European Credit and Debit Card Security Broken

← Back to Stories (view on slashdot.org)

European Credit and Debit Card Security Broken

Posted by timothy on Thursday February 11, 2010 @09:52AM from the pounding-marks-for-euros dept.

Jack Spine writes "With nearly a billion users dependent on smart banking credit and debit cards, banks have refused liability for losses where an idenification number has been provided. But now, the process behind the majority of European credit and debit card transactions is fundamentally broken, according to researchers from Cambridge University. The researchers have demonstrated a man-in-the-middle attack which fooled a card reader into accepting a number of point-of-sale transactions, even though the cards were not properly authenticated. The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."

25 of 245 comments (clear)

Chip and Chip security... wait a second! by LostCluster · 2010-02-11 09:52 · Score: 3, Insightful

Seems like the problem with this system is that the problem is that the PIN is stored on the chip... and that's just as stupid as writing it on the card! The attacks are simple... either a card that always agrees the PIN given is correct, or a terminal that tries to authenticate all 10000 PINS and then learns the right one.
Payment processors have for years been wanting to have an offline secure system, but it just doesn't work. With cheap enough data systems available everywhere, it's not hard for every Wal-Mart most rural gas stations to see a satellite. Get a $20/mo. dial-up account if you have to... there's no reason for anything that does money to be off the grid.
If the PIN is stored online like traditional ATM cards, then there would be a quick way to be sure there's honest checking of the pin and alarms if somebody fails too many times. The American "contact" systems are actually reasons to not require a signature or a PIN... but those are also designed for small-dollar transactions and keeping the fast food line moving. Sure, they're open to cloning risk, but they're willing to take that downside because there's enough upside to using the system.
1. Re:Chip and Chip security... wait a second! by Spad · 2010-02-11 10:01 · Score: 4, Informative
  
  RTFA. The problem isn't that the PIN is "stored on the card", it's that the card doesn't send any unique data to the terminal when the correct PIN is entered, it just sends a "Correct PIN was entered" message instead.
  So, you stick something between the card and the terminal (the laptop) that intercepts the "Wrong PIN was entered" message from the card and forwards a "Correct PIN was entered" message to the terminal instead.
  TBH I'm rather surprised that any information is allowed to be pulled off the chip without the PIN authenticating the user first; if you had to provide the correct PIN before the card would provide any information it would make it much harder to carry out the fraudulent transaction.
2. Re:Chip and Chip security... wait a second! by LostCluster · 2010-02-11 10:07 · Score: 5, Informative
  
  No. The problem is that the terminal isn't validating the PIN against anything it can trust... it's sending the entered PIN to the card and trusting the result returned, which can easily be spoofed. If the PIN was server-side, it could trust a results-only message... but that's not what's happening here.
3. Re:Chip and Chip security... wait a second! by Spad · 2010-02-11 10:09 · Score: 3, Informative
  
  Replying to myself, if you read the PDF it details the process on page 3; the card actually does almost all of the transaction work before the PIN is entered, all the PIN enables is the "Is this transaction allowed? Yes, it's allowed. OK" part of the process.
4. Re:Chip and Chip security... wait a second! by spun · 2010-02-11 10:37 · Score: 4, Insightful
  
  It seems this system was designed expressly to limit bank's liability by providing the illusion of security. "Oh, fraudulent charges, are they? But you entered your PIN... Can you prove your PIN was compromised? no? Tough then, pay up."
  
  --
  - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
5. Re:Chip and Chip security... wait a second! by LostCluster · 2010-02-11 10:47 · Score: 3, Insightful
  
  MitM would just learn this and deny once and then accept whatever is sent the second time.
  I call the scheme you're promoting as "hut-hut-HIKE" security. Jump offsides on a false call and you're in trouble. If there's a random number of fakes before the real one comes through, then you've got something.
6. Re:Chip and Chip security... wait a second! by shentino · 2010-02-11 11:44 · Score: 4, Interesting
  
  The problem is that the server storing your account information is trusting the terminal.
  If the terminal can get away with trusting the signal it's getting from the card, then it's actually possible for a counterfeit terminal to rob you without even having the card.
7. Re:Chip and Chip security... wait a second! by AVee · 2010-02-11 21:28 · Score: 3, Insightful
  
  I'm fairly certain that's at least a risky thing to do. Assuming the chips in the UK behave pretty much the same as those in the Netherlands, the chip will lock up and refuse to authorize anything after 3 failed attempts in a row. Up to the point where you have to go to your bank and request a new card, it won't (and hopefully can't) be reset.
  Now imagine mistakenly using the PIN from your other card in a terminal which decides to pre-test with 2 random PINs.
  
