European Credit and Debit Card Security Broken
Jack Spine writes "With nearly a billion users dependent on smart banking credit and debit cards, banks have refused liability for losses where an identification number has been provided. But now, the process behind the majority of European credit and debit card transactions is fundamentally broken, according to researchers from Cambridge University. The researchers have demonstrated a man-in-the-middle attack which fooled a card reader into accepting a number of point-of-sale transactions, even though the cards were not properly authenticated. The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."
Seems like the problem with this system is that the PIN is stored on the chip... and that's just as stupid as writing it on the card! The attacks are simple... either a card that always agrees the PIN given is correct, or a terminal that tries to authenticate all 10000 PINs and then learns the right one.
Payment processors have for years been wanting to have an offline secure system, but it just doesn't work. With cheap enough data systems available everywhere, it's not hard for every Wal-Mart and most rural gas stations to see a satellite. Get a $20/mo. dial-up account if you have to... there's no reason for anything that does money to be off the grid.
If the PIN is stored online like traditional ATM cards, then there would be a quick way to be sure there's honest checking of the pin and alarms if somebody fails too many times. The American "contact" systems are actually reasons to not require a signature or a PIN... but those are also designed for small-dollar transactions and keeping the fast food line moving. Sure, they're open to cloning risk, but they're willing to take that downside because there's enough upside to using the system.
They finally figured out how to bail themselves out
FTA: "The central problem with the EMV protocol is that it allows the card and the terminal to generate ambiguous data about the verification process, which the bank will accept as valid... while a PIN must be entered, any PIN code would be accepted by the terminal."
That's a serious flaw. You've got to insist on data being valid if you are going to record it as valid.
It's a good thing that we don't rely on ambiguous data in any other part of life.
Liberal? Conservative? Compare perspectives at Left-Right
... blame Python! :)
Generally, bash is superior to python in those environments where python is not installed.
The researchers used off-the-shelf components (PDF), and a laptop running a Python script...
It is long past time for governments to criminalize the use of Python.
More music, fewer hits
Chip & Pin has never been about minimising fraud - it's about pushing the responsibility from the banks onto the customers. And they're doing the same thing with the ridiculous Verified By Visa programme which just trains people to fall for phishing scams.
This is not news.
This is the way the system was designed.
It was designed to be shitty and insecure so fraud could continue.
It was sold as being highly secure in order to get them into widespread use and to get the laws set up to remove all liability from the banks as long as the system says the card is good.
The banks profit off of fraud.
This is all intentional, and it has been going on in criminal circles with these cards before day one. The only difference now is that some group has publicly revealed the sordid details.
Leave it to an English university to focus on phish and chips...
Only because America decided they wouldn't let any of us into the country if we didn't implement RFID passports.
According to http://www.visa.ca/chip/cardholders/emvstandard/index.jsp, the EMV Chip & PIN standard is also used in Canada, not just Europe.
If they were smart enough to do that they wouldn't be in the mess to start with. Fucking wops.
Thank you for confirming the stereotype of American
1) arrogance,
2) redneck-ism,
3) ignorance of domestic issues,
4) ignorance of foreign issues, and
5) racism
in a mere 19 words. If there was a Nobel Prize for dumbest twat, you'd be a shoo-in.
This has been known for years. The machines and man-in-the-middle attacks are obvious, simply because you cannot verify the authenticity of any machine that you stick your card into and type your PIN. You have no clue that any one of them is doing what you think it should be doing. ATM machines are bad enough, but at least there is some sort of trust over the fact they are at a fixed point and there is some form of physical security around them. With chip and pin machines all you have is utterly blind faith that you have no choice but to accept, and then you get blamed for being insecure by the banks when the inevitable happens.
What have we heard about this in the mainstream press and media? Nothing. People, and those with a vested interest, obviously just want to deny that it can happen.
Use Cash.
You are being MICROattacked, from various angles, in a SOFT manner.
You know what helps you sound informed and intelligent? Reading the article. You know what makes you sound, well, silly? Not reading the article. Here's a clue to spark your interest: it isn't the card readers that are performing the man in the middle, it is the person in possession of the card performing the attack against a standard card reader.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
http://www.youtube.com/watch?v=U1QAnb-wnTs ohhhhhhhhhhhhhhh CHIP AND PIN FAIL
and this actually happens quite a bit, we usually pay out unless
it matches the customer's spending pattern,
they tell us they kept the PIN with the card,
a family member was doing it.
I'm just curious as the article summary and article don't mention (I guess the PDF might, but from the article's description, it isn't clear)...
Do they still need the card?
The article seems to describe the attack as a man-in-the-middle attack, i.e. card -> their device -> the card reader/writer. So the card instigates all the important bits (which bank account number, etc.), and then their device sends back an 'OK' to the card reader/writer, happily ignoring the PIN part.
But does that mean they do still need to have a card? Or could they easily make their own card with the details of whoever (let's say they grab the bank account # off of some business registry website), and then go ahead and perform transactions with it + their device?
The article states that the banks don't accept liability for a transaction performed with PIN. This is true; however, the liability isn't pushed to the consumer, it is accepted by the card issuer instead (i.e. MasterCard, Visa etc.).
I also disagree with their assertion that chip and pin is fundamentally broken. EMV requires the card to generate a cryptogram at the end of the transaction. The card can simply refuse to generate this data if it hasn't received the correct PIN. I am a little surprised that the cards they tried don't do this already.
Some people here have suggested that the PIN be authenticated online. The EMV standard actually supports online authentication of PIN, it's just that some banks choose to issue cards that use a PIN that is verified by the card instead because they don't have the systems in place to support online verification. Many banks
For all the people saying that the designers of the system don't know what they are doing, I suggest they read the specifications (freely available on the EMVCo website). They are actually quite good and do support pretty much all of the improvements people here have suggested (and more). The problem is they need to be practical as well, something that most comments here don't consider. There is no point designing a foolproof system that no-one can use.
This hole can be removed and it most certainly will be if criminals start to exploit it.
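Added example, not part of any comment in this thread and not code from the researchers or EMVCo: a sketch of the issuer-side consistency check that closes the "ambiguous data" gap quoted above, by comparing what the terminal claims about cardholder verification with what the card itself recorded. The `AuthRequest` type, its `card_saw_pin_ok` field (standing in for the issuer-specific card data, whose real layout is proprietary) and the sample byte values are assumptions made for illustration.

```python
from dataclasses import dataclass

# CVM Results (EMV tag 9F34): byte 1 = method performed, byte 3 = outcome.
CVM_METHODS = {0x01: "offline plaintext PIN", 0x02: "online PIN",
               0x04: "offline enciphered PIN", 0x1E: "signature",
               0x1F: "no CVM required"}
OFFLINE_PIN = {0x01, 0x04}   # methods where the card itself checks the PIN
CVM_SUCCESS = 0x02           # byte 3 value meaning "successful"

@dataclass
class AuthRequest:           # hypothetical container for one authorisation
    cvm_results: bytes       # the terminal's claim (3 bytes of tag 9F34)
    card_saw_pin_ok: bool    # assumption: decoded from the card's own data
    cryptogram_valid: bool   # assumption: cryptogram was already verified

def check(req):
    """Return (decision, reason) for one authorisation request."""
    if not req.cryptogram_valid:
        return "decline", "cryptogram failed verification"
    if len(req.cvm_results) != 3:
        return "decline", "malformed CVM Results"
    method = req.cvm_results[0] & 0x3F   # low six bits select the method
    outcome = req.cvm_results[2]
    terminal_claims_pin = method in OFFLINE_PIN and outcome == CVM_SUCCESS
    # The two views must agree; a mismatch is the ambiguity described above.
    if terminal_claims_pin != req.card_saw_pin_ok:
        return "decline", "terminal and card disagree on PIN verification"
    return "approve", CVM_METHODS.get(method, "unknown method")

# Constructed sample requests, not captured traffic.
SAMPLES = {
    "consistent PIN":  AuthRequest(bytes([0x41, 0x00, 0x02]), True, True),
    "views disagree":  AuthRequest(bytes([0x41, 0x00, 0x02]), False, True),
    "signature":       AuthRequest(bytes([0x1E, 0x00, 0x00]), False, True),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, "->", check(req))
```

The check only works if the issuer actually receives both views and treats disagreement as a decline rather than accepting either one as proof of PIN entry.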
One of the selling points of this system is that you DON'T need to let your card leave your sight, or even your hand, as before when magnetic strips were used that was good indication of having your card copied.
The terminal you put your card in is usually wireless or has a long cord so you can pick it up to better hide your PIN when you enter it. This makes using a card with wires going up your sleeve quite easy to get away with, and keeping hold of the card is not unusual behaviour that would arouse suspicion. See the BBC video here:
http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html
Come as you are, do what you must, be who you will.
The Chip and PIN principle is a lot older in Europe than anywhere else in the world. Asia is far behind, however converting fast, and the US is down the drain. France has implemented a Chip'n'PIN system since the early 90s, and Belgium has been using its local equivalent (Bancontact) since the mid-90s. Because credit/debit cards are synonymous with Chip and PIN cards in Europe, EMV has become a synonym for a unified European payment system.
The US has massive plans to implement EMV. The main difference is that banks are quite opposed to it because the cost of overhauling their complete architecture for the sake of fraud is quite a difficult thing to sell -- we're not talking about a simple card update, every single Point of Sale will need a new terminal, every single individual will need his card replaced. How many credit cards are used in North America? 700 million if my memory serves me well, or more. At roughly $15 per card, when bought in high quantities, that's quite a lot of money. Each terminal costs roughly $150-$230, so that's not a small investment either.
Next to that, you need the network connectivity, and the servers to handle it. I remember discussing this with a colleague some time ago, and by eyeballing it quickly, we got a number of roughly $100 to $130 per customer. Obviously, the banks could always ask for more cash from the government to pay for it?
Source: I work in the industry.
The idea of forcing people to enter PINs into any machine controlled by a retailer was ridiculous from day one - the supposed extra security of Chip & Fraud was merely a way for the banks to transfer liability for fraud to the customer. (Happily the FSA has now forbidden them to do this unless they have actual genuine proof that the customer gave away their PIN - well done guys, springing into action after only 4 years of complaints).