UK fraudster gang go PIN sniffing
The organised tampering of PIN entry devices to commit credit card fraud, which led to arrests in Birmingham last week, has been linked to a breach in an Asda store on the outskirts of Portsmouth. Cash was withdrawn from ATMs in China and Canada after the cards were used in the Gosport branch of Asda, Register sources confirmed …
Well gobshite is the worst place in the country I reckon.
If they can't come up with a tamperproof case how about a packing it with pe which detonates when opened.
(yep-been there to the value of 800quid - got to say the bank was very quick to put it back into the account)
Well, the moment you involve a worker on the minimum wage, all your security goes out of the window.
I don't blame the poor sods either.
You work for £10 an hour and see how much you care about the idiots you have to serve :P
....Just pay for things the old fashioned way.....you know like in cold hard cash
9000 cards skimmed in 5 terminals in Ireland using similar technique...
http://www.irishtimes.com/newspaper/breaking/2008/0818/breaking84.html
Jacques Erasmus, director of research at Prevx, recommends manufacturing see-through [chip and pin] terminals so that we can identify terminals which have been tampered with (typically involving Bluetooth tapping on doctored devices).
What Jacques fails to realise, is we don't know what the inside of a chip and pin device should look like. Thus we cannot differentiate between a `standard` device and one which has been doctored. Furtermore, there's no such thing as a `standard` device, since they are produced by a handful of manufacturers, each of which will be designed differently.
Paris, because.... I don't know what her internals.... <I'll get my coat...>
"These worries were underlined by research by Cambridge University, published in February 2008, which discovered a lack of encryption in the data exchanged between PIN entry devices and cards during transactions."
WTF, I always assume C&P worked like this:
Card sends it's ID number (X) to reader.
Reader contacts bank gets a one time challenge number from the bank , sends it to the card with the pin number.
Card returns a response number using it's secretkey+pin+challenge number.
Bank ok's the transaction, the card is real, the pin is real, because bank also knows the secretkey.
It sounds like the ID number is the same as the one on the stripe, so the malicious reader has the pin and the id number so a fake card with magnetic stripe plus pin can be made. Encrypting the pin, how would that help if the reader is tampered with. Is that what this weakness is?
Can't you just make the ID on the stripe longer than the id on the chip, or even completely different?
i.e. the Chip&Pin number is 01923845757923 and the stripe number is 01923845757923-928467. So grabbing the chip id and pin number doesn't tell you enough to make a fake magnetic stripe card.
Or chip and pin, when verified by chip, it is 209437575, when verified by stripe it is 63845755234...
Is my understanding of this problem correct? A URL to some details?
The Shell service station on the A3 in Liphook was accused of this fraudulent activity back in March 2008. The Police showed little interest at that time.
The existing Chip & PIN system is fundamentally flawed - no amount of CCTV, network monitoring or see-through-cases is going to fix that.
The Banks need to re-think Chip & PIN - implementing proper end-to-end encryption/security would be a good start instead of the farcical "security" they have foisted on the general public and retailers.
Maybe we should refuse to use Chip & PIN terminals as they can't be trusted? This would force retailers to pull out their backup roll-over imprinting machines which we can sign... if enough people join the campaign and stop using the compromised Chip & PIN system maybe the Banks will be forced to acknowledge what everybody knows: the system is fcked and an upgraded Chip & PIN system is needed - not one designed by bean-counters and amateurs but by security specialists. NXP have learned this lesson to their cost.
What planet are you living on where the minimum wage is £10 an hour???
In the UK it is £5.52 an hour for those aged 22 and above, £4.60 for those aged 18-21, and £3.40 for those aged under 18.
The London Living Wage, as stipulated by the Mayor, is currently £7.45 - but this is merely an aspirational sum and has no legal basis whatsoever.
Many many people would be delighted to earn £10 an hour.
I totally agree with you ... Why these machines are so easy to disassemble is beyond belief!
The technology to ascertain if the case has been opened has been around a while on PC's, so why can't they incorporate something similar that would render the machine inoperative in some fashion should the thing be taken to bits?
minimum wage == 10 quid per hour ? errrr think more like £5.80. Less for younger employees.
"I am astounded at just how easy criminals are able to get access to Chip and PIN machines"
Every shop in the country has at least one, they can't exactly be that hard to get hold of?
A leading chain of stores is currently advertising for a supervisor at 7.50/hr (in London).
A supervisor!!
£10/hr must a highly paid job
agreed, shows that either when it was made they had no interest in making it secure or assumed that their little world was incredibly safe and nobody would ever think of tampering with them.
