Slashdot Mirror


Criminals Hacked Chip-and-PIN System By Perfecting Point-of-Sale Attack (net-security.org)

An anonymous reader writes: When in 2010 a team of computer scientists at Cambridge University demonstrated how the chip and PIN system used on many modern payment cards can be bypassed by making the POS system accept any PIN as valid, the reaction of the EMVCo and the UK Cards Association was to brand the attack as "improbable." After all, the researchers used a bulky tech setup that had to be carried around in a backpack but, as it ultimately turned out, a year later an engineer based in France found a less obvious way to perform the attack.

23 of 145 comments

  1. I didn't think of it means... by bobbied · · Score: 3, Insightful

    Improbable anybody would do it..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:I didn't think of it means... by Capt.Albatross · · Score: 4, Insightful

      It is worse than that, because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.

      Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?

    2. Re:I didn't think of it means... by AmiMoJo · · Score: 4, Interesting

      I'm wondering if they really fixed this kind of vulnerability too. If you read the paper it seems that the device they added to the card was not fully compliant with the spec, not by a long way. So the most obvious and quick mitigation is to test for something that it is not compliant in. Such a test could be quickly bypassed once discovered, and turn the whole thing into a game of cat-and-mouse like the fake cable TV cards became.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:I didn't think of it means... by fustakrakich · · Score: 4, Insightful

      Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?

      Maybe you should ask their boss that question...

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:I didn't think of it means... by TemporalBeing · · Score: 3, Insightful

      It is worse than that, because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.

      Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?

      Because everyone is stupid when it comes to security until something security related happens to them.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    5. Re:I didn't think of it means... by Baron_Yam · · Score: 4, Insightful

      Because the frauds committed aren't even big enough to be a line item in their budget. Why invest in security now when you might not need to fix the problem for a budget year or two?

      It's a coldly calculated financial decision.

    6. Re:I didn't think of it means... by IamTheRealMike · · Score: 3, Informative

      Yes, it's fixed properly. From the paper:

      It is important to underline that, as we write these lines, the attack described in this paper is not applicable anymore, thanks to the activation of a new authentication mode (CDA, Combined Data Authentication) and network level protections acting as a second line of defense. Until the deployment of CDA, this fraud was stopped using network-level counter-measures and PoS software updates.

    7. Re:I didn't think of it means... by Anonymous Coward · · Score: 2

      Not easily hacked: As long as your home is adequately protected from break-ins.

      Not easily tracked: Unless you spend more than $10k, in which case the purchase will be reported to the IRS.

      The worst part is that since a PIN hack puts liability for fraud on the cardholder (bank logic: PIN is unbreakable, so it's the cardholder's fault if it gets stolen) this ends up being bad for the consumer. That's why I'm OK with PIN/swipe & signature (bank logic: signatures are unreliable, so the bank writes off the odd case of fraud here and there).

    8. Re: I didn't think of it means... by Cyberax · · Score: 3, Funny

      Why would the govt need to know what guns I have or how many I have?

      To easily trace you once you turn into a mass-murderer.

    9. Re:I didn't think of it means... by Capt.Albatross · · Score: 5, Informative

      because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.

      Wrong. It was already fixed.

      If you want a good, detailed look at the story, read it on Ars:
      http://arstechnica.com/tech-po...

      The Ars article contains nothing to support your assertion. On the other hand, the Cambridge group that originally discovered the flaw behind the exploit report that the industry did nothing between being alerted to the problem and the publication of their paper. Instead, it attempted to dismiss the problem as impractical to exploit, even though the Cambridge group demonstrated a practical attack, presented good empirical evidence that it was being exploited in the wild, and proposed mitigating measures.

      One of the team members recently wrote "What we do know with confidence is that had the banks acted to close the vulnerability immediately after we notified them, these criminals would not have been able to commit this fraud."

      We have to take the industry's word for it that they have now fixed the problem, and our confidence in that claim should be weighted by its previous proclivity to dissemble. Perhaps they have just fixed the liability shift part of the problem.

      https://www.cl.cam.ac.uk/resea...
      https://www.benthamsgaze.org/2...

    10. Re:I didn't think of it means... by idontgno · · Score: 2

      Yes. This is very precisely a MITM attack.

      Why is the card response so pitifully simple? It should have been cryptographically signed with a private key embedded in the card, so that the "yes" answer can't be synthesized by the interception chip.

      Sigh.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    11. Re:I didn't think of it means... by KGIII · · Score: 2

      Then you're not really in the industry. DirecTV had the greatest reverse troll of all time. Basically the card cloners were keeping busy while DTV kept adding more and more security methods. Except they were sneaking in a little extra code at the time so all of their updates eventually built a time-bomb, in effect, and so the cloners were all happy and the war kept going. Finally, on Super Bowl Sunday, the DTV code got a final update which nuked every single one of the cloned cards that was plugged into the system - forever. Someone tried to figure out what went on and, sure enough, in the last code update - when disassembled, said something like, "Ha ha! We win!" It was epic. The greatest hack battle of all time. Even better than playing with live SysOps while you trashed their corporate system.

      That's just a brief history but that's the gist of it. If you worked in the industry then you'd know this. It's the stuff of legends. By the way, the DTV code took months and months and months to set up - they included something like an extra four bytes in their updates or something like that. It all went together like a giant puzzle in the background and hidden. It was beautiful - I think they overvolted the chip on them or did something to the memory but I don't recall exactly and am too lazy to look it up. My understanding is that some of the people who'd been stealing the service actually called and tried to get new cards and complained about the loss of equipment. It was, from an outsider, epic. I don't actually watch TV so it doesn't affect me but I still read about it as did everyone else. Which means you're probably not in the business.

      --
      "So long and thanks for all the fish."
    12. Re:I didn't think of it means... by Jack+Griffin · · Score: 2

      Because everyone is stupid when it comes to security until something security related happens to them.

      Not so much stupid as lazy. And a big part of the problem is that most of the time, security people are the boy crying wolf.
      How many times have we heard about vulnerabilities that had no impact? If we react to every single warning we'd never get anything done. So maybe the correct path is to ignore security people most of the time. The real trick, however, is knowing when to pay attention and act.

  2. Chip cards would not have prevented Target Breach by sasparillascott · · Score: 4, Insightful

    Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way, as mentioned in Brian Krebs' follow-up article:

    https://krebsonsecurity.com/20...

    "0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."

  3. Chip and Signature by rjstanford · · Score: 2

    If you read TFA, you'll see that the issue exists because people wanted the card to be able to be used without the PIN present, presumably in cases where a PIN terminal wasn't available. All that the hack does is convince the card to process the transaction as if it was a chip-and-signature transaction, which most places can choose to trigger by hand.

    As long as you want cards to work without the PIN, they will be vulnerable to being told to work without the PIN. That's just a fact, unfortunately.

    The other benefits of chip transactions, the best of which is that each transaction is unique rather than simply a relay of TRACKDATA with a M_ID and an amount attached to it (basically making stolen card transmissions worthless instead of the current "just as good as a real card"), still remain and are highly significant.

    --
    You're special forces then? That's great! I just love your olympics!
    1. Re:Chip and Signature by rjstanford · · Score: 2

      I could have been more clear; it returns that information to the POS, and it tells the card that it's in signature mode rather than PIN mode.

      --
      You're special forces then? That's great! I just love your olympics!
  4. So stupid and ignorant of history. by serviscope_minor · · Score: 4, Informative

    You'd think it would be obvious, but an attack never gets less good over time.

    Of course the research attack was large and bulky. It had a full laptop in a backpack and a bunch of not very dense electronics and stuff since it was part of a research demo. Research demos are generally the minimum required to prove that something works.

    Once an attack has been found the only vaguely sensible thing to assume is that it gets better, easier and more slick over time.

    Then again, the banks were idiots in the first place and tried legal threats to keep it quiet. Because as we all know that makes security holes vanish.

    --
    SJW n. One who posts facts.
  5. Re:Chip cards would not have prevented Target Brea by ShanghaiBill · · Score: 2

    Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way, as mentioned in Brian Krebs' follow-up article

    The CC number would have been compromised. But the PIN would be secret. The whole point of the PIN is that the CC# alone is not enough to complete a transaction.

  6. Re:Chip cards would not have prevented Target Brea by TemporalBeing · · Score: 3, Interesting

    Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way, as mentioned in Brian Krebs' follow-up article: https://krebsonsecurity.com/20... "0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."

    Correct. Chip & PIN would not have solved anything.

    To provide an example... I used my Chip card the other day. The vendor was having an issue with their chip reader, so the POS operator put in an override to allow it to be swiped. So another easy way to bypass the chips? Make a hack that makes the system think the reader is unusable.

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  7. Re:Chip cards would not have prevented Target Brea by AmiMoJo · · Score: 2

    This doesn't seem to be right. To make online transactions you need the CCV number on the back of the card. That number is not normally transmitted when you make a chip-and-pin payment. At least, that's the way it works in Europe, maybe the US chip-and-pin system is different.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Re:We can safely ignore Chip&Pin by DarenN · · Score: 4, Informative

    Chip and PIN is secure if used:
    1. With the card present
    2. With a PIN pad
    3. With online validation

    Which is all it ever guaranteed.

    Chip and Signature should help reduce card cloning attacks because unless the cryptographic key on the chip can be read the application request cryptograms will never be correct so the transactions will be flagged. What happens in the case of an ARQC validation failure is up to your bank, but they can hardly refuse a refund if they approve a transaction where the ARQC validation failed. (Well, they can, but they're likely to get shafted for it eventually)

    However, what this attack enables is allowing stolen cards to be used, because the fake chip would pass through the request to generate the ARQC to the chip card. So if your card's stolen, report it quickly. It's the same problem with the contactless cards. If it's stolen it can be used until it's blocked for the smaller amounts that it allows, but it's difficult to clone (I won't say impossible but I have not heard of it being done) because there's a cryptographic key on the chip which generates a cryptogram that has to validate before the transaction will be approved.

    Chip of any flavour does not stop card-not-present fraud, so internet fraud and over-the-phone purchase fraud will continue unabated. It solves a different problem.

    --
    Rational thought is the only true freedom
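An added toy model (not the paper's code and not any EMV implementation) of the flow discussed in idontgno's comment (the card's "PIN OK" reply is unauthenticated, so a shim can synthesize it) and in DarenN's comment (the shim forwards the cryptogram request, so the genuine card's cryptogram still validates). It shows the issuer-side check that catches the disagreement: the card's own view of PIN verification is bound into the cryptogram, while the shim can only lie to the terminal. The HMAC key, PIN, amount and class names are constructed stand-ins for the real card key and signature scheme.

```python
import hmac
import hashlib

# Constructed stand-in for the card-side cryptogram key shared with the issuer.
CARD_KEY = b"constructed-card-key-0001"


class Card:
    """Genuine chip: holds the key, checks the PIN, builds the cryptogram (ARQC)."""
    def __init__(self, pin):
        self.pin = pin
        self.pin_verified = False

    def verify(self, pin):
        # ISO 7816 status words: 9000 = OK, 63C2 = wrong PIN, 2 tries left.
        self.pin_verified = (pin == self.pin)
        return "9000" if self.pin_verified else "63C2"

    def generate_ac(self, amount):
        # The card MACs the amount together with ITS OWN view of PIN verification.
        card_cvm = "PIN" if self.pin_verified else "NONE"
        data = f"{amount}|{card_cvm}".encode()
        arqc = hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()
        return {"amount": amount, "card_cvm": card_cvm, "arqc": arqc}


class Shim:
    """Interposed chip from the thread: answers VERIFY itself, forwards GENERATE AC."""
    def __init__(self, card):
        self.card = card

    def verify(self, pin):
        return "9000"                      # never consults the real card

    def generate_ac(self, amount):
        return self.card.generate_ac(amount)   # real card, real key, real ARQC


def terminal(chip, entered_pin, amount):
    """Terminal: only proceeds if the chip reports the PIN as verified."""
    if chip.verify(entered_pin) != "9000":
        return None                        # PIN rejected; no transaction built
    return {"terminal_cvm": "PIN", **chip.generate_ac(amount)}


def issuer_decision(msg):
    """Issuer: validate the cryptogram, then require terminal and card to agree."""
    data = f"{msg['amount']}|{msg['card_cvm']}".encode()
    expected = hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["arqc"]):
        return "DECLINE: bad cryptogram"
    if msg["terminal_cvm"] != msg["card_cvm"]:
        return "DECLINE: terminal claims PIN verified, card did not verify it"
    return "APPROVE"
```

A shim that also rewrites `card_cvm` to "PIN" breaks the cryptogram, because that field is covered by the key it never sees; a stolen card behind a shim is only caught by this consistency check, which is why the thread's advice to block the card quickly still applies.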
  9. Re:Chip is good security theatre by IamTheRealMike · · Score: 4, Insightful

    "I used my card in the old insecure mode several times and then am surprised when the card got skimmed"? Really?

  10. pfft, PIN by j2.718ff · · Score: 3, Funny

    We in the US have chip and signature, and are therefore immune to any such attack involving a PIN.