Slashdot Mirror


Chip and Pin "Weakness" Exposed By Cambridge Researchers

another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"

133 comments

  1. Never trust security through obscurity by dajjhman · · Score: 4, Informative

    Lots of these systems use proprietary protocols and have pushed out 3rd party verification by researchers. The random number being generated by time? Any serious security auditor would have caught that if the banks allowed them in; one of the golden rules of cryptography is to have a proper random number generator. The contact-less systems in the US came under similar fire this past year, after years of assurances by card issuers that it couldn't happen. http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

    --
    The man who cannot imagine a horse galloping on a tomato is an idiot - Andre Breton
    1. Re:Never trust security through obscurity by scdeimos · · Score: 4, Funny

      A web cam pointed at a lava lamp works for some people.

    2. Re:Never trust security through obscurity by Anonymous Coward · · Score: 2, Informative

      What exactly is this 'chip and pin' system in UK apparently. Sounds British (like fish and chips?)...hahaha.

      It's referring to a credit card & a pin number combination for security.

    3. Re:Never trust security through obscurity by Anonymous Coward · · Score: 2, Informative

      credit and debit card too.

    4. Re:Never trust security through obscurity by MadMaverick9 · · Score: 1, Troll

      Does cash not work over there anymore?

      gee - where do you live?

      It's "1984" and governments and big corporations want to know what you're doing and where you're doing it.

      Can't do that with cash.

    5. Re:Never trust security through obscurity by whoever57 · · Score: 2

      Does cash not work over there anymore?

      Actually, US-issued credit cards can be problematic in the UK because some ignorant shopkeepers and workers think that they cannot accept a card that does not have chip-and-pin.

      --
      The real "Libtards" are the Libertarians!
    6. Re:Never trust security through obscurity by mjwx · · Score: 1

      What exactly is this 'chip and pin' system in UK apparently. Sounds British (like fish and chips?)...hahaha.
      Guessing it has something to do with a credit card type thing?

      Chip and Pin is the brand name for bank card security in the UK. It refers to a PIN (Number) and a chip embedded in the card. Chipped cards are a bit harder to replicate than regular mag stripe cards.

      Does cash not work over there anymore?

      Yes, cash still works in merry old England, but much like a lot of fools in the US and Australia they have been brainwashed by their bank overlords to shun cash and pay for everything using credit. This is because the bank overlords get to charge the merchant for accepting credit but not for accepting cash (which is in turn passed on to the unsuspecting fool of a customer in the form of higher prices).

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    7. Re:Never trust security through obscurity by foniksonik · · Score: 0

      Cash can be lost, stolen and devalues through inflation. My bank account is tied to my market account which cannot be lost or stolen (FDIC) and does not devalue, often increasing in value over time.

      My credit accounts are other people's money I borrow to pay debts with a float and no interest unless I choose to pay it while my money is increasing more quickly or I can get a better return in an investment.

      My money increases slowly but surely. Your cash is a pile of paper with no future.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
    8. Re:Never trust security through obscurity by Anonymous Coward · · Score: 1, Interesting

      > Can't do that with cash.

      Are you serious? Scanning devices for bill's serial numbers are ubiquitous. The ATM knows who it gave the bills to, the cash register knows who it got the bills from and so on.

      If you want to stay anonymous, pay everything with coins. Those are secure for now.

    9. Re:Never trust security through obscurity by stepho-wrs · · Score: 2

      It means smart cards (typically embedded in credit/debit cards) that have a chip on the card.
      You enter your PIN into the payment terminal at a store and it uses the PIN to form part of the key used for comms with the card.

      Whereas magnetic credit cards and PINs (er, I mean personal PIN numbers) have been used since the 1960s without a chip on the card.

    10. Re:Never trust security through obscurity by mjwx · · Score: 1

      Cash can be lost, stolen

      And credit can't.

      Awaken from your dreamy state

      devalues through inflation.

      Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.

      My credit accounts are other people's money

      The problem with spending other people's money is that other people are going to want their money back... with interest. Would you lend your money for free?

      A question that no credit addled fool has been able to answer is "why would a bank, a profit oriented business, offer you a service they don't make money on". And no, you're not an outlier who's outsmarted the bank.

      The fact is you force merchants to pay a percentage of your transaction in a "merchant service fee" or bank interchange fee in some countries. This comes straight back to you in the form of higher prices.

      My money increases slowly but surely. Your cash is a pile of paper with no future.

      Wrong again.

      My money increases at the same rate as yours, the difference is I have no debt to pay off that reduces it.

      Actually do the numbers, over 4 years you will at best have earned $500 more interest than me and if you miss one payment you will have wiped that off completely and some. Remember that at that time you will owe money and I will not so I will end up with more money after you've paid your debts.

      Seriously, do the numbers. Say I earn $2,000 p/m and have expenses of $1,500 p/m. If my initial payment is $500 @ 5% PM I have $26,512 after 48 months ($2,512 in interest). If I deposited the entire $2000 for that first month I would have $28,334 after 48 months ($2844 in interest) but I'd still have to pay off $1,500 so that brings my total down to $26,834 giving you a grand total of $500 extra at the very best.

      However when we consider that you pay between 0.5-3% per transaction on your credit card, you've pissed away $720 (at just 1% of $1,500 p/m) in merchant fees in the same period you've gained $500 in interest.

      Once again, we go back to the question "why would a bank lose money on you". The simple answer is they don't, they love people like you because you make them money without even realising it.

      Also don't give me any bollocks about not missing a payment, say you're fired, in hospital or your payments are screwed up in any other fashion.

      I won't even bother telling you about the amount I've saved in the last four years by paying with my own money. Even just in avoiding CC surcharges I've made $500. Credit cards have their place, just not for everyday transactions. For that I use cash or debit.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    11. Re:Never trust security through obscurity by SuricouRaven · · Score: 1

      An ideal RNG uses a quantum entropy source. Usually thermal noise, sometimes radioactive decay. It has to be done in hardware. Some modern processors include a thermal noise RNG on-die, but for a high-volume application like banking that wouldn't be enough entropy, so they'd have to use an RNG peripheral. You can get them as USB sticks or PCI(/e) cards.

    12. Re:Never trust security through obscurity by lxs · · Score: 5, Informative

      It's not that they cannot accept a card like that, but that the processor will not reimburse the shop in case of fraud. At least that's the case here in the Netherlands.

    13. Re:Never trust security through obscurity by tubs · · Score: 0

      > (er, I mean personal PIN numbers)

      You do know that PIN is a TLA that stands for "Personal Identification Number" :-)

      --

      try to make ends meet, you're a slave to money, then you die

    14. Re:Never trust security through obscurity by tubs · · Score: 1

      If a merchant has a business bank account, then they pay whenever they make a deposit, and a withdrawal. If they handle a lot of cash, then they also have to deal with security - safe, how to get the money deposited etc etc.

      Unless a merchant's average transactions are less than about 5 pounds, it makes economic sense to do things via electronic transactions rather than by cash.

      --

      try to make ends meet, you're a slave to money, then you die

    15. Re:Never trust security through obscurity by Anonymous Coward · · Score: 1

      However when we consider that you pay between 0.5-3% per transaction on your credit card, you've pissed away $720 (at just 1% of $1,500 p/m) in merchant fees in the same period you've gained $500 in interest.

      The merchant fees are paid by all the merchant's customers though (through higher prices). Also the ones paying in cash.

    16. Re:Never trust security through obscurity by Dr_Barnowl · · Score: 1

      not for accepting cash

      Not true; banks charge merchants for handling cash. So much so that supermarkets here will offer to add some cash to your bill ("cashback"), obviating the need for you to visit an ATM. You benefit from increased convenience and they benefit from reduced cash handling charges.

    17. Re:Never trust security through obscurity by cybernanga · · Score: 1

      yes, but they don't know where the note has been, or who has had it in between those two points.

      Therefore, as long as I don't get cash from the bank, or an ATM, or deposit cash into my own account, they'll never know what I've been up to.

      --
      www.Buy-Proxy.com - A "buyer-driven" global marketplace.
    18. Re:Never trust security through obscurity by stepho-wrs · · Score: 1

      whoosh....

    19. Re:Never trust security through obscurity by stepho-wrs · · Score: 3, Funny

      A personal PIN number is what you enter into an automatic ATM machine or an electronic EFT terminal.

    20. Re:Never trust security through obscurity by Mithent · · Score: 3, Interesting

      Cash works here, but I'd rather use a card if the store accepts one, because it's more convenient for me. Cash involves trips to the ATM, bulking out my wallet with coins, and hopefully having appropriate denominations for the purchase at hand (a £20 note seems a bit much for a 60p purchase, while a collection of 10p and 5p pieces is going to be annoying if it's £5). If it gets stolen, it's essentially guaranteed lost, which means I shouldn't carry a lot of it at once, whereas if my card gets stolen, I can hopefully cancel it before it's used by the thief, which Chip and PIN makes more difficult. There are also additional protections afforded for purchases on credit cards, and my credit card offers 1% cashback. Yes, it would be stupid to run up credit card debt, but that's easy to avoid by paying the full balance each month.

      I'll pay by cash if I have to, but I'd much rather pay by card, which means I always have the right amount to hand and I get nothing back but a receipt.

    21. Re:Never trust security through obscurity by mjwx · · Score: 1

      If a merchant has a business bank account, then they pay whenever they make a deposit, and a withdrawal. If they handle a lot of cash, then they also have to deal with security - safe, how to get the money deposited etc etc.

      Unless a merchant's average transactions are less than about 5 pounds, it makes economic sense to do things via electronic transactions rather than by cash.

      Please note, I said credit not electronic transactions. Electronic transactions on Debit (i.e. using your own money rather than the bank's) attract a much lower service fee in Australia, some as low as A$0.20 here in Oz; most CC transactions cost more even before the interchange fee comes out. I'd be surprised if the UK were different.

      Secondly, if it were true that cash costs more than EFT for anything over A$20/GBP 5, why would car yards offer better deals for cash? Every business is different; for a lot of businesses that do a high frequency of trade (cafés, restaurants, 7-11/convenience stores) EFT costs a lot more than cash. OTOH, for places that do a low volume trade on high margin items (laptops, jewellery) the costs of using EFT are minimised. In both cases, credit as opposed to debit always costs the business more.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    22. Re:Never trust security through obscurity by mjwx · · Score: 1

      not for accepting cash

      Not true; banks charge merchants for handling cash. So much so that supermarkets here will offer to add some cash to your bill ("cashback"), obviating the need for you to visit an ATM. You benefit from increased convenience and they benefit from reduced cash handling charges.

      Are you trying to say there is a per transaction charge for handling cash?

      If you aren't, it has no bearing on what I said.

      You need to give this a read and consider the costs to businesses. When you put everything on credit, you make a dent in that business's profit and they have to in turn raise prices to compensate. Whilst massive super chains can bury costs like interchange and service fees in huge contracts, franchise owners and small businesses can't. Realistically, if you think putting everything on the credit card is saving or earning you anything you're deluding yourself. Ask yourself, why would a bank, one of the most solid profit oriented businesses on earth, offer you a service they lose money on?

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    23. Re:Never trust security through obscurity by Captain+Hook · · Score: 3, Insightful

      The fact is you force merchants to pay a percentage of your transaction in a "merchant service fee" or bank interchange fee in some countries

      While that's true, you are forgetting that handling cash is not free for the merchant either.

      It has to be handled by staff that can lose or steal it, it has to be transported around the store securely and transported to a bank to be paid in to an account (banks charge businesses for paying cash into an account) so the business can use the money for purchasing of supplies, paying rents and mortgage etc.

      Credit Card fees look scary for the merchant because the fee is stated upfront in the contract with the Credit Card Provider but cash has costs as well, possibly hugely variable costs compared to a stated percentage per transaction.

      --
      These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    24. Re:Never trust security through obscurity by Anonymous Coward · · Score: 0

      A personal PIN number is what you enter into an automatic ATM machine or an electronic EFT terminal.

      I think you've got this one mixed up. EFT is "electronic funds transfer"

    25. Re:Never trust security through obscurity by Anonymous Coward · · Score: 0

      He's right, somewhat.

      It's Personal Identification PIN Number.

    26. Re:Never trust security through obscurity by LordKronos · · Score: 2

      You are clueless.

      Cash can be lost, stolen

      And credit can't.

      No. Federal law limits my liability to $50 by law, but every single one of my credit cards actually goes further and limits my liability to $0. No risk to me.

      devalues through inflation.

      Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.

      Not sure how my "credit devalues through inflation". My "credit" has no actual cash value to me. The only effect inflation has is on my spending ability for a given credit line, but given the size of my credit line, I'll never reach that point...especially since lenders tend to increase that credit line over time.

      My credit accounts are other people's money

      The problem with spending other peoples money is that other people are going to want their money back... with interest.

      Funny. I haven't paid a cent in interest to a credit card in way more than a decade. On the other hand, I've made thousands from my credit cards, in the form of cash back and (more importantly) sign up bonuses.

      A question that no credit addled fool has been able to answer is "why would a bank, a profit oriented business, offer you a service they don't make money on".

      They lend me money because most people DO pay interest. They take a gamble on me that I'll be just as profitable. They lose that gamble every time.

      The fact is you force merchants to pay a percentage of your transaction in a "merchant service fee" or bank interchange fee in some countries. This comes straight back to you in the form of higher prices.

      If you could get everyone (or at least a very significant number of people) in the country to switch to cash, then maybe prices would go down. Otherwise, me switching to cash isn't going to reduce my costs one bit. All it's going to do is stop earning me cash back and sign up bonuses.

      I won't even bother telling you about the amount I've saved in the last four years by paying with my own money. Even just in avoiding CC surcharges I've made $500. Credit cards have their place, just not for everyday transactions. For that I use cash or debit.

      LOL. I've MADE almost $2500 just this year from credit card sign up bonuses, and that doesn't count what my wife has earned from the same.

    27. Re:Never trust security through obscurity by Charliemopps · · Score: 1

      Can't buy pot with a debit card. Well... except for California.

    28. Re:Never trust security through obscurity by drinkypoo · · Score: 2

      Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.

      Uh no.

      Credit doesn't devalue through inflation because if they think they can drive you into debt someday they will keep raising your limits.

      $1000 borrowed is not $1000+interest unless you borrow the money for longer than 30 days. If you repay within the window you don't actually pay any interest. And in the case of hyperinflation, you'd actually make money by not paying, so there are situations where you're even more wrong. Credit has its uses.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    29. Re:Never trust security through obscurity by Anonymous Coward · · Score: 0

      Correct. Most banks require one to enter a PIN into a security token before arranging an EFT through on-line banking.

    30. Re:Never trust security through obscurity by petermgreen · · Score: 2

      The ideal RNG collects as much entropy from the real world as there is information in its output. Second best is a cryptographically secure PRNG. To be cryptographically secure, given an arbitrary sized sample of the output it must be computationally infeasible to predict the next bit with an accuracy greater than random chance. This requires both an algorithm that is resistant to reversal and sufficient seed data and internal state to prevent brute forcing of the random number generator's state.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
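
      The two criteria above (resistance to reversal, and enough internal state to defeat a brute-force search) can be made concrete with a small comparison. The following is an added example, not code from the thread or from any bank or terminal vendor: a constructed 16-bit linear congruential generator whose next output can be predicted after observing a few outputs and whose state can be stepped backwards, beside a simplified HMAC-chain generator seeded from OS entropy. The LCG constants, the `HmacChainRng` construction and every name here are assumptions made for the example; the HMAC generator is a sketch of the idea, not a conforming NIST HMAC_DRBG. It also illustrates the point made earlier in the thread about a random number derived from time: seeding a generator from a clock shrinks the search space to the set of plausible timestamps, which is even smaller than the 2^16 states searched below.

```python
"""Added example (not from the thread): what "sufficient internal state" and
"resistant to reversal" mean in practice. Everything here is constructed for
illustration; HmacChainRng is a simplified sketch, not NIST HMAC_DRBG."""
import hashlib
import hmac
import secrets
from typing import Optional

# --- A: a toy generator with only 16 bits of state -------------------------
M = 1 << 16
A, C = 25173, 13849       # constructed LCG constants; A is odd, so invertible mod M
A_INV = pow(A, -1, M)     # modular inverse of A (Python 3.8+)


def lcg_next_state(state: int) -> int:
    return (A * state + C) % M


def lcg_prev_state(state: int) -> int:
    """The recurrence is invertible, so the generator is trivially reversible:
    whoever learns the state can recover every earlier output as well."""
    return ((state - C) * A_INV) % M


def lcg_output(state: int) -> int:
    return state >> 8     # the caller sees the top 8 bits of the state


def lcg_stream(seed: int, n: int) -> list:
    """The outputs an observer would see, e.g. a terminal's nonces."""
    outs, s = [], seed % M
    for _ in range(n):
        s = lcg_next_state(s)
        outs.append(lcg_output(s))
    return outs


def lcg_predict_next(observed: list) -> set:
    """Try every one of the 2^16 possible seeds, keep those that reproduce the
    observed outputs, and return the outputs they would emit next. With this
    little state the search is instant; a clock-derived seed (as the thread
    suggests some terminals used) leaves only the plausible timestamps."""
    predictions = set()
    for seed in range(M):
        s, consistent = seed, True
        for o in observed:
            s = lcg_next_state(s)
            if lcg_output(s) != o:
                consistent = False
                break
        if consistent:
            predictions.add(lcg_output(lcg_next_state(s)))
    return predictions


# --- B: a generator that meets petermgreen's criteria ----------------------
class HmacChainRng:
    """256-bit key from OS entropy (secrets); output = HMAC(key, counter); the
    key is ratcheted through HMAC after every output. Predicting the next
    output means inverting HMAC-SHA256 or guessing a 256-bit key, and a
    captured state does not reveal earlier outputs (the ratchet is one-way)."""

    def __init__(self, seed: Optional[bytes] = None):
        self.key = seed if seed is not None else secrets.token_bytes(32)
        self.counter = 0

    def next_bytes(self) -> bytes:
        self.counter += 1
        out = hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        return out


if __name__ == "__main__":
    seen = lcg_stream(4242, 4)
    print("observed:", seen, "-> next output is one of", lcg_predict_next(seen))
    print("CSPRNG output:", HmacChainRng().next_bytes().hex())
```

      The brute-force loop is the whole lesson: four observed bytes are enough to pin down a 16-bit state, so anyone who can watch the outputs can predict the next one. The HMAC chain has 2^256 possible keys and no inverse step, which is what "sufficient state" and "resistant to reversal" buy you.
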
    31. Re:Never trust security through obscurity by SQLGuru · · Score: 1

      I assume a Car Yard is what I refer to as a Car Dealership -- a place to purchase cars.......

      I think the key is who is taking the risk. A car dealership gives a discount for cash because they don't take any risk. If you take a loan, there's a chance you will default.....and they take a hit for that. A normal shop (i.e. for clothes) doesn't take the hit if you use credit (other than increased transaction fees), so they don't give a discount.

      If you were to go in to a car dealership and negotiate as if you were paying cash, but paid with a credit card, they would still give you the discount.

    32. Re:Never trust security through obscurity by Anonymous Coward · · Score: 0

      that should be the case *ONLY* if the customer has a card with chip&pin.

    33. Re:Never trust security through obscurity by necro81 · · Score: 3, Informative

      IEEE Spectrum reported last year on new RNG tech from Intel, called Bull Mountain, and implemented in Ivy Bridge processors. It uses a large array of cross-coupled inverters. Thermal noise (a semi-random process) causes each inverter pair to latch to 1 or 0 very quickly. The inverters are reset, then allowed to re-latch, many times per second. This isn't particularly new. But they also add circuitry that continuously checks the statistical randomness of the output, and combines multiple number streams to ensure maximum randomness. The result then becomes the seed for a more conventional PRNG. The upshot is the ability to produce billions of demonstrably random numbers per second, all in a low-power peripheral on the microprocessor.

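      The pipeline described above (raw noise source, continuous health checks, conditioning, then a conventional PRNG seeded from the result) is easy to model in software, and the model shows why the health checks sit in front of the conditioner. The following is an added example, not Intel's design or code and not from the thread: the two health tests are written in the spirit of the repetition-count and adaptive-proportion continuous tests from NIST SP 800-90B, but the thresholds, window sizes and the simulated noise sources are all constructed for this example, and the conditioner and PRNG stage are ordinary SHA-256 and HMAC-SHA256 rather than any vendor's circuit.

```python
"""Added example (not from the thread, not Intel's design): a software model of
raw noise -> continuous health tests -> conditioning -> seed for a PRNG.
Thresholds, windows and the simulated sources are constructed for the demo."""
import hashlib
import hmac
import random


class HealthTestFailure(Exception):
    """Raised when the raw source looks stuck or biased; its output must not be used."""


def repetition_count_ok(bits, cutoff=32):
    """Reject a run of `cutoff` identical bits: the signature of a stuck source."""
    run = 1
    for i in range(1, len(bits)):
        run = run + 1 if bits[i] == bits[i - 1] else 1
        if run >= cutoff:
            return False
    return True


def adaptive_proportion_ok(bits, window=512, max_fraction=0.75):
    """Reject any window in which one value exceeds max_fraction: a biased source.
    A fair source gives about 50% ones per window; 75% is far outside that."""
    for start in range(0, len(bits) - window + 1, window):
        w = bits[start:start + window]
        ones = sum(w)
        if max(ones, window - ones) > max_fraction * window:
            return False
    return True


def condition(bits):
    """Conditioner: compress the raw bits to a 256-bit seed with SHA-256.
    Hashing many more input bits than output bits smooths mild bias and
    correlation, but it cannot create entropy the source lacks, which is why
    the health tests run first."""
    packed = int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")
    return hashlib.sha256(packed).digest()


def seed_from_source(bits):
    """Full pipeline: health-test the raw bits, then condition them."""
    if not repetition_count_ok(bits):
        raise HealthTestFailure("repetition count test failed")
    if not adaptive_proportion_ok(bits):
        raise HealthTestFailure("adaptive proportion test failed")
    return condition(bits)


def source_is_healthy(bits):
    """Convenience wrapper: True if the pipeline would accept this sample."""
    try:
        seed_from_source(bits)
        return True
    except HealthTestFailure:
        return False


def prng_from_seed(seed, n_blocks):
    """The 'more conventional PRNG' stage: HMAC-SHA256 in counter mode."""
    return [hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()
            for i in range(n_blocks)]


# --- constructed stand-ins for the hardware noise source -------------------
def simulated_noise(n, seed=1):
    """Fair bits from a seeded PRNG, standing in for healthy thermal noise."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def stuck_source(n):
    """A latch that never flips."""
    return [1] * n


def biased_source(n, p_one=0.9, seed=2):
    """A source that flips, but lands on 1 ninety percent of the time."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


if __name__ == "__main__":
    seed = seed_from_source(simulated_noise(4096))
    print("seed:", seed.hex())
    print("first PRNG block:", prng_from_seed(seed, 1)[0].hex())
    for name, src in (("stuck", stuck_source(4096)), ("biased", biased_source(4096))):
        print(name, "source accepted:", source_is_healthy(src))
```

      The stuck and biased sources both hash to perfectly random-looking 256-bit seeds, which is exactly the problem: nothing downstream of the conditioner can tell a dead source from a live one. Only the tests on the raw bits can.

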
    34. Re:Never trust security through obscurity by cayenne8 · · Score: 1

      ...the cash register knows who it got the bills from and so on.

      Wow...where do you live where you've seen a cash register that scans money put in or taken out of it???

      I've only seen the conventional kind with a human teller as the go between myself and my money to the till, which I've not ever seen scan money...??

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    35. Re:Never trust security through obscurity by Anonymous Coward · · Score: 0

      I'll pay by cash if I have to, but I'd much rather pay by card

      I go months without carrying any cash, not a cent. I pay 10-cent transactions with my debit card. There's barely any occasion in Finnish society where you'd need cash, and there's never any transaction charge.

      (The only exception I can think of is volunteers' coffee stands at children's soccer fields. They don't have the POS equipment and accept cash only.)

    36. Re:Never trust security through obscurity by cayenne8 · · Score: 1

      If a merchant has a business bank account, then they pay whenever they make a deposit, and a withdrawal.

      Not sure where you get that idea. I have a business account with the bank, and I don't pay for any type of deposits (cash or check), nor do I get charged a fee for withdrawals of either.....

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    37. Re:Never trust security through obscurity by Anonymous Coward · · Score: 0

      PNS Syndrome much?

    38. Re:Never trust security through obscurity by leonardluen · · Score: 1

      Why do geeks get so bent out of shape about people saying "PIN Number" when we have things like GNU?

    39. Re:Never trust security through obscurity by leonardluen · · Score: 1

      Are you trying to say there is a per transaction charge for handling cash?

      Yes, actually there is! The store needs to keep their register stocked with small bills and change in order to make change for customers using cash. At least in the US businesses typically pay a fee to buy large quantities of coins and small bills from banks. Sometimes they also need to pay a fee to deposit large quantities of coins, such as if they end up with too many nickels in the register and don't know what to do with them.

      You also then have to somehow securely transfer the money to the bank, and the change from the bank to your registers. This is a direct cost that is incurred by the business for using cash.

      As well, a smart business balances their registers every night, or at shift change. This takes one or more employees' time to count the cash in the drawer to make sure your employee wasn't crooked and stealing from you (or just stupid and doesn't know how to count out correct change).

      There are other indirect costs to handling cash.
      1) making change is often slower than credit cards (time is money)
      2) you have various fraud risks, such as a bill being fake
      3) the cashier could just pocket the cash (or even just give out the wrong change to the patron)
      4) it is a target for thugs. credit card receipts don't interest them much, but cash does.

      Handling cash definitely isn't free.

    40. Re:Never trust security through obscurity by Anonymous Coward · · Score: 0

      Almost every store I go to in Texas has a (or multiple) self-checkout aisle; surely these scanners can record serial numbers since they scan the bill for denomination anyway.

    41. Re:Never trust security through obscurity by tragedy · · Score: 1

      It's so depressing that it's the 21st century and they can't even get this right yet. It's so bloody simple to make the security perfect (DISCLAIMER: providing physical security is maintained for the device and the bank's servers aren't compromised and also that potentially unprovable truths about cryptography hold true). We have tiny and inexpensive solid state storage that can hold gigabytes. You throw one into the chip and pin device and you fill it up with random strings created on the bank's servers (and you use a good source of randomness and also randomly distribute the random strings so that there aren't runs of strings created in order) and loaded into the device when it's made. The storage on the device is write-once, read-never (it can be read internally, but not from an external reader without cutting up the device and modifying it). Every random string loaded onto the device is assigned to a unit of time, such as a single minute, in the lifetime of the card. With one gigabyte, for example, you could store about twenty years worth of 128 byte strings at one minute intervals. Then, every time a transaction is made, the authentication for the transaction (which should fit into 128 bytes easily) is XORed against the random string for the particular minute that the transaction takes place in (it can even be done offline, without any time synchronization as long as the clock on the checkout device isn't way off). You combine that with additional encryption using another hidden key and the PIN (which you obviously don't store anywhere on the card, you just save a hash of it on the bank's servers).

      With a system like that, which is conceptually dead simple and obvious, you're using a theoretically unbreakable (but maybe unprovably so) one time pad for every transaction as well as using a PIN. To falsify a transaction, someone either needs to break the security on the bank's servers, or both obtain your PIN and your authentication device and perform some fancy surgery on it.

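      The scheme in the post above is concrete enough to model end to end, and modelling it surfaces the one edge case the post glosses over: two transactions in the same minute would share a pad, and reusing a one-time pad is its classic failure mode. The following is an added example, not code from the thread or from any card scheme. Assumptions it makes that the post does not state: pads are 128 bytes indexed by minute since the card was issued; the minute index is sent in the clear beside the masked message; the bank holds an identical pad table; the bank stores a salted hash of the PIN; and both the card and the bank refuse to use a minute's pad twice. All pads, salts and sample values are constructed here.

```python
"""Added example (not from the thread): a toy model of the per-minute one-time
pad scheme proposed above, with the bank side that checks it. Pads, salt,
merchant ids and PINs are constructed; nothing here is a real scheme."""
import hashlib
import hmac
import secrets
from typing import Optional

PAD_LEN = 128          # the post's 128-byte pad per minute
MSG_LEN = 32           # amount (8) + merchant id (16) + PIN (8), zero-padded to PAD_LEN


def make_pad_table(minutes: int) -> list:
    """Stand-in for the bank generating the card's pads from a good source."""
    return [secrets.token_bytes(PAD_LEN) for _ in range(minutes)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pin_hash(pin: bytes, salt: bytes) -> bytes:
    """What the bank stores instead of the PIN (the post says 'a hash'; salted here)."""
    return hashlib.sha256(salt + pin).digest()


class Card:
    """Holds the pad table (write-once, read-never from outside) and refuses to
    use any minute's pad twice. The PIN is supplied per transaction and never
    stored on the card, as the post requires."""

    def __init__(self, pads: list):
        self._pads = pads
        self._used = set()

    def can_authorise(self, minute: int) -> bool:
        return 0 <= minute < len(self._pads) and minute not in self._used

    def authorise(self, minute: int, amount: int, merchant: bytes, pin: bytes) -> bytes:
        if not 0 <= minute < len(self._pads):
            raise ValueError("minute outside the card's lifetime")
        if minute in self._used:
            raise RuntimeError("pad for this minute already used; refusing reuse")
        if len(merchant) > 16 or len(pin) > 8:
            raise ValueError("field too long for the fixed layout")
        msg = (amount.to_bytes(8, "big")
               + merchant.ljust(16, b"\x00")
               + pin.ljust(8, b"\x00"))
        assert len(msg) == MSG_LEN
        # Zero padding up to PAD_LEN is harmless: the pad bytes it exposes belong
        # to a pad that is never used again.
        self._used.add(minute)
        return xor_bytes(msg.ljust(PAD_LEN, b"\x00"), self._pads[minute])


class Bank:
    """Holds the same pads and the salted PIN hash; unmasks the message, checks
    the PIN, checks the minute against its own clock, and rejects replays."""

    def __init__(self, pads: list, stored_pin_hash: bytes, salt: bytes):
        self._pads = pads
        self._pin_hash = stored_pin_hash
        self._salt = salt
        self._seen = set()

    def verify(self, minute: int, masked: bytes, now_minute: int,
               max_skew: int = 2) -> Optional[dict]:
        if not 0 <= minute < len(self._pads) or abs(now_minute - minute) > max_skew:
            return None                      # out-of-range pad index or stale clock
        if minute in self._seen or len(masked) != PAD_LEN:
            return None                      # replay of a consumed minute, or malformed
        plain = xor_bytes(masked, self._pads[minute])
        pin = plain[24:32].rstrip(b"\x00")
        if not hmac.compare_digest(pin_hash(pin, self._salt), self._pin_hash):
            return None                      # wrong PIN (constant-time compare)
        self._seen.add(minute)
        return {"amount": int.from_bytes(plain[:8], "big"),
                "merchant": plain[8:24].rstrip(b"\x00").decode()}


if __name__ == "__main__":
    salt = b"constructed-salt"
    pads = make_pad_table(60)                # a one-hour card for the demo
    card, bank = Card(pads), Bank(pads, pin_hash(b"1234", salt), salt)
    blob = card.authorise(10, 1999, b"SHOP-0001", b"1234")
    print(bank.verify(10, blob, now_minute=11))   # accepted
    print(bank.verify(10, blob, now_minute=11))   # replay -> None
    print(card.can_authorise(10), card.can_authorise(11))
```

      Storage is the post's strong point and the model confirms it: 60 minutes of 128-byte pads is under 8 KB, so a 20-year table fits comfortably in the gigabyte mentioned. The cost is in the bookkeeping the post leaves out, which the `_used` and `_seen` sets carry here: without them a second purchase in the same minute reuses the pad, and without the bank-side replay set a captured blob could be presented again within the clock-skew window.

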
    42. Re:Never trust security through obscurity by swillden · · Score: 1

      Full specifications are available. There is no security through obscurity here.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    43. Re:Never trust security through obscurity by swillden · · Score: 2

      Full specifications are available. There is no security through obscurity here.

      Doh, managed to delete the rest of my post before submitting. I guess I should actually look at the preview.

      Anyway, the problem here isn't obscurity, it's just implementation errors. Granted that the systems should have been audited.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    44. Re:Never trust security through obscurity by mcgrew · · Score: 1

      Scanning devices for bill's serial numbers are ubiquitous.

      Who is Bill and why didn't you capitalize his name? Is his serial number tattooed on his forehead or something?

    45. Re:Never trust security through obscurity by fatphil · · Score: 2

      Because we are not sanctioning "GNU Unix", nor ever would, and the expansion of the "P" in "PIN" is not "PIN". There's practically no similarity between the two cases apart from the fact that there are TLAs involved.

      --
      Also FatPhil on SoylentNews, id 863
    46. Re:Never trust security through obscurity by Anonymous Coward · · Score: 0

      That's odd, a lot of things I have read say to not mention the fact that you are paying cash until the haggling is done. The argument is that many dealerships get kickbacks from the onsite loan department, and so can go lower in prices. (External loans, say from your bank, are effectively cash as far as the dealership is concerned)

    47. Re:Never trust security through obscurity by tubs · · Score: 1

      Chip &amp; PIN is an electronic transaction (done via credit card or by debit card, as it supports both); indeed I don't think you'd find many places that can do a manual credit card transaction (although it is possible) just because banks don't give out the slips and the streamline machines.

      --

      try to make ends meet, you're a slave to money, then you die

    48. Re:Never trust security through obscurity by Anonymous Coward · · Score: 0

      Credit Card fees look scary for the merchant because the fee is stated upfront in the contract with the Credit Card Provider but cash has costs as well, possibly hugely variable costs compared to a stated percentage per transaction.

      They have to take "the cost of cash" anyway - but the cost of credit cards is optional. At least here you are not allowed to refuse cash payment - cash is "forced currency". If you run a shop, the law says a customer can demand to pay in cash. You don't have to accept cards, cheques or gold though.

    49. Re:Never trust security through obscurity by Anonymous Coward · · Score: 0

      And in the case of hyperinflation, you'd actually make money by not paying, so there are situations where you're even more wrong. Credit has its uses.

      Banks are not going to lose money like that. When there is inflation, the interest rate will be even higher.

    50. Re:Never trust security through obscurity by plover · · Score: 1

      surely these scanners can record serial numbers since they scan the bill for denomination anyway.

      Surely they don't.

      Bill acceptors rely on several attributes to test a piece of paper to ensure it really is money. They shine various lights at it and through it, they run it over a magnetic ink detector, they check the thickness, they measure the dimensions, they match the images to a database of known images, but they do not record the images of the bills they accept. They just keep track of the amount.

      Now, the cameras over the cash registers are taking plenty of photos of you. It would be possible to go back through a day's footage and see who paid in cash throughout the day, and figure out which image had you spending the $100 bill. But even that's just a picture, and it still doesn't tell me what your name is.

      --
      John
    51. Re:Never trust security through obscurity by plover · · Score: 1

      If you could get everyone (or at least a very significant number of people) in the country to switch to cash, then maybe prices would go down. Otherwise, me switching to cash isn't going to reduce my costs one bit. All it's going to do is stop earning me cash back and sign up bonuses.

      If everyone switched to cash, prices would likely go up, not down. For large merchants, I know the cost of handling cash is substantially higher than the cost of handling credit transactions.

      Credit transactions: A cash register has to be on a network, and have a PIN pad attached. A reader has to read a card, and some bits take a few milliseconds to flow through a wire. An occasional piece of paper has to be printed, signed, and collected. Visa and the bank take their cut on the back end. Occasionally, a bad credit transaction will be charged back to the retailer. All in all, the process is very automated from start to finish, with a few special hardware requirements like PIN pads, and some secure handling activities go on, like changing certificates.

      Cash transactions: A store keeps a large, expensive safe full of money in a secured back room. Two people open the safe, take out the day's money, and run it through another expensive machine to count it. They put it in bags, and someone carries those bags to the cash registers. Cashiers take those bags, count the money, and put it in their specially designed armored money drawers (tills). Customer comes, and says "I'd like to pay with cash." Cashier takes time to manually count the customer's money, places it in the till, then counts out and returns the correct change to the customer. At the end of the day, the cash is collected from the tills, brought to the back room, counted in the expensive machine, and is then stored in the expensive safe. The next day, an armored car service is contracted to drive up and pick up the contents of the safe, which they then drive to a bank. All that security equipment, safes, cash counters, cash register tills, money room security systems, alarms, all cost a lot of money to buy and maintain. The handling of the money so many times throughout the day costs a lot in labor. And the cost of an armored car service takes their cut as well.

      Finally, cash has a lot of unique risks. There's a risk that people who are trusted to handle it might actually steal it; there's a risk that someone will pass you forged money; and it's a deliciously tempting robbery target, meaning all those people who handle it throughout the day are at risk of being shot by a robber. Nobody ever gets shot for a stack of credit slips.

      For small retailers, the expenses are likely much lower. The safe might be right under the single cash register. The manager would likely have free time at the start and end of day to do some of the cash management activities. The money is probably deposited in the bank by the shop owner, and not driven in an armored car. But for the big stores, accepting cash is a huge expense.

      --
      John
    52. Re:Never trust security through obscurity by makomk · · Score: 1

      The entire point of this article is that, due to really stupid cryptographic flaws in debit and credit cards, money can be stolen from your bank account too - and the banks will hold you liable because they've got rock-solid "proof" that the money must've been withdrawn using your card and your PIN.

    53. Re:Never trust security through obscurity by dajjhman · · Score: 1

      Full specifications are available. There is no security through obscurity here.

      Actually, it is obscurity. The specification you linked to was NOT followed by the device manufacturer; they just assumed that since they didn't tell anyone they violated a proper practice, no one would notice. The specifications listed by you require devices to adhere to the random number generating requirements outlined in ISO 18031, which the machines did not. This standard mandates that an unpredictable entropy source be used as the seed for any random number generating function. The devices were implementing the use of date and time as a seed. This is what a lot of kids are taught in school for computer class, but any cryptographer is supposed to avoid it.

      --
      The man who cannot imagine a horse galloping on a tomato is an idiot - Andre Breton
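The point made in the post above (a clock-seeded generator versus an entropy-seeded one) as an added, runnable example, not code from the thread or from any terminal vendor: the terminal names, the log and the time window are constructed here for illustration, and the only fact assumed beyond the post is that the EMV unpredictable number is 4 bytes.

```python
"""Added example, not code from the thread or from any terminal vendor.

The post above says the terminals seeded their random number generator with
the date and time instead of an entropy source as ISO 18031 requires. This
shows why that matters for the 4-byte "unpredictable number" (UN) an EMV
terminal contributes to each transaction, and a simple audit a tester can run
over their own terminal's logs: if every logged UN can be regenerated from the
transaction clock, the UN is a function of time, not of entropy.
All function names and the sample log are constructed for the example.
"""
import random
import secrets
from typing import Iterable, Optional

UN_BITS = 32  # the EMV unpredictable number (tag 9F37) is 4 bytes


def weak_unpredictable_number(clock_seconds: int) -> int:
    """Flawed design described in the thread: a deterministic PRNG seeded
    with the clock. Anyone who knows (or guesses) the clock value gets
    exactly the same 'random' number back."""
    rng = random.Random(clock_seconds)  # hypothetical terminal: seed = time
    return rng.getrandbits(UN_BITS)


def strong_unpredictable_number() -> int:
    """What the ISO 18031 requirement is after: draw the UN from the OS
    CSPRNG, so no observable value lets anyone reproduce it."""
    return secrets.randbits(UN_BITS)


def clock_that_reproduces(observed_un: int,
                          candidate_clocks: Iterable[int]) -> Optional[int]:
    """Audit helper: try the plausible clock values around the transaction
    time and return the one that regenerates the observed UN, or None."""
    for t in candidate_clocks:
        if weak_unpredictable_number(t) == observed_un:
            return t
    return None


def fraction_time_derived(log_entries, window_seconds: int = 5) -> float:
    """Fraction of logged (timestamp, UN) pairs whose UN is reproducible
    from a clock value within +/- window_seconds of the logged timestamp.
    Near 1.0 means the generator is time-seeded; a compliant generator
    gives ~0.0 (a chance hit is about (2*window+1)/2**32 per entry)."""
    hits = 0
    entries = list(log_entries)
    for ts, un in entries:
        window = range(ts - window_seconds, ts + window_seconds + 1)
        if clock_that_reproduces(un, window) is not None:
            hits += 1
    return hits / len(entries) if entries else 0.0


def constructed_log(time_seeded: bool, start_ts: int = 1_349_000_000,
                    count: int = 20):
    """Build a constructed terminal log of (timestamp, UN) pairs, one
    transaction every 37 seconds, from either generator."""
    entries = []
    for i in range(count):
        ts = start_ts + 37 * i
        un = (weak_unpredictable_number(ts) if time_seeded
              else strong_unpredictable_number())
        entries.append((ts, un))
    return entries


if __name__ == "__main__":
    weak_log = constructed_log(time_seeded=True)
    good_log = constructed_log(time_seeded=False)
    print("time-seeded terminal, reproducible UNs:",
          fraction_time_derived(weak_log))   # 1.0
    print("CSPRNG terminal, reproducible UNs:   ",
          fraction_time_derived(good_log))   # 0.0
```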
    54. Re:Never trust security through obscurity by dajjhman · · Score: 1

      Your second reply never made it to my feed, so allow me to clarify my first reply having seen this one now: If the program is implemented wrong, and they are banking on people having the impression it is fully secure without having actually analyzed the system, then it is security through obscurity. Now, if they had opened it up to auditors and this implementation was genuinely missed, it would have simply been an implementation error.

      --
      The man who cannot imagine a horse galloping on a tomato is an idiot - Andre Breton
    55. Re:Never trust security through obscurity by SQLGuru · · Score: 1

      Oh, the best bet is to negotiate the price and then negotiate the financing. They are two different transactions (one with the dealer and the other with the financing company) and you should treat them as such. But he indicated that there was a cash discount. My point was that paying with a credit card should get the same discount as cash.

    56. Re:Never trust security through obscurity by drinkypoo · · Score: 1

      Banks are not going to lose money like that. When there is inflation, the interest rate will be even higher.

      If your agreement says they can raise your rates without notice, then you deserve what you get.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    57. Re:Never trust security through obscurity by AK+Marc · · Score: 1

      However when we consider that you pay between 0.5-3% per transaction on your credit card, you've pissed away $720 (at just 1% of $1,500 p/m) in merchant fees in the same period you've gained in $500 interest.

      I pay $0 per transaction with my credit card. Your facts are all wrong. Your logic is wrong, and your conclusions are all wrong.

  2. Wasn't this already covered by Anonymous Coward · · Score: 0

    in DEF CON 19 last year?

    1. Re:Wasn't this already covered by scdeimos · · Score: 3, Informative
      Maybe you're thinking of this /. story from 2010, which is about a different attack (a MITM that allows the wrong PIN to be verified as correct) from the same Cambridge researchers?

      European Credit and Debit Card Security Broken

      http://news.slashdot.org/story/10/02/11/2129212/european-credit-and-debit-card-security-broken

  3. Security by obscurity by jenningsthecat · · Score: 4, Insightful

    All the locks in the world won't keep crooks out of your house if you don't use the locks. Your house may LOOK invulnerable, but one day somebody's gonna try the door, find it open, and steal you blind.

    The same principle applies here - using obvious and predictable 'random' code generation, and relying on people not knowing that's what you're doing, only works for so long.

    And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:Security by obscurity by Solandri · · Score: 4, Interesting

      And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

      If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out of the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?

      The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

    2. Re:Security by obscurity by drinkypoo · · Score: 2, Insightful

      Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

      Or the government could quit sucking corporate cock, permitting more players into the game to provide some actual competition.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Security by obscurity by Anonymous Coward · · Score: 0

      Or they could come out with a government system. Not a stretch really, considering they already print the money.

    4. Re:Security by obscurity by scamper_22 · · Score: 1

      With something as crucial as the nation's payment infrastructure, one might think engineers or computer scientists would have a thing or two to say about it.

      Perhaps they should have a professional body to ensure some level of quality and system review.

      Perhaps they should be regulated like the FDA approves drugs.

      Or perhaps the system works as is and the costs shifted and paid around.

    5. Re:Security by obscurity by tlhIngan · · Score: 2

      If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out of the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?

      The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

      Well, first of all, handling cash is not free. The more cash you handle, the more expensive it becomes. If your business takes in $50k worth of cash - how do you deposit it? Rent an armored car ($1-2K per call, meaning 2-4% "transaction fee")? Carry it to the bank and hope you don't get robbed (100+% - if you require medical treatment or counselling, plus loss of the day's take), etc.

      You can choose to take debit only (cheaper - 25 cents (paid by cardholder) plus well under 1% (paid by the merchant)), though many people are wary and banks love to charge lots of fees to account holders.

      And in Canada, it was found that yes, credit card companies were effectively strongarming merchants and merchants were given rights to charge extra to credit card holders, the ability to refuse some credit cards, etc. (Which may be noble, but potentially impractical if it results in customers lining up with $100 worth of stuff, then not completing the transaction because they refuse to pay an extra $3-5 in credit card fees and leaving for someone else).

      The only way to advertise it is to build it into prices and have the cashier say "your total is $100, but if you pay by cash, I'll give you a discount - you'll only pay $95". (Customers hate having things "tacked on" at the end - they want to know that the item they're buying is the price shown on the tag. Of course, giving a discount is a nicety where you pay less than tagged price, or even if you couch it as "If you pay by cash, I won't charge sales tax")

    6. Re:Security by obscurity by mcgrew · · Score: 1

      WTF, moderators? I don't care that drinkypoo is on my freaks list, that was in no way flamebait. He should be modded insightful, not flamebait.

      Please, slashdot, bring back the old style metamoderation! He's right, the CC companies need better regulation (in this case, more regulation) and more competition.

    7. Re:Security by obscurity by Anonymous Coward · · Score: 0

      Amen. The current incentives have a perverse effect. Chip'n'pin is an excellent idea, but as long as the banks don't pay the consequences of their shoddy implementations the criminals will benefit along with the bank.
      (Moderately insider, so posting AC)

  4. Presumed secure = blame the user by muhula · · Score: 5, Informative

    In the US, a simple magnetic stripe is used to encode the data, which can be duplicated with little effort. Even if your credit card is swiped at a brick and mortar retailer, this well-known vulnerability gives consumers some credibility against the credit card issuer when they claim to have not made the purchase. The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds since chip and pin was presumed to be secure. From the article, "Others [banks] reported already being suspicious of the strength of unpredictable numbers... If those assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

    1. Re:Presumed secure = blame the user by rover42 · · Score: 3, Informative

      muhula writes: The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds ... banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds

      Ross Anderson heads the Cambridge group that found this attack and the earlier man-in-the-middle attack (a gadget between card & reader that makes all PIN verifications succeed no matter what number you enter). He's been writing about bank vulnerabilities for years.

      A famous older paper: "Why cryptosystems fail" http://www.cl.cam.ac.uk/~rja14/Papers/wcf.html

      Problems with PIN numbers: http://bits.blogs.nytimes.com/2012/02/20/security-of-self-selected-pins-is-lacking/

    2. Re:Presumed secure = blame the user by Formalin · · Score: 1

      Hah, yep. I noticed my "agreement of the services" with visa states that if chip authentication is used, it's assumed I authorized it - i.e. there are no fraudulent transactions that use the chip, I'm liable.

      Makes you want to rip the contacts off the card...

    3. Re:Presumed secure = blame the user by pipedwho · · Score: 1

      This might be true if 'you' used the chip authentication. However, if someone else has cloned your card (however they managed to do it), then 'you' haven't agreed to that transaction, and thus 'you' never used any kind of authentication, let alone "chip and pin".

    4. Re:Presumed secure = blame the user by Anonymous Coward · · Score: 0

      This is why I refuse to sign up for online banking with my bank.

      The TOS says that anything that happens through the web interface is my fault (supposedly because I didn't pick a good password, but it also asks me for security questions, so I'm immediately suspicious. It's a bank. If I forget my password, I'll walk into a branch with two forms of ID.).

    5. Re:Presumed secure = blame the user by drinkypoo · · Score: 1

      Makes you want to rip the contacts off the card...

      buy a UV-curing clear coat repair pen, $3 or so, the rest is obvious

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Presumed secure = blame the user by Anonymous Coward · · Score: 1

      lmfao, good fuckin luck getting your card company to buy into that one. Chip & pin is a scam designed solely to remove *ALL* liability of fraud from the card company; after all, it's *your* fault you let your chip get cloned ; )

    7. Re:Presumed secure = blame the user by mcgrew · · Score: 1

      That's why I no longer use a debit card, or indeed, any kind of card. Someone watched me enter my PIN, stole the card and some checks, cashed forged checks and withdrew money with the card. I was reimbursed by the bank for the fraudulent checks, but the card cost me hundreds of dollars -- if you have the card and PIN, then you have the right to use it, even if you've stolen both. Worse, it made a check for a down payment on a car bounce and I was almost liable for a felony. REAL pain in the ass, that cost hundreds more to get out of.

      So, no more plastic for me; paper only. Cash or check or I don't do business with you.

  5. no liability for banks by Anonymous Coward · · Score: 2, Informative

    Canadian banks just snuck in an update to the banking agreements -- customer is now 100% responsible for losses with chip and pin cards, no doubt due to the ironclad security.

    1. Re:no liability for banks by alexo · · Score: 1

      Canadian banks just snuck in an update to the banking agreements -- customer is now 100% responsible for losses with chip and pin cards, no doubt due to the ironclad security.

      Citation please.

  6. The problem is shifting liability by nemesisrocks · · Score: 4, Interesting

    The problem with the claim Chip & Pin is more secure, is that the card processors (Visa, Mastercard) used it as a justification to shift liability from the Bank over to the Merchant.

    With swiped transactions, when a customer disputes the transaction, the Merchant isn't automatically liable for the transaction -- they only need to prove the customer actually made the purchase (e.g. producing the signed receipt). With Chip & Pin, the merchant is automatically assumed to be liable, according to the merchant agreement. There's very little a merchant can do to dispute the chargeback.

    1. Re:The problem is shifting liability by DeBaas · · Score: 1

      The way I understood it is that the liability shift does not work that way. The least secure is liable. See http://en.wikipedia.org/wiki/EMV

      The supposed increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.[2]

      If a merchant does not support chip and the issuer (your bank) and the acquirer (the bank of the merchant) do, the merchant is liable.
      If the acquirer does not support EMV (aka Chip and pin), that bank is liable. Etc.

      So only when the merchant keeps an old terminal that only supports magswipe despite his bank and the bank (/card issuer) of the customer supporting EMV and the chip, is the merchant liable.

      --
      ---
    2. Re:The problem is shifting liability by mattsday · · Score: 3, Insightful

      I used to work in a store when Chip & PIN was introduced to the UK - after the switchover we were told in no uncertain terms that we would take liability if we didn't use Chip & PIN when it was available (e.g. verify by signature). This makes a lot of sense to me, as some people's signatures had rubbed off and others really didn't match.

      Whenever I go to the US, my card is almost never checked. I usually get my card back before I even sign. There is often zero fraud prevention at the point of sale. Even when they ask for photo ID (rarely) they often just check the picture, not my name or even if it's valid ID.

      From my side, I would consider liability to be very much on a merchant who didn't bother checking properly and reduce it as an incentive to help me reduce fraud (e.g. chip & pin systems).

      --
      Now there's one hoopy frood who really knows where his towel is!
    3. Re:The problem is shifting liability by Mithent · · Score: 1

      If this story is to be believed, you can get away with signing pretty much anything and it's highly unlikely that anyone will even look at your signature.

      Chip and PIN might not be perfect, but at least it makes it more than entirely trivial to use a card that you've just found somewhere in a store.

    4. Re:The problem is shifting liability by NJRoadfan · · Score: 1

      Don't some of the major processors' merchant agreements forbid ID verification? They don't check your ID because they aren't allowed. A few of my friends think they are smart and put "See ID" in the signature box of their card... right next to where it says "this card not valid unless signed"!

    5. Re:The problem is shifting liability by Anonymous Coward · · Score: 0

      All of my cards have a small signature on them (to be compliant with cc regulations) and then in large and very bold "SEE IDENTIFICATION". You know how often I'm asked for ID? Well I only recall being asked once in the last year or so, and I use the card every single day.

      You seriously want some idiot being your handwriting validation expert when a vast majority of them can't even take the time to ask for ID when the card itself says to?

    6. Re:The problem is shifting liability by DarenN · · Score: 1

      The flip side of this is that the processing fees for Chip & PIN cards are significantly lower. The fact is that fraud is vastly reduced by using Chip & PIN, so the fees charged can account for that.

      --
      Rational thought is the only true freedom
    7. Re:The problem is shifting liability by noc007 · · Score: 2

      As one who worked for a processing gateway in the US, the liability was on the merchant first. When a chargeback is initiated by the cardholder, the funds are taken from the merchant's account and credited to the cardholder's account. If the merchant doesn't have the funds (gateways or processors are pretty strict on them having the funds in case of chargebacks and will hold funds or institute a rolling reserve if the merchant doesn't have the funds or has a higher risk of potential chargebacks), it is on the gateway or processor to front the money. It is then on the merchant to prove that the transaction is legitimate with a signed receipt. If they produce that and satisfy the gateway or processor and the card issuing bank, then the funds are debited from the card holder's account and credited back to the merchant; the merchant still has to pay transaction fees on all three of the transactions.

      I don't know the full procedure if the merchant has a signed receipt and the card holder still disputes the transaction. I believe in that case usually, depending on the circumstances, both parties keep the funds and the card issuing bank writes it off as a loss. Really the merchant gets pwned in most cases and really can only get out of it if they have some ironclad evidence like a signed document stating that the card holder is satisfied with the services and/or products they have received; I know of a merchant that xeroxes their driver's license as well just to protect themselves.

      Chip+PIN, IMHO, puts all of the liability on the card holder. The card holder is led to believe that it is secure and doesn't know if a terminal is compromised or not. If the terminal is compromised and funds are debited fraudulently, they're still on the hook, and the bank to the processor will claim that it's impossible to duplicate a card even though it's been proven for years that it's not as secure as they claim. The only defense that they have is to destroy the card and use a different form of payment (e.g. cash).

    8. Re:The problem is shifting liability by subreality · · Score: 1

      my card is almost never checked

      That's because signing the receipt is not for authentication. Read the receipt: you're signing a contract to pay the bank back for the stuff you're buying.

    9. Re:The problem is shifting liability by 0100010001010011 · · Score: 1

      I was asked ONCE while on holiday in the UK because the signatures don't match. I usually draw a circle, square, triangle.

  7. damn right they do by slashmydots · · Score: 1

    We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.

    Yeah, they pass it along to sellers like me. Almost all fraud gets taken straight out of the pockets of the business owner but hey, we've got money, right? Total bullshit. Well guess what I'm refusing to accept ever under any circumstances.

    1. Re:damn right they do by Anonymous Coward · · Score: 0

      We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.

      Yeah, they pass it along to sellers like me. Almost all fraud gets taken straight out of the pockets of the business owner but hey, we've got money, right? Total bullshit. Well guess what I'm refusing to accept ever under any circumstances.

      Other people's money??

    2. Re:damn right they do by Anonymous Coward · · Score: 0

      I'm curious in what way.

      In my storefront, if a card holder chips a card and types their pin, there is no way they can charge back.
      If it was a fraudulent transaction, the end user is charged for giving out their pin or bank/visa pays for insecurity.
      As a merchant I have no other way to verify the transaction.

      In an online transaction, does "Verified by Visa" / "Mastercard SecureCode" not effectively provide you as a merchant the same protections?

    3. Re:damn right they do by Rockoon · · Score: 2

      Fraud is overhead that needs to be paid for regardless of who is left holding the empty bag at the end, and that overhead will always end up being reflected in the retail prices.

      So who better to be left holding the empty bag than the party that has direct control over retail prices, and even some control over who he does business with?

      --
      "His name was James Damore."
    4. Re:damn right they do by Anonymous Coward · · Score: 0

      Counterpoint: What motive do banks have to secure their system if they are not liable for its insecurity?

      (Also, merchants pay 2.5%-5% of every transaction to the processor for visa/mastercard. More for Amex.
      Surely this HUGE sum of money skimmed from EVERY transaction can pay for the overhead?)

    5. Re:damn right they do by Anonymous Coward · · Score: 0

      The liability should be with the party that has the power to do something about it: the card companies. If not, it will grow out of control, since there is little incentive to contain it.

    6. Re:damn right they do by Rockoon · · Score: 1

      Counterpoint: What motive do banks have to secure their system if they are not liable for its insecurity?

      Nothing has changed with your scenario because it's based on the faulty premise that someone other than the consumer will pay the cost. The consumer is the side of the trade that has the money, and all costs must by definition be paid for out of that money.

      --
      "His name was James Damore."
    7. Re:damn right they do by Rockoon · · Score: 1

      The liability should be with the party that has the power to do something about it: the card companies.

      So neither person at the point of sale has the power to do something about it? It's the institution that is by definition not at the point of sale?

      --
      "His name was James Damore."
    8. Re:damn right they do by pipedwho · · Score: 1

      So who better to be left holding the empty bag than the party that has direct control over retail prices, and even some control over who he does business with?

      The answer to that question is: The party that has control over the implementation of the financial transaction system.

      Anything less and there's no incentive for the financial institutions to improve security and reduce overall losses in the system. There is no way a merchant or a consumer has any control over this. The most they can do is refuse to accept 'plastic', but due to the ubiquitous nature of credit based transactions, that would be akin to closing the door on a large portion of their income.

    9. Re:damn right they do by pipedwho · · Score: 1

      But, those costs would never have occurred if the banks secured (or continue to secure) their system properly. Thus the 'losses' that end up being paid for by the consumer end up being negligible.

    10. Re:damn right they do by pipedwho · · Score: 1

      The liability should be with the party that has the power to do something about it: the card companies.

      So neither person at the point of sale has the power to do something about it? It's the institution that is by definition not at the point of sale?

      The best the consumer and/or merchant can do is complain to the 'authorities' that their bank just sucked a huge chunk of cash out of their account. Maybe they could sue the bank for losses incurred due to a poorly secured transaction system. But, all that does is send the responsibility back to where it belongs in the first place: with the banks.

    11. Re:damn right they do by 0111+1110 · · Score: 1

      There is not much consumers can do about having their card numbers stolen. They could never let the card leave their sight, only use Linux for online purchases, and use temporary card numbers for purchases from merchants they are not certain of, but even then their number could still be stolen. This problem is not one that the cardholder has created and it is not one that the cardholder can fix.

      I think chip and pin was a great idea. Relying on it as perfect security and holding the user responsible for every transaction, however, was stupid. If I lived in the UK or another chip and pin EU country I would be way too paranoid to ever use my card. Instead of a credit card I'd probably use a debit card and transfer the exact amount needed from another account for every purchase. Thieves can't steal from you if there is nothing to steal.

      US banks will generally cover you even if you knowingly gave away your ATM pin number in one of those ATM kidnappings so popular in certain parts of the world. The whole pin and chip thing was a raw deal for EU cardholders. They get no benefit, but all the risk. It's definitely not an equitable solution. Bank of America has a two factor authentication system for their online banking, but I don't think they hold the user responsible for fraudulent transactions.

      So, aside from the thief, who is to blame for a fraudulent transaction? Almost never the cardholder or the merchant. The two parties at the point of sale are just using the system. They didn't create it and holding them responsible for the lax security of the system is absurd and unjust. All that consumers and merchants can really do is just stop using/accepting credit cards, and I don't think either the bank who issued the card or Visa/Mastercard want that.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    12. Re:damn right they do by FireFury03 · · Score: 2

      In my storefront if a card holder chips a card and types their pin, there is no way they can charge back.

      That sounds incorrect to me, since (at least under UK law) there are various reasons why a credit card transaction may be subject to a chargeback even if it was a legitimate transaction at the time.

      In an online transaction does "Verified by Visa" / "Mastercard SecureCode" not effectively provide you as a merchant the same protections?

      3Dsecure is, frankly, a joke and does nothing to increase security (in fact it actually decreases security). It was introduced as yet another way of pushing the liability away from the bank rather than actually being secure.

      Unfortunately, my experience with banks is that, when it comes to digital security, they have no clue and are only interested in security theatre, even in situations where well thought out real security would actually be easier for everyone than the security theatre they invent instead.

    13. Re:damn right they do by SuricouRaven · · Score: 2

      Verified by VISA? I've seen that one. Whenever I have to buy something online, I need to enter an extra code in addition to the card number, expiry date and CCV. It seems quite pointless to me, because I have to enter them all at once - which means I store them all in the same place, and anyone who has compromised my system can key-log the whole lot at once. The only time it'll add any security is in stopping someone who stole the card from using it to buy things online, and if that was their goal it would be easier to just take the CCV number off the card. Plus, using VBV is optional for the merchant, so it just ensures the fraudster would shop with some company that doesn't require it.

    14. Re:damn right they do by drinkypoo · · Score: 1

      So, aside from the thief, who is to blame for a fraudulent transaction? Almost never the cardholder or the merchant.

      The merchant is often [at least partly] at fault. It used to be poor control over carbons; you could steal CC numbers just by strolling into the local drug store in between busy times and raiding a checkstand's trash can while someone else occupied the checkers. Now it's poor control over readers, permitting criminals to install skimmers, or outright complicity.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    15. Re:damn right they do by KevReedUK · · Score: 1

      I think chip and pin was a great idea. Relying on it as perfect security and holding the user responsible for every transaction however was stupid. If I lived in the UK or another chip and pin EU country I would be way too paranoid to ever use my card. Instead of a credit card I'd probably use a debit card and transfer the exact amount needed from another account for every purchase. Thieves can't steal from you if there is nothing to steal.

      A great idea, BUT...

      Some institutions in the UK allow certain vendors (and there are quite a few of these) a "floor limit" for debit card transactions where, if the value of the transaction is below this threshold the transaction is automatically authorised at point-of-sale even without checking the account's available balance.

      This is also the system used for "offline" transactions, where the vendor's card reader has no network access and instead batches the transactions for subsequent communication with the card networks (an example of this would be card transactions made on airliners, cruise ships and trains, although some of these are now in a permanent "online" mode).

      In this situation, even if the account is empty, the funds will still be debited, taking the account overdrawn, potentially incurring overdraft interest, perhaps even unplanned overdraft fees (and don't get me started on these!).

      Because the transaction in question is chip-and-pin, the bank will (in the absence of evidence to the contrary) take the position that it was the card-holder themselves that made the transaction and therefore hold the card-holder liable not only for the debt, but for the additional charges and interest applied.

      --
      Just my $0.03 (At current exchange rates, my £0.02 is worth more than your $0.02)
    16. Re:damn right they do by DarenN · · Score: 1

      If you, as a merchant, are accepting Chip & PIN transactions, then you're paying significantly lower fees to reflect the significantly lower risk . If you're accepting mag-strip & signature, then you're paying more for the transaction because there's a much higher risk that it's a fraud. If you're doing a card-not-present transaction (i.e. online) then you're paying even more because the risk is even higher.

      This technique, which is a result of insecure hardware on the devices, is very hard and requires a lot of infrastructure, for lack of a better word. In 2010, the US had 27% of all card transactions worldwide, but 47% of all fraudulent transactions. The facts and figures say that Chip & PIN is more secure. The problem is that the US is so used to hucksters and fraudsters that they need the safety blanket, whereas in the EU the instance of fraud is so much lower that it's not seen as a problem.

      All transactions are also vetted by more than the EMV, previous transaction history and known locations are taken into account, as well as overall usage. The PIN itself is separate from EMV (they go in two separate data elements in a transaction), and EMV has more than just this number, it also has other checks like an Application Transaction Counter.

      And lastly, whatever the specifics of where liability lies, the banks treat disputes fairly because it's easy for them to do, and the person getting done is generally the merchant. Bear in mind, to get money off a card you need the following:
      1. A machine, registered to a bank which is regulated by that country's local regulator (so no "magic" banks).
      2. A merchant account, verified by said bank,
      3. for which you need to be a registered business.

      It should also be noted that the number they're talking about is not random and was never intended to be random, which is why they use the term "unpredictable" rather than the technical term "random".

      --
      Rational thought is the only true freedom
    17. Re:damn right they do by ThatsMyNick · · Score: 1

      It may not seem like much of a benefit to you, but merchants benefit a lot by requiring VBV (reread your post from the point of view of a merchant).

    18. Re:damn right they do by plover · · Score: 1

      Out of everybody involved, the merchant is almost the least at fault. In order to accept a few dollars worth of a transaction, the merchant is forced to handle these things called "account numbers" and "credit cards" that represent tremendous potential value, even though the merchant might be a dollar store with transactions never worth more than a few dollars. Imagine a two-buck shrimp shack on the beach, where half the customers pay with thousand dollar bills, and they each expect $998 in change. That's pretty close to the current situation.

      The customers are not really to blame, either, except that they have proven themselves incapable of coping with increased security measures. They demand convenience and speed, perhaps unreasonable convenience given the value their cards represent. They take little responsibility for their own security, because the law says they're liable for only $50 worth of loss.

      The banks are slightly more to blame. They are supposed to be responsible for securely handling all my money, but if they screw up they can send it all out the doors without my approval.

      The real culprits are the card payment networks. The entire credit system is insecure from start to end, from its inception through today. The card networks are the ones who established the insecure systems and the insecure standards, they approved the insecure protocols, and the way they were designed back in the 1980s they didn't care about anything except making sure they got their slice of the money as it passed through their networks. When the fraud problems got too high, instead of redesigning their systems to be secure, they took a giant stick to the retailers and said "make your systems carry our insecure data more securely or we will fine you and kick you out of the credit card club." They didn't even tell the retailers what to do, or give them secure protocols, or provide tools for them to do it, they just said "you figure out a way to make it secure, or else." So now thanks to those very expensive non-standardized regulations, there are ill-defined and haphazardly implemented patchworks of security here and there, and little wonder that there are data breaches reported almost daily.

      --
      John
  8. Why the quotes? by rebelwarlock · · Score: 2

    I like how they highlight "weakness" in the headline, giving it the appearance of being of poor credibility. Can I try?

    BBC is a "news" provider.

    1. Re:Why the quotes? by Anonymous Coward · · Score: 0

      It's because it's not a mere "weakness", it's a fundamental flaw

    2. Re:Why the quotes? by Anonymous Coward · · Score: 1

      The BBC "always" puts lots of "quotes" around "words" in their titles. I don't know why; it "doesn't" change the meaning "of" the words, it's like the heavy-metal umlaut: http://en.wikipedia.org/wiki/Metal_umlaut

    3. Re:Why the quotes? by Anonymous Coward · · Score: 1

      I like how they highlight "weakness" in the headline, giving it the appearance of being of poor credibility. Can I try?

      BBC is a "news" provider.

      It simply means the BBC is reporting but not necessarily endorsing the claim. Journalistic integrity many other more sensationalist outlets could learn from!

    4. Re:Why the quotes? by mysticalreaper · · Score: 2

      The quotes indicate that a third party is making the assertion. So the BBC's staff has not looked at the evidence and concluded there is a weakness, the BBC is merely repeating a conclusion reached by others. The BBC has not verified the validity of this conclusion. Therefore the BBC is not reporting this as an established fact, they are reporting that researchers from the University of Cambridge are saying this, and the BBC isn't certain it's a demonstrable fact.

      If you read the full article of any headline that contains quotes, you will find that the origin of the statement in quotes is not the BBC's writers, but another organization or person: a third party.

      The BBC is trying to help you understand the source of the information, an important part of journalism. They are trying to help you understand what they are reporting, not belittling your intelligence with 'emphasis' quotes.

    5. Re:Why the quotes? by Anonymous Coward · · Score: 0

      Husband "kills" wife.

      The BBC keeps quoting verbs such as "kill" in its headlines. How should I interpret this? (In case it isn't obvious, I'm not a native speaker).

    6. Re:Why the quotes? by L4t3r4lu5 · · Score: 2

      They're called quotation marks. They're quoting the researchers saying that this is a "weakness" in the security of chip and pin cards, in that the researchers used the word "weakness" to describe the vulnerability.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    7. Re:Why the quotes? by Anonymous Coward · · Score: 0

      One obvious reason for Husband "kills" wife is that the husband is a suspect and probably did it, but has not been convicted yet so it should not be considered an established fact.

    8. Re:Why the quotes? by Anonymous Coward · · Score: 0

      The BBC is trying to help you understand the source of the information, an important part of journalism.

      Apparently they are doing a good job. :)

      Reminds me of a story about my bank. In Denmark, we have a system where stone-age organizations can sign up and send their mail digitally (PDFs) to consumers that have also signed up. This is pretty retarded compared to just asking for my email address, but, well.

      Now, one day I login and discover I have probably around 20 unread PDFs from my bank, all just printouts of my account transactions. As if I would ever look at these compared to just logging into the bank. So I write to my bank and ask them not to spam me. The reply I get back is that they sometimes send one if there's been a slightly suspicious transaction (e.g. I've bought something on Ebay) in the previous period. Huh? Now they don't explain this anywhere, they just send the stupid printout with transactions.

    9. Re:Why the quotes? by Neil+Boekend · · Score: 1

      Somehow I usually interpret it as sarcasm, or a euphemism.
      For example: She had some huge "eyes".
      It usually doesn't work, but it causes enough hilarity not to change it.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  9. My debit card by Anonymous Coward · · Score: 0

    doesn't even have a chip. It's from a major American bank.

  10. Chip & Pin was already broken no later than 20 by mark-t · · Score: 1
    And, in fact, the pdf paper that the article links to even mentions it as one of the references.

    This appears to be something new, however

  11. Old News by Anonymous Coward · · Score: 0

    The crooks have been cloning chip and pin cards for a couple of years now, why is it that it only becomes news when Cambridge Researchers catch up and realise the same thing ?

    You can buy the gear you need to do it for about £200 from online retailers no questions asked.

    I realised how frail and easily crackable the entire system was when I was asked to research an EPOS system using an online payment gateway setup and discovered that at certain points in the system all the information exists in plain text; the onus is on the developer to ensure the data remains encrypted.

  12. Exaggeration (and a bit of scandal mongering) by bhaktha · · Score: 2

    Folks, I read the paper by Omar and Co in a fair amount of detail. Here is the gist. Some ATMs do not have a true RNG (Random Number Generator), something like FIPS 140.2 compliant. With such defective systems in a particular country, at a particular time and for a particular amount and a system which can do a transaction at ms granularity accuracy an attack is possible. And the card has to be in the system (which is recording) for a longer time than it is for a typical transaction. That is a very NARROW vulnerability (not that it is justified ...). The paper clearly says on a large set of ATMs they could NOT decipher the "algo" for the UN generation. This is an exploitation of a very very corner case. The paper also clearly says that EMVCo HAS ALREADY published rigorous tests to test the randomness of UN generation (before this paper was published). So the title here, in the BBC website and some of the comments are way off. (understand that BBC and /. have to have readership ...) Couple of additional comments, EMV cards are unclonable (so are the SIM cards used in phones which use similar technology), the standards are open (you can download the standards for free from the emvco website) and there are plenty of fraud detection algos running on issuer servers to detect suspicious transactions. The paper in the second page unambiguously states that AFTER the introduction of EMV cards "card-not-present" transaction fraud went up, precisely because EMV cards are secure. There will always be studies like this which expose flaws (this particular one was an extremely corner case) which generally strengthen the current systems. I have followed the research coming out of Cambridge on related topics (have exchanged notes with some of them), they are fine researchers and if you read the paper, you will see that they are NOT saying EMV is insecure but are identifying corner cases and defective implementations. Cheers, -Bhaktha

    1. Re:Exaggeration (and a bit of scandal mongering) by Anonymous Coward · · Score: 0

      And the fact that the issue existed at all is a major embarrassment.
      In addition the fact that they could not break many other ATMs doesn't really say much about their security, since so much information is secret it is very hard to know that not in fact _all_ of them would be easily attackable in a similar way by an insider.
      Which all comes down to the banking sector usually doing the opposite of long-established security best-practices.

    2. Re:Exaggeration (and a bit of scandal mongering) by Capt.Albatross · · Score: 1
      Bhaktha says:

      ...So the title here, in the BBC website and some of the comments are way off.

      I think your analysis makes some valid points but is somewhat complacent. Firstly, I am not convinced that the concept of a corner case is valid in security matters; attackers do not randomly stumble upon vulnerabilities, they assiduously seek them out, and a great many exploits are based on 'corner cases'. If you were ripped off to the extent of your credit limit, would you dismiss it as just a corner case?

      The fact that 'card-not-present' fraud went up is hardly surprising, and not much of an indication that EMV is secure; criminals will naturally choose the easiest attacks, especially before they have had time to test the new technology. As the "card-not-present" window closes, EMV will come under greater attack, and then we will get a better idea of how secure it is in practice.

      It is not particularly helpful to say that EMV is secure but the implementation is faulty, as it is useless without implementations. You might as well say that the cliff-edge is safe because it is hitting the ground that kills you. The backers of EMV have to take control of the whole development and implementation process for it to be trustworthy: as far as security is concerned, half a fence is no fence.

      Whenever errors start showing up, it is reasonable to assume that they are just a sample of the problems that are out there. When dumb errors start showing up, it is reasonable to assume that the implementation was in the hands of people who did not try too hard to do it right, and who probably could not have done a good job if they tried.

      The dissembling and apparently complacent response of the banks to these disclosures underlines the researchers' point (made in an earlier paper) that the banks' stated primary goal of chip & pin is to divest themselves of the cost of fraud. I find it disturbing that in many cases they have been able to pass the cost on to customers without producing transaction logs that might have vindicated the customer. This is a social rather than technical issue, but all security issues are, to a degree. It is only through the possibility of costly sanctions that we can realistically expect the banks to give customer security its due attention.

  13. It's worse - Liability is shifted to the CARDHOLDER by brunes69 · · Score: 4, Informative

    Re-read your chip & PIN liability statements. Chargebacks with chip & PIN are very difficult to do and weighed heavily against the cardholder.

    By default, if a transaction is conducted via chip & PIN, the consumer is liable for all charges. The use of a PIN constitutes, in the eye of the bank, de-facto shift of liability for the transaction. In the event of a dispute, it is up to THE CONSUMER to provide evidence that he / she did not perform the transaction. This is a marked shift from the old magstripe / signature liability, where it was up to the merchant to prove that it was you making the purchase in a dispute. Now, it is up to the consumer to prove it WASN'T you - good luck with that!

    I am glad people are finally waking up to this because I avoided chip & PIN as long as possible due to this, but it is being rammed down our throats, along with this liability shift, and no one is noticing.

  14. We should move to fish & cushion! by Anonymous Coward · · Score: 0

    http://www.youtube.com/watch?v=B80SyRmtbdI

  15. Serge Humpich, anyone??? by JigJag · · Score: 1

    I know it happened 12 years ago, but come on, the chip cards with pin have been cracked and crackable for a long time. In 2000, Serge Humpich, a French hacker, found a flaw in the chip design and used a Japanese algorithm to factorize the prime used in the chip card.

    In French:
    https://fr.wikipedia.org/wiki/Serge_Humpich
    http://www.bibmath.net/crypto/moderne/cb.php3

    In English:
    http://www.theregister.co.uk/2000/02/26/french_credit_card_hacker_convicted/
    http://www.amazon.com/Serge-Humpich/e/B001K7H3DE

    I remember my reaction when chip cards appeared in Canada *after* 2000, as if they were waiting on having a backdoor before they deployed them.

    JigJag

    --
    "The hallmark of humanity is the ability to move beyond sensory inputs" - Mary Helen Immordino-Yang
  16. Mod parent up! by Anonymous Coward · · Score: 1

    The main problem with chip-and-pin, from the consumer's perspective, is that it shifts the liability onto the CARDHOLDER, not the merchant. The issuers insist that merchants bear the liability for old magstripe transactions, but for chip-and-pin transactions it is presumed that you, the CARDHOLDER, are responsible unless you can *prove* otherwise. That's why the merchants were all so eager to get the chip-and-pin hardware deployed... it reduces their fraud costs (shifting them onto the victim cardholders instead).

    Here's this attack in a nutshell:

    The protocol between card and ATM incorporates an "Unpredictable Number" which is generated by the ATM and sent to the card as part of a transaction request. The card returns a response which includes this Unpredictable Number, and is encrypted with a secret symmetric key stored on the card. The other copy of the symmetric key is known only to the issuing bank. The ATM sends this response to the issuing bank over the network, where the transaction is vetted and approved.

    The important role played here by the "Unpredictable Number", is to guarantee the _freshness_ of the transaction to the issuing bank: it's how they know that the challenge sent to the card, and the response returned from the card, were generated _while the user was using the ATM_ and not at some much earlier time. Unfortunately, the party relying on the unpredictability of the number is the issuing bank (the one who issued you the card) and the party *generating* the number is the ATM, which might be in a different country, might be operated by an adversary, might be compromised by malware, might be in a Mafia-owned store and have been tampered with, etc. To be secure, the number should have been generated by the issuing bank at the start of the transaction, but the system is not designed that way (probably because it would slow the transactions down too much). So instead of a few hundred issuing banks, you're relying on literally _thousands_ of different ATM manufacturers and operators, to securely generate unpredictable random numbers for you. But many of them don't... they use crappy generators like stdlib rand() or system timers which can be forced into a known state by power-cycling the ATM.

    If the attackers can predict what "Unpredictable Number" the ATM will generate (and using the techniques from the paper, they often can) then that means they can send those numbers to the user's card when it's inserted in a compromised ATM or POS terminal, and get the card to encrypt their illicit "request" as needed. Then at some later time (maybe days or even weeks later) they present the card's response to a real ATM somewhere else, and take money out of the cardholder's account. The attackers have to choose the amount and the date of the attack in advance, but they can use any vulnerable ATM in the same country as the compromised terminal where the cardholder's info was skimmed from.

    So this attack is basically as strong as card cloning. There's basically nothing you could do with a cloned card, that you can't do with this attack.
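    A toy model of the freshness argument in the post above, added here as an illustration and not taken from the researchers' paper or any EMV implementation: the issuer verifies a MAC over transaction fields that include a terminal-chosen UN, so its check cannot tell a response computed earlier against a predicted UN from a live one; the only issuer-side lever is to notice that a terminal's UNs are not unpredictable. HMAC-SHA256 stands in for the card cryptogram, and the key, field layout, the timer-based weak generator and the sanity-check thresholds are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct
from collections import Counter

CARD_KEY = b"constructed-card-key-shared-with-issuer"  # constructed, not a real key


def cryptogram(key: bytes, atc: int, amount: int, date: str, un: int) -> bytes:
    """Card side: MAC over the transaction fields, including the terminal's UN.
    Field layout is an assumption for this model, not the EMV format."""
    msg = struct.pack(">HI", atc, un) + amount.to_bytes(6, "big") + date.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: checks the MAC and that the ATC moves forward. Nothing here
    can establish freshness, because the UN was chosen by the terminal."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0

    def authorise(self, atc: int, amount: int, date: str, un: int, mac: bytes) -> bool:
        if atc <= self.last_atc:
            return False  # counter already used: a straight replay is caught
        if not hmac.compare_digest(cryptogram(self.key, atc, amount, date, un), mac):
            return False
        self.last_atc = atc
        return True


def weak_un(ms_since_boot: int) -> int:
    """Constructed stand-in for a timer-derived generator: every power-cycle
    restarts it at 0, so its output is a function of elapsed time alone."""
    return (ms_since_boot * 1103) & 0xFFFFFFFF


def strong_un() -> int:
    """What the terminal should do: draw the UN from the OS CSPRNG."""
    return int.from_bytes(os.urandom(4), "big")


def freshness_gap(issuer: Issuer) -> bool:
    """Returns True when the issuer accepts a cryptogram that the card computed
    earlier against a UN someone merely predicted from the weak generator.
    The issuer's checks pass because the MAC is genuine and the ATC is new."""
    predicted = weak_un(1500)  # value a timer-based terminal emits 1.5 s after reset
    stored = cryptogram(CARD_KEY, atc=7, amount=20000, date="121231", un=predicted)
    # later, a terminal running the same weak generator emits that UN again
    return issuer.authorise(7, 20000, "121231", weak_un(1500), stored)


def un_looks_weak(samples: list, min_distinct_ratio: float = 0.9) -> bool:
    """Issuer-side sanity check over the UNs one terminal has sent, in the
    spirit of the randomness tests the thread mentions (thresholds constructed):
    flag repeats, or successive differences that are nearly always the same."""
    if len(samples) < 8:
        return False  # too little history to judge
    distinct_ratio = len(set(samples)) / len(samples)
    diffs = Counter((b - a) & 0xFFFFFFFF for a, b in zip(samples, samples[1:]))
    top_diff_share = diffs.most_common(1)[0][1] / (len(samples) - 1)
    return distinct_ratio < min_distinct_ratio or top_diff_share > 0.5


if __name__ == "__main__":
    print("issuer accepts pre-computed response:", freshness_gap(Issuer(CARD_KEY)))
    print("timer terminal flagged:", un_looks_weak([weak_un(t) for t in range(0, 2000, 100)]))
    print("CSPRNG terminal flagged:", un_looks_weak([strong_un() for _ in range(50)]))
```

The point the model makes is that the MAC check alone passes in both the live and the pre-computed case; only monitoring the quality of the UN stream per terminal gives the issuer something to act on.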

  17. Re:Chip & Pin was already broken no later than by Capt.Albatross · · Score: 2

    That's right, this is at least the second independent way Chip & Pin has been found to be broken. The banks claim to have multiple layers of security, but what they actually have are multiple breaches of security.