UK researchers have uncovered a serious flaw in the Chip and PIN machines that authenticate debit and credit card transactions. Two of the most popular PIN entry devices (PED) in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a "tapping attack", using nothing more sophisticated than a paper clip, a needle and a …
It's not the banks money
"The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out,"
Reminds me, when I go to close my account I'll use the line "not economically viable for me to remain a customer of yours". They're probably right - why bother getting all this equipment for the odd few cards when you can pay an Indian call centre employee to do the job quicker and cheaper?
"...not currently economically viable for a fraudster to carry out,"
...well not yet because they haven't YET pillaged everyone's accounts with this hack yet.
Where do they get these guys?
I thought this article was going to be about how people could no longer use credit cards without a little pop-up assistant saying "It looks like you're entering your Pin. Would you like some help?"
That's what you need professors for
well said that man, the secrecy involved in these matters just doesn't help, they always get something wrong - silly, fixable mistakes.
Publicising your approach for peer review is the only method that works, though getting GCHQ involved probably works too
How anyone can say that "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out" beats the shit out of me. £80k sounds pretty worthwhile to me.
Chip and Pin is flawed
I had two charges made to my Barclays debit card even though it was rejected by the merchant's terminal (it kept saying 'pin number blocked'). So I was billed twice but still had to pay with another credit card. I called Barclays and told them about it - they still took the money out of my account and they don't have a mechanism for repaying their fraudulent withdrawals from my account.
Good research. I was less impressed by the vendor response, which consists of the usual excuses deployed for the last quarter-century.
BTW, the researchers are using an old version of WordPress that was updated to fix a fairly critical security vulnerability. A classic case of the cobbler's children going barefoot.
No icon because the selection is inadequate. Please add one showing the southbound end of a northbound mule.
Heads in the sand
I don't like the typical "that isn't going to happen" response from the banks, but if they admitted fault then I guess they would then be liable for the costs of any fraud. At the moment, if you're a victim of one of these attacks, the bank will just deny that it's possible and not compensate you...."you must have given your PIN away."
The technical report on their blog is worth a read. These guys seem to know what they're doing, and had rather too much fun doing it! Figure 14 is a classic!
All it takes is a needle and paper clip??
Heh, pretty soon Macgyver will be sitting there with a roll of duct tape, some chewing gum and thread and he will be taking your bank account for thousands of dollars and the banks will never find out.
/mine's the one with the duct taped elbows
what the APACS spokesman really said
He is quoted as saying: "The types of attack on PIN entry devices detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out,"
I think he really said: "They couldn't even hit an elephant from that dis..."
...why my typical on-line transaction now goes something like....
<clickety click> Submit order
"Your card has been declined :("
...more time passes
...get to talk to someone with a heavy foreign accent. Give verbal DNA sample. Explain problem. Get transferred to fraud department.
...even more time passes
... get to talk to someone else with a different (but more local) foreign accent. Give verbal DNA sample. Explain problem again. Recite the last few transactions on the card. Blush. Get put on hold. Get told how wonderful their anti-fraud system is for blocking my unusual transaction (with a company I've only placed a few thousand pounds of order with over the last few years). Get told patronisingly that my card is now being unlocked and I can continue to use it in a few minutes time. Get asked if there is anything else they can help me with today. Resist making arrestable suggestion.
Wait a few minutes
Return to site
<clickety click> Submit order
"Your session has expired. For your security blah blah blah..."
Re-enter card details
<clickety click> Submit order
"Thank you for your custom...."
Swear mildly with relief, trying to think how to avoid this pantomime next time.
Thought the word "boffin" was banned on El Reg?
Paris, as she loves a good boffin.
"argues that the technology has reduced fraud"
hmm. all it seems to have done for the consumer is take the liability away from the banks and put much of it on the consumer. so that when something does go wrong good luck proving it was not your fault. after all if the system is as secure as they'd like us to think we must have done something wrong.
> difficult to undertake
> The types of attack on PIN entry devices detailed in this report are
> difficult to undertake and not currently economically viable for a
> fraudster to carry out," an APACS spokesman said.
Oh right, so that explains why they've already happened... I would be interested in *real* information about how much fraud has actually diminished in total, including all those folks who haven't managed to prove to the bank that their PIN was hijacked...
"Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities."
We had Ross Anderson as a lecturer for our 2nd year Computer Science Software Engineering course. He seems quite battle hardened, and seemed very bitter throughout it all! So this statement sounds entirely like our lecture course.