"I find some of the guidelines to be a bit far fetched" - well you would, it would cost you money rather than protecting the customers. I stand by my original (and slowly repetitive) simple suggestion - do what online banks do. issue an 8 digit number and ask for some of it. Or if they can't change that (it's a big thing) ask for 3 of the current one randomly, at least you'll never get all 4 numbers unless you get asked more than once to type it in. But that's too simple, more cctv is much better.
The system is flawed, so fix the system, don't add more issues to a fundamental problem. Broken windows won't get fixed by watching them, they get fix by being mended.
"APACS maintains that Chip and PIN is the safest method of payment for goods and services. It points out that fraud on the High Street has steadily reduced since Chip and PIN's roll-out in 2005."
Of course fraud has decreased since the introduction of Chip-and-PIN! It was bound to decrease, because **every** transaction involving a correct PIN is presumed non-fraudulent -- even if the card was stolen and the PIN obtained by intimidation.
Bring back signatures; and this time, by way of encouraging people to check them properly, take the money out of the till operator's wages if they let one through that they shouldn't.
"Barclays spokesman Danny Reardon told the Portsmouth News that 20 customers had lost money."
Surely Barclays lost the money, the customers just alerted them to it.
Yonks ago I worked on early ATM machines, and various security measures were being considered. One was to fill devices with epoxy after manufacturing. Any attempt to open them up makes the device inoperable.
This makes repairs impossible, but who repairs anyway? Overheating is a potential problem, but a keypad is almost power-free anyway, so I reckon this could still work.
Wonder if anyone patented the idea ...
Chip and pin was meant to reduce the amount of fraud that the banks have to pay out for, it has achieved this aim.
Before the bank had to prove that I signed for it, if i hadnt signed then the bank refunded my money.
If my pin number is used then then I can be held liable, it will be up to me to prove it was fraud.
The banks have transferred much of the fraud risk from themselves to the consumer.
The Chip & PIN system has failed the Banks entirely - Banks can no longer stand behind this system and claim that Customers are liable for fraudulent transactions when it is the Chip & PIN system that is making it easier for criminals to clone cards. If the Banks try that in future then I'm eagerly awaiting the test case that will be brought against the banks which would without a shadow of a doubt seal the demise of Chip & PIN in the UK. The system is compromised due to poor design of both hardware and software, with woefully inadequate security - the Banks would have a tough time convincing a judge that of anything else.
The old, manual, pre-Chip & PIN systems made it difficult (laborious) but not impossible to collect card details and clone cards, butt now with Chip & PIN the criminals only need to sit outside the retail establishment with a Bluetooth laptop logging card details as transactions are processed, or they could even be anywhere in the world if the compromised PED is dailing up to the internet... The Chip & PIN system allows automated harvesting of card details with little if any risk of being caught and is an absolute godsend for the criminal fraternity - the Banks have'nt shot themselves in the foot with this system, they've blown both bl**dy legs off! I'm sure Chip & PIN has reduced fraud on the high street while fraud abroad has mushroomed, again thanks to Chip & PIN giving up our details.
I'm fairly certain the PIN (or at least an algorithmic derivative thereof) is stored on the card itself; hence even when the terminal can't seem to connect to the bank, it can still return unfeasibly quickly a 'PIN accepted' message.
The problem, "WTF", is that you can modify the reader to capture the PIN. Once you have card details, you make a 'replica' mag stripe, then use that abroad , because that ATM wont use C&P. It reads the mag stripe and asks for the PIN, which the fraudster has captured off the wire between pin pad and internals of the device. The PIN is NOT encrypted between PIN pad and guts of the machine.
The problem, "why?", is not that its difficult to get HOLD of the machines, its that its easy to open them up and tamper with them to tap off the terminal keypad. Some even have holes in the PCB boards which makes it easy to insert wires to tap off the pin pad,and they even have hollows in,w here for example, a memory device can be left logging all card details for hours or even days, and then removed at night or when no one is looking! Had they been tamper proof, so once opened, they cant be reused without factory reset (or perhaps never), it wouldnt matter if shop assistants could actually get one. Anyone can get one, you can buy them on eBay.
There's a dead simple fix for all of this - change the law so that the banks are automatically financially responsible for any loss by fraud under all circumstances.
Then we'll see them setting up proper security and plugging vulnerabilities when they're found.
Mitchell & Webb:
http://www.youtube.com/watch?v=CS9ptA3Ya9E
Security is one mechanism for managing business risk. In this case the banks have managed their business risk by transferring the risk to us as customers and then, because it's not their risk any more, skimping on the implementation of chip&pin. The C&P pads have to be as cheap as possible, since there are so many of them. So it is inevitable that they will be correspondingly nasty. I assume it is the merchants who pay for the C&P pads and that's lost money to them as it's not their risk either.
