UK police arrests of a gang reckoned to have tampered with Chip and PIN entry devices to harvest PIN numbers and cardholder details have sparked calls to revamp the security of devices. Banking industry sources maintain that this type of fraud is rare but recent posts on underground forums suggest that the know-how on how to …
What's the REAL timeline on this hack?
This method is even older than November of last year.
I remember the BBC had a piece 18 months ago (Feb 2007) demonstrating the work of Drimel et. al.
And Saar Drimer added this to lichtbluetouchpaper showing a modified chip & pin terminal used to play tetris:
Weaknesses have been known for nearly 2 years and it's disgusting that the banking industry haven't woken up to the threat. I know for them it's a cost decision, loss versus cost of preventing the loss, but for society as a whole it encourages crime and victims get stressed out sorting out the aftermath.
Putting a padlock on a paper bag
Some time ago I saw a TV programme where a presenter got a job as a waitress solely to steal customers' PINs. She carried a small card reader that she used to swipe the card's magnetic strip details and then she watched the PIN being entered into the terminal. With those two captured items of data she was then able to create a card that could be used at certain cash machines.
Chip & PIN seems secure but having the magnetic strip too leaves a gaping hole in the system.
it doesnt need to be 100%
secure, its stopped all the petty street n urban dumb asses walking imto any shop after a mugging
Put the keypad on the card
While you are at it, put a display on the card that shows the amount and the recipient. Also use proper encryption - libssl is only about 200k, so it will easily fit on a chip.
Engineers and managers can end up in prison for not taking enough care with safety. Unfortunately that law does not apply to bankers funding crime with customer's money. (All customers - not just the ones who use 'portable' terminals at an open air auction.)
easy fix with just plugin upgrade!
easy way to defeat those pesky spy cameras and card reading phisers
STICK A 2Watt+ output 2.4-2.5 / 5.8Ghz JAMMER on every cash terminal !!!
Then those crooks wont be able to recieve any of our account data, whilst parked up opposite the ATM!!!
So they are put out of busiiness by simply jamming all open access wi-fi/wi-max and bluetooth frequencies.
maybe Visa and MC need to employ a Bofh n Pfy or 2, for a change instead of lots of qualified id10t rated managers...
Its totally broken
Its wide open now.
Not dealing with this, and I mean dealing with this is pure negligence from both retailers, businesses and especially the banks, and in particular APACS which is actually still peddling lines that are both untrue and misleading.
Having been through a recent case, I can tell you its a huge mess, and there is nothing trustworthy about chip and pin at all as it stands right now.
In fact, I'd go as far as to say the FSA and government have to step in right now, yesterday. Thats how grim the security is. And the UK banking system needs this like a hole in the head.
for the sanctimonious prat from Chip&Pin corp ( the one on the telly last year telling us how secure C&P is) to wiggle out of this one!!
If c&p is so good, why does my bank require me to plug in c&p card to useless reader thing to transfer 5 quid to another account in the same bank, while logged using https?
Heart, because Valentines Day was when it was all going to be mandatory
There's no cure for fraud.
Before chip and pin fraudsters (tier 2) would pay minimum wage cashiers (tier 1) to write down card numbers and 3 digit "security digits". Cashiers would receive a small amount for each card number. It'd also be bleeding obvious who it was that had given the card numbers out, but minimum wage or not, it was their own greed that got them caught (tier 1). Meanwhile the fraudsters just needed to arrange a place to meet and hand over a few 20s for a piece of paper. Which they would then resell to someone else further up the criminal pyramid (tier 3) who had employed people in third world countries and/or the US to make fraudulent transactions.or sold the details to them(tier 2). This is classic "Card not present" fraud, and is the most common form of fraud seen on cards - and still happens because Chip and Pin is not mandatory, nor are people particularly careful with their cards, and more importantly Chip and Pin doesn't exist for the most part abroad. Tier 1 people got caught and couldn't inform on the tier 2 guys. Tier 2 guys when caught didn't have so much contact with tier 3 guys.
