Slashdot Mirror

← Back to Stories (view on slashdot.org)

European Credit and Debit Card Security Broken

Posted by timothy on from the pounding-marks-for-euros dept.

Jack Spine writes "With nearly a billion users dependent on smart banking credit and debit cards, banks have refused liability for losses where an idenification number has been provided. But now, the process behind the majority of European credit and debit card transactions is fundamentally broken, according to researchers from Cambridge University. The researchers have demonstrated a man-in-the-middle attack which fooled a card reader into accepting a number of point-of-sale transactions, even though the cards were not properly authenticated. The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."

16 of 245 comments (clear)

  1. Sigh! Go ahead, by kclittle · · Score: 4, Funny

    ... blame Python! :)

    --
    Generally, bash is superior to python in those environments where python is not installed.
  2. Re:Chip and Chip security... wait a second! by Spad · · Score: 4, Informative

    RTFA. The problem isn't that the PIN is "stored on the card", it's that the card doesn't send any unique data to the terminal when the correct PIN is entered, it just sends a "Correct PIN was entered" message instead.

    So, you stick something between the card and the terminal (the laptop) that intercepts the "Wrong PIN was entered" message from the card and forwards a "Correct PIN was entered" message to the terminal instead.

    TBH I'm rather surprised that any information is allowed to be pulled off the chip without the PIN authenticating the user first; if you had to provide the correct PIN before the card would provide any information it would make it much harder to carry out the fraudulent transaction.

  3. Strike at the heart of the problem by OglinTatas · · Score: 5, Funny

    The researchers used off-the-shelf components (PDF), and a laptop running a Python script...

    It is long past time for governments to criminalize the use of Python.

    --
    More music, fewer hits
  4. Not really surprising... by davebert · · Score: 4, Insightful

    Chip & Pin has never been about minimising fraud - it's about pushing the responsibility from the banks onto the customers. And they're doing the same thing with the ridiculous Verified By Visa programme which just trains people to fall for phishing scams.

    1. Re:Not really surprising... by cdrguru · · Score: 4, Informative

      The problem is that the merchants have insurance and the number of fraudulent accesses is pretty small. So merchants are reluctant to spend $10,000 per terminal for a system as you describe.

      They have been already forced to spend $1000-$2000 per terminal already for something that has $100 of components in it.

      Sure, it could be done as you suggest. But a lot of these systems were designed to work over a 300 baud modem or with no external connection at all - just buffering stuff up until later. So now you would also require a real Internet connection from each terminal. Well, the costs just keep going up on the merchant.

      The end result is that merchants just say they can't implement something like that in all locations. Or the box is too expensive and they aren't buying any of them. So instead of universal penetration it is 5 or 10 percent of the merchants.

      The reason they went with a low-cost, easy-to-implement solution in the first place was to gain wide (if not universal) acceptance so these things could be at every POS location everywhere. No matter what system the merchant was using or at least minimal interface requirements. It is like credit card terminals in the US - there are still a large number of places where they put the sale information into one system and then re-key the sale into a credit card terminal because integrating is too expensive and the terminals are relatively cheap.

  5. Not News by sexconker · · Score: 4, Informative

    This is not news.
    This is the way the system was designed.

    It was designed to be shitty and insecure so fraud could continue.
    It was sold as being highly secure in order to get them into widespread use and to get the laws set up to remove all liability from the banks as long as the system says the card is good.

    The banks profit off of fraud.

    This is all intentional, and it has been going on in criminal circles with these cards before day one. The only difference now is that some group has publicly revealed the sordid details.

  6. Figures... by DoofusOfDeath · · Score: 4, Funny

    Leave it to an English university to focus on phish and chips...

  7. Re:RFID passports by Spad · · Score: 4, Informative

    Only because America decided they wouldn't let any of us into the country if we didn't implement RFID passports.

  8. Re:Chip and Chip security... wait a second! by LostCluster · · Score: 5, Informative

    No. The problem is that the terminal isn't validating the PIN against anything it can trust... it's sending the entered PIN to the card and trusting the result returned, which can easily be spoofed. If the PIN was server-side, it could trust a results-only message... but that's not what's happening here.

