Feeds

back to article Chip and PIN security busted

Security researchers have demonstrated a gaping security hole in Chip and PIN credit card authorisations which undermines trust in the technology as a means to verify retail purchases. Cambridge University security researchers have demonstrated how it might be possible to trick the card into thinking it’s doing a chip-and- …

COMMENTS

This topic is closed for new posts.

Page:

Bronze badge
FAIL

Typical

Now sit back and watch all the finger-pointing begin, as everyone blames everyone else for the problem and we, the customers, continue to get fleeced by inadequate security.

5
0
Gold badge

Heads in the sand

Banks, finger pointing?

Nope they will stick their heads in teh sand, say it is secure. Say it is impossible to do this in the real world...

0
0
Anonymous Coward

So...

As I only use my card when buying online and use cash in shops i'm perfectly safe?

0
0
Happy

Yep

Unless you get mugged for your card at the cash machine.

0
0
Alert

Dare I say I told you so

I remember making a suggestion a while back that in one of the comments to an article, that there could be an issue, and that people should not automatically assume that "Chip & PIn" or any other technology was unbreakable. Several people chose to sneer at my position.

The reality is that there is no such thing as 100 % security - all anyone can do is say, "we have not been able to crack it, and are not aware that anyone else has".

Too many people suffer with an almost religious zealotry about security - I do X, I use Y, I have Z, so I am totally secure. Anyone that believes that is suffering with delusions of adequacy; and what is worrying is that they continue to believe the fallacy long after it has been demonstrated that it is not true.

But there you go - the problem is not with the hardware or the software, but with the wetware!

5
0
Boffin

A hypothesis

Maybe this (too) is a manifestation of believing something just because it being true would be absfab (and/or the converse too distressing). Other examples of this would be e.g. :

- Safe and effective diet pills (it seems people continue to buy and use these despite them having been debunked countless times: the idea of getting slimmed down without really bothering with anything so very attractive).

- Medicine/doctors can deal with all ailments in an effective way / hardly ever screw up (a very comforting thought, but the reality is different. An important facet of this particular problem is that this fiction is also quite flattering - not to mention profitable - to the practioners.)

- How effective shameless flattery (in general) tends to be ...

0
0
Silver badge
Alert

oh nos!

*goes off to watch Newsnight on iPlayer* here's a link to the start of the report if anyone wants it

http://bbc.co.uk/i/qs5vb/?t=16m20s

0
0
FAIL

Busted, yeah right

This story is doing the rounds on the internet at the moment making very dramatic claims that criminals are going to be using it to grab everyones money.

If you look at the PDF it shows that you need the following to make it work:

A stolen card

A card reader

A laptop

A custom made board with a programmed FPGA on it

Finally a fake card that goes into the reader with wires attached to it

The only people possibly with enough knowledge to attempt this feat will be, well, an Academic doing research into banking security from the University of Cambridge.

I suspect this is more to do with an academic trying to secure further grant funding for this current research than declaring that every criminal on every street corner now has an easy way to empty your bank account.

Interesting, but there are easier ways to get at other peoples money.

So look out for lots of dramatic reporting from the non-tech savvy media like the BBC and the Daily Mail.

2
10

If you look at the PDF ...

You might want to consider reading it, instead of just looking at the pictures, in which case you will find that's already been addressed.

0
0
Silver badge
Stop

Wires

...until someone does or Wireless version.

In which case, how would anyone know?

0
0
Grenade

Chip and Bin?

Chip and PIN has always been a way for the banks to screw you so they don't have to refund you or investigate transactions.......

You: "I've noticed a few weird transactions on my account."

Bank: "Which ones?"

You: "Well theres one for £110 of petrol but I've never been to Birmingham"

Bank: "It was authorised by pin. We can cancel your card and send you a new one but as for a refund..... better luck next time."

7
2

Stop allowing signatures

As long as you're still allowed to verify by signature, the system will remain weak regardless of the tech.

Seriously, how hard can it be to remember a 4-digit number? If you're incapable of doing that then surely you're not capable of managing your money either!