Now they need to get the cashier to remove the machine, and replace it, and also collect information from the machine. I'd imagine that would put up a barrier to entry for criminals meaning that the tier 3 guys, who would be the guys with the "know-how" would need to gain access to this technology (meaning less of them). It would also mean far greater level of contact between the tiers of the pyramid. Meaning the cashier would likely now have a contact number or an location where the guy that's paying them buttons to do the dirty work could be found. And likewise the tier 2 guy (if he wasn't taken out of the equation completely) would have much more to incriminate him when his house is raided than a sheet of paper which could be far easier to hide than hacked machines.
Surely this won't cut out fraud, but it will expose the higher tier guys to more chance of being caught, and reduce the ability of people entering the thieving marketplace.
With every new financial technology there's some tweed coated university type bleating on about some new kind of fraud that's far more expensive and complicated than frauds that still work now, and trying to pass it off as a clear and present danger to the public. Remember the ridiculous outcry that keyloggers could eventually work out your security number if you log into your internet banking account 10 or however many times? Funny how it's not used by fraudsters because there's still plenty of morons happily typing their login details to fake bank servers.
Banks do have option to deter all fraud crimes
Banks do have option to deter virtually all fraud crimes simply by making signature and PIN systems reliable as proposed on website www.xwave.co.uk
Why would anyone get tempted to do identity fraud when they know that their signature personalised with their ID sticker will expose their identity? Current signature system does not even expose person's gender and so boosts identity fraud.
Why would anyone get tempted to use stolen or skimmed cards when they know that they will not be able to activate the transaction without new security code which will change to a new value after every transaction?
This system will also eliminate the need for us to protect our personal an card details since fraudsters will not be tempted to misuse these stolen details.
Organisations would make their customers personalise signatures by letting them use mobile phone size device which will capture image and activate printer to print their ID sticker virtually instantly.
This KEY and PIN system could be treated like international ID card since it will personalise signature and PIN to the right individual in any country in the world.
To make the government and banks exploit proposed system media could help by debating these systems with the public.
Xwave = Not the answer
Almost all card not present fraud is conducted outside of the UK with card details obtained within the UK.
Chip and Pin is not excessively sophisticated, but it doesn't need to be until every possible way you can you use your card is up to the same level of security.
The chain is only as strong as it's weakest link, and that weakest link is virtually every country outside of the UK.
The only way to have a real impact on card fraud just now is to by default decline every card transaction conducted outside of the UK, unless the card holder advises that they'll be using the card outside of the UK. Since banks and retailers foot the bill for fraud, and they've not decided to do that because of the collateral damage to customers who didn't know they needed to do it and got their cards declined trying to buy something then it won't happen.
At present it's in between. Banks use sophisticated systems to detect card fraud. If everybody at El Reg was to go online shopping in non-English speaking countries with a delivery address different to the one registered for the card then (I'm afraid I can only guess at the %age) a significant number would be declined at point of sale, because the banks systems would believe the card use was out of sorts for the cardholder.
Sadly because many of the banks customers are morons who'll type in their security details to any site masquerading as the real thing. Those wossit machines aren't to combat card fraud, they're to combat fishing emails.
Cell Phones are the answer
Why don't people understand. Things are only secure if you own them. You cannot trust a third party with unencrypted data. *you* must own the device that encrypts the transaction, or else you have no idea whether it is encrypted at all.
Cell phones *need* NFC right now, and credit card terminals should *only* except asymmetrically signed/encrypted transactions. As long as a static credit card number is all that is needed to authenticate a transaction, this will happen. And as long as you are asked to type your 'secret' pin into a machine that you do not own, this will continue to happen.
RSA Keychains and the like have been around for 20 years, and yet we still are subject to this pathetic level of security. It is bleeding infuriating.
is to blowfish encrypt info on the card itself, decrypt in ped memory,
@Xwave = Not the answer / AC
Thanks for the clarification.
I make a point of checking the certificate, but last month it was invalid, so no banking for me for 3 days.
However my bank promises to honour the transaction if I use the latest browser, have anti spam/trojan software and keep the system patched.
So why the wossit?, if I go to the wrong site, thats my fault, its a kin to blaming the car manufacturer for my speeding ticket.
Be useful if the wossit could double as a calculator, more trash in my handbag!!
Banks are well known for...
...sticking fingers in their ears and going LALALALALALALA!!! every time there's an issue about their security.
A few years ago some hacker(the proper kind) found a flaw in one of the banks online system.
He went to them discussed it with them(wanting to sell them the info).
