Slashdot Mirror


Chip and Pin "Weakness" Exposed By Cambridge Researchers

another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"


  1. Never trust security through obscurity by dajjhman · · Score: 4, Informative

    Lots of these systems use proprietary protocols and have pushed out 3rd party verification by researchers. The random number being generated by time? Any serious security auditor would have caught that if the banks allowed them in, one of the golden rules of cryptography is to have a proper random number generator. The contact-less systems in the US came under similar fire this past year, after years of assurances by card issuers that it couldn't happen. http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

    --
    The man who cannot imagine a horse galloping on a tomato is an idiot - Andre Breton
    1. Re:Never trust security through obscurity by scdeimos · · Score: 4, Funny

      A web cam pointed at a lava lamp works for some people.

    2. Re:Never trust security through obscurity by Anonymous Coward · · Score: 2, Informative

      What exactly is this 'chip and pin' system in UK apparently. Sounds British (like fish and chips?)...hahaha.

      It's referring to a credit card & a pin number combination for security.

    3. Re:Never trust security through obscurity by Anonymous Coward · · Score: 2, Informative

      credit and debit card too.

    4. Re:Never trust security through obscurity by whoever57 · · Score: 2

      Does cash not work over there anymore?

      Actually, US-issued credit cards can be problematic in the UK because some ignorant shopkeepers and workers think that they cannot accept a card that does not have chip-and-pin.

      --
      The real "Libtards" are the Libertarians!
    5. Re:Never trust security through obscurity by stepho-wrs · · Score: 2

      It means smart cards (typically embedded in credit/debit cards) that have a chip on the card.
      You enter your PIN into the payment terminal at a store and it uses the PIN to form part of the key used for comms with the card.

      Whereas magnetic credit cards and PINs (er, I mean personal PIN numbers) have been used since the 1960s without a chip on the card.

    6. Re:Never trust security through obscurity by lxs · · Score: 5, Informative

      It's not that they cannot accept cards like that, but that the processor will not reimburse the shop in case of fraud. At least that's the case here in the Netherlands.

    7. Re:Never trust security through obscurity by stepho-wrs · · Score: 3, Funny

      A personal PIN number is what you enter into an automatic ATM machine or an electronic EFT terminal.

    8. Re:Never trust security through obscurity by Mithent · · Score: 3, Interesting

      Cash works here, but I'd rather use a card if the store accepts one, because it's more convenient for me. Cash involves trips to the ATM, bulking out my wallet with coins, and hopefully having appropriate denominations for the purchase at hand (a £20 note seems a bit much for a 60p purchase, while a collection of 10p and 5p pieces is going to be annoying if it's £5). If it gets stolen, it's essentially guaranteed lost, which means I shouldn't carry a lot of it at once, whereas if my card gets stolen, I can hopefully cancel it before it's used by the thief, which Chip and PIN makes more difficult. There are also additional protections afforded for purchases on credit cards, and my credit card offers 1% cashback. Yes, it would be stupid to run up credit card debt, but that's easy to avoid by paying the full balance each month.

      I'll pay by cash if I have to, but I'd much rather pay by card, which means I always have the right amount to hand and I get nothing back but a receipt.

    9. Re:Never trust security through obscurity by Captain+Hook · · Score: 3, Insightful

      The fact is you force merchants to pay a percentage of your transaction in a "merchant service fee" or bank interchange fee in some countries

      While that's true, you are forgetting that handling cash is not free for the merchant either.

      It has to be handled by staff that can lose or steal it, it has to be transported around the store securely and transported to a bank to be paid in to an account (banks charge businesses for paying cash into an account) so the business can use the money for purchasing of supplies, paying rents and mortgage etc.

      Credit Card fees look scary for the merchant because the fee is stated upfront in the contract with the Credit Card Provider but cash has costs as well, possibly hugely variable costs compared to a stated percentage per transaction.

      --
      These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    10. Re:Never trust security through obscurity by LordKronos · · Score: 2

      You are clueless.

      Cash can be lost, stolen

      And credit can't.

      No. Federal law limits my liability to $50 by law, but every single one of my credit cards actually goes further and limits my liability to $0. No risk to me.

      devalues through inflation.

      Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.

      Not sure how my "credit devalues through inflation". My "credit" has no actual cash value to me. The only effect inflation has is on my spending ability for a given credit line, but given the size of my credit line, I'll never reach that point...especially since lenders tend to increase that credit line over time.

      My credit accounts are other people's money

      The problem with spending other people's money is that other people are going to want their money back... with interest.

      Funny. I haven't paid a cent in interest to a credit card in way more than a decade. On the other hand, I've made thousands from my credit cards, in the form of cash back and (more importantly) sign up bonuses.

      A question that no credit addled fool has been able to answer is "why would a bank, a profit oriented business, offer you a service they don't make money on".

      They lend me money because most people DO pay interest. They take a gamble on me that I'll be just as profitable. They lose that gamble every time.

      The fact is you force merchants to pay a percentage of your transaction in a "merchant service fee" or bank interchange fee in some countries. This comes straight back to you in the form of higher prices.

      If you could get everyone (or at least a very significant number of people) in the country to switch to cash, then maybe prices would go down. Otherwise, me switching to cash isn't going to reduce my costs one bit. All it's going to do is stop earning me cash back and sign up bonuses.

      I won't even bother telling you about the amount I've saved in the last four years by paying with my own money. Even just in avoiding CC surcharges I've made $500. Credit cards have their place, just not for everyday transactions. For that I use cash or debit.

      LOL. I've MADE almost $2500 just this year from credit card sign up bonuses, and that doesn't count what my wife has earned from the same.

    11. Re:Never trust security through obscurity by drinkypoo · · Score: 2

      Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.

      Uh no.

      Credit doesn't devalue through inflation because if they think they can drive you into debt someday they will keep raising your limits.

      $1000 borrowed is not $1000+interest unless you borrow the money for longer than 30 days. If you repay within the window you don't actually pay any interest. And in the case of hyperinflation, you'd actually make money by not paying, so there are situations where you're even more wrong. Credit has its uses.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:Never trust security through obscurity by petermgreen · · Score: 2

      The ideal RNG collects as much entropy from the real world as there is information in its output. Second best is a cryptographically secure PRNG. To be cryptographically secure given an arbitrary sized sample of the output it must be computationally infeasible to predict the next bit with an accuracy greater than random chance. This requires both an algorithm that is resistant to reversal and sufficient seed data and internal state to prevent brute forcing of the random number generator's state.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    13. Re:Never trust security through obscurity by necro81 · · Score: 3, Informative

      IEEE Spectrum reported last year on new RNG tech from Intel, called Bull Mountain, and implemented in Ivy Bridge processors. It uses a large array of cross-coupled inverters. Thermal noise (a semi-random process) causes each inverter pair to latch to 1 or 0 very quickly. The inverters are reset, then allowed to re-latch, many times per second. This isn't particularly new. But they also add circuitry that continuously checks the statistical randomness of the output, and combines multiple number streams to ensure maximum randomness. The result then becomes the seed for a more conventional PRNG. The upshot is the ability to produce billions of demonstrably random numbers per second, all in a low-power peripheral on the microprocessor.

    14. Re:Never trust security through obscurity by swillden · · Score: 2

      Full specifications are available. There is no security through obscurity here.

      Doh, managed to delete the rest of my post before submitting. I guess I should actually look at the preview.

      Anyway, the problem here isn't obscurity, it's just implementation errors. Granted that the systems should have been audited.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    15. Re:Never trust security through obscurity by fatphil · · Score: 2

      Because we are not sanctioning "GNU Unix", nor ever would, and the expansion of the "P" in "PIN" is not "PIN". There's practically no similarity between the two cases apart from the fact that there are TLAs involved.

      --
      Also FatPhil on SoylentNews, id 863
  2. Security by obscurity by jenningsthecat · · Score: 4, Insightful

    All the locks in the world won't keep crooks out of your house if you don't use the locks. Your house may LOOK invulnerable, but one day somebody's gonna try the door, find it open, and steal you blind.

    The same principle applies here - using obvious and predictable 'random' code generation, and relying on people not knowing that's what you're doing, only works for so long.

    And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:Security by obscurity by Solandri · · Score: 4, Interesting

      And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

      If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?

      The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

    2. Re:Security by obscurity by drinkypoo · · Score: 2, Insightful

      Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

      Or the government could quit sucking corporate cock, permitting more players into the game to provide some actual competition.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Security by obscurity by tlhIngan · · Score: 2

      If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?

      The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

      Well, first of all, handling cash is not free. The more cash you handle, the more expensive it becomes. If your business takes in $50k worth of cash - how do you deposit it? Rent an armored car ($1-2K per call, meaning 2-4% "transaction fee")? Carry it to the bank and hope you don't get robbed (100+% - if you require medical treatment or counselling, plus loss of the day's take), etc.

      You can choose to take debit only (cheaper - 25 cents (paid by cardholder) plus well under 1% (paid by the merchant)), though many people are wary and banks love to charge lots of fees to account holders.

      And in Canada, it was found that yes, credit card companies were effectively strongarming merchants and merchants were given rights to charge extra to credit card holders, the ability to refuse some credit cards, etc. (Which may be noble, but potentially impractical if it results in customers lining up with $100 worth of stuff, then not completing the transaction because they refuse to pay an extra $3-5 in credit card fees and leaving for someone else).

      The only way to advertise it is to build it into prices and have the cashier say "your total is $100, but if you pay by cash, I'll give you a discount - you'll only pay $95". (Customers hate having things "tacked on" at the end - they want to know that the item they're buying is the price shown on the tag. Of course, giving a discount is a nicety where you pay less than tagged price, or even if you couch it as "If you pay by cash, I won't charge sales tax")

  3. Presumed secure = blame the user by muhula · · Score: 5, Informative

    In the US, a simple magnetic stripe is used to encode the data, which can be duplicated with little effort. Even if your credit card is swiped at a brick and mortar retailer, this well-known vulnerability gives consumers some credibility against the credit card issuer when they claim to have not made the purchase. The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds since chip and pin was presumed to be secure. From the article, "Others [banks] reported already being suspicious of the strength of unpredictable numbers... If those assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

    1. Re:Presumed secure = blame the user by rover42 · · Score: 3, Informative

      muhula writes: The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds ... banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds

      Ross Anderson heads the Cambridge group that found this attack and the earlier man-in-the-middle attack (a gadget between card & reader that makes all PIN verifications succeed no matter what number you enter). He's been writing about bank vulnerabilities for years.

      A famous older paper: "Why cryptosystems fail" http://www.cl.cam.ac.uk/~rja14/Papers/wcf.html

      Problems with PIN numbers: http://bits.blogs.nytimes.com/2012/02/20/security-of-self-selected-pins-is-lacking/

  4. no liability for banks by Anonymous Coward · · Score: 2, Informative

    Canadian banks just snuck in an update to the banking agreements--customer is now 100% responsible for losses with chip and pin cards, no doubt due to the ironclad security.

  5. The problem is shifting liability by nemesisrocks · · Score: 4, Interesting

    The problem with the claim Chip & Pin is more secure, is that the card processors (Visa, Mastercard) used it as a justification to shift liability from the Bank over to the Merchant.

    With swiped transactions, when a customer disputes the transaction, the Merchant isn't automatically liable for the transaction -- they only need to prove the customer actually made the purchase (e.g. producing the signed receipt). With Chip & Pin, the merchant is automatically assumed to be liable, according to the merchant agreement. There's very little a merchant can do to dispute the chargeback.

    1. Re:The problem is shifting liability by mattsday · · Score: 3, Insightful

      I used to work in a store when Chip & PIN was introduced to the UK - after the switchover we were told in no uncertain terms that we would take liability if we didn't use Chip & PIN when it was available (e.g. verify by signature). This makes a lot of sense to me, as some people's signatures had rubbed off and others really didn't match.

      Whenever I go to the US, my card is almost never checked. I usually get my card back before I even sign. There is often zero fraud prevention at the point of sale. Even when they ask for photo ID (rarely) they often just check the picture, not my name or even if it's valid ID.

      From my side, I would consider liability to be very much on a merchant who didn't bother checking properly and reduce it as an incentive to help me reduce fraud (e.g. chip & pin systems).

      --
      Now there's one hoopy frood who really knows where his towel is!
    2. Re:The problem is shifting liability by noc007 · · Score: 2

      As one who worked for a processing gateway in the US, the liability was on the merchant first. When a chargeback is initiated by the cardholder, the funds are taken from the merchant's account and credited to the cardholder's account. If the merchant doesn't have the funds (gateways or processors are pretty strict on them having the funds in case of chargebacks and will hold funds or institute a rolling reserve if the merchant doesn't have the funds or has a higher risk of potential chargebacks), it is on the gateway or processor to front the money. It is then on the merchant to prove that the transaction is legitimate with a signed receipt. If they produce that and satisfy the gateway or processor and the card issuing bank, then the funds are debited from the card holder's account and credited back to the merchant; the merchant still has to pay transaction fees on all three of the transactions.

      I don't know the full procedure if the merchant has a signed receipt and the card holder still disputes the transaction. I believe in that case usually, depending on the circumstances, both parties keep the funds and the card issuing bank writes it off as a loss. Really the merchant gets pwned in most cases and really can only get out of it if they have some ironclad evidence like a signed document stating that the card holder is satisfied with the services and/or products they have received; I know of a merchant that xeroxes their driver's license as well just to protect themselves.

      Chip+Pin IMHO, put all of the liability on the card holder. The card holder is led to believe that it is secure and doesn't know if a terminal is compromised or not. If the terminal is compromised and funds are debited fraudulently, they're still on the hook and the bank to the processor will claim that it's impossible to duplicate the card even though it's been proven for years that it's not as secure as they claim. The only defense that they have is to destroy the card and use a different form of payment (eg. cash).

  6. Re:Wasn't this already covered by scdeimos · · Score: 3, Informative
    Maybe you're thinking of this /. story from 2010, which is about a different attack (a MITM that allows the wrong PIN to be verified as correct) from the same Cambridge researchers?

    European Credit and Debit Card Security Broken

    http://news.slashdot.org/story/10/02/11/2129212/european-credit-and-debit-card-security-broken

  7. Why the quotes? by rebelwarlock · · Score: 2

    I like how they highlight "weakness" in the headline, giving it the appearance of being of poor credibility. Can I try?

    BBC is a "news" provider.

    1. Re:Why the quotes? by mysticalreaper · · Score: 2

      The quotes indicate that a third party is making the assertion. So the BBC's staff has not looked at the evidence and concluded there is a weakness, the BBC is merely repeating a conclusion reached by others. The BBC has not verified the validity of this conclusion. Therefore the BBC is not reporting this as an established fact, they are reporting that researchers from the University of Cambridge are saying this, and the BBC isn't certain it's a demonstrable fact.

      If you read the full article of any headline that contains quotes, you will find that the origin of the statement in quotes is not the BBC's writers, but another organization or person: a third party.

      The BBC is trying to help you understand the source of the information, an important part of journalism. They are trying to help you understand what they are reporting, not belittling your intelligence with 'emphasis' quotes.

    2. Re:Why the quotes? by L4t3r4lu5 · · Score: 2

      They're called quotation marks. They're quoting the researchers saying that this is a "weakness" in the security of chip and pin cards, in that the researchers used the word "weakness" to describe the vulnerability.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  8. Re:damn right they do by Rockoon · · Score: 2

    Fraud is overhead that needs to be paid for regardless of who is left holding the empty bag at the end, and that overhead will always end up being reflected in the retail prices.

    So who better to be left holding the empty bag than the party that has direct control over retail prices, and even some control over who he does business with?

    --
    "His name was James Damore."
  9. Re:damn right they do by FireFury03 · · Score: 2

    In my storefront if a card holder chips a card and types their pin, there is no way they can charge back.

    That sounds incorrect to me, since (at least under UK law) there are various reasons why a credit card transaction may be subject to a chargeback even if it was a legitimate transaction at the time.

    In an online transaction does "verified by visa" / "mastercard securcode" not effectively provide you as a merchant the same protections?

    3Dsecure is, frankly, a joke and does nothing to increase security (in fact it actually decreases security). It was introduced as yet another way of pushing the liability away from the bank rather than actually being secure.

    Unfortunately, my experience with banks is that, when it comes to digital security, they have no clue and are only interested in security theatre, even in situations where well thought out real security would actually be easier for everyone than the security theatre they invent instead.

  10. Re:damn right they do by SuricouRaven · · Score: 2

    Verified by VISA? I've seen that one. Whenever I have to buy something online, I need to enter an extra code in addition to the card number, expiry date and CCV. It seems quite pointless to me, because I have to enter them all at once - which means I store them all in the same place, and anyone who has compromised my system can key-log the whole lot at once. The only time it'll add any security is in stopping someone who stole the card from using it to buy things online, and if that was their goal it would be easier to just take the CCV number off the card. Plus, using VBV is optional for the merchant, so it just ensures the fraudster would shop with some company that doesn't require it.

  11. Exaggeration (and a bit of scandal mongering) by bhaktha · · Score: 2

    Folks, I read the paper by Omar and Co in a fair amount of detail. Here is the gist. Some ATMs do not have a true RNG (Random Number Generator), something like FIPS 140.2 compliant. With such defective systems in a particular country, at a particular time and for a particular amount and a system which can do a transaction at mS granularity accuracy an attack is possible. And the card has to be in the system (which is recording) for a longer time than it is for a typical transaction. That is a very NARROW vulnerability (not that it is justified ...). The paper clearly says on a large set of ATMs they could NOT decipher the "algo" for the UN generation. This is an exploitation of a very very corner case. The paper also clearly says that EMVCo HAS ALREADY published rigorous tests to test the randomness of UN generation (before this paper was published). So the title here, in the BBC website and some of the comments are way off. (understand that BBC and /. have to have readership ...)

    Couple of additional comments, EMV cards are unclonable (so are the SIM cards used in phones which use similar technology), the standards are open (you can download the standards for free from the emvco website) and there are plenty of fraud detection algos running on issuer servers to detect suspicious transactions. The paper in the second page unambiguously states that AFTER the introduction of EMV cards "card-not-present" transaction fraud went up, precisely because EMV cards are secure.

    There will be always studies like this which expose flaws (this particular one was an extremely corner case) which generally strengthen the current systems. I have followed the research coming out of Cambridge on related topics (have exchanged notes with some of them), they are fine researchers and if you read the paper, you will see that they are NOT saying EMV is insecure but are identifying corner cases and defective implementations.

    Cheers, -Bhaktha
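
Added example, not part of any comment in this thread and not code from the Cambridge paper or EMVCo: a small Python screen that an acquirer or terminal auditor could run over the unpredictable numbers (UNs) logged by one terminal, to flag the counter-like or clock-like generation discussed in the comments above and contrast it with a CSPRNG. The 4-byte UN width, the function names and all sample logs are assumptions constructed for illustration.

```python
import secrets
from collections import Counter

UN_BITS = 32                     # assumption: the UN is a 4-byte field (not stated in the thread)
MASK = (1 << UN_BITS) - 1


def audit_unpredictable_numbers(uns):
    """Screen UNs (ints, in log order, from ONE terminal) for cheap red flags.

    Sized for samples of a few dozen to a few hundred values. A clean report
    does not prove the generator is sound; it only means that none of these
    signs of a counter or clock source were present in the sample.
    """
    if len(uns) < 16:
        raise ValueError("need at least 16 samples to say anything useful")
    if any(u < 0 or u > MASK for u in uns):
        raise ValueError("UN out of range for a %d-bit field" % UN_BITS)

    # Differences between consecutive UNs, modulo the field size.
    steps = [(b - a) & MASK for a, b in zip(uns, uns[1:])]

    # A plain counter shows one step value almost every time.
    dominant_step_share = Counter(steps).most_common(1)[0][1] / len(steps)

    # A clock or tick-count source shows mostly small forward steps;
    # a random source gives a step below 2**16 about once in 65536 draws.
    small_step_share = sum(s < (1 << 16) for s in steps) / len(steps)

    # Bits that never change across the sample (e.g. the high half of a counter).
    stuck_bits = sum(
        1 for bit in range(UN_BITS) if len({(u >> bit) & 1 for u in uns}) == 1
    )

    # Repeats are essentially impossible by chance at this sample size.
    duplicates = len(uns) - len(set(uns))

    report = {
        "samples": len(uns),
        "duplicates": duplicates,
        "dominant_step_share": dominant_step_share,
        "small_step_share": small_step_share,
        "stuck_bits": stuck_bits,
    }
    report["weak"] = (
        duplicates > 0
        or dominant_step_share > 0.5
        or small_step_share > 0.5
        or stuck_bits > 0
    )
    return report


# Constructed sample logs (not real terminal data).
COUNTER_LOG = [0x0001A000 + 17 * i for i in range(64)]                  # fixed-step counter
CLOCK_LOG = [0x50000000 + 1000 * i + (i * i % 37) for i in range(64)]   # tick count with jitter


def csprng_log(n=64):
    """What the log should look like: each UN drawn from the OS CSPRNG."""
    return [secrets.randbits(UN_BITS) for _ in range(n)]


if __name__ == "__main__":
    for name, log in (("counter", COUNTER_LOG), ("clock", CLOCK_LOG), ("csprng", csprng_log())):
        print(name, audit_unpredictable_numbers(log))
```
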

  12. It's worse - Liability is shifted to the CARDHOLDER by brunes69 · · Score: 4, Informative

    Re-read your chip & PIN liability statements. Chargebacks with chip & PIN are very difficult to do and weighed heavily against the cardholder.

    By default, if a transaction is conducted via chip & PIN, the consumer is liable for all charges. The use of a PIN constitutes, in the eye of the bank, de-facto shift of liability for the transaction. In the event of a dispute, it is up to THE CONSUMER to provide evidence that he / she did not perform the transaction. This is a marked shift from the old magstripe / signature liability, where it was up to the merchant to prove that it was you making the purchase in a dispute. Now, it is up to the consumer to prove it WASN'T you - good luck with that!

    I am glad people are finally waking up to this because I avoided chip & PIN as long as possible due to this, but it is being rammed down our throats, along with this liability shift, and no one is noticing.

  13. Re:Chip & Pin was already broken no later than by Capt.Albatross · · Score: 2

    That's right, this is at least the second independent way Chip & Pin has been found to be broken. The banks claim to have multiple layers of security, but what they actually have are multiple breaches of security.