1
8

Don't Stop allowing signatures

The system will remain weak as long as there are humans anywhere near the payment chain...

Not everyone has a signature card because they can't remember a 4-digit code - some do it so that the bank can't just turn around and say 'your pin was used, therefore it's your fault' when an unauthorized transaction goes through.

I still use Chip & PIN, though my wife has a signature card - I'm thinking about switching back to signature myself though, because I don't particularly care for the way the banks have pushed liability for unauthorized transactions onto us.

Having said that, Chip and PIN can be useful when out shopping - I can just give my card to my wife, say 'you know my PIN', and she can use it...no messing about with signatures!

0
0
FAIL

Managing my money?

As long as the idiot issuers put me in a 4-digit PIN straight-jacket, THEY are not competent to manage my or anybody else's money.

2
0

Signatures are not the problem

The problem with signatures is not verification by signature, but that chips are not used in some countries abroad and the system falls back to magstripe.

In the case of a cloned card the signature on the card will be done by the thief, and will not be the signature of the cardholder.

This attack is on stolen cards, not cloned cards.

Signature verification when a chip in the card is used is still reasonably secure, assuming the cashier checks the signature properly - the card is verified as being a real card by the chip, and the signature is verified by the cashier as normal.

Though of course nothing is secure, and attacks are still possible - but liability does not fall on the innocent cardholder here, as the signature can be checked, and the receipt can be tested for DNA, the cardhlder's fingerprints, and so on.

For the cardholder, signatures are more secure.

For the banks, they are about as secure if a chip is used to verify a card with a chip, though for a while there was a lot of fraud from cards lost in the post and signed by the thief - however this is fairly easy to defeat and has fallen to very low levels.

The Bank's reason for introducing the PIN was twofold: first to improve on the reliability of cashier verification of signatures by replacing them with an automated method, and second to allow unattended automated sales. The former wasn't a great problem, and the latter was scotched -a curious story.

The HO, I think it was mostly, didn't like the idea of unattended automated sales and were going to legislate against it, but the banks convinced the HO that not offering signature verification would contravene the Disability Discrimination Act (somehow!! - but somehow ATM's don't?) and that legislation against unattended payment wasn't needed.

Some petrol stations still use unattended payment (possibly breaking the DDA) but not many, as it's too easy to defraud and the stations are liable when fraud happens.

0
0
Silver badge
Flame

It was never about security

It was only ever about shifting liability back on the customer. That's all.

9
1
Silver badge

Agreed!

If it were about security, the PIN would be more than 4 bloody digits!

6
0
iwi
FAIL

@ Greg J Preece

It's 4 digits because that's all Mrs. Shepherd-Barron could remember ....

http://en.wikipedia.org/wiki/Personal_identification_number

0
0

Passwords(!)

Yeah, we should all use passwords instead(!) <ahem>

4 digits is OK for a PIN - it's not like you can stand at the ATM/checkout and try and brute force it.

an 'easy' way round this problem is to make customers give their cards to the cashier who then inserts the card into the reader. The customer then enters the PIN on a separate keypad and the card is returned at the end of the transaction.

let's face it there's never going to be a secure way of doing this. However at least now banks (should!!) now have to admit that chip & PIN is not secure as they made out and take some of the liability themeselves.

0
0
FAIL

make customers give their cards to the cashier

afaik the cashier is not allowed to touch the card at all. If you recall all the recent cc fraud cases have involved criminal cashiers!

0
0
Bronze badge
Stop

About time too...

This research is welcome news.

It's about time that the banks were pricked into realising that just because some ill qualified spokesperson says that it is "secure" - doesn't necessarily make it so.

It's an absolute crime that so many defrauded people have been treated like criminals themselves by banks that take have taken no real responsibilty for this ill designed system.

Wankers.

2
0

Not the only bust bank security

After preventing me renewing my Skype in despite using "Verified by Visa" my bank tells me that it does not consider that system "foolproof" . In fact it says no system is foolproof - funny how banks usually say the opposite .