  Regardless, even though this attack is not technically extremely complex, it isn't that easy to pull it of in practice. You need to steel a card, and use a fake cards with wires dangling from it in a shop. You also need to buy something which isn't registered to your name in any way, which is easy to convert to cash, valuable enough to make it worth the risk and effort and preferably sold somewhere without CCTV.
  It sure isn't impossible, but it's probably easier to earn your illegal cash some other way.
Sigh! Go ahead, by kclittle · 2010-02-11 09:58 · Score: 4, Funny

... blame Python! :)

--
Generally, bash is superior to python in those environments where python is not installed.
Strike at the heart of the problem by OglinTatas · 2010-02-11 10:01 · Score: 5, Funny

The researchers used off-the-shelf components (PDF), and a laptop running a Python script...
It is long past time for governments to criminalize the use of Python.

--
More music, fewer hits
1. Re:Strike at the heart of the problem by spun · 2010-02-11 10:40 · Score: 3, Funny
  
  The researchers used off-the-shelf components (PDF), and a laptop running a Python script...
  It is long past time for governments to criminalize the use of Python.
  Or at least criminalize its use... on a plane.
  
  --
  - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Not really surprising... by davebert · 2010-02-11 10:02 · Score: 4, Insightful

Chip & Pin has never been about minimising fraud - it's about pushing the responsibility from the banks onto the customers. And they're doing the same thing with the ridiculous Verified By Visa programme which just trains people to fall for phishing scams.
1. Re:Not really surprising... by Tanktalus · 2010-02-11 11:43 · Score: 3, Insightful
  
  But do you have any reason to say that they aren't actually interested in preventing fraud?
  Because they keep outsourcing the development of a mission-critical security system to the lowest bidder instead of the most qualified. They probably throw in laughable constraints, too, such as having to work on existing POS terminals.
  If they were truly interested in preventing fraud instead of denying liability (while still getting to say in marketing that they protect you from fraud), they would contract the design of this system out to some real security experts - and, given the obvious quality of their design team in matters of security, they could post the job offer on slashdot to get some reasonable candidates - who would then use a public-private key encryption scheme where the POS terminal's public key would have to be signed by the credit card authority's private key, which could be verified by the chip by using the public key therein, and then the chip would use that public key to encrypt its own public key, which would be used by the POS terminal to encrypt the PIN that the user typed in, and send it back. And then, no matter whether the PIN is valid or not, the chip would send back some sort of data encrypted with the POS' public key again. That data would decrypt to something that was encrypted with the credit card company's public key, so that the POS terminal would then have to send it back to the credit card center (Visa, MC, Amex, whatever) to get it decrypted (along with its own public key so the credit card company could re-encrypt its response) to validate. The data sent back to the credit card company would include: the encrypted confirmation from the card (plus some random data that can get chopped off, e.g., some JSON-like data: '{verified:true,defeat-listeners:"adsh65ouhdsakljt"}' would be easy enough for the credit card company to get what it needs while discarding the rest while resulting in the packet changing every time), the amount of the transaction, the public key of the POS terminal, all encrypted again with the upstream public key. Upstream could decrypt, extract, and decrypt again. Oh yeah, and before the chip gets printed, its own public key would have to be signed by the credit card company, just to make it that tiny bit more difficult to forge.
  For a laptop to sit in the middle and get anything out of such a system would be practically impossible. And, if done right, defeating it once won't mean easy-sailing after that. Maybe an electron-microscope on an exposed chip might help ... but even then, I'm not sure it'd help enough.
  And before real security experts jump on me, this is just something I thought up over the last ten minutes. If I were given a $50,000 consulting contract to design this, I'd spend far more than 10 minutes on it, and might find some of the kinks that are likely obvious to much more experienced people than I.
2. Re:Not really surprising... by cdrguru · 2010-02-11 12:27 · Score: 4, Informative
  
