Industry groups leap to Chip and PIN's defence
Banking industry suppliers have lined up to defend Chip and PIN, following the release of research last week from Cambridge University demonstrating how cybercrooks might be able to bypass security controls on credit and debit card transactions in shops. A four man team from Cambridge University demonstrated how it might be …
With magnetic stripes and signatures, banks and retailers had the burden of proof to show that a disputed transaction was not fraud. Otherwise the cardholder did not pay the disputed transaction.
With chip & pin, by default if the pin verification is supposedly completed, the cardholder is on the hook and the burden of proof on possible fraud rests on him. Which is nice, as individuals do not have the resources to fight such disputes.
I don't really care about the technical details of the system - that's bank's business, they want to prevent losses to them, by all means, do whatever you want. However, if said technology is used to shift the burden of proof to the customer, it has to be absolutely 100% bulletproof. Chip & pin demonstrably is not. Just change the assumption back to magnetic stripe/signature mode - burden of proof lies with the bank and/or the merchant to prove that the cardholder made the disputed purchase (more than just "we have these logs that show you inputted the pin") or the cardholder is not liable and the current system is fine.
The law was changed (from Nov 09) and the burden of proof is almost always on the banks to prove you were at fault.
http://news.bbc.co.uk/1/hi/programmes/moneybox/8347147.stm
For the bank doesn't care as long as they can shift the blame onto someone else (the customer with the least ``clout'' by preference) or their damage account can take the payouts which they'll indubitably book as a tax write-off or something. But on no account can they afford large masses of customers demanding something better. That'd be expensive.
From how I understand the article to be positioned, The research isn't saying that chip and pin is bad and should be eliminated, just the "it's chip and pin so there's no fraud" attitude.
Anyone taking that attidue about any computer system should be shot.
They're missing it in a different way -
What they're really missing is that there's several proven weaknesses in the system; this one, the fact that the pads aren't secure as they're supposed to be, the fact that the encryption isn't very strong at all and that you can copy the cards extremely easy (and a few other glaringly obvious problems).
Thus the system is totally broken because it points to the possibility of there being even more weaknesses.
Think like in encryption, if there's even a hint a cipher is computationally weak you don't go within a 100 miles of using it. The same should be true for chip&pin, in that the system should be gradually replaced by something else - what are the odds that the system is designed to be replaced gradually as it stands and that a replacement is even being discussed?
So, there is yet another way around chip and pin. Ultimately it's pretty similar to
http://www.thisismoney.co.uk/news/article.html?in_article_id=417296&in_page_id=2
and
http://uk.news.yahoo.com/21/20100211/ttc-chip-and-pin-fraud-danger-revealed-e1d36ba.html
and
http://www.thisislondon.co.uk/news/article-23383609-sophisticated-thieves-bugging-chip-and-pin-machines-with-mp3-players.do
and plenty more.
What has been most interesting has been the banks response to these failings - that they have introduced the Verified by Visa scheme which includes a condition that transfers any liability for losses onto the customer. I do wonder what is the point of having regulatory bodies when banks are free to act like that in response to security breaches,
Manufacturers in defence of own product shocker! Well blow me down!
Hardly surprising they are all ganging to together, there must be a very tidy sum to be made punting these little boxes that attach to practically every till in the western world!
Actually the manufacturers of the 'little boxes' merely implement the standards the banks ask them to. Furthermore their 'little boxes' won't need to be replaced to fix this - it'll be possible via software changes. I think you should bark up a different tree!
Of course fraud has gone down since the introduction of chip-and-pin, it's now called 'customer negligence'.
The three way tradeoff that Mr Brunswick mentions is on the mark for new projects. He's missed the extra one relevant to upgrade projects - ease and cost of transition. That's the one which has caused all the headaches (and I must assume many of the design compromises) to date. It's going to complicate any efforts to roll out an improved system too.
For me as a card user I'd like to know what the banks say. If a PIN has been used to carry out a fraudulent transaction, are they going to claim that it was negligence on my part and refuse to compensate me when it has now been proved that criminals don't need to know my PIN?
Over £2000 was taken from my bank a/c a few years ago and my bank compensated me 'no questions asked'. I wonder if it would have been as easy if a PIN had been involved.
Why can't we just skip this whole technical stuff and try simple social engineering.
Change the law so that a bank is responsible for all fraud or theft made on one of their cards until such a time as the customer holding the card is convicted by a jury of their peers of *deliberate* theft or fraud. And by "responsible", I mean "you have to give the complainant their money back the instant they report it".
Then we'll be spared all the banks lies about how chip and pin is secure and force them to implement a security scheme that is good enough to reduce their losses to an acceptable level.
Mine's the one with a wodge of non-sequential notes, a chequebook, an rfid blocker and a signed credit card (and microwaved chip) in the pocket.
Shifting responsibility back to the banks would affect them, but the net effect is that the cost of supplying cards + processing transactions goes up to compensate.
Banks would simply increase the money they extract from customers through higher lending interest rates and lower deposit interest rates, and increase the amount of money they take from each transaction from the retailer. The burden of fraudulent transactions would then be spread nicely over all customers, and items will cost more.