So Verified by Visa that uses a separate secure site with a passowrd only known to the user is rubbish according to a leading High Street Bank. Thought it was supposed to guarantee secure online transaction

0
0
FAIL

Newsnight

Last night's Newsnight revealed how this was done and the response of the issuing banks was "it's not our fault, it's a system failure" which I suppose is valid, if a little worrying. Whereas the FSA's response was to stick their fingers in their ears and say "Naaah Naaaah Naaah Can't hear you" Not good enough for a body that is supposed to oversee this kind of thing.

2
0
Happy

Broken

What with this and the much hated "verified by Visa" scheme, I think what needs to happen is that the whole card security thing should be taken away from the banks, analysed by a bunch of people who know what they are doing, come up with a GOOD solution and then dictate to the banks what they should do.

As it stands, and as has been pointed out many many times previously, the existing security measures have nothing to do with security at all; they are all to do with indemnifying the banks against loss. They do not protect the consumer against fraud, and they do not protect the retailer either; the ONLY people that are protected are the banks. This has to change, and clearly the banks are not the organisations to do it.

8
0

This was on the BBC... yesterday

Also, on the Newsnight programme was BBC Science reporter, Susan Watt's debit card details including sort code and account number!

1
0

The title is required, and must contain letters and/or digits.

A bit careless perhaps, but no more information than you give someone when paying by guaranteed cheque in a shop (if you can find a shop which accepts them anymore, which is a whole different rant!)

0
0

Hmmm.

Spend tens of millions rolling out a fix or wriggle out of paying claims by blaming the customer. Which strategy do you think the banks will go for?

1
0
FAIL

Chip and Pin...

.....was never about protecting customers, it was all about shifting blame and liability to retailers and customers from the banks."

Customer: "My card has been used fraudulently to purchase something"

Bank: "Our systems indicate that your PIN number was used, nothing we can do"

Customer: "But it wasn't me"

Bank: "Our systems indicate that your PIN number was used, nothing we can do"

Customer: "But it wasn't me"

Bank: "Our systems indicate that your PIN number was used, nothing we can do"

Customer: "But it wasn't me"

Bank: "Our systems indicate that your PIN number was used, nothing we can do"

Customer: "But it wasn't me"

Bank: "Our systems indicate that your PIN number was used, nothing we can do"

and so on...

1
0
Thumb Up

On the news last night

They showed BBC journos actually doing this for real at the Cambridge Uni canteen - getting cashback as well as paying for goods. Unless the cashier was paying attention (and how often does THAT happen?) it's unlikely that they would notice anything amiss. Let's face it, they're very rarely looking at the card when inserted (as is right and proper - I don't want them watching whilst I enter my PIN), so with a little discretion, they wouldn't notice the gear or that the user was punching 0000 for the PIN entry.

It was interesting viewing, and with some refinement (eg to the equipment used for discretion) could be a significant problem.

The banks immediately came back saying that they can detect these transactions after the fact, but, as the journos stated, none of their "test transactions" were picked up by their banks, all went through without a problem. "Chip and PIN is a secure system" was the quote, I believe...

Kudos to Cambridge uni for showing up the shortcomings here. Added to their blasting of the Verified by Visa / MasterCard SecureCode (or whatever they're called) last week (?), they're on a roll to let people know that the best way to buy anything offline is with paper money, and not to trust the banks to look after our money (like we need extra evidence to that effect!!)

7
0
Unhappy

It was only a matter of time

As any fule kno, no system is 100% foolproof and someone was always going to find a way round chip & pin. What's questionable is the card issuers' stance on this - even if it is conclusively proven that their system has holes, will they still refuse to protect their customers who get defrauded in this way?

1
0
Boffin

foolproof?

You mean "fuleprufe" don't you?

4
0
Pirate

Not quite

The card also retains a 'history' of what happened during a transaction - the CVR. This will indicate that the PIN has not been verified. The CVR is sent to the issuer host via the acquirer network and thus if the issuer system is setup to crosscheck the TVR with the CVR (to ensure consistency in what the card and the terminal are reporting in terms of cardholder verification) - this will 'inconsistency' will be picked up. The issuer host may then decide to decline the transaction and raise appropriate alerts if need be.

