Criminals Hacked Chip-and-PIN System By Perfecting Point-of-Sale Attack (net-security.org)

← Back to Stories (view on slashdot.org)

Criminals Hacked Chip-and-PIN System By Perfecting Point-of-Sale Attack (net-security.org)

Posted by timothy on Tuesday October 20, 2015 @03:02AM from the tab-a-slot-b-oops dept.

An anonymous reader writes: When in 2010 a team of computer scientists at Cambridge University demonstrated how the chip and PIN system used on many modern payment cards can be bypassed by making the POS system accept any PIN as valid, the reaction of the EMVCo and the UK Cards Association was to brand the attack as "improbable." After all, the researchers used a bulky tech setup that had to be carried around in a backpack but, as it ultimately turned out, a year later an engineer based in France found a less obvious way to perform the attack.

15 of 145 comments (clear)

Min score:

Reason:

Sort:

I didn't think of it means... by bobbied · 2015-10-20 03:07 · Score: 3, Insightful

Improbable anybody would do it..

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
1. Re:I didn't think of it means... by Capt.Albatross · 2015-10-20 03:14 · Score: 4, Insightful
  
  It is worse than that, because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.
  Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?
2. Re:I didn't think of it means... by AmiMoJo · 2015-10-20 03:20 · Score: 4, Interesting
  
  I'm wondering if they really fixed this kind of vulnerability too. If you read the paper it seems that that device they added to the card was not fully compliant with the spec, not by a long way. So the most obvious and quick mitigation is to test for something that it is not compliant in. Such a test could be quickly bypassed once discovered, and turn the whole thing in to a game of cat-and-mouse like the fake cable TV cards became.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
3. Re:I didn't think of it means... by fustakrakich · 2015-10-20 03:35 · Score: 4, Insightful
  
  Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?
  Maybe you should ask their boss that question...
  
  --
  “He’s not deformed, he’s just drunk!”
4. Re:I didn't think of it means... by TemporalBeing · 2015-10-20 03:44 · Score: 3, Insightful
  
  It is worse than that, because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.
  Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?
  Because everyone is stupid when it comes to security until something security related happens to them.
  
  --
  Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
5. Re:I didn't think of it means... by Baron_Yam · 2015-10-20 04:02 · Score: 4, Insightful
  
  Because the frauds committed aren't even big enough to be a line item in their budget. Why invest in security now when you might not need to fix the problem for a budget year or two?
  It's a coldly calculated financial decision.
6. Re:I didn't think of it means... by IamTheRealMike · 2015-10-20 04:23 · Score: 3, Informative
  
  Yes, it's fixed properly. From the paper:
  
  It is important to underline that, as we write these lines, the attack described in this paper is not applicable anymore, thanks
  to the activation of a new authentication mode (CDA, Combined Data Authentication) and network level protections acting as a second line of defense. Until the deployment of CDA, this fraud was stopped using network-level counter-measures and PoS software updates.
7. Re: I didn't think of it means... by Cyberax · 2015-10-20 04:52 · Score: 3, Funny
  
  Why would the govt need to know what guns I have or how many I have?
  To easily trace you once you turn into a mass-murderer.
8. Re:I didn't think of it means... by Capt.Albatross · 2015-10-20 07:12 · Score: 5, Informative
  
  because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.
  Wrong. It was already fixed.
  If you want a good, detailed look at the story, read it on Ars:
  http://arstechnica.com/tech-po...
  The Ars article contains nothing to support your assertion. On the other hand, the Cambridge group that originally discovered the flaw behind the exploit report that the industry did nothing between being alerted to the problem and the publication of their paper. Instead, it attempted to dismiss the problem as impractical to exploit, even though the Cambridge group demonstrated a practical attack, presented good empirical evidence that it was being exploited in the wild, and proposed mitigating measures.
  One of the team members recently wrote "What we do know with confidence is that had the banks acted to close the vulnerability immediately after we notified them, these criminals would not have been able to commit this fraud."
  We have to take the industry's word for it that they have now fixed the problem, and our confidence in that claim should be weighted by its previous proclivity to dissemble. Perhaps they have just fixed the liability shift part of the problem.
  https://www.cl.cam.ac.uk/resea...
  https://www.benthamsgaze.org/2...
Chip cards would not have prevented Target Breach by sasparillascott · 2015-10-20 03:26 · Score: 4, Insightful

Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs follow up article:

https://krebsonsecurity.com/20...

"0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."
So stupid and ignorant of history. by serviscope_minor · 2015-10-20 03:35 · Score: 4, Informative

You'd think it would be obvious, but an attack never gets less good over time.
Of course the research attack was large and bulky. It had a full laptop in a backpack and a bunch of not very dense electronics and stuff since it was part of a research demo. Research demos are generally the minimum required to prove that something works.
Once an attack has been found the only vaguely sensible thing to assume is that it gets better, easier and more slick over time.
Then again, the banks were idiots in the first place and tried legal threats to keep it quiet. Because as we all know that makes security holes vanish.

--
SJW n. One who posts facts.
Re:Chip cards would not have prevented Target Brea by TemporalBeing · 2015-10-20 03:47 · Score: 3, Interesting

Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs follow up article: https://krebsonsecurity.com/20... "0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."
Correct. Chip & PIN would not have solved anything.

To provide an example...I used my Chip card the other day. The vendor was having an issue with their chip reader, so the POS operator put in an override to allow it to be swiped. So another easy way to by pass the Chips? Make a hack that makes the system think the reader is unusable.

--
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Re:We can safely ignore Chip&Pin by DarenN · 2015-10-20 04:11 · Score: 4, Informative

Chip and PIN is secure if used:
1. With the card present
2. With a PIN pad
3. With online validation
Which is all it ever guaranteed.
Chip and Signature should help reduce card cloning attacks because unless the cryptographic key on the chip can be read the application request cryptograms will never be correct so the transactions will be flagged. What happens in the case of an ARQC validation failure is up to your bank, but they can hardly refuse a refund if they approve a transaction where the ARQC validation failed. (Well, they can, but they're likely to get shafted for it eventually)
However what this attack enables is allowing stolen cards to be used because the fake chip would pass through the request to generate the ARQC to the chip card. So if your card's stolen, report it quickly. It's the same problem with the contactless cards. If it's stolen it can be used until it's blocked for the smaller amounts that it allows, but it's difficult to clone (I won't say impossible but I have not heard of it being done) because there's cryptographic key on the chip which generates a cryptogram that has to validate before the transaction will be approved.
Chip of any flavour does not stop card-not-present fraud, so internet fraud and over-the-phone purchase fraud will continue unabated. It solves a different problem.

--
Rational thought is the only true freedom
Re:Chip is good security theatre by IamTheRealMike · 2015-10-20 04:26 · Score: 4, Insightful

"I used my card in the old insecure mode several times and then am surprised when the card got skimmed"? Really?
pfft, PIN by j2.718ff · 2015-10-20 04:40 · Score: 3, Funny

We in the US have chip and signature, and are therefore immune to any such attack involving a PIN.