The system should be priced around the real cost of secure transactions. I'd rather pay a small transaction fee than run the risk of massive damage to my economy. The only party able to spread the risk is the bank. Also, I can't do a thing to increase the security of the system, it's simply not in my power. Making the banks responsible for every transaction until proven illegal in a court of law is the only way to ensure that they'll keep innovating - if I carry the risk, why should they spend money to reduce fraud?
Sig sig sputnik? Hairball? Tell me I'm not going mad, and that the section headings actually bear no relation whatsoever to their contents. I thought I was reading Viz there for a minute.
We have a banking regulator, for amongst other things, to prevent banks gaining too much power over their customers. The regulator would not stand for banks laying the burden of proof on customers in the way the is being alledged. There is still no evidence of attacks in the wild (I know that doesn't mean there aren't any) but I have yest to see evidence of anyone who has a credible complaint against a chip and pin authorised transaction.
Also as some of the spokes people said, the chip and pin system isn't fixed in stone, it can be changed and it itsn't a panacea, but it has had a marked sucess in reduction of fraud.
The best thing that we could do is go exclusively pin only auth and do away with signatures altogether. After all, how secure is an authorisation system that displays the supposed secret part of the auth on the back of a card?
"The best thing that we could do is go exclusively pin only auth and do away with signatures altogether. After all, how secure is an authorisation system that displays the supposed secret part of the auth on the back of a card?"
And for those who can't use C&P?
Not that I'm particularly convinced that people can't remember a four digit number...
If someone has a real medical reason (artheritis, for instance) fine, they shouldn't have to type their PIN, there is already provision for this. People without a valid (ie: broken) chip shouldn't be able to carry out transactions via magstripe, it's a pain but just the same as if a magstripe corrupts. I have never personally had a chip die on me, but I've lost count of the magstripes that have died.
It is funny though that people never seemed to have medical problems with ATMs, only with chip and pin terminals.
Obviously magstripe will have to remain for people from regions where they only dish out magstripe cards.
What about using biometric data, like finger prints? Surely someone with no fingers has bigger problems than not being able to use the new "chip and finger" system. Hehe... that sounds like something that happens at a chav club.
Fingerprints are worse than signatures, why would you use a method of authentication that you leave on everything that you touch? It is a trivial process to turn a fingerprint left on a beer glass or coffee cup, into a useable copy.
Other biometric technologies are rather flakey (as their being dropped from the UK ID cards testifies.)
“No security system can claim to be completely bulletproof"
Yep that's true...so why were the banking system so adamant that Chip and PIN was *totally* bulletproof when they trumpetted it's 'wonder arrival' all those years ago? OMG could it that they were, <gulp>, lying? =8O
Oh hang on, I forgot that this was never about security and preventing fraud but about being able to shift the blame onto someone else. Complete set of bastards.
To paraphrase the famous Mandy Rice-Davies utterance, "Well - they would say that, wouldn't they?"
Their answer is neither right nor wrong - it's irrelevant and misses the point - quite deliberately I'm sure.
Just shoulder surf in the supermarket, and then lift the wallet/purse from the jacket or handbag. It's too easy, especially when the keypad is put at arms length at the checkout (stupid, stupid), to make sure that ANYBODY in a 3 metre radius can see. If you are feeling clever, remove the card (and the loyalty card to add authenticity), and replace the wallet/purse.
Use the card for high price electrical items in the SAME supermarket, then visit the ATM (but be careful of the cameras), draw the maximum allowed, and discard the card in the nearest bin, or even better, a bottle or clothes bank or a drain (after carefully wiping the fingerprints off the card, of course).
You should be able to do between £500 and £1000 of damage before the card is missed. And even if the card is missed, the first thing most people will do will be to turn out their shopping before reporting the cards lost, especially if they still have their wallet or purse.
The insistence that the Banks have that the PIN is private unless you've told someone is laughable when there is so little attention paid to the location of the keypad. I'm sure that my local Tesco moved it because when it was right next to the customer, it was too easy to break.
I'm not a crook, but I practice observing the PIN number of the person in front of me in the queue. It is really all too easy.
Ok, that wouldn't work for several reasons:
The checkouts have security cameras all over the palce
ATMs have security cameras built into them that take pictures of people using them.
That kind of account activity is going to get the bank suspicious, so they'd be expecting potential fraud.
The person who's card was stolen would usually notice and call the bank, you then go through a bunch of 'have you bought all of this stuff' questions and provided you don't tell them that you've written down your PIN you'll almost certainly be ok.
Case in point - I know two people who have had heir cards stolen or cloned, with the same large uk bank. One had his card skimmed and the PIN sholder surfed, the bank called him and told him, asked him a few questions and he got the stolen cash back. The other had his wallet nicked, he called the bank and for reasons best known to himself answered "yes" when they asked him if he had written down his PIN, he didn't get his money back.
Also PIN pads can usually be removed from their stand and held in your hand.
