Chip and PIN security busted

Security researchers have demonstrated a gaping security hole in Chip and PIN credit card authorisations which undermines trust in the technology as a means to verify retail purchases. Cambridge University security researchers have demonstrated how it might be possible to trick the card into thinking it’s doing a chip-and- …

COMMENTS

This topic is closed for new posts.

  1. The Fuzzy Wotnot
    FAIL

    Typical

    Now sit back and watch all the finger-pointing begin, as everyone blames everyone else for the problem and we, the customers, continue to get fleeced by inadequate security.

    1. BristolBachelor Gold badge

      Heads in the sand

      Banks, finger pointing?

      Nope they will stick their heads in the sand, say it is secure. Say it is impossible to do this in the real world...

  2. Anonymous Coward
    Anonymous Coward

    So...

    As I only use my card when buying online and use cash in shops I'm perfectly safe?

    1. Anonymous Coward
      Happy

      Yep

      Unless you get mugged for your card at the cash machine.

  3. Tony S
    Alert

    Dare I say I told you so

    I remember making a suggestion a while back, in one of the comments to an article, that there could be an issue, and that people should not automatically assume that "Chip & PIN" or any other technology was unbreakable. Several people chose to sneer at my position.

    The reality is that there is no such thing as 100 % security - all anyone can do is say, "we have not been able to crack it, and are not aware that anyone else has".

    Too many people suffer with an almost religious zealotry about security - I do X, I use Y, I have Z, so I am totally secure. Anyone that believes that is suffering with delusions of adequacy; and what is worrying is that they continue to believe the fallacy long after it has been demonstrated that it is not true.

    But there you go - the problem is not with the hardware or the software, but with the wetware!

    1. Usko Kyykka
      Boffin

      A hypothesis

      Maybe this (too) is a manifestation of believing something just because it being true would be absfab (and/or the converse too distressing). Other examples of this would be e.g. :

      - Safe and effective diet pills (it seems people continue to buy and use these despite them having been debunked countless times: the idea of getting slimmed down without really bothering with anything so very attractive).

      - Medicine/doctors can deal with all ailments in an effective way / hardly ever screw up (a very comforting thought, but the reality is different. An important facet of this particular problem is that this fiction is also quite flattering - not to mention profitable - to the practitioners.)

      - How effective shameless flattery (in general) tends to be ...

  4. LinkOfHyrule
    Alert

    oh nos!

    *goes off to watch Newsnight on iPlayer* here's a link to the start of the report if anyone wants it

    http://bbc.co.uk/i/qs5vb/?t=16m20s

  5. SmallYellowFuzzyDuck, how pweety!
    FAIL

    Busted, yeah right

    This story is doing the rounds on the internet at the moment making very dramatic claims that criminals are going to be using it to grab everyone's money.

    If you look at the PDF it shows that you need the following to make it work:

    A stolen card

    A card reader

    A laptop

    A custom made board with a programmed FPGA on it

    Finally a fake card that goes into the reader with wires attached to it

    The only people possibly with enough knowledge to attempt this feat will be, well, an Academic doing research into banking security from the University of Cambridge.

    I suspect this is more to do with an academic trying to secure further grant funding for this current research than declaring that every criminal on every street corner now has an easy way to empty your bank account.

    Interesting, but there are easier ways to get at other people's money.

    So look out for lots of dramatic reporting from the non-tech savvy media like the BBC and the Daily Mail.

    1. Alan Braggins 1

      If you look at the PDF ...

      You might want to consider reading it, instead of just looking at the pictures, in which case you will find that's already been addressed.

    2. Anonymous Coward
      Stop

      Wires

      ...until someone does a Wireless version.

      In which case, how would anyone know?

  6. Anonymous Coward
    Grenade

    Chip and Bin?

    Chip and PIN has always been a way for the banks to screw you so they don't have to refund you or investigate transactions.......

    You: "I've noticed a few weird transactions on my account."

    Bank: "Which ones?"

    You: "Well there's one for £110 of petrol but I've never been to Birmingham"

    Bank: "It was authorised by pin. We can cancel your card and send you a new one but as for a refund..... better luck next time."

  7. JakeyC

    Stop allowing signatures

    As long as you're still allowed to verify by signature, the system will remain weak regardless of the tech.

    Seriously, how hard can it be to remember a 4-digit number? If you're incapable of doing that then surely you're not capable of managing your money either!

    1. Bah Humbug

      Don't Stop allowing signatures

      The system will remain weak as long as there are humans anywhere near the payment chain...

      Not everyone has a signature card because they can't remember a 4-digit code - some do it so that the bank can't just turn around and say 'your pin was used, therefore it's your fault' when an unauthorized transaction goes through.

      I still use Chip & PIN, though my wife has a signature card - I'm thinking about switching back to signature myself though, because I don't particularly care for the way the banks have pushed liability for unauthorized transactions onto us.

      Having said that, Chip and PIN can be useful when out shopping - I can just give my card to my wife, say 'you know my PIN', and she can use it...no messing about with signatures!

    2. Alan Esworthy
      FAIL

      Managing my money?

      As long as the idiot issuers put me in a 4-digit PIN straight-jacket, THEY are not competent to manage my or anybody else's money.

    3. Peter Fairbrother 1

      Signatures are not the problem

      The problem with signatures is not verification by signature, but that chips are not used in some countries abroad and the system falls back to magstripe.

      In the case of a cloned card the signature on the card will be done by the thief, and will not be the signature of the cardholder.

      This attack is on stolen cards, not cloned cards.

      Signature verification when a chip in the card is used is still reasonably secure, assuming the cashier checks the signature properly - the card is verified as being a real card by the chip, and the signature is verified by the cashier as normal.

      Though of course nothing is secure, and attacks are still possible - but liability does not fall on the innocent cardholder here, as the signature can be checked, and the receipt can be tested for DNA, the cardholder's fingerprints, and so on.

      For the cardholder, signatures are more secure.

      For the banks, they are about as secure if a chip is used to verify a card with a chip, though for a while there was a lot of fraud from cards lost in the post and signed by the thief - however this is fairly easy to defeat and has fallen to very low levels.

      The Bank's reason for introducing the PIN was twofold: first to improve on the reliability of cashier verification of signatures by replacing them with an automated method, and second to allow unattended automated sales. The former wasn't a great problem, and the latter was scotched - a curious story.

      The HO, I think it was mostly, didn't like the idea of unattended automated sales and were going to legislate against it, but the banks convinced the HO that not offering signature verification would contravene the Disability Discrimination Act (somehow!! - but somehow ATM's don't?) and that legislation against unattended payment wasn't needed.

      Some petrol stations still use unattended payment (possibly breaking the DDA) but not many, as it's too easy to defraud and the stations are liable when fraud happens.

  8. The BigYin
    Flame

    It was never about security

    It was only ever about shifting liability back on the customer. That's all.

    1. Greg J Preece

      Agreed!

      If it were about security, the PIN would be more than 4 bloody digits!

      1. iwi
        FAIL

        @ Greg J Preece

        It's 4 digits because that's all Mrs. Shepherd-Barron could remember ....

        http://en.wikipedia.org/wiki/Personal_identification_number

      2. JonP

        Passwords(!)

        Yeah, we should all use passwords instead(!) <ahem>

        4 digits is OK for a PIN - it's not like you can stand at the ATM/checkout and try and brute force it.

        an 'easy' way round this problem is to make customers give their cards to the cashier who then inserts the card into the reader. The customer then enters the PIN on a separate keypad and the card is returned at the end of the transaction.

        let's face it there's never going to be a secure way of doing this. However at least now banks (should!!) now have to admit that chip & PIN is not secure as they made out and take some of the liability themselves.

        1. The Commenter formally known as Matt
          FAIL

          make customers give their cards to the cashier

          afaik the cashier is not allowed to touch the card at all. If you recall all the recent cc fraud cases have involved criminal cashiers!

  9. Aristotles slow and dimwitted horse
    Stop

    About time too...

    This research is welcome news.

    It's about time that the banks were pricked into realising that just because some ill qualified spokesperson says that it is "secure" - doesn't necessarily make it so.

    It's an absolute crime that so many defrauded people have been treated like criminals themselves by banks that have taken no real responsibility for this ill designed system.

    Wankers.

  10. john loader

    Not the only bust bank security

    After preventing me renewing my Skype despite using "Verified by Visa" my bank tells me that it does not consider that system "foolproof". In fact it says no system is foolproof - funny how banks usually say the opposite.

    So Verified by Visa that uses a separate secure site with a password only known to the user is rubbish according to a leading High Street Bank. Thought it was supposed to guarantee secure online transaction.

  11. Rakkor
    FAIL

    Newsnight

    Last night's Newsnight revealed how this was done and the response of the issuing banks was "it's not our fault, it's a system failure" which I suppose is valid, if a little worrying. Whereas the FSA's response was to stick their fingers in their ears and say "Naaah Naaaah Naaah Can't hear you" Not good enough for a body that is supposed to oversee this kind of thing.

  12. Anonymous Coward
    Happy

    Broken

    What with this and the much hated "verified by Visa" scheme, I think what needs to happen is that the whole card security thing should be taken away from the banks, analysed by a bunch of people who know what they are doing, come up with a GOOD solution and then dictate to the banks what they should do.

    As it stands, and as has been pointed out many many times previously, the existing security measures have nothing to do with security at all; they are all to do with indemnifying the banks against loss. They do not protect the consumer against fraud, and they do not protect the retailer either; the ONLY people that are protected are the banks. This has to change, and clearly the banks are not the organisations to do it.

  13. Martin Chandler

    This was on the BBC... yesterday

    Also, on the Newsnight programme was BBC Science reporter, Susan Watt's debit card details including sort code and account number!

    1. Bah Humbug

      The title is required, and must contain letters and/or digits.

      A bit careless perhaps, but no more information than you give someone when paying by guaranteed cheque in a shop (if you can find a shop which accepts them anymore, which is a whole different rant!)

  14. Neill Mitchell

    Hmmm.

    Spend tens of millions rolling out a fix or wriggle out of paying claims by blaming the customer. Which strategy do you think the banks will go for?

  15. Anonymous Coward
    FAIL

    Chip and Pin...

    .....was never about protecting customers, it was all about shifting blame and liability to retailers and customers from the banks.

    Customer: "My card has been used fraudulently to purchase something"

    Bank: "Our systems indicate that your PIN number was used, nothing we can do"

    Customer: "But it wasn't me"

    Bank: "Our systems indicate that your PIN number was used, nothing we can do"

    Customer: "But it wasn't me"

    Bank: "Our systems indicate that your PIN number was used, nothing we can do"

    Customer: "But it wasn't me"

    Bank: "Our systems indicate that your PIN number was used, nothing we can do"

    Customer: "But it wasn't me"

    Bank: "Our systems indicate that your PIN number was used, nothing we can do"

    and so on...

  16. Ihre Papiere Bitte!!
    Thumb Up

    On the news last night

    They showed BBC journos actually doing this for real at the Cambridge Uni canteen - getting cashback as well as paying for goods. Unless the cashier was paying attention (and how often does THAT happen?) it's unlikely that they would notice anything amiss. Let's face it, they're very rarely looking at the card when inserted (as is right and proper - I don't want them watching whilst I enter my PIN), so with a little discretion, they wouldn't notice the gear or that the user was punching 0000 for the PIN entry.

    It was interesting viewing, and with some refinement (eg to the equipment used for discretion) could be a significant problem.

    The banks immediately came back saying that they can detect these transactions after the fact, but, as the journos stated, none of their "test transactions" were picked up by their banks, all went through without a problem. "Chip and PIN is a secure system" was the quote, I believe...

    Kudos to Cambridge uni for showing up the shortcomings here. Added to their blasting of the Verified by Visa / MasterCard SecureCode (or whatever they're called) last week (?), they're on a roll to let people know that the best way to buy anything offline is with paper money, and not to trust the banks to look after our money (like we need extra evidence to that effect!!)

  17. Anonymous Coward
    Unhappy

    It was only a matter of time

    As any fule kno, no system is 100% foolproof and someone was always going to find a way round chip & pin. What's questionable is the card issuers' stance on this - even if it is conclusively proven that their system has holes, will they still refuse to protect their customers who get defrauded in this way?

    1. Alan Esworthy
      Boffin

      foolproof?

      You mean "fuleprufe" don't you?

  18. BruceWayne
    Pirate

    Not quite

    The card also retains a 'history' of what happened during a transaction - the CVR. This will indicate that the PIN has not been verified. The CVR is sent to the issuer host via the acquirer network and thus if the issuer system is set up to crosscheck the TVR with the CVR (to ensure consistency in what the card and the terminal are reporting in terms of cardholder verification) - this 'inconsistency' will be picked up. The issuer host may then decide to decline the transaction and raise appropriate alerts if need be.

    In my opinion - close - but no cigar!

    1. Anonymous Coward
      Stop

      RE: Not quite

      Close but... just a little too close.

      It worked and even when the banks were called, they stated that there had been no dodgy transactions.

    2. Peter Fairbrother 1

      Points arising

      @BruceWayne: The TVR does not contain the method by which the card was verified by the reader (unless verification fails). See the paper for details. If it did it would mean a cheap fix was possible, but I don't think there is one.

      The Banks will probably have to replace all the cards and terminals, though they might get away with just replacing the cards and putting something in the IAD, which would however be a less-than-satisfactory solution

      @Zerofool2005: Yes, it's not a new attack, but it was demonstrated well and for the first time in public here. I think Steven Murdoch, one of the authors, also did some of the earlier theoretical development.

      I do agree that others (Chris Mitchell?) should have been mentioned for previously pointing out the possibility of the attack, but that's maybe because I pointed out the relay attack long before the Cambridge group did their paper on it.

      However I wasn't going to demonstrate the relay attack, and hadn't published a paper on it, just posted it to a crypto mailing list.

      In their papers cryptologists often take the attitude that it doesn't exist until it's published, which has some merit. But a mention in the footnotes or references would be nice. Otherwise it makes them seem to claim to have invented something when they haven't.

      @Homard: TVR stands for terminal verification results, but that doesn't mean much unless you know the context. The paper contains the clearest description of the very complex chip and pin protocol I have ever seen, so if you want to know what a TVR and CVR really are I can only suggest you read it.
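
Added example, not part of the thread or of the paper it discusses: a Python sketch of the issuer-side cross-check described in comment 18, comparing what the terminal reports with what the card records in its CVR. The CVR bit positions are an assumed layout (real CVR formats are issuer-specific), and the CVM Results field is an extra terminal-reported input assumed here because, as the reply notes, the TVR alone does not name the verification method. All sample values are constructed.

```python
from typing import List, Optional

# TVR is 5 bytes; byte 3 bit 8 means "cardholder verification was not successful".
TVR_CV_FAILED = 0x80

# CVM Results (3 bytes, assumed to reach the issuer): byte 1 low 6 bits = method,
# byte 3 = result. These method codes are the PIN checks performed by the card.
OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}
CVM_SUCCESS = 0x02

# ASSUMED CVR layout for this example: byte 2 bit 4 = offline PIN verification
# performed, byte 2 bit 3 = performed and PIN not successfully verified.
CVR_PIN_PERFORMED = 0x08
CVR_PIN_FAILED = 0x04


def cross_check(tvr: bytes, cvr: bytes,
                cvm_results: Optional[bytes] = None) -> List[str]:
    """Return a list of inconsistency findings; an empty list means consistent."""
    if len(tvr) != 5:
        raise ValueError("TVR must be 5 bytes")
    if len(cvr) < 2:
        raise ValueError("CVR too short for the assumed layout")
    if cvm_results is not None and len(cvm_results) != 3:
        raise ValueError("CVM Results must be 3 bytes")

    findings: List[str] = []
    terminal_cv_failed = bool(tvr[2] & TVR_CV_FAILED)
    card_pin_performed = bool(cvr[1] & CVR_PIN_PERFORMED)
    card_pin_failed = bool(cvr[1] & CVR_PIN_FAILED)

    # The card saw a wrong PIN but the terminal reports no verification failure.
    if card_pin_failed and not terminal_cv_failed:
        findings.append("CARD_PIN_FAILED_TERMINAL_OK")

    if cvm_results is None:
        # With the TVR alone the issuer cannot tell a signature transaction
        # from a PIN transaction the card never took part in.
        if not terminal_cv_failed and not card_pin_performed:
            findings.append("METHOD_UNKNOWN")
        return findings

    method = cvm_results[0] & 0x3F
    terminal_says_pin_ok = (method in OFFLINE_PIN_METHODS
                            and cvm_results[2] == CVM_SUCCESS)
    # The terminal believes the card verified a PIN; the card says it never did.
    if terminal_says_pin_ok and not card_pin_performed:
        findings.append("TERMINAL_PIN_OK_CARD_NO_PIN")
    return findings


if __name__ == "__main__":
    tvr_ok = bytes.fromhex("0000000000")          # constructed sample values
    samples = {
        "consistent PIN": (tvr_ok, bytes.fromhex("0038000000"), bytes.fromhex("410302")),
        "mismatch":       (tvr_ok, bytes.fromhex("0030000000"), bytes.fromhex("410302")),
        "signature":      (tvr_ok, bytes.fromhex("0030000000"), bytes.fromhex("5E0302")),
        "TVR only":       (tvr_ok, bytes.fromhex("0030000000"), None),
    }
    for name, (tvr, cvr, cvm) in samples.items():
        print(f"{name:15s} -> {cross_check(tvr, cvr, cvm) or 'consistent'}")
```

The "TVR only" case returns `METHOD_UNKNOWN` rather than a decline, which is the gap the two comments above disagree about.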

  19. Andrew Watson

    Get a Chip-and-signature card instead

    I refuse to use Chip-and-PIN - there have been too many verified attacks on the system over the years.

    If you press your credit card company, they can issue you with a Chip-and-signature card (also sometimes called a "PIN suppressed" card). Although the card has a chip, every face-to-face transaction is verified by a signature, leaving a permanent paper record which can be inspected later (by the courts if necessary) if the transaction is disputed.

    I've had a C&S card for 4 years, and never have any trouble using it. Many cashiers tell me they think it's "more secure" and a "good idea". If you have a C&P card, I recommend calling your credit card company and asking them to send you a C&S card instead.

  20. Graham Marsden
    FAIL

    Chip and Pin always was broken...

    ... since it was really all about shifting liability away from the Card Companies rather than actually making transactions secure.

  21. Anonymous Coward
    Flame

    Only a matter of time...

    The whole point of the Chip&PIN system from the outset was not to provide security - anyone with two brain cells connected knew it was only a matter of time. This is just the latest exploit - others have existed for ages. It's over a year since my own card was compromised by a dodgy reader in a supermarket.

    The point of the system is to shift responsibility for card security, and any resultant blame and costs, to the customer and leave the banks - who don't know half as much as they think about digital security (and don't much want to know) - to sidestep the problem and concentrate on making profits.

    My latest card can be read inches away - I didn't ask for the feature, didn't want it, and am currently trying to arrange a card without it. In the meantime, how long before someone compromises my card while it's still in my pocket?

  22. Mage Silver badge
    Pirate

    It's about reducing Banks' liability not about stopping Fraud :(

    I've always said that Chip & PIN was always about reducing the Bank's liability to Fraud. Not actually really more secure or reducing Fraud. With a signature you can prove it's not you and get the money back, with Chip & PIN you can't. Thus Bank "Fraud" drops.

    Of course RFID for credit/cash cards or Passports is even more stupid. A technology designed to replace Barcodes (which can be photocopied) and RFID is not inherently a technology designed for Secure applications. Because RFID is unique "fingerprint" even if you don't decode it, an RFID "reader" at each location that your "mark" might use lets you track where the RFID is. If the "mark" realises, you could of course be tracking someone else that had the "tag" dumped on them.

  23. Mage Silver badge

    SmallYellowFuzzyDuck, how pweety! Busted, yeah right #

    You'll be able to get a kit on eBay or someplace.

    How many people bought card readers (as cheap as £10) to edit ITV digital Cards?

    How many people do Card Sharing on Satellite receivers?

    Same ISO reader will talk to card.

  24. Retired Geek
    Thumb Up

    But at least you Brits can check it

    Here in the US the research would have got them arrested. DCMA "protects" us from anyone proving that crap security is just that.

    1. Chris007
      FAIL

      I was under the impression

      that the DCMA didn't stop academic research?

      Plus for this they haven't reverse engineered anything so I am unsure as to which bit of DMCA they would be in breach of.

      (I am not an american so do not profess to be an expert on DMCA!)

      FAIL = DMCA

  25. John Smith 19 Gold badge
    Happy

    @BruceWayne

    "The card also retains a 'history' of what happened during a transaction - the CVR. This will indicate that the PIN has not been verified. The CVR is sent to the issuer host via the acquirer network and thus if the issuer system is set up to crosscheck the TVR with the CVR (to ensure consistency in what the card and the terminal are reporting in terms of cardholder verification) - this 'inconsistency' will be picked up."

    Well that's excellent and clearly there's nothing to worry about.

    Hang on. Did I spot an "if" in that paragraph? I think I did. I'd say that at least in this bank's case they do *not* run such a comparison.

    After all it will no doubt lower their card processing volume.

  26. Trevor Pott o_O Gold badge
    Dead Vulture

    PIN NUMBER

    AUUUUUUUUUUUUUUUUUUUUUUUUUUUUGH *bang*

  27. Anonymous Coward
    FAIL

    Old News...

    I've seen this being talked about before. These Cambridge researchers seem to always latch onto something that is like 6 months old.

    I've even discussed with my business partner about the systems used "if pin.verified==TRUE { process.transaction }"

    Force pin.verified to be TRUE spoofing etc. process.transaction will occur.

  28. Henry Wertz 1 Gold badge

    @Chris007

    Don't know if you are being sarcastic, but DMCA has absolutely been used to suppress research. There's several incidents THAT I KNOW OF (how many that I don't know of, I don't know...) where someone either started research, or had completed research and was ready to present it at a conference, when some heavies show up and are like "if you proceed you will be sued under the DMCA". One of them had the balls to tell them to piss off and just presented the research anyway, but the fact is that people do use it as a threat to stifle research.

    Anyway, I don't know if we even have chip and pin in the states. But I have avoided a debit card for the same reason -- credit cards, the credit laws are pretty strict, the credit card company assumes liability for any fraudulent transactions. You call them, they take the transactions off your bill and either get the money back or eat it. Debit card? The money's already out of my bank account, and although most banks will put the money back for fraudulent transactions they are not required to.

    1. Chris007
      FAIL

      Nope - not being sarcastic

      Maybe I should have worded it "that the DCMA should not be used to stop academic research and that anybody invoking DCMA should be taken to court for wasting time and money"

      It is certainly clear what the DMCA is actually for rather than what it was sold to the public on - but those of us who saw its rise to become law (even in the motherland) could see that.

      FAIL: American govt for continuing to kowtow to big business

  29. Werner McGoole
    Joke

    Since the taxpayer seems to own most of the banks these days

    Why don't we get the government to design a secure card system that all the banks can use? I'm sure it can't cost that much to set up a little IT contract or three and a few, err, databases and, um, maybe get some biometric scanners, and ...

  30. Law
    Paris Hilton

    lucky me!

    I had a replacement barclaycard this week... without me asking for it, my card now supports wireless payments!! Yey me... I'm sure being wireless it will never be a subject of any security concerns...

    *begins lining wallet with tinfoil*

  31. Homard
    Grenade

    @brucewain

    WTF ????

    CVR is what ? TVR = ?

    I guess you work in a bank as you can't talk straight.

    As to chip and bin, if you use a credit card you are surely protected by the consumer credit act ?

    So when they claim they are not liable, you claim you did not receive the goods. It then becomes the problem of the useless wanktards at your bank to recover the monies.

    merchant bankers !

    1. Trevor Pott o_O Gold badge

      @Homard

      People far better versed in the law than either you or I have spent billions (literally) of dollars *ensuring* that when they make the claim "we are not liable," they are correct.

      They did this not by ensuring the security was good, but by ensuring their law was.

      I guarantee you, if you own a chip + pin card, even if you cut it up the day you receive it, and a charge appears on your account that is "verified by pin," you are liable, case closed.

      Why the fnord do you think they came out with the thing to begin with?