Yet another "...not currently economically viable for a fraudster to carry out"
I suppose it's possible the cost of paper clips and needles has skyrocketed since I last checked, but I submit that normally such things are within the financial reach of all but the most financially challenged citizen. In which case a quick wander through just about anywhere that uses office supplies and a gander through your mum's sewing kit would yield the necessary tools for free.
...cash is still King.
Life is easy when you use cash.
hmm Let's see now they make it sound so easy:
Account can be hacked with:
paper clip - simple item to get hold of
Pin - simple item to get hold of
then 'a small recording device' - this is the bit that is considerably more complex and not as easy to get/make/steal as you might think.
while I admit that I am a bit surprised it is that easy - at this stage I doubt many crooks have access to the Technical capability of obtaining a 'small recording device'
Don't think it will keep me up at night (although maybe I should check any eftpos machine I use for pins or paper-clips).
Whose fault is it if a forged signature is accepted? The bank. Whose fault is it if a PIN number is fraudulently used? Yours for letting someone know your PIN. Chip and Pin has been engineered to shift the liability away from the bank and onto us.
So far only the machines have been hacked. Pretty easy to get your hands on one really. Next the chip will be exposed and its memory read with a scanning electron microscope or maybe just a finer pointed needle.
If the keyboard passes unencrypted keypresses to the CPU then maybe the card passes the private key unencrypted through its registers.
The arrogance of the people promoting chip and pin as uncrackable is simply asking for trouble.
Cash is King, yeah right
Life is easy. You've just got to avoid having your wallet pinched. And if it does happen, you have ZERO chance of persuading the Bank of England to reissue you with the cash. And of course, the shops and services have to have massive secure vans to transport the stuff in, which can also be targeted by thieves.
Yes, cash is King - for criminals. For the rest of us, we actually quite like something that gives us a reasonable chance of getting our money back if we have our wallet pinched.
Yes, we'd like it to be better and more secure. But the sooner cash actually dies, the better.
But by all means, you keep your folding stuff in your mattress if you wish. Good luck.
"Life is easy when you use cash."
cos all online shops take cash
Chip 'n' pin - live in fear
as a Daily Mail reader, I know that chip and PIN aids terrorists, causes global warming, gives you cancer, causes house prices to plummet, fuels drug addiction, leads to moral decline and makes it easier for illegal immigrants to traffic children (only white British ones) into paedophile slavery.
Chip and PIN is also responsible for our shambolic railways, low standards of education and the phenomenal rise of incapacity benefit.
Oh, and AIDS.
Not economical, that would be why I lost 600 quid to a cash machine in Pakistan
Tuesday - buy petrol - Texaco on A217 Surrey
Wednesday - 300 quid removed from my account in Pakistan
Friday - can't get any cash out as Wednesday's transaction clears my account
Monday - Further 300 goes,
Looks very economical from their point of view. They got 300 quid in the end, took 30 seconds for them to capture the data, one email, and one visit to a cash machine in Pakistan and I have now funded a war or similar. Took me days on the phone to get the money back with the bank.
Why chip and pin - simple - the banks changed their terms and conditions, they place the onus on the individual and the merchant for the loss, when it was a signature the onus was on the bank. That's why you can't buy a plasma in Richer Sounds without 2 forms of ID, the fact the card goes through fine means nothing for the retailer.
way back when
a certain large credit card company was developing its chip and pin stuff, I recall one person very high up in the project saying "the crooks are two steps ahead of us, the idea that this will be secure is a smokescreen, to make the public feel safe"
rather like ID cards methinks
@ Richard Freeman
"then 'a small recording device' - this is the bit that is considerably more complex and not as easy to get/make/steal as you might think."
It's not that easy to make a semi-automatic weapon in your bedroom either, but that doesn't stop loads of little shits from running around shooting each other with them.
The waiters & petrol station staff who skimmed your card in the magstripe days didn't make the skimmers themselves. They were issued them from further up the organised criminal ladder. It only takes one bent geek to work out and sell a design, then factories in China will be knocking them out by the thousands.
I suspect that anyone with a relevant degree could knock up a microcontroller circuit that could record the necessary signals. The research suggests that this could even be made to fit inside some card readers so it's undetectable from outside.
And there's still the issue that you only need one clever person to make a load and sell them to others to make its use widespread. The hardware equivalent of script kiddies. It's easy when someone has already made you one!
Anyone involved in card security should start screaming about this. It's not trivial to do, but it's way easier than it should be.