First they agreed, then they reported him to the police who promptly arrested him and siezed his gear. The guy later supposedly commited suicide(which I highly doubt it).
So here's their system today:
Said issue still exists, their online passwords are simple(they don't allow things such as . , () etc... only alphanumerics), they do provide an optional password which you get asked 2 letters from at certain transactions(but I'm guessing this is another liability scam like P&C).
Banks should be leading the security field not simply catching up decades afterwards...
The Good ol' USofA
The good old USofA could help a lot here. The majority of their banks are squabbling about trying to avoid spending any money on more advanced card security to minimise costs, but this is where the largest amount of card fraud of UK/EU cards occurs. Fake card fraud has been practically wiped out in the EU, we just need the rest of the world to catch up.
ATM is well on the way to being wiped out as the majority of ATMs in the UK (not sure about EU) no longer use the magstripe. Indeed my bank's ATMs will not auth a chipped card with it's magstripe.
@ xwave not the answer
Not a crtiique of your header (which is absolutely correct, xwave is just plain nonsense (but a good laugh that someone thought to patent it!!)) but you've a few errors in the underlying text. Card not present fraud is not mostly conducted outside the UK (well, if we take APACS figures, which admittedly underreport the problem, though not as much as some make out in my opinion).
We know a lot of copied cards are used overseas to exploit the fact that they don't need chip and PIN. We also know that CNP fraud has risen dramatically because they don't need chip and PIN. Why bother using CNP overseas when you could just walk up to a cashpoint and take the cash? It just increases the risks. So the vast majority of CNP fraud should be in the UK.
And your point @ Aimee may be their justification, to combat phishing, but it doesn't work. If I send you a phishing email (and your stupid enough to respond) if you log on to my spoofed site then you're expecting it to be the real one. So I'll have to send you a challenge so that you can enter it to your reader, enter your PIN and give me the response. So whilst you log onto my spoofed site, I'll log onto the real one to get a real challenge, to relay to you so you can give me a real response, so that I can pass it back to the real site to gain access. Then I can give you your real information (as I'm now logged on as you (and I definitely am you as I've got your valid response, so I must be you)) so you can see your live info, including the curry from last night so you're confident you're on the real site, and I'm confident I've just emptied your account (and with faster payments off it goes round the world 1000 times a day until I've laundered it enough).
Now try proving that you didn't do it :)!
I agree with you on the default decline overseas though (with a facility to unblock for specified countries when you know that you (the real you) are abroad).
Paris because she's the only one open to more abuse than the banking system.
PR-speak: "There's no evidence to suggest the chip was actually cracked and used in a meaningful way. If it was then chip security would be upgraded,"
Translation: "We are going to wait until the horse has bolted, THEN close the stable door. I mean screw it - it's not like it's our horse/money and we have weasled the terms so if your horse/money escapes it's your fault for not protecting it, not ours."
Chip 'n' PIN was never about security anyway
Why anyone believed that Chip 'n' PIN was about "security", rather than banks weaseling their way out of wearing customer-present fraud is a mystery to me. Not for nothing was the switch known as "The Liability Shift" within the industry
How do I get a Chip-and-Signature card?
In the meantime, is it good enough to write "DO NOT ACCEPT THIS CARD FOR ANY CHIP AND PIN TRANSACTIONS" across my bank card using an indelible marker?
The real risk of Chip-and-PIN **isn't** sophisticated criminals doing transactions abroad -- it's street robbers demanding the PIN that goes with your card, along with your card, your mobile and any loose change (so you won't be able to report it straight away). One of the gang makes a test purchase to confirm the PIN, while the others detain you and administer any necessary punishment if the PIN was wrong.
The other risk is of someone observing a PIN being entered, surreptitiously stealing the card and then replacing it before you even notice it went missing.
But Chip and PIN was never about security; it was always about shifting liability from the banks and the retailers to the customer. The law says that if the correct PIN was entered, then the transaction is valid and the customer is liable.
@ Brent Gardner
Absolutely, but if you've got NFC on the mobile (or cell for our international commentators) you can use it for far more than just confirming card transactions. Transport for London set up a trial of Barclaycard/Oyster on an NFC Nokia in December to act as an NFC wallet (akin to Paypass et al) as well as for ticketing. I'm not sure how that went, and when I tried to get hold of one of the Nokias to play with the kit last month I couldn't find one.