  The problem is that the merchants have insurance and the number of fraudulent accesses is pretty small. So merchants are reluctant to spend $10,000 per terminal for a system as you describe.
  They have been already forced to spend $1000-$2000 per terminal already for something that has $100 of components in it.
  Sure, it could be done as you suggest. But a lot of these systems were designed to work over a 300 baud modem or with no external connection at all - just buffering stuff up until later. So now you would also require a real Internet connection from each terminal. Well, the costs just keep going up on the merchant.
  The end result is that merchants just say they can't implement something like that in all locations. Or the box is too expensive and they aren't buying any of them. So instead of universal penetration it is 5 or 10 percent of the merchants.
  The reason they went with a low-cost, easy-to-implement solution in the first place was to gain wide (if not universal) acceptance so these things could be at every POS location everywhere. No matter what system the merchant was using or at least minimal interface requirements. It is like credit card terminals in the US - there are still a large number of places where they put the sale information into one system and then re-key the sale into a credit card terminal because integrating is too expensive and the terminals are relatively cheap.
Not News by sexconker · 2010-02-11 10:03 · Score: 4, Informative

This is not news.
This is the way the system was designed.
It was designed to be shitty and insecure so fraud could continue.
It was sold as being highly secure in order to get them into widespread use and to get the laws set up to remove all liability from the banks as long as the system says the card is good.
The banks profit off of fraud.
This is all intentional, and it has been going on in criminal circles with these cards before day one. The only difference now is that some group has publicly revealed the sordid details.
Figures... by DoofusOfDeath · 2010-02-11 10:05 · Score: 4, Funny

Leave it to an English university to focus on phish and chips...
Re:RFID passports by Spad · 2010-02-11 10:06 · Score: 4, Informative

Only because America decided they wouldn't let any of us into the country if we didn't implement RFID passports.
We Already Know This by segedunum · 2010-02-11 10:26 · Score: 3, Insightful

This has been known for years. The machines and man-in-the-middle attacks are obvious, simply because you cannot verify the authenticity of any machine that you stick your card into and type your PIN. You have no clue that any one of them is doing what you think it should be doing. ATM machines are bad enough, but at least there is some sort of trust over the fact they are at a fixed point and there is some form of physical security around them. With chip and pin machines all you have is utterly blind faith that you have no choice but to accept, and then you get blamed for being insecure by the banks when the inevitable happens.

What have we heard about this in the mainstream press and media? Nothing. People, and those with a vested interest, obviously just want to deny that it can happen.
1. Re:We Already Know This by russotto · 2010-02-11 11:24 · Score: 4, Insightful
  
  Chip and pin is definitely better then card swipe, or card swipe and pin.
  Card swipe and PIN appears to be better. While I can easily copy a card, there's no way I can manufacture a card which will work with any PIN.
  
  The only problem is the banks are treating the increase in security as absolute security, and refusing to handle any fraud concerning a chip and pin transaction.
  This is one of the areas where the US is actually ahead of the game. For credit cards, there's $50 liability maximum for the cardholder. For ATM/debit cards, it's also $50 if you notify them within 2 days, but $500 if you notify them within 60 days, of finding out about it. They can't just say "Impossible" and have you jailed for having the temerity to claim a charge was fraudulent (as has happened in the UK).
2. Re:We Already Know This by Peter+H.S. · 2010-02-11 12:20 · Score: 4, Informative
  
  This has been known for years. The machines and man-in-the-middle attacks are obvious, simply because you cannot verify the authenticity of any machine that you stick your card into and type your PIN. You have no clue that any one of them is doing what you think it should be doing. ATM machines are bad enough, but at least there is some sort of trust over the fact they are at a fixed point and there is some form of physical security around them. With chip and pin machines all you have is utterly blind faith that you have no choice but to accept, and then you get blamed for being insecure by the banks when the inevitable happens.
  Please note that while this is a MIM attack, neither the ATM nor its communication links are compromised. The MIM part is in the _card_, that gives out an "This is a valid transaction PIN code" no matter what. So attach a fake card to some wires running up your sleeve into a laptop and FPGA in a back pack, and and you can draw money from the account to the maximum limit with a fake card and without entering a correct PIN code.
  The sad thing is that the banks are in total denial about this, claiming that since no such attacks have been discovered, the problem doesn't exist.
  --
  Regards
3. Re:We Already Know This by JackHoffman · 2010-02-11 14:13 · Score: 3, Informative
  