Re: Standard Denials
Regarding "the researchers are using an old version of WordPress that was updated to fix a fairly critical security vulnerability"
I did apply the vendor fix when news of the flaw was announced, but the patch doesn't update the version number. Our Wordpress install is not actually vulnerable, even though it apparently is an old version.
And people still haven't cracked the xbox 360
The security in the xbox 360 has survived this long, yet these guys find such blatant holes in the chip and pin systems....
Ross Anderson & agendas
Professor Anderson heads up a very able bunch of researchers and their work into the inadequacy of technical information security implementations is very important. Professor Anderson is morally outraged by the attitude and approach taken by The Man to security and the use of technology to move the point of risk assessment downstream to us, the individuals (Wayland S & others previous). The approach of the banks to suspected fraud of 'litigate (against the defrauded) rather than investigate (the weakness of their implementations)' is indefensible and needs to be vigorously and rigorously challenged. Professor Anderson wants to motivate public opinion to support his outrage and rebel against The Man; unfortunately, he tends to the hysterical and hype and I am not convinced that this approach engenders the necessary gravitas.
Consequently, the Man (APACS in this case), feel they can counter with the ludicrous fobbing-off that "difficult to undertake and not currently economically viable" exemplifies.
By the way: included in the 'Newsnight' article was the simple statement from CESG (the relevant bit of GCHQ); "We have not evaluated the terminal device that you mention" in response to question posed by BBC journalist.
Fact is: there exists NO PIN Entry Device that has been subjected to a public domain (i.e. Common Criteria) evaluation. APACS (& other bank card consortia) run their own (closed) 'evaluations'.
Re: That's what you need professors for
"Publicising your approach for peer review is the only method that works, though getting GCHQ involved probably works too"
The real significance of this *published* work is that it is now impossible for the banks to assert in court that their system can't be beat. It is now common knowledge that Chip-n-Pin is not secure and so no matter what your bank might say in the T+Cs, the onus of proof lies with them.
Do remember that chip and PIN was never ever about security; it was about switching the cost of fraud to the card holder. There was never a secret about that; CHIP cards were hacked before they were ever introduced....and the card issuers knew that.
Chip and PIN is fundamentally broken
Chip and PIN is fundamentally broken and the best way to reform it is to scrap it. If fraud figures have decreased, it is simply for the reason that any chip-and-PIN transaction is considered legitimate by default.
The problem is that, compared to a signature -- essentially, a complex hand gesture unique to an individual yet readily reproducible at will by that individual -- a PIN is just far too easy to replicate. And it's foolish in the extreme to assume that the associated smartcards are not replicatable. Even if it takes two briefcases of electronics linked to a dummy card by means of a multi-core cable the thickness of a fire hose, it can be done; and the reader won't know the difference.
If a signature-backed card is stolen, it always requires some time for the thief to learn to forge the signature convincingly -- time in which the victim can report the theft. If a PIN-backed card is stolen, the thief need only hold a knife to the victim's throat to get the PIN, and keep it there for as long as it takes an accomplice to verify the PIN in a nearby store (possibly even using a mobile phone also liberated from the victim to report success or otherwise). Alternatively, if the PIN is already known (perhaps observed being entered into a terminal elsewhere; yes, some people really are that careless) the card can be lifted without alerting the victim.
Lots of cloning going on
We had a big rash of cloning in the Southend-on-Sea area in late 2006. I had both a credit and debit account abused months apart AND they got the pin for at least one of them! They even linked me to a new Virgin Mobile account but their system leaked that one to me.
The police/press blamed a lot of it locally on a particular petrol station BUT I heard of a number of people who suspected a different posher BP petrol station (as they never used the other one) which never appeared to get investigated.
Keeping it quiet seemed the order of the day.
If you've got nothing to hide...
...you've got nothing to worry about.
Er... though do remember to keep your PIN secret at all times... er... I'm confused.
Where's a government minister to tell you what to think and not to worry when you need one? Hiding, perhaps? Got something to worry about, have they?
I'm just going to go back to nicking things, it seems much safer than attempting to pay for them.
"Yes, we'd like it to be better and more secure. But the sooner cash actually dies, the better."
I don't think either of those events are going to happen. The banks will only reduce their risks to a certain point beyond which it becomes economically pointless to try and reduce losses any further. And as many commenters have pointed out, chip and pin has certainly succeeded in one of its objectives of heaping the risk onto the consumer, with a large JCB.