In my opinion - close - but no cigar!

2
1
Stop

RE: Not quite

Close but... just a little too close.

It worked and even when the banks were called, they stated that there had been no dodgy transactions.

0
0

Points arising

@BruceWayne: The TVR does not contain the method by which the card was verified by the reader (unless verification fails). See the paper for details. If it did it would mean a cheap fix was possible, but I don't think there is one.

The Banks will probably have to replace all the cards and terminals, though they might get away with just replacing the cards and putting something in the IAD, which would however be a less-than-satisfactory solution

@Zerofool2005: Yes, it's not a new attack, but it was demonstrated well and for the first time in public here. I think Steven Murdoch, one of the authors, also did some of the earlier theoretical development.

I do agree that others (Chris Mitchell?) should have been mentioned for previously pointing out the possibility of the attack, but that's maybe because I pointed out the relay attack long before the Cambridge group did their paper on it.

However I wasn't going to demonstrate the relay attack, and hadn't published a paper on it, just posted it to a crypto mailing list.

In their papers cryptologists often take the attitude that it doesn't exist until it's published, which has some merit. But a mention in the footnotes or references would be nice. Otherwise it makes them seem to claim to have invented something when they haven't.

@Homard: TVR stands for terminal verification results, but that doesn't mean much unless you know the context. The paper contains the clearest description of the very complex chip and pin protocol I have ever seen, so if you want to know what a TVR and CVR really are I can only suggest you read it.

0
0

Get a Chip-and-signature card instead

I refuse to use Chip-and-PIN - there have been too many verified attacks on the system over the years.

If you press your credit card company, they can issue you with a Chip-and-signature card (also sometimes called a "PIN suppressed" card). Although the card has a chip, every face-to-face transaction is verified by a signature, leaving a permanent paper record which can be inspected later (by the courts if necessary) if the transaction is disputed.

I've had a C&S card for 4 years, and never have any trouble using it. Many cashiers tell me they think it's "more secure" and a "good idea". If you have a C&P card, I recommend calling your credit card company and asking them to send you a C&S card instead.

1
0
Silver badge
FAIL

Chip and Pin always was broken...

... since it was really all about shifting liability away from the Card Companies rather than actually making transactions secure.

3
0
Flame

Only a matter of time...

The whole point of the Chip&PIN system from the outset was not to provide security - anyone with two brain cells connected knew it was only a matter of time. This is just the latest exploit - others have existed for ages. It's over a year since my own card was compromised by a dodgy reader in a supermarket.

The point of the system is to shift responsibility for card security, and any resultant blame and costs, to the customer and leave the banks - who don't know half as much as they think about digital security (and don't much want to know) - to sidestep the problem and concentrate on making profits.

My latest card can be read inches away - I didn't ask for the feature, didn't want it, and am currently trying to arrange a card without it. In the meantime, how long before someone compromises my card while it's still in my pocket?

0
0
Silver badge
Pirate

It's about reducing Banks' liability not about stopping Fraud :(

I've always said that Chip & PIN was always about reducing the Bank's liability to Fraud. Not actually really more secure or reducing Fraud. With a signature you can prove it's not you and get the money back, with Chip & PIN you can't. Thus Bank "Fraud" drops.

Of course RFID for credit/cash cards or Passports is even more stupid. A technology designed to replace Barcodes (which can be photocopied) and RFID is not inherently a technology designed for Secure applications. Because RFID is unique "fingerprint" even if you don't decode it, an RFID "reader" at each location that your "mark" might use lets you track where the RFID is. If the "mark" realises, you could of course be tracking someone else that had the "tag" dumped on them.

0
0
Silver badge

SmallYellowFuzzyDuck, how pweety! Busted, yeah right #

You'll be able to get a kit on eBay or someplace.

How many people bought card readers (as cheap as £10) to edit ITV digital Cards?

How many people do Card Sharing on Satellite receivers.

Same ISO reader will talk to card.

