Slashdot Mirror
Criminals Hacked Chip-and-PIN System By Perfecting Point-of-Sale Attack (net-security.org)
An anonymous reader writes: When in 2010 a team of computer scientists at Cambridge University demonstrated how the chip and PIN system used on many modern payment cards can be bypassed by making the POS system accept any PIN as valid, the reaction of the EMVCo and the UK Cards Association was to brand the attack as "improbable." After all, the researchers used a bulky tech setup that had to be carried around in a backpack but, as it ultimately turned out, a year later an engineer based in France found a less obvious way to perform the attack.
It is worse than that, because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.
Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?
I'm wondering if they really fixed this kind of vulnerability too. If you read the paper it seems that that device they added to the card was not fully compliant with the spec, not by a long way. So the most obvious and quick mitigation is to test for something that it is not compliant in. Such a test could be quickly bypassed once discovered, and turn the whole thing in to a game of cat-and-mouse like the fake cable TV cards became.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Just good to mention that Chip & PIN cards would not have prevented the Target breach in any way as mentioned in Brian Krebs follow up article:
https://krebsonsecurity.com/20...
"0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions)."
You'd think it would be obvious, but an attack never gets less good over time.
Of course the research attack was large and bulky. It had a full laptop in a backpack and a bunch of not very dense electronics and stuff since it was part of a research demo. Research demos are generally the minimum required to prove that something works.
Once an attack has been found the only vaguely sensible thing to assume is that it gets better, easier and more slick over time.
Then again, the banks were idiots in the first place and tried legal threats to keep it quiet. Because as we all know that makes security holes vanish.
SJW n. One who posts facts.
Why is it that the stupidest people always seem to be the ones making the decisions in matters of security?
Maybe you should ask their boss that question...
“He’s not deformed, he’s just drunk!”
Because the frauds committed aren't even big enough to be a line item in their budget. Why invest in security now when you might not need to fix the problem for a budget year or two?
It's a coldly calculated financial decision.
Chip and PIN is secure if used:
1. With the card present
2. With a PIN pad
3. With online validation
Which is all it ever guaranteed.
Chip and Signature should help reduce card cloning attacks because unless the cryptographic key on the chip can be read the application request cryptograms will never be correct so the transactions will be flagged. What happens in the case of an ARQC validation failure is up to your bank, but they can hardly refuse a refund if they approve a transaction where the ARQC validation failed. (Well, they can, but they're likely to get shafted for it eventually)
However what this attack enables is allowing stolen cards to be used because the fake chip would pass through the request to generate the ARQC to the chip card. So if your card's stolen, report it quickly. It's the same problem with the contactless cards. If it's stolen it can be used until it's blocked for the smaller amounts that it allows, but it's difficult to clone (I won't say impossible but I have not heard of it being done) because there's cryptographic key on the chip which generates a cryptogram that has to validate before the transaction will be approved.
Chip of any flavour does not stop card-not-present fraud, so internet fraud and over-the-phone purchase fraud will continue unabated. It solves a different problem.
Rational thought is the only true freedom
"I used my card in the old insecure mode several times and then am surprised when the card got skimmed"? Really?
because after they were shown that it could be done, they did nothing about it until this latest exploit threatened to make their failure general knowledge.
Wrong. It was already fixed.
If you want a good, detailed look at the story, read it on Ars:
http://arstechnica.com/tech-po...
The Ars article contains nothing to support your assertion. On the other hand, the Cambridge group that originally discovered the flaw behind the exploit report that the industry did nothing between being alerted to the problem and the publication of their paper. Instead, it attempted to dismiss the problem as impractical to exploit, even though the Cambridge group demonstrated a practical attack, presented good empirical evidence that it was being exploited in the wild, and proposed mitigating measures.
One of the team members recently wrote "What we do know with confidence is that had the banks acted to close the vulnerability immediately after we notified them, these criminals would not have been able to commit this fraud."
We have to take the industry's word for it that they have now fixed the problem, and our confidence in that claim should be weighted by its previous proclivity to dissemble. Perhaps they have just fixed the liability shift part of the problem.
https://www.cl.cam.ac.uk/resea...
https://www.benthamsgaze.org/2...