  Doesn't anybody read the paper?
  You can not use a fake card. You need a genuine card. The MITM is between the genuine card and the terminal. The transaction goes through because "chip and PIN" isn't the only acceptable protocol. The card can also be used in combination with a signature instead of the PIN. The trick is to make the terminal think that the card is using PIN authentication while the card actually performs the (authenticated!) chip and signature protocol.
  The bank usually gets the information that no PIN was sent to the card, but this information is not relayed back to the terminal in way which is both standardized and authenticated. The "PIN-OK" message from the card to the terminal is not authenticated and the authenticated transaction request/accept messages between the card and the bank (through the terminal) only contain the information in an unstandardized format. That's the flaw.
I work in the fraud department of a UK bank by Anonymous Coward · 2010-02-11 11:42 · Score: 5, Informative

and this actually happens quite a bit, we usually pay out unless
it matches the customers spending pattern,
they tell us they kept the pin with the card,
a family member was doing it.
Slightly wrong by Anonymous Coward · 2010-02-11 13:15 · Score: 3, Interesting

The article states that the banks dont accept liability for a transaction performed with PIN. This is true however the liability isn't pushed to the consumer, it is accepted by the card issuer instead (i.e. mastercard, visa etc.).
I also disagree with their assertion that chip and pin is fundamentally broken. EMV requires the card to generate a cryptogram at the end of the transaction. The card can simply refuse to generate this data if it hasn't received the correct PIN. I am a little suprised that the cards they tried don't do this already.
Some people here have suggested that the PIN be authenticated online. The EMV standard actually supports online authentication of PIN, its just that some banks choose to issue cards that use a PIN that is verified by the card instead because they don't have the systems in place to support online verification. Many banks
For all the people saying that the designers of the system dont know what they are doing i suggest they read the specifications (freely available on the emvco website). They are actually quite good and do support pretty much all of the improvements people here have suggested (and more). The problem is they need to be practical as well, something that most comments here don't consider. There is no point designing a foolproof system that no-one can use.
This hole can be removed and it most certainly will be if criminals start to exploit it.
Re:Noviant Haydont by CrashandDie · 2010-02-11 17:33 · Score: 4, Interesting

The Chip and PIN principle is a lot older in Europe than anywhere else in the world. Asia is far behind, however converting fast, and the US is down the drain. France has implemented a Chip'n'PIN system since the early 90s, and Belgium has been using its local equivalent (Bancontact) since the mid-90s. Because credit/debit cards are synonymous to Chip and PIN cards in Europe, EMV has become a synonym for a unified European payment system.

The US has massive plans to implement EMV. The main difference is that banks are quite opposed to it because the cost of overhauling their complete architecture for the sake of fraud is quite a difficult thing to sell -- we're not talking about a simple card update, every single Point of Sale will need a new terminal, every single individual will need his card replaced. How many credit cards are used in North America? 700 million if my memory serves me well, or more. At roughly $15 per card, when bought in high quantities, that's quite a lot of money. Each terminal costs roughly $150-$230, so that's not a small investment either.

Next to that, you need the network connectivity, and the servers to handle it. I remember discussing this with a colleague some time ago, and by eyeballing it quickly, we got a number of roughly $100 to $130 per customer. Obviously, the banks could always ask for more cash from the government to pay for it?

Source: I work in the industry.
APACS rumbled - all scarper by dugeen · 2010-02-11 22:40 · Score: 4, Insightful

The idea of forcing people to enter PINs into any machine controlled by a retailer was ridiculous from day one - the supposed extra security of Chip & Fraud was merely a way for the banks to transfer liability for fraud to the customer. (Happily the FSA has now forbidden them to do this unless they have actual genuine proof that the customer gave away their PIN - well done guys, springing into action after only 4 years of complaints).