This leads me to a reverse scam idea; dress up in a hoody wearing clothes unlike your own, take a quick trip to another town - the further away the better - and mozy on up to a cash point, enter your card and pin, withdraw as much as you can, and go home.
Then a week later, phone up your bank, and claim it wasn't you! With the security of chip and pin looking a little shakier as time goes on, they'll have to take these serious!
AC, for obvious reasons.
What a whole load of bullocks!
I would say one has to to be really stupid not to see how insecure C&P is!
Anyone can memorize a four digit pin, but even though it is quite easy, it is significantly more difficult to fake a signature.
The only reasonable safe method (albeit not perfect) method would be to have a one time pin creator (something like an RSA token or a BACS-safe for those of you running a BACS-Bureau) on the card, which works together with a PIN. This would make the PIN abuse close to impossible (I know, I know....yada yada yada)
But I suspect that would make way too much sense and not enough people could make money out of it!
Bu I have had my share of experience with APACS, BACS, &Co. who are in the end just a bunch of brainless ^&£$^%£$^&&*$%^"£$^$%&£$^.
I could continue to rant, but I know it's know use.
I have seen the insade of pretty much every major banks data-center and it is shocking!
It comes to me to no surprise that criminals are so far ahead, since the simplest common-sense security measures are often not adhered to.
Or an example with BACS-IP:
for dial-up BACS-gateways, they assign private IP addresses, that could potentially collide with company networks (yes I know, one can double NAT, but if it is the same subnet, it really starts to turn into little nightmare) and when asked what solution they have: you have to change your network addresses.
Or expired SSL certificates dont's seem to be much of a problem for BACS either.... "after all it's only a financial transaction system and the line is secure"
nuff said....
"The problem, "WTF", is that you can modify the reader to capture the PIN. Once you have card details, you make a 'replica' mag stripe, then use that abroad , because that ATM wont use C&P. It reads the mag stripe and asks for the PIN, which the fraudster has captured off the wire between pin pad and internals of the device. The PIN is NOT encrypted between PIN pad and guts of the machine."
I don't see how encrypting the pin would help, since they'd just move the mod from the card connector to a keypad connector and record the keys as they're pressed instead.
I'm also not sure how you could encrypt that link in a way that couldn't be broken.
The fix for me I reckon, is still to have *different* card details for the stripe and for the Chip and Pin. So intercepting the chip and pin detail wouldn't give you the (insecure) mag strip detail.
Of course if the bank got a transaction request with the *Chip and Pin* id number for a *mag* stripe verification alarms would go off then.
Or issue two pins, one for Chip and Pin one for mag stripe payments and ask users to keep them separate because of this security problem.
But IMHO having two different account ids on the card would be the least problematic for users.
I bet they took an interest in the hot dogs they do there - Yummmm!
But IMHO having two different account ids on the card would be the least problematic for users
Don't make me laugh mate..... most people have issues remembering their own postal codes and phone numbers nevermind 2 PIN codes.
Johnny cash that is.
Paris, because nobody tampers with her slot and gets away unnoticed.
Not a great method for protecting anything from the dedicated hacker:
http://kevtris.org/Projects/votraxpss/unpot.html
"Barclays spokesman Danny Reardon told the Portsmouth News that 20 customers had lost money."
The money was never lost - it was stolen from accounts protected by Barclays - Barclays failed here - (I doubt if the shopkeeper approached Barclays with a reader-gizmo and asked them to connect to it to the bank accounts)
Sounds like the Mifare security "problem" is only the tip of the iceberg
Paris. cos it's Thursday and that's one of my seven Paris days .
Come off it. Filling the machines with plastic explosive? You've just made it much easier to commit armed robbery. No need to take a sawn-off shotgun with you, just a screwdriver to have the back off the PIN pad!
Magstripe and PIN was secure enough **for HITW machines** because the environment was carefully controlled: the person making the withdrawal was on the CCTV of the bank whose money was being dispensed, and they knew full well that they would never get it back from the cardholder's bank if they didn't co-operate fully in investigating any misdeeds. It isn't secure enough for transactions in shops because the environment isn't sufficiently well controlled.
Chip and PIN is only as secure as it is (which is not very. Hand over your card or I'll stab you! Good. Now tell me your PIN or I'll stab you!) because the villains haven't worked out **yet** how to clone the chips on cards. Lest anyone forget, back in 1992, CD-ROMs were touted as "unpiratable"! It's certainly not mathematically impossible to clone the chips, because they are deterministic state machines. You can bet somebody's working on it even right now.
