Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chip and Pin "Weakness" Exposed By Cambridge Researchers

Posted by samzenpus on from the get-them-where-they're-weak dept.

another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"

15 of 133 comments (clear)

  1. Never trust security through obscurity by dajjhman · · Score: 4, Informative

    Lots of these systems use proprietary protocols and have pushed out 3rd party verification by researchers. the random number being generated by time? Any serious security auditor would have caught that if the banks allowed them in, one of the golden rules of cryptography is to have a proper random number generator. The contact-less systems in the US came under similar fire this past year, after years of assurances by card issuers that it couldn't happen. http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

    --
    The man who cannot imagine a horse galloping on a tomato is an idiot - Andre Breton
    1. Re:Never trust security through obscurity by scdeimos · · Score: 4, Funny

      A web cam pointed at a lava lamp works for some people.

    2. Re:Never trust security through obscurity by lxs · · Score: 5, Informative

      It's not that they cannot accept card like that, but that the processor will not reimburse the shop in case of fraud. At least that's the case here in the Netherlands.

    3. Re:Never trust security through obscurity by stepho-wrs · · Score: 3, Funny

      A personal PIN number is what you enter into an automatic ATM machine or an electronic EFT terminal.

    4. Re:Never trust security through obscurity by Mithent · · Score: 3, Interesting

      Cash works here, but I'd rather use a card if the store accepts one, because it's more convenient for me. Cash involves trips to the ATM, bulking out my wallet with coins, and hopefully having appropriate denominations for the purchase at hand (a £20 note seems a bit much for a 60p purchase, while a collection of 10p and 5p pieces is going to be annoying if it's £5). If it gets stolen, it's essentially guaranteed lost, which means I shouldn't carry a lot of it at once, whereas if my card gets stolen, I can hopefully cancel it before it's used by the thief, which Chip and PIN makes more difficult. There are also additional protections afforded for purchases on credit cards, and my credit card offers 1% cashback. Yes, it would be stupid to run up credit card debt, but that's easy to avoid by paying the full balance each month.

      I'll pay by cash if I have to, but I'd much rather pay by card, which means I always have the right amount to hand and I get nothing back but a receipt.

    5. Re:Never trust security through obscurity by Captain+Hook · · Score: 3, Insightful

      The fact is you force merchants to pay a percentage of your transaction in a "merchant service fee" or bank interchange fee in some countries

      While thats true, you are forgetting that handling cash is not free for the merchant either.

      It has to be handled by staff that can lose or steal it, it has to be transported around the store securely and transported to a bank to be paid in to an account (banks charge businesses for pay cash into an account) so the business can use the money for purchasing of supplies, paying rents and mortgage etc.

      Credit Card fees look scary for the merchant because the fee is stated upfront in the contract with the Credit Card Provider but cash has costs as well, possibly hugely variable costs compared to a stated percentage per transaction.

      --
      These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    6. Re:Never trust security through obscurity by necro81 · · Score: 3, Informative

      IEEE Spectrum reported last year on new RNG tech from Intel, called Bull Mountain, and implemented in Ivy Bridge processors. It uses a large array of cross-coupled inverters. Thermal noise (a semi-random process) causes them to each inverter pair to latch to 1 or 0 very quickly. The inverters are reset, then allowed to re-latch, many times per second. This isn't particularly new. But they also add circuitry that continuously checks the statistical randomness of the output, and combines multiple number streams to ensure maximum randomness. The result then becomes the seed for a more conventional PRNG. The upshot is the ability to produce billions of demonstrably random numbers per second, all in a low-power peripheral on the microprocessor.

  2. Security by obscurity by jenningsthecat · · Score: 4, Insightful

    All the locks in the world won't keep crooks out of your house if you don't use the locks. Your house may LOOK invulnerable, but one day sonbody's gonna try the door, find it open, and steal you blind.

    The same principle applies here - using obvious and predictable 'random' code generation, and relying on people not knowing that's what you're doing, only works for so long.

    And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:Security by obscurity by Solandri · · Score: 4, Interesting

      And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

      If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?

      The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

  3. Presumed secure = blame the user by muhula · · Score: 5, Informative

    In the US, a simple magnetic stripe is used to encode the data, which can be duplicated with little effort. Even if your credit card is swiped at a brick and mortar retailer, this well-known vulnerability gives consumers some credibility against the credit card issuer when they claim to have not made the purchase. The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds since chip and pin was presumed to be secure. From the article, "Others [banks] reported already being suspicious of the strength of unpredictable numbers... If those assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

    1. Re:Presumed secure = blame the user by rover42 · · Score: 3, Informative

      muhula writes: The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds ... banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds Ross Anderson heads the Cambridge group that found this attack and the earlier man-in-the-middle attack (a gadget between card & reader that makes all PIN verifications succeed no matter what number you enter). He's been writing about bank vulnerabilities for years. A famous older paper: "Why cryptosystems fail" http://www.cl.cam.ac.uk/~rja14/Papers/wcf.html Problems with PIN numbers: http://bits.blogs.nytimes.com/2012/02/20/security-of-self-selected-pins-is-lacking/

  4. The problem is shifting liability by nemesisrocks · · Score: 4, Interesting

    The problem with the claim Chip & Pin is more secure, is that the card processors (Visa, Mastercard) used it as a justification to shift liability from the Bank over to the Merchant.

    With swiped transactions, when a customer disputes the transaction, the Merchant isn't automatically liable for the transation -- they only need to prove the customer actually made the purchase (e.g. producing the signed receipt). With Chip & Pin, the merchant is automatically assumed to be liable, according to the merchant agreement. There's very little a merchant can do to dispute the chargeback.

    1. Re:The problem is shifting liability by mattsday · · Score: 3, Insightful

      I used to work in a store when Chip & PIN was introduced to the UK - after the switchover we were told in no uncertain terms that we would take liability if we didn't use Chip & PIN when it was available (e.g. verify by signature). This makes a lot of sense to me, as some peoples signatures had rubbed off and others really didn't match.

      Whenever I go to the US, my card is almost never checked. I usually get my card back before I even sign. There is often zero fraud prevention at the point of sale. Even when they ask for photo ID (rarely) they often just check the picture, not my name or even if it's valid ID.

      From my side, I would consider liability to be very much on a merchant who didn't bother checking properly and reduce it as an incentive to help me reduce fraud (e.g. chip & pin systems).

      --
      Now there's one hoopy frood who really knows where his towel is!
  5. Re:Wasn't this already covered by scdeimos · · Score: 3, Informative
    Maybe you're thinking of this /. story from 2010, which is about a different attack (a MITM that allows the wrong PIN to be verified as correct) from the same Cambridge researchers?

    European Credit and Debit Card Security Broken

    http://news.slashdot.org/story/10/02/11/2129212/european-credit-and-debit-card-security-broken

  6. Its worse - Liability is shifted to the CARDHOLER by brunes69 · · Score: 4, Informative

    Re-read your chip & PIN liability statements. Chargebacks with chip & PIN are very difficult to do and weighed heavily against the cardholder.

    By default, if a transaction is conducted via chip & PIN, the consumer is liable for all charges. The use of a PIN constitutes, in the eye of the bank, de-facto shift of liability for the transaction. In the event of a dispute, it is up to THE CONSUMER to provide evidince that he / she did not perform the transaction. This is a marked shift from the old magstripe / signature liability, where it was up to the merchant to prove that it was you making the purchase in a dispute. Now, it is up to the consumer to prove it WASN'T you - good luck with that!

    I am glad people are finally waking up to this because I avoided chip & PIN as long as possible due to this, but it is being rammed down our throats, along with this liability shift, and no one is noticing.