Anyone else aware of what happened with that?
"How do I get a Chip-and-Signature card?"
Ask your bank. You may have to ask several times.
@ Andrew Churchill
Yes that would work, so in reality the only safeguard is the SSL cert? or is it.
So if the Bank cannot even keep that up to date, what do we do now?
@ er, me
Responding to my own point, but to answer Aimee's query, on SSL, as regular Reg readers will know, even the extended SSL HSBC put out is readily circumvented (http://www.theregister.co.uk/2008/06/25/hsbc_scripting_flaws/).
I've already agreed with Brent Gardner's earlier post that a mobile probably provides the answer. I wrote an article for Fraud Intelligence a few months back arguing that multi-factor was of no use if you have a single channel for confirming transactions as what you know, what you are and what you have get short-circuited to 'what you intercept'. Multi-factor still has to be included but if you combine multi-factor with multi-channel the intercept becomes far far harder.
I got to know some girls over in the Uk from the US doing a semester abroad. Atleast 6 of them got their card details stolen and used. To my knowledge i've never been a victim of card fraud. But it just seemed rediculous...in 1 week it happened 3 times and one of the girls had told her bank that she was in the Uk for the next 3 months and her card was used in las vegas or something
Paris would be better with security through obscurity :p
The PED shouldn't be trusted at all
I think one big weakness here is that the PED is inside the security boundary and therefore has to be trusted.
Regardless of whether the card details are encrypted between the PED and card it is implied that they exist, in plaintext form, in the PED. So, the PED can be attacked to get the card details in this case it's easy - just tap the wires between PED and card. However, If the info going between the PED and card was encrypted they could attack the PED itself - still possible but probably more difficult and expensive.
End-to-end encryption between the card and bank would take the PED outside the security boundary (data would be encrypted from the card right to the bank). OK, the PIN and payment amount would still need to be sent to the card from the PED but that has limited use without the card details. Better still, as someone said above, would be to put the keypad & display on the card so the PED just proxies data between card and bank.
I don't know for sure but I bet the idiots that developed this sh** system traded off security against additional card complexity (and therefore cost). By putting more "intelligence" (& therefore trust) in the PED the card becomes simpler and cheaper.
Chip and Sig
With a chip and signiture card does the liability rest with the retailer/ bank rather than the customer as with chip and pin?
Sorry to blow our horm, but the problem *is* solved..
Could I humbly suggest you look at www.axsionics.ch, a Swiss startup? I'm working on the docs so if you want decent details mention it (once I have this I will send El Reg a token to play with, give me a couple of weeks).
In short, it's a trusted display (graphical OLED), combining more or less all of your above comments. To address question one upfront: no, the use of biometrics does not mean that a "disconnected" finger is of use (or its friendlier equivalent, the copied fingerprint a la Chaos Computer Club). The reader is quite good at rejecting fakes, and you have to "name" your fingers - only you know which finger "g" is, for instance, if you used the word "frog" to name them.
A message for the token is AES128 symmetric dual cert encrypted, so it has to (a) come from a defined source (the token accepts 128 different origin certs) and (b) has to be encoded for that token or it won't be able to decode it. It picks that encrypted message up via a screen animation, and after taking a valid fingerprint it will show it, together with a password if an answer is required. So, "To: BT, A/C Household, Val. GBP 125,23, PIN ABC45F" is quite possible (or "Please call us on +44 1234 4568") - and that PIN is also meaningless to anyone but you and the sending server because it's a One Time Password, generated on the card.
This means that a Man in The Middle Attack won't work, and -VERY- important, that you do NOT need a secure terminal. There is no reason why you can't use one of the card's channels as a payment method, which ends the need for secure terminals altogether. Instead, you just pop up an iframe in the POS display (or an external one), supply the required finger sweep, read the message and enter the PIN (numeric or alphanumeric) if required. Ditto at home - regardless whether your system is virus infested or not.
To give you an idea where I'm coming from, I was consulting private Swiss banks on next generation eBanking, and the basic premise there too is that we have to assume the client PC *is* infected. Yet, you still need to supply secure eBanking.
Expect to hear more from us soon :-).