Chip and PIN keypads 'easily fooled' with counterfeit cards

Retail Chip and PIN devices might easily be attacked using a specially prepared chip-based credit card, according to security researchers. Researchers from British IT security company MWR InfoSecurity demonstrated the attack at a session during the Black Hat Security Conference in Las Vegas on Wednesday. MWR purchased the …

COMMENTS

This topic is closed for new posts.


Silver badge
Holmes

Levels of card fraud are at their lowest since 2000.

Back in the days of signatures, the onus was on the merchant to verify that the cardholder's signature matched the sample on the card. With Chip and PIN, every PIN-backed transaction is deemed non-fraudulent by definition; the onus is on the cardholder to keep the PIN secret. Disclosing the PIN to a third party, even at the point of a knife, is authorising them to perform a transaction.

1
4
Silver badge
WTF?

Re: Levels of card fraud are at their lowest since 2000.

Really?

Giving a PIN at knife point you are authorising them to perform a transaction?

No you are not authorising them, you are being mugged, and any transaction they do is still fraud, they may have your pin but they still do not have your authorisation.

I can think of a few ways of getting PIN numbers from people without their knowing...

I would never do it, but while Chip & Pin is inherently more secure than signature (seriously how hard is it to fake a signature), it is still possible to copy a pin then steal a card...

6
0
Silver badge

Re: Levels of card fraud are at their lowest since 2000.

I was intrigued, on holiday in Spain, to notice they use CHIP & PIN *and* signatures. Payments made without proof of signature will be covered by the merchant, not the bank. Hence shops are extremely motivated to check ID with cards. Of course it helps they have ID cards.

2
0
Silver badge
Boffin

Re: Levels of card fraud are at their lowest since 2000.

"they may have your pin but they still do not have your authorisation" -- that is not the way the banks see it. What better disincentive against you fraudulently claiming to have been robbed of your card somewhere out of sight of CCTV and forced to reveal your PIN, than having to pay for it yourself?

"Chip & Pin is inherently more secure than signature (seriously how hard is it to fake a signature)"

You have that the wrong way round. Faking a signature is not hard -- if you have time to practise, and you can take your time writing it.

Faking a signature in a manner which convinces the person watching you sign your name that you have been doing it for years, on the other hand, is very hard indeed. Especially given the time window for learning to reproduce it convincingly (basically, just as long as it takes the cardholder to notice the card is not where it should be. Say an hour or two).

Then there are any number of non-intrusive ways of obtaining PINs (Most people cover up their fingers over the keys with their other hand, while leaving their tendons in clear view. And how many PIN pads randomise the key layout before each keystroke?) Two people working as a team (one getting PINs and the other getting cards) could easily accrue a decent enough amount a day.

3
5

Re: Levels of card fraud are at their lowest since 2000.

While you are obviously not legally responsible for fraud done on your card with chip and pin, in practice it may not matter too much.

The bank will work on the assumption that you made the transaction and are lying about it, and will probably do their best to prosecute you. Since they are responsible for covering the fraud rather than the merchant, you won't get the easy "we don't care, here is the money" attitude you get with cardholder not present fraud.

6
1
Anonymous Coward

Re: Levels of card fraud are at their lowest since 2000.

No, it's written into law and has been for a good couple of years that the onus is on the bank to prove that the customer was the source of the fraud.

Use of a PIN to verify is not of itself proof.

2
0
Bronze badge

@A J Stiles Re: Levels of card fraud are at their lowest since 2000.

"Faking a signature in a manner which convinces the person watching you sign your name that you have been doing it for years, on the other hand, is very hard indeed"

Not necessarily. One of the reasons chip & PIN was brought in in the first place was because merchants simply weren't bothering to check signatures. There were tests done, people paying for things and signing "mickey mouse" and other daft names in clearly different handwriting to the signature on the card, and the majority went unchecked. I remember myself being quite taken aback one time, when a checkout girl held up my card next to the receipt I signed to check that the signatures matched. Most simply dumped it in the till and had done with it.

4
0

Re: Levels of card fraud are at their lowest since 2000.

The more I read about Chip & Pin, the more glad I am that I have a Chip & Signature card.

Nowadays, when the till tells them to check the signature, they actually do it quite carefully, because it's out of the norm. I suppose that's the key to this really - chip and pin has become normal, so people get complacent about it. A few years ago, signing was the norm, and people were complacent about that.

Seems to me that there isn't a reliable answer - people will always get complacent over things they do every day.

2
0
Anonymous Coward

Re: Levels of card fraud are at their lowest since 2000.

"(seriously how hard is it to fake a signature)"

I have personally signed numerous credit card receipts as "Captain N: The Game Master", Batman/Bruce Wayne, and so forth. Nobody cares or even looks at the signatures.

See also http://www.zug.com/pranks/credit_card/

3
0
Silver badge

Re: @A J Stiles Levels of card fraud are at their lowest since 2000.

"One of the reasons chip & PIN was brought in in the first place was because merchants simply weren't bothering to check signatures. There were tests done, people paying for things and signing "mickey mouse" and other daft names in clearly different handwriting to the signature on the card, and the majority went unchecked."