  9. Re:Chip and Chip security... wait a second! by spun · · Score: 4, Insightful

    It seems this system was designed expressly to limit bank's liability by providing the illusion of security. "Oh, fraudulent charges, are they? But you entered your PIN... Can you prove your PIN was compromised? no? Tough then, pay up."

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  10. Re:We Already Know This by russotto · · Score: 4, Insightful

    Chip and pin is definitely better then card swipe, or card swipe and pin.

    Card swipe and PIN appears to be better. While I can easily copy a card, there's no way I can manufacture a card which will work with any PIN.

    The only problem is the banks are treating the increase in security as absolute security, and refusing to handle any fraud concerning a chip and pin transaction.

    This is one of the areas where the US is actually ahead of the game. For credit cards, there's $50 liability maximum for the cardholder. For ATM/debit cards, it's also $50 if you notify them within 2 days, but $500 if you notify them within 60 days, of finding out about it. They can't just say "Impossible" and have you jailed for having the temerity to claim a charge was fraudulent (as has happened in the UK).

  11. I work in the fraud department of a UK bank by Anonymous Coward · · Score: 5, Informative

    and this actually happens quite a bit, we usually pay out unless

    it matches the customers spending pattern,
    they tell us they kept the pin with the card,
    a family member was doing it.

  12. Re:Chip and Chip security... wait a second! by shentino · · Score: 4, Interesting

    The problem is that the server storing your account information is trusting the terminal.

    If the terminal can get away with trusting the signal it's getting from the card, then it's actually possible for a counterfeit terminal to rob you without even having the card.

  13. Re:We Already Know This by Peter+H.S. · · Score: 4, Informative

    This has been known for years. The machines and man-in-the-middle attacks are obvious, simply because you cannot verify the authenticity of any machine that you stick your card into and type your PIN. You have no clue that any one of them is doing what you think it should be doing. ATM machines are bad enough, but at least there is some sort of trust over the fact they are at a fixed point and there is some form of physical security around them. With chip and pin machines all you have is utterly blind faith that you have no choice but to accept, and then you get blamed for being insecure by the banks when the inevitable happens.

    Please note that while this is a MIM attack, neither the ATM nor its communication links are compromised. The MIM part is in the _card_, that gives out an "This is a valid transaction PIN code" no matter what. So attach a fake card to some wires running up your sleeve into a laptop and FPGA in a back pack, and and you can draw money from the account to the maximum limit with a fake card and without entering a correct PIN code.

    The sad thing is that the banks are in total denial about this, claiming that since no such attacks have been discovered, the problem doesn't exist.

    --
    Regards

  14. Re:Noviant Haydont by CrashandDie · · Score: 4, Interesting

    The Chip and PIN principle is a lot older in Europe than anywhere else in the world. Asia is far behind, however converting fast, and the US is down the drain. France has implemented a Chip'n'PIN system since the early 90s, and Belgium has been using its local equivalent (Bancontact) since the mid-90s. Because credit/debit cards are synonymous to Chip and PIN cards in Europe, EMV has become a synonym for a unified European payment system.

    The US has massive plans to implement EMV. The main difference is that banks are quite opposed to it because the cost of overhauling their complete architecture for the sake of fraud is quite a difficult thing to sell -- we're not talking about a simple card update, every single Point of Sale will need a new terminal, every single individual will need his card replaced. How many credit cards are used in North America? 700 million if my memory serves me well, or more. At roughly $15 per card, when bought in high quantities, that's quite a lot of money. Each terminal costs roughly $150-$230, so that's not a small investment either.

    Next to that, you need the network connectivity, and the servers to handle it. I remember discussing this with a colleague some time ago, and by eyeballing it quickly, we got a number of roughly $100 to $130 per customer. Obviously, the banks could always ask for more cash from the government to pay for it?

    Source: I work in the industry.

  15. APACS rumbled - all scarper by dugeen · · Score: 4, Insightful

    The idea of forcing people to enter PINs into any machine controlled by a retailer was ridiculous from day one - the supposed extra security of Chip & Fraud was merely a way for the banks to transfer liability for fraud to the customer. (Happily the FSA has now forbidden them to do this unless they have actual genuine proof that the customer gave away their PIN - well done guys, springing into action after only 4 years of complaints).