Card readers for online banking are inherently insecure, according to a new study by Cambridge security researchers. Researchers Saar Drimer, Steven J Murdoch and Ross Anderson found a number of serious security shortcomings after reverse engineering the underlying protocol (called the Chip Authentication Programme or CAP) that …
Seriously - have you used these things?
It's a fast way to brute force the PIN (instant yes/no + no call back to home) and then you find that Barclays, RBS, Natwest and probably all the other card readers are 100% identical (you can use a Barclays card reader to authenticate an RBS card)
"flawed implementation in the UK puts customers at risk of fraud, or worse."
I think we need to know more. Is it that this system, flawed as it is, would still be enough for you to be convicted if your card was used for illegal activities? Would the lack of credible deniability (at least to a court's standards) be an issue here?
Well, Operation Ore snagged a lot of people whose cards had been cloned and used to buy child porn.
Yes, I've used one - and just like an ATM or any other card reader, if the PIN is entered incorrectly 3 times, the card is blocked. It's the card that does the blocking, not the reader BTW.
As for readers working from other banks - that's the idea of having a standard... the cards, and the readers, work the same way.
I've read through the report and the vulnerabilities are stupid.
None of them are vulnerabilities with the piece of kit itself, they all rely on having someone hack your machine or trick you into giving them the generated code.
One of the main 'vulnerabilities' it gives is that someone could torture you for your pin number and steal your card. Their reasoning is that because it tells you if a pin number is incorrect, they'll know you're lying. What garbage, even if they didn't have an "incorrect pin" message, they'd certainly get one when they used the online system to access your account (unless you want people to be able to access your information with an incorrect pin).
I still think good old Bruce "Chuck Norris asks me for computer security advice" Schneier had the simplest solution.
The banks are liable for all fraud until they can prove, beyond all reasonable doubt, that you were negligent. And we, the customer, let the likes of him and Ross Anderson define "negligence".
Paris, because Chip&Spin is as secure as her knickers.
Ross Anderson's early work was when a policeman in Cambridge was suspended for fraud when he reported a phantom withdrawal when ATMs were first used. Must be fraud you see because ATMs have a computer and computers never make mistakes.
If your chip+pin card was used to make a purchase 'linked to terrorism'. Well, since we know that chip+pin is perfect and you can't take any risks with terrorism (like presumption of innocence) you are pretty much in for it.
Completely incorrect assertion. You cannot "brute force" the PIN with these devices any more than you can do it with an ATM - which is also a "card reader". After three incorrect entries, the card locks up.
I thought that also but try putting your pin number in wrong 3 times. It would appear the chip records the number of incorrect attempts to prevent this kind of brute force attack.
Fortunately, no, never used them. HSBC (thankfully) never issued them.
@ Steven Jones
Deniability? Don't be silly - if your card is used for something illegal the plod don't bother giving you the chance to deny it, they just nick you. Heard of Operation Ore?
No brute force
@Xander: I don't think so - you only get three tries before the card locks its little self and you have to go through the unblocking thing.
I was more frightened by the comments about thugs being able to use one to check the PIN you gave them is valid without dragging you to an ATM...
There are a number of issues with their solution.
I have worked on next generation ebanking for Swiss private banks, and part of what I did was evaluate the market for authentication and authorization devices.
The starting principle is not to expect a client computer to be secure, nor their environment. This means you will need a solution that is observation proof (most solutions have a fixed PIN as the first 4 digits of your response), does not depend on the security of the client computer (fairly logical IMHO: keyboard loggers, man-in-the-browser and man-in-the-middle risks) and is ideally out of band so a hack of the network between bank and client isn't going to be an issue.
A portable solution would be nice too, preferably not depending on OS for install or security (install free is best). Add to that a desire to still have a usable solution that doesn't require a rocket scientist to operate it and the number of remaining solutions becomes very low indeed.
Now, a smart card based solution suffers from OS and install dependency, and a dependency on the system being secure. It is also easy to abuse via targeted theft (I looked at high value transactions where this is a risk), and is not observation proof nor terribly portable. It is, however, still safer than the RSA token, which only proves that someone has it and its PIN - no challenge response cycle possible.
Anyway, just a few details. It's an interesting field as much is presently changing.
From the card reader FAQ on the Nationwide web site:
"Is the number of PIN tries restricted?
Yes. If you enter your PIN incorrectly three times in a row your card will be locked to prevent anyone guessing your PIN."
Read the paper
Xander, you can't brute force the PIN, as it will lock the card after 3 failed attempts.
However, as the authors of the paper point out, a criminal can use the reader to verify whether a PIN given under duress is genuine or not (without marching the cardholder to an ATM).
Or worse was probably alluding to physical violence (or even murder), as described in more detail in the paper.
My brother has one of those card readers for accessing his Barclays account online (so far I've dodged being sent one for my account) and he's been able to log in using previously generated numbers, so the system definitely has security issues. Worse still is that the banks consider the system to be secure and can therefore dodge any responsibility for fraud even though they are allowing old numbers at login.
What, you're harmlessly taking a hundred quid out the cashy and a chainsaw springs out and takes your legs off at the knees?
Re: About time
>Seriously - have you used these things?
Yes, they are virtually forced upon you so you have no other viable alternative if you wish to use online banking. On a few occasions I've thought the Barclays card reader gives the same codes, but as I hadn't been noting them down I cannot be 100% sure. I think I'll start doing so.
Well what a surprise...
... liability for fraud is being dumped, yet again, on the customer. And if the customer proves fraud, then it's the business that gets screwed.
Obviously there's no chance of the *bank* ever paying out for using crap security...
The biggest flaw of the card readers surely is that they tell you if the PIN entered was right or not. Never mind brute forcing the PIN. How about brute forcing the customer in the basement until they cough up the right PIN in between the blood?
@Xander and @Steven Jones
Reading the actual paper would be of benefit to you, I think.
1) No brute force - the card itself will lock you out after 3 tries, and you have to take it to an ATM and enter the correct PIN there to reset it.
2) The 'or worse' is the threat of serious physical violence from criminals who'd be able to extort the PIN from you and check it using the machine, without having to stand in front of CCTV at an ATM.
@Anonymous Coward 26th 20:42
I wish I could have dodged getting one from Barclays... I tried to log on one day and was greeted by a request for an 8 digit number generated by the stupid thing... Not that they had bothered to send me one before locking me out of my own account! I had to phone them up and shout at them before they sent one out.
I find them a complete pain in the arse. If I go away and forget to take it, I'm completely screwed. I understand they want to appear to be more secure, but when their website asked me to create a password it insisted on 6-8 characters, then rejected any numbers, and also got upset about any symbols. Result: you can only use a-z... Even then it gets upset if you have one letter repeated too many times. They could have made that more secure just by allowing longer passwords and *insisting* on some numeric characters!
So it's no shock that they're flawed... Banks are in the business of money, and we've all seen what a complete mess they have managed to make of that recently, so what hope was there that they would be able to do some IT with any degree of success!
A little hack I devised... and presented for your amusement...
Everyone's hand-writing is different, and most people have had the experience of being asked whether a particular number you've written down is, say, an 8 or a 9, or a 4 or a 9. You can use that ambiguity to (possibly) add a little extra security to bank cards. Simply pick two digits that you can write in a way that's ambiguous and make up a number of the same length of your PIN that uses those digits. Then write that number (which should be different from your actual PIN, natch) on the back of your card. If you lose the card, with any luck any would-be thief will think that he's hit the jackpot: a card complete with a PIN. After the first try, they might realise that maybe that 8 was a 6 or that 1 was a 7. Even the most stupid person should be able to figure that they've got a better chance of using the card by going through 3 of the 4 possibilities than picking a random number so, again, with a little luck, you can trick them into deactivating the card.
Such a ruse might also help in the case where you're being coerced to give up your card and PIN, but it's not something I'd bet on.
Paris, because there's no mistaking that figure.
You get ripped off, so you report it and since the system is secure you must be trying to pull a fast one so they charge you with fraud.
We don't have chip and pin in Canada yet but it's coming. The latest update to my VISA agreement says I have to prove I didn't give my pin to someone... how the hell do you prove you didn't do something?
Banks and your money
You've gotta laugh ayyy?
chip n pin not bad
not much hassle and more secure than without chip and pin (interesting about old codes working though AC 20:42, is your brother sure? Would be an awesome fuckup!)
I haven't been accused of fraud yet, but have been charged a modest banker's bonus for exceeding my overdraft for a day: I work from 2 offices, Barclays refused to send me a second reader for quite some time, I was in the office without the reader and couldn't transfer from my eSavings account any way other than online. Fuckers. When I have enough parking tickets, duff gas readings and all the rest, I'll take a day out for dealing with all this petty crap that really shouldn't be allowed to stand.
We have a govt policy called 'Information Assurance'. It's a mixture of service quality and infosec. Needless to say, it has not been implemented within govt, so what chance of implementing it for bank transactions? It belongs to the Cabinet Office - time to move it out to a Regulator, such as an Information Commissioner with an enlarged remit. (But beware: the latest incarnation, IA 07, is very woolly, as Ross explained when it was published for comment.)
Nothing is ever totally secure
This Cambridge mob have been trying to show how insecure chip and pin is for the last few years. The most laughable one was when they programmed a chip and pin reader to play Tetris - what they didn't show is the number of wires that were sticking out of the device and how obvious it was that the device had been hacked to pieces. Anybody who uses such a device to pay for something has to have their head examined.
This latest article shows just what a load of crackpots these guys are. These devices are to try to improve an area of the system where security is extremely poor and it is proven that it is better.
But let's be honest: the idea of a totally secure system of any kind is a panacea which is extremely unlikely to ever happen. All people can do is try to keep one step ahead of the fraudsters - sometimes it will work and sometimes not. But let's stop fooling ourselves.
Piece of advice for this Cambridge outfit - find yourselves something to do which is going to be useful and helpful or, even better, get a proper job, rather than coming up with stupid assertions which anybody with an ounce of common sense can conclude.
I call FUD
I had a quick glance through their report, and the vulnerabilities are stretching it. Sure, a criminal could force you to prove that the PIN you just told them is correct, but they could already do that by taking you to a cash machine.
You could buy a reader from eBay, but would you type your PIN into an untrusted device? And the point about the numbers wearing out eventually - this is true, but their assertion that you're encouraged to carry your reader around with you is ridiculous - you may take it between home and work, but you wouldn't go shopping with it in your bag.
There are possible problems with it, but in the grand scheme of things, I doubt they're likely to affect you.
With Barclays, if you don't have your card reader with you, you can give a few details and a passcode is supplied allowing you to login without it.
How hard is it?
Go to website.
Enter name and some other basic credentials (e.g. memorable name, place, dob, whatever)
Enter few letters from your password (I prefer this to entering the entire thing)
Go to website.
Enter name and some other basic credentials (e.g. memorable name, place, dob, whatever)
Website asks for code.
Insert card into stand-alone-reader (i.e. not connected to PC or network).
Get code that is valid for (say) 1 minute.
Enter code on website.
The website could even do a challenge-response thing with basic codes, and only the reader (with your card) can generate the response. I've used similar VPN-type things and they have been around for years.
I am sure finer minds than mine have thought about this, but I totally fail to see why the problem is so difficult to solve in a cheap and user-compatible way (note: not "user-friendly", security requires end-users to switch their brains on, even if to only "dim").
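The login flow sketched in that comment (a stand-alone reader, a code valid for about a minute, and a website-issued challenge that only card plus reader can answer), together with the earlier worry about old codes still being accepted at login, as an added Python sketch that is not from the article, the Cambridge paper or any bank's software. The HMAC construction, the 8-digit truncation, the one-minute window and the card key are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed illustration of a challenge-response login with a short-lived
# code and single-use challenges. Not the CAP protocol; all parameters assumed.
CODE_DIGITS = 8
VALIDITY_SECONDS = 60


def reader_response(card_key: bytes, challenge: str, now: int) -> str:
    """What the stand-alone reader (card secret + keypad) would compute:
    an HMAC over the website's challenge and the current one-minute slot,
    truncated to an 8-digit decimal code the user types into the website."""
    slot = now // VALIDITY_SECONDS
    msg = f"{challenge}|{slot}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    value = int.from_bytes(digest[:8], "big") % (10 ** CODE_DIGITS)
    return f"{value:0{CODE_DIGITS}d}"


class BankVerifier:
    """Bank side: hands out a fresh random challenge per login attempt, accepts
    a response only for the current or immediately previous slot (clock skew),
    and retires the challenge once used so an old code cannot be replayed."""

    def __init__(self, card_key: bytes):
        self._key = card_key
        self._outstanding: set[str] = set()  # challenges issued, not yet consumed

    def issue_challenge(self) -> str:
        challenge = os.urandom(4).hex()
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, code: str, now: int) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown challenge, or one already used: replay rejected
        for skew in (0, VALIDITY_SECONDS):
            expected = reader_response(self._key, challenge, now - skew)
            if hmac.compare_digest(expected, code):
                self._outstanding.discard(challenge)  # single use
                return True
        return False  # wrong card key, wrong challenge, or code has expired


if __name__ == "__main__":
    key = b"constructed-card-key"  # would live on the card, never on the PC
    bank = BankVerifier(key)
    ch = bank.issue_challenge()
    code = reader_response(key, ch, 1_700_000_000)
    print("fresh code accepted:", bank.verify(ch, code, 1_700_000_010))
    print("same code replayed:", bank.verify(ch, code, 1_700_000_010))
```

The replay check is what the "old numbers at login" complaint boils down to: a code that was valid a week ago should fail because its challenge has been consumed and its time slot has long passed.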
There have been a lot of posts here commenting on the whole "mugger will torture you for your PIN because of these things" argument. What a load of utter balls. If a mugger asks you for your PIN with menaces - then tell him! Your PIN is meaningless, and so is the card - don't die for a 4-digit random number and a cheap piece of plastic. If a mugger can prove that the PIN is real with a reader there and then - as opposed to kidnapping you and bundling you in the back of a van to take you to an ATM to do the exact same thing - then so much the better. At the end of the day you will get your money back if you are the victim of a crime. The argument used in the Cambridge paper about the two French students was massively and disgracefully out of line. The rest of the report has quite a lot of other spurious arguments as well - overall a poor piece of analysis.
has anyone successfully got their bank to turn their Chip+Pin card into a Chip+Sign card? I know you can do it for some medical reasons, but what about by choice?
It could be done a lot more easily
Personally, I'd go for a simple fake card reader, forget about all this security rubbish. Customer places their card in what looks like a card reader (just hack out the inners of an old one), presses the numbers which are then recorded. "Sorry sir, the machine doesn't seem to be working" and returns a _fake_ card to the customer who leaves. Card and pin disappear. Most people wouldn't even notice. Better still - your card doesn't appear to be working and the bank asked us to call them and now they want to speak to you - do you have your account password?
Human factors - always the weak link.
These are the jokers who showed Watchdog the 'we can remotely use a C&P card to rip off transactions' hack which was blatant crap. It relied upon a ribbon cable being soldered to the back of a card that was to be presented in a shop, somehow without the merchant noticing. It also required a fake transaction to be carried out at exactly the same time. Highly unlikely.
The real reason
I think the opening comment on the research paper says it all: "The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud."
So, nothing about protecting customers from fraud.
Paris, she also has experienced a man in the middle attack
Slightly off topic..
... but after working in retail I would say the biggest risk is "customer not present" charges.
In pubs I have worked in I've seen 16 staff sharing (randomly, due to the fecking things breaking all the time) 3 wireless card readers.
When a transaction is processed the customer receives a receipt with all of the card number blanked off except for the last 4 digits; however the "retail assistant", "team member" or whatever sickening euphemism they have for minimum wage lackey these days gets a print out with all of your card details.
As the card is returned to you it is a simple matter of looking at the security code on the back of the card as the receipt is passed back to you. Then using the details from the merchant receipt and the 6 digit number process a "customer not present" transaction, place the receipt for that payment in the till and remove the cash.
The till balances at the end of the night. A month later you query the transaction on your statement, the bank messes you around for a while, then *MAYBE* the police get involved; they come and ask questions, all 16 people deny any wrongdoing, it's after 30 days so there is no CCTV and usually there is no record of which till the receipt came from.
Just pointing out another flaw!
banks don't care, whistle blowers go to jail, nothing new
3 digit security code...
@Slightly off topic..
By Anonymous Coward
Which is why I remove the 3 digit code off the back of my card...
At least they don't get to see it, and seeing as they HAVE to ask me for it, I know exactly who has the capacity to twiddle with my balance...