*Please* give us cash on the PIN card - like Proton etc. in Europe
They're actually rolling that out but it's contactless, go into boots you'll see they already have the readers in (well in quite a lot of their stores).
While we're on the subject of boots' card readers, the new pads are of much better quality, the pin buttons are much better for typing your pin at speed :D
Sure do, they're worse than useless. They don't understand what's going on and they're making it up as they go along; see http://www.fipr.org/080116huntreview.pdf.
Two points:
1) You cite a four year old paper by Ross Anderson, who is hardly non-partisan in such matters.
2) The Financial Onbudsman Service is the onbudsman, the regulator is the FSA.
Had a couple of false internet transactions on my Citicard a couple of years ago. Someone paid a London congestion charge and bought a bike from a Southampton store and had it delivered to Bedford. Citicard, in spite of many phone calls to India, were totally useless -- repudiated the claim because it was more than three months before I discovered it. Bedofrd police weren't interested and refused to do anything, even although they had the address to which the bike had been delivered. However the Regulator demanded repayment of the money and I got an extra £50 for the inconvenience.
Bozo's say "Can't be beat, it's *totally* secure"
Evidience starts to mount
Move to new system.
Bozo's say "Can't be beat, it's *totally* secure"
Repeat as necessary.
Their adamant 'Chip & Pin is Infallible so it must be the customer' attitude is simply another facet of the finance industry's monumental dedication to apportioning costs and blame to anyone but themselves, no matter what the facts may be, and is symbolic of their complete & utter disdain for their customers.
I cite as another example: even when they go tits-up through horrific (criminal?) incompetence and personal greed they can now rest assured that the Gov't will bail them out - and just to add insult to injury, continue to pay them huge bonuses - from their own customer's taxes!
Need I say more?
PS - I'm posting anonymously because the banks have all my money :-(
How many of us use a 4 digit PIN?
Now, how many of us can't change our PIN to anything longer than 4 digits because the bank's ATMs/back-end systems/whatnot don't allow it
This attack is amusing, and yet appears non-trivial to implement. What is trivial to implement (as AC posted previously) is to shoulder surf and to lighten the victims wallet.
So, how about giving us the option of a PIN of any arbitary length; those of you who can't remember more than 4 digits can carry on using a 4 digit PIN, those of us that can use planck's constant.
But how would you type "2 by 4" into a cash machine?
I really don't think that shoulder surfers would have any problem remembering a 9 digit number. Don't forget that it's their job, and the record is something near 1000 digits. If you up the requirements on what they need to do, they'll just get a pack of cards, learn to memorize a random set of digits, and we're back to square one.
The best deterrent for these things is not the interception or prevention of the crime, it's the tracking of the money once they've got it. That's why a WoW account is worth more than a bank account, there's no transaction logging.
How exactly is this supposed to get around a man in the middle attack?
Having just had a look at their web site: it can't, it seems to be a normal chip and PIN card with a dynamic PIN. What it can do is make it a bit harder to shoulder surf a PIN (or the personal pattern). However it wouldn't make it that much harder to shoulder surf a PIN (and therefore get the pattern) because to comply with the DDA the display showing the grid, from which to make up the PIN, would have to be pretty large and very clear. This would likely not be able to be contained within a small PED (PIN entry device) and would have to be external and therefore viewable by anyone else nearby - even if low viewable angle screens were used. Bear in mind that we're not talking about ATMs here, rather supermarket checkouts etc, where it would be very hard to install a screen that only one person at a time can see.
The basic GrIDsure method is no more resistant to 'man in the middle' attacks than any other authentication system, but can easily be developed into a transaction-specific out of band solution that is highly resistant, whilst also offering all the other benefits of the GrIDsure method: a one time pass-code solution that is easily adopted by end-users and much more cost-effective than traditional password-based systems.
[quote]I .....And just as the fraudsters continue to innovate so too does the payment industry, which invests vast sums of money in continuous improvements to card payment security", Wokes said[/quote]
How about this then for continuous improvement and shoot me down for being too innovative....why not stop placing the pie just out of reach, which is essentially what your doing and hide the pie completely.
Fraudsters have lots of money and they use it for one purpose, obtaining more money. No sooner than banks offer a more secure method of transactions the fraudsters no doubt are hot on the heels.
Just because you have no evidence of this proof of concept being used DOES NOT mean its not being used.
If companies took the moral initiative and helds their hands high and said, you know what, we are mistaken, we are gonna fix it for real" they would get so much more respect and custom than by simply saying
"I've not lost my arm, t'is merely a flesh wound"
arses.
Burden of proof switched to banks last year. Epic fact fail comentards.
I'm not sure about this case, but a large number of weaknesses with chip and pin stem from the presence of the magnetic strip.
Why can't I request a card from my bank that does not have a magnetic strip and will ONLY work in chip and pin, plus up to date UK ATM machines?
I'd be willing to accept the loss of ease of use for the gain in security!!
An easy way to defeat "shoulder surfing" would be to have a touchscreen device for PIN entry, with the "keys" in a randomised layout.
It's still not secure against a knife held to the throat, though.
Sign up, sign up for The Register's weekly IT security newsletter - click here