I doubt cash will die out any time soon, in fact I believe that the distribution of hard currency is currently on the increase. Despite its many problems, cash remains the fastest, most reliable transaction. After all, with cash you can't lose more than the wad that you're holding.
 Unless you're stuck behind old Doris and her purse full of pennies.
 And of course many people like to deal in cash for 'obvious' reasons.
Not currently viable?
So you are telling me that a guy working night shift at a petrol station for minimum wage, with a little expertise in electronics, would not consider it economically viable to put a small, inexpensive microcontroller and support circuitry with a small flash chip or card slot on a breadboard (prototyping circuit board for those who don't know) and hook it up to the chip and pin device, then disappear on a cheap return flight to Eastern Europe, withdraw cash from a load of cloned cards, and fly back to buy that new BMW he always wanted? Or even just disappear with the (possibly) hundreds of thousands of pounds?
It would not be difficult to do, not be expensive to do, and not be that risky to do. And the reward could be a life of luxury in Eastern Europe for the rest of his life if done right.
Bend Over, Here It Comes
"Do remember that chip and PIN was never ever about security; it was about switching the cost of fraud to the card holder. There was never a secret about that; CHIP cards were hacked before they were ever introduced....and the card issuers knew that."
Chip-and-PIN has a second purpose: to acclimatise people to the concept of inserting a card into a reader and keying in a number. All these separate plastic cards, one for each account, are a pain in the backside, right? Soon, all your bank accounts will be accessible via your Biometric National Identity card. Which will also replace your workplace ID. Then your car keys (and the vehicle will even be able to check if you have been using your card to buy alcohol recently, download some information about your metabolism and disable itself until you've had long enough to sober up. Not everyone's car will have this safety feature, of course, so random breath tests -- and car searches -- will still have to be carried out).
The next logical extension, of course, will be for your ID card to replace your house keys. And from there, additional locks will be banned so as to secure the ability for the Secret State Police to enter your home for the purpose of protecting you.
Get Over It Cambridge
This University Department suffers from Obsessive Convulsive Disorder with regard to Chip and PIN. In this latest 'revelation' they have come up with yet a might be, could be, if attack to obtain data that is already being compromised to the tune of thousands of card accounts a day. Obtaining mag stripe data and PINs is already achieved at retail outlets using skimmers and cameras and the resultant information used to obtain cash from ATMs across Europe.
Their previous spectacular was 'compromising' PIN delivery methods and before that 'Decimalisation' attacks involving redundant HSMs inside Banks. As I recall this theory was rejected by a court.
Criminals will always seek the easy option and do not have the luxury of pontificating in a lab for years on end. There are many issues regarding the whole credit and debit card system which are currently being absorbed as shrinkage or methods are being devised to ensure liability transfer to the individual.
Time for a copyleft hardware design to be published?
I think the next logical step would be to publish a schematic and layout for the non-volatile data snaffling device, small enough to fit in the Ingenico terminal.
This would hopefully force the bank's hand into quickly reissuing cards with the mag-stripe CVV code different to the Chip one. This will result in the cloning being made much more difficult.
Finally - if you are worried about this, there is a simple solution. Keep a separate credit card specifically for chip/pin and never use it to withdraw cash. Change the pin regularly on this card - altering one digit should be enough. Wipe the mag stripe with a strong magnet to prevent the CVV from being skimmed. And only use your bank card in trusted ATMs.
What a stupid article. Let's see what has happened here, some publicity seeking students at Cambridge University have "suddenly" discovered an attack that has been known for over 10 years. They want to obtain some publicity for their department and the media want to whip up a scandal to sell news.
There are two types of cards on the market, those not using asymmetric cryptography and those using it. EMV (Europay, Mastercard, Visa; the new banking card specification) was designed to have different levels of security with easy upgrade paths. This way banks could decide on implementing the most sensible solution financially and upgrade the security (and cost) when required.
When the UK started looking at implementing Chip and PIN (note this project took over 10 years to develop before roll-out) asymmetric cards were extremely expensive. It is only very recently that the price has come down. The objective of Chip and PIN is not to eliminate fraud but to reduce it taking into account the cost of the security itself.
While it does not make a good story, the people in charge of security at APACS do know what they are talking about. Most of your readers seem to think that one should just replace the current world-wide banking system (a system that works) with a new highly secure one overnight with no regard to cost or risk (or reality). Clearly the only safe route is to carefully evolve the system over time while providing incentives for other countries and banks to follow course.