Slashdot Mirror


Criminals Hacked Chip-and-PIN System By Perfecting Point-of-Sale Attack (net-security.org)

An anonymous reader writes: When in 2010 a team of computer scientists at Cambridge University demonstrated how the chip and PIN system used on many modern payment cards can be bypassed by making the POS system accept any PIN as valid, the reaction of the EMVCo and the UK Cards Association was to brand the attack as "improbable." After all, the researchers used a bulky tech setup that had to be carried around in a backpack but, as it ultimately turned out, a year later an engineer based in France found a less obvious way to perform the attack.

4 of 145 comments

  1. So stupid and ignorant of history. by serviscope_minor · · Score: 4, Informative

    You'd think it would be obvious, but an attack never gets less good over time.

    Of course the research attack was large and bulky. It had a full laptop in a backpack and a bunch of not very dense electronics and stuff since it was part of a research demo. Research demos are generally the minimum required to prove that something works.

    Once an attack has been found the only vaguely sensible thing to assume is that it gets better, easier and more slick over time.

    Then again, the banks were idiots in the first place and tried legal threats to keep it quiet. Because as we all know that makes security holes vanish.

    --
    SJW n. One who posts facts.
  2. Re:We can safely ignore Chip&Pin by DarenN · · Score: 4, Informative

    Chip and PIN is secure if used:
    1. With the card present
    2. With a PIN pad
    3. With online validation

    Which is all it ever guaranteed.

    Chip and Signature should help reduce card cloning attacks because unless the cryptographic key on the chip can be read, the application request cryptograms will never be correct, so the transactions will be flagged. What happens in the case of an ARQC validation failure is up to your bank, but they can hardly refuse a refund if they approve a transaction where the ARQC validation failed. (Well, they can, but they're likely to get shafted for it eventually.)

    However, what this attack enables is allowing stolen cards to be used, because the fake chip would pass through the request to generate the ARQC to the chip card. So if your card's stolen, report it quickly. It's the same problem with the contactless cards. If it's stolen, it can be used until it's blocked for the smaller amounts that it allows, but it's difficult to clone (I won't say impossible, but I have not heard of it being done) because there's a cryptographic key on the chip which generates a cryptogram that has to validate before the transaction will be approved.

    Chip of any flavour does not stop card-not-present fraud, so internet fraud and over-the-phone purchase fraud will continue unabated. It solves a different problem.

    --
    Rational thought is the only true freedom
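The post above describes the issuer-side check that makes cloning hard (the chip's key produces a cryptogram the issuer validates) and why a pass-through chip still gets a valid ARQC from a stolen card. The following is an added example, not code from the post, the Cambridge paper or any EMV specification: a deliberately simplified model in which HMAC-SHA256 stands in for the EMV MAC, the PAN and key are constructed test values, and the card's own cardholder-verification result (its CVR) is assumed to be part of the cryptogram input, as the card's issuer application data is in real EMV. It shows the three outcomes the post reasons about: a genuine card approves, a clone without the key fails ARQC validation, and a relayed stolen card passes the cryptogram check but can be caught by an issuer that compares what the terminal claims about PIN entry with what the authenticated card data says.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer key store: PAN -> card master key. The PAN and key are
# made-up test values, not real card data.
ISSUER_KEYS = {
    "4111111111111111": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}


@dataclass(frozen=True)
class Transaction:
    pan: str
    amount: int               # minor currency units
    atc: int                  # application transaction counter (anti-replay)
    terminal_cvm_result: str  # what the terminal reports: "PIN_OK", "SIGNATURE" or "NONE"


def cryptogram_input(tx: Transaction, card_cvr: str) -> bytes:
    # The card's own cardholder-verification result is part of the MAC input,
    # so the issuer learns what the card actually did, not what the terminal claims.
    return f"{tx.pan}|{tx.amount}|{tx.atc}|{card_cvr}".encode()


def generate_arqc(key: bytes, tx: Transaction, card_cvr: str) -> bytes:
    """Card side: ARQC = MAC over transaction data plus the card's CVR.
    HMAC-SHA256 truncated to 8 bytes stands in for the EMV MAC (assumption)."""
    return hmac.new(key, cryptogram_input(tx, card_cvr), hashlib.sha256).digest()[:8]


def issuer_decision(tx: Transaction, card_cvr: str, arqc: bytes) -> str:
    """Issuer side: validate the cryptogram, then cross-check the CVM claims."""
    key = ISSUER_KEYS.get(tx.pan)
    if key is None:
        return "DECLINE:UNKNOWN_CARD"
    expected = generate_arqc(key, tx, card_cvr)
    if not hmac.compare_digest(expected, arqc):
        # A cloned chip without the key cannot produce a valid ARQC.
        return "DECLINE:ARQC_INVALID"
    if tx.terminal_cvm_result == "PIN_OK" and card_cvr != "PIN_VERIFIED":
        # Terminal says the PIN was checked, but the card (whose statement is
        # authenticated by the ARQC) says it never verified one.
        return "DECLINE:CVM_MISMATCH"
    return "APPROVE"


def run_scenarios() -> dict:
    tx = Transaction(pan="4111111111111111", amount=4999, atc=17, terminal_cvm_result="PIN_OK")
    real_key = ISSUER_KEYS[tx.pan]

    # 1. Genuine card, genuine PIN entry: card reports PIN verified.
    genuine = issuer_decision(tx, "PIN_VERIFIED", generate_arqc(real_key, tx, "PIN_VERIFIED"))

    # 2. Cloned chip without the real key: the cryptogram does not validate.
    clone = issuer_decision(tx, "PIN_VERIFIED", generate_arqc(b"\x00" * 16, tx, "PIN_VERIFIED"))

    # 3. Stolen card behind a pass-through chip: the real card produces the ARQC
    #    but never saw a PIN, so its CVR says so while the terminal reports PIN_OK.
    wedge = issuer_decision(tx, "PIN_NOT_PERFORMED", generate_arqc(real_key, tx, "PIN_NOT_PERFORMED"))

    # 4. Same stolen card at a signature terminal: data is consistent and the
    #    cryptogram is valid, so only a prompt block by the cardholder stops it.
    sig_tx = Transaction(pan=tx.pan, amount=tx.amount, atc=18, terminal_cvm_result="SIGNATURE")
    signature = issuer_decision(sig_tx, "PIN_NOT_PERFORMED",
                                generate_arqc(real_key, sig_tx, "PIN_NOT_PERFORMED"))

    return {"genuine": genuine, "clone": clone, "wedge": wedge, "signature": signature}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:10s} -> {decision}")
```

Scenario 4 is the post's point about stolen cards: when the terminal and the card agree (no PIN claimed, none performed), the cryptogram alone gives the issuer nothing to object to, which is why reporting a stolen card quickly matters regardless of the chip. The mismatch check in scenario 3 is a model of the kind of network-level counter-measure the thread mentions, not a description of any particular issuer's implementation.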
  3. Re:I didn't think of it means... by IamTheRealMike · · Score: 3, Informative

    Yes, it's fixed properly. From the paper:

    It is important to underline that, as we write these lines, the attack described in this paper is not applicable anymore, thanks to the activation of a new authentication mode (CDA, Combined Data Authentication) and network level protections acting as a second line of defense. Until the deployment of CDA, this fraud was stopped using network-level counter-measures and PoS software updates.

  4. Re:I didn't think of it means... by Capt.Albatross · · Score: 5, Informative

    because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.

    Wrong. It was already fixed.

    If you want a good, detailed look at the story, read it on Ars:
    http://arstechnica.com/tech-po...

    The Ars article contains nothing to support your assertion. On the other hand, the Cambridge group that originally discovered the flaw behind the exploit report that the industry did nothing between being alerted to the problem and the publication of their paper. Instead, it attempted to dismiss the problem as impractical to exploit, even though the Cambridge group demonstrated a practical attack, presented good empirical evidence that it was being exploited in the wild, and proposed mitigating measures.

    One of the team members recently wrote "What we do know with confidence is that had the banks acted to close the vulnerability immediately after we notified them, these criminals would not have been able to commit this fraud."

    We have to take the industry's word for it that they have now fixed the problem, and our confidence in that claim should be weighted by its previous proclivity to dissemble. Perhaps they have just fixed the liability shift part of the problem.

    https://www.cl.cam.ac.uk/resea...
    https://www.benthamsgaze.org/2...