returned, which can easily be spoofed. If the PIN was server-side, it could trust a results-only message... but that's not what's happening here.
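The exchange described in the two comments above (the card answering VERIFY with a status word the terminal simply trusts, and a wedge rewriting "wrong PIN" into "correct PIN"), modelled as an added toy example that is not code from the thread or from the Cambridge paper. The status words 0x9000 and 0x63Cx and the names CVMR and IAD are from ISO 7816 / EMV; the Card, terminal and issuer objects are simplified stand-ins, and the issuer-side check at the end is the detection a back end can run on the data it already receives: the terminal's claim about the PIN is compared with the card's own record of what it did.

```python
# Toy model of offline PIN verification in Chip and PIN (constructed example).
SW_OK = 0x9000          # real ISO 7816 status word: "PIN verified"
SW_WRONG_PIN = 0x63C2   # real status word: "PIN wrong, 2 retries left"


class Card:
    """Simplified chip: checks the PIN and remembers the outcome."""
    def __init__(self, pin):
        self._pin = pin
        self.pin_verified = False

    def verify(self, pin_entered):
        # The card only tells the terminal "ok" or "wrong"; it sends nothing unique.
        self.pin_verified = (pin_entered == self._pin)
        return SW_OK if self.pin_verified else SW_WRONG_PIN

    def generate_ac(self):
        # The card's own record of the PIN outcome (its CVR inside the IAD), which
        # travels to the issuer inside the cryptogram data and cannot be faked by the wedge.
        return {"cvr_pin_verified": self.pin_verified}


def direct_verify(card, pin_entered):
    """Honest path: terminal talks to the card directly."""
    return card.verify(pin_entered)


def mitm_relay(card, pin_entered):
    """The wedge the thread describes: forwards the PIN, but always answers 'correct'."""
    card.verify(pin_entered)   # card records the real (wrong) result
    return SW_OK               # terminal sees only this


def terminal_transaction(verify_fn, card, pin_entered):
    sw = verify_fn(card, pin_entered)
    cvmr_pin_verified = (sw == SW_OK)   # terminal's record (CVMR) rests on the status word alone
    return {"cvmr_pin_verified": cvmr_pin_verified, "card_ac": card.generate_ac()}


def issuer_check(tx):
    """Issuer-side consistency check: terminal's claim vs. the card's own record."""
    if tx["cvmr_pin_verified"] and not tx["card_ac"]["cvr_pin_verified"]:
        return "DECLINE: terminal says PIN verified, card says it was not"
    return "APPROVE"
```

A terminal that trusts only the status word approves the wedged transaction; the mismatch is visible only where both records meet, at the issuer.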
And this actually happens quite a bit; we usually pay out unless:
it matches the customer's spending pattern,
they tell us they kept the PIN with the card,
a family member was doing it.
This has been known for years. The machines and man-in-the-middle attacks are obvious, simply because you cannot verify the authenticity of any machine that you stick your card into and type your PIN. You have no clue that any one of them is doing what you think it should be doing. ATM machines are bad enough, but at least there is some sort of trust over the fact they are at a fixed point and there is some form of physical security around them. With chip and pin machines all you have is utterly blind faith that you have no choice but to accept, and then you get blamed for being insecure by the banks when the inevitable happens.
Please note that while this is a MIM attack, neither the ATM nor its communication links are compromised. The MIM part is in the _card_, which gives out a "This is a valid transaction PIN code" no matter what. So attach a fake card to some wires running up your sleeve into a laptop and FPGA in a backpack, and you can draw money from the account to the maximum limit with a fake card and without entering a correct PIN code.
The sad thing is that the banks are in total denial about this, claiming that since no such attacks have been discovered, the problem doesn't exist.
--
Regards
The problem is that the merchants have insurance and the number of fraudulent accesses is pretty small. So merchants are reluctant to spend $10,000 per terminal for a system as you describe.
They have already been forced to spend $1000-$2000 per terminal for something that has $100 of components in it.
Sure, it could be done as you suggest. But a lot of these systems were designed to work over a 300 baud modem or with no external connection at all - just buffering stuff up until later. So now you would also require a real Internet connection from each terminal. Well, the costs just keep going up on the merchant.
The end result is that merchants just say they can't implement something like that in all locations. Or the box is too expensive and they aren't buying any of them. So instead of universal penetration it is 5 or 10 percent of the merchants.
The reason they went with a low-cost, easy-to-implement solution in the first place was to gain wide (if not universal) acceptance so these things could be at every POS location everywhere, no matter what system the merchant was using, or at least with minimal interface requirements. It is like credit card terminals in the US - there are still a large number of places where they put the sale information into one system and then re-key the sale into a credit card terminal because integrating is too expensive and the terminals are relatively cheap.