Urrrm, why not just have a holographic tamper strip to seal the unit. Or even better one that changed colour if broken that is visible top and bottom of the unit.
If its too hard to stop, just make it easier to the customer and employee to detect a tampered unit. Low tech and reasonably cheap.
Wouldn't be too hard or costly to build permissive access links into the silicon surely? Could check for unauthorised case dismantling or check the software being run on bootup against a hardwired/coded checksum, anything amiss and it burns some links in the IC and game over.
I thought they'd already built interconnecting links between the PCB and terminal casing of the newer terminals such that if they were dismantled the thing would never work again but I guess that didn't take them to long to figure out a way round.
This still wouldn't help in all cases, as a lot of readers (e.g. the ones Shell petrol stations use) read the magstripe at the same time as the chip, so it would be trivial to modify one of those to read the stripe and get the pin, at which point the attacker's sorted.
Having two pins wouldn't work, as it's hard enough convincing people to remember one without writing it down, for two the number of people who'd either write it down, or keep getting their card locked etc would be ridiculous...
Also, to Dex - personally I don't like carrying around £60-£70 for a full tank of petrol, as if I get mugged or lose my wallet, that's a lot of money to have lost!
Personally, I'm in favour of chip and pin vs signatures, as it makes it far quicker at the till, however, I'm not in favour of the liability shift that's happened as part of it. If it really is reducing fraud as APACS clame, why should it mean that the banks become less liable...
I do know something about the use pf pinpads in financial terminals. The PIN should never EVER be revealed in the clear. The pinpad should contain an encrypting unit sealed to the keypad and be tamperproof. Any effort to penetrate the module results in the deactivation of the unit and erasure of all memory. In addition, the encrypting keys in the unit must be changed frequently. These measures make it really difficult to compromise the pinpad. (One way is to hide a camera nearby and watch the user type in the PIN.) Pinpads like this are expensive but well worth it.
"I am astounded at just how easy criminals are able to get access to Chip and PIN machines..."
It isn't difficult - try ebay - Business, Office & Industrial> Retail & Shop Fitting> Point of Sale (POS) Equipment> Credit Card Terminals
Several of these devices are up for sale there now.
It's pretty obvious that if a shop goes bust, they (or the baliffs) will sell EVERYTHING, including the POS kit.
My credit card is linked to my online banking, so why can't I login and choose the countries where I want to use my credit card? For the few weeks a year that I'm abroad all I have to do is login and tick a checkbox and remember to uncheck it when I get back. The rest of the time the thieving gits can't get my money abroad even if they do compromise my card + PIN.
DIY ATM's. You can pay with Paypal or Western Union.
http://71.65.126.126/Default.asp?Redirected=Y
Whilst they wonder why....
Another reason these are prime targets for crims, is that not only are the staff paid peanuts, but they are held PERSONALLY liable for no-pay drive offs.
Where do I sign up? I'm making a lot less than that at my non-minimum wage job.
/:
Heck, I'll even move to the UK for that chance!
There are two Asdas one down in Gosport, one north towards Fareham, neither of which would make sense to visit from Portsmouth which also has an Asda. It's also a 15 mile drive from Portsmouth to Gosport.
The point of Chip and PIN was never to cut fraud, but to reduce card issuer payouts by shifting blame. The system was always hackable - it was hacked in Holland before the cards were introduced to UK - BY STUDENTS. So now the issuers claim fraud has fallen - whereas they are simply refusing payouts for frauds, because they changed the terms of card issue. Thats why in much of Europe, where unlike UK they never did buy the "safe as Chips" nonsense, they still ask for a passport and or a signature.
Just have a different PIN for ATM and C&P transactions.
I don't think so. Ask the good folk of Lincoln many of who had their bank accounts cleaned out after using a local petrol station. A criminal gang 'persuaded' a cashier to turn a blind eye while they installed CCTV above the card reader. Bingo!
You're forgetting that The Register is based in London.
According to the typical Londoner's grasp of geography, the world is divided into: North of the River, South of the River, The North, Outside the M25 but not The North, The Mediterranean, The USA and an unmapped void marked "Here Be Dragons".
Since Gosport and Portsmouth are both outside the M25 but not in the North, as far as a Londoner is concerned, they are the same place.
It just shows how much these muppets understand, physical security can NEVER work. It is the legacy of mag stripes and PINs that should go, along with the very weak CHIP system. All encryption can be broken if its worth enough to do it, it may take a lot of effort but once its gone, the system must be replaced completely.
Sign up, sign up for The Register's weekly IT security newsletter - click here