0
0
Thumb Up

But at least you Brits can check it

Here in the US the research would have got them arrested. DCMA "protects" us from anyone proving that crap security is just that.

1
0
FAIL

I was under the impression

that the DCMA didn't stop academic research?

Plus for this they haven't reverse engineered anything so I am unsure as to which bit of DMCA they would be in breach of.

(I am not an american so do not profess to be an expert on DMCA!)

FAIL = DMCA

1
0
Gold badge
Happy

@BruceWayne

"The card also retains a 'history' of what happened during a transaction - the CVR. This will indicate that the PIN has not been verified. The CVR is sent to the issuer host via the acquirer network and thus if the issuer system is setup to crosscheck the TVR with the CVR (to ensure consistency in what the card and the terminal are reporting in terms of cardholder verification) - this will 'inconsistency' will be picked up. "

Well that's excellent and clearly there's nothing to worry about.

Hang on. Did I spot an "if" in that paragraph? I think I did. I'd say that at least in this banks case they do *not* run such a comparison.

After all it will no doubt lower their card processing volume.

0
0
Gold badge
Dead Vulture

PIN NUMBER

AUUUUUUUUUUUUUUUUUUUUUUUUUUUUGH *bang*

0
0
FAIL

Old News...

Ive seen this been talked about before. These Cambridge researchers seem to always latch onto something that is like 6 months old.

Ive even disucssed with my business partner about the systems used "if pin.verified==TRUE { process.transaction }

Force pin.verified to be TRUE spoofing etc. process.transaction will occur.

0
0
Gold badge

@Chris007

Don't know if you are being sarcastic, but DMCA has absolutely been used to suppress research. There's several incidents THAT I KNOW OF (how many that I don't know of, I don't know...) where someone either started research, or had completed research and was ready to present it at a conference, when some heavies show up and are like "if you proceed you will be sued under the DMCA". One of them had the balls to tell them to piss off and just presented the research anyway, but the fact is that people due use it as a threat to stifle research.

Anyway, i don't know if we even have chip and pin in the states. but I have avoided a debit card for the same reason -- credit cards, the credit laws are pretty strict, the credit card company assumes liability for any fraudulent transactions. You call them, they take the transactions off your bill and either get the money back or eat it. Debit card? The money's already out of my bank account, and although most banks will put the money back for faudulent transactions they are not required to.

1
0
FAIL

Nope - not being sarcastic

Maybe I should have worded it "that the DCMA should not be used stop academic research and that anybody invoking DCMA should be taking to court for wasting time and money"

It is certainly clear what the DMCA is actually for rather than what it was sold to the public on - but those of us who saw it's rise to become law (even in the motherland) could see that.

FAIL: American govt for continuing to cow-tow to big business

0
0
Joke

Since the taxpayer seems to own most of the banks these days

Why don't we get the government to design a secure card system that all the banks can use? I'm sure it can't cost that much to set up a little IT contract or three and a few, err, databases and, um, maybe get some biometric scanners, and ...

0
0
Law
Paris Hilton

lucky me!

I had a replacement barclaycard this week... without me asking for it, my card now supports wireless payments!! Yey me... I'm sure being wireless it will never be a subject of any security concerns...

*begins lining wallet with tinfoil*

0
0
Grenade

@brucewain

WTF ????

CVR is what ? TVR = ?

I guess you work in a bank as you can't talk straight.

As to chip and bin, if you use a credit card you are surely protected by the consumer credit act ?

So when they claim they are not liable, you claim you did not receive the goods. It then becomes the problem of the useless wanktards at your bank to recover the monies.

merchant bankers !

0
0
Gold badge

@Homard

People far better versed in the law than either you or I have spent billions (literally) of dollars *ensuring* that when they make the claim "we are not liable," they are correct.

They did this not by ensuring the security was good, but by ensuring their law was.

I guarantee you, if you use own a chip + pin card, even if you cut it up the day you receive it, and a charge appears on your account that is "verified by pin," you are liable, case closed.

Why the fnord do you think they came out with the thing to begin with?

1
0

Page:

This topic is closed for new posts.