So ..... merchants who weren't doing their jobs properly, ended up paying? Oh no! The horror of it all!

Look, you have the till rolls that tell you which checkout operator mis-processed the transaction. So if you end up having to pay some poor sod back, you know exactly whose wages to stop it out of. And if it makes the difference between them having dinner on the table or not, then they might check the signature more carefully next time.

1
1
Anonymous Coward

Re: @A J Stiles Levels of card fraud are at their lowest since 2000.

Actually, before chip and pin, the merchants used to get away with it, the banks refunded.

0
2
Raz

@AC Posted Friday 27th July 2012 17:08 GMT

You have no idea. If the person is filing for a chargeback, the bank will bill the merchant. The banks don't pay. Period.

2
0
Anonymous Coward

Re: @AC Posted Friday 27th July 2012 17:08 GMT

Yes, for chargebacks, but what I was actually answering was about fraud carried out because of a wrong / forged signature, which used to be paid for by the banks, but since chip and pin is paid for by the merchant.

Chargebacks are something different, they are where the customer is in dispute with the merchant and have asked the bank to retrieve their money.

Maybe you'd like to read what's actually being said before steaming in with "you have no idea". Just a thought.

4
0
Anonymous Coward

Re: Levels of card fraud are at their lowest since 2000.

"I was intrigued, on holiday in Spain to notice they use CHIP & PIN *and* signatures"

It's either signature + proof of ID (ID card, passport, driving licence, ...) *or* PIN, depending on the particular card / terminal combination. The receipt printed out after a PIN transaction does not have a space for the signature.

What could occasionally happen is that you meet the odd shop assistant who hasn't been told (or refuses to believe) that a signature is not necessary--in which case you either explain the news or sign the receipt anyway and keep them blissfully happy.

"Payments made without proof of signature will be covered by the merchant, not the bank"

It's a bit more complicated than that, but by "proof of signature" it should be read "proof of authorisation".

"Hence shops are extremely motivated to check ID with cards."

In general that is no longer the case if doing a PIN transaction, with some exceptions (some petrol stations in urban areas, for example). When using signatures, that used to be always the case unless you were personally known to the merchant, in order to ensure that the card was indeed yours, as anyone can forge a signature. In case of fraud, the merchant did not have to cover the transaction usually, but it was still a pain in the arse for everyone involved, hence the precautions.

"Of course it helps they have ID cards."

Any official photo document can be used.

0
0
Anonymous Coward

Re: Levels of card fraud are at their lowest since 2000.

"they may have your pin but they still do not have your authorisation" -- that is not the way the banks see it."

Err... actually that is. If you report a transaction as fraudulent, it's up to the bank to prove it wasn't but in the meanwhile they must reimburse you. Talk to your local consumer organisation.

"What better disincentive against you fraudulently claiming to have been robbed of your card somewhere out of sight of CCTV and forced to reveal your PIN, than having to pay for it yourself?"

Bank employees are not stupid. Chatting to my bank manager once he mentioned it's not uncommon for people to either make a few charges which are expensive for them but not of significant value in the grand scheme of things, or pay for "embarrassing" services (brothel) then claim their card was stolen. Often the bank will just absorb the charges even though they know full well the client is lying--it's just part of the cost of doing business to them, and much cheaper than taking legal action.

0
0
Anonymous Coward

Re: Levels of card fraud are at their lowest since 2000.

Mike, your assumptions are incorrect.

"The bank will work on the assumption that you made the transaction and are lying about it"

As I've just mentioned elsewhere, yes, usually they know when someone is lying (at least banks that know their customers).

"and will probably do their best to prosecute you"

Actually no, they won't unless the sums are significant. My bank will just say OK, so your card was stolen, we'll refund that tank of petrol that someone paid for with your card at the garage which coincidentally is on your way to work, then we'll cancel your "stolen" card and no, sorry, we're not issuing a new one.

Believe it or not, theory and practice do not always match.

0
0
Silver badge

Re: Levels of card fraud are at their lowest since 2000.

"The bank will work on the assumption that you made the transaction and are lying about it, and will probably do their best to prosecute you. Since they are responsible for covering the fraud rather than the merchant, you won't get the easy "we don't care, here is the money" attitude you get with cardholder not present fraud."

Not in Australia. The banks make the merchants responsible. They take the money from the merchant's account and put it back in the card holder's. The bank doesn't care who the victim is as long as it's not them.

0
0
Silver badge
Joke

Re: Levels of card fraud are at their lowest since 2000.

> I was intrigued, on holiday in Spain..

I'm intrigued to hear that anyone in Spain still has money left to spend or that the banks still care enough to want to stop fraud.

0
0
Go

Re: @A J Stiles Levels of card fraud are at their lowest since 2000.

I can remember going about three years without even having a signature on my card and nobody ever said a thing when I was paying for stuff.

0
0
Anonymous Coward

There will always be fraud, what we need is police and CC companies to actually track down and convict the fraudsters....

I once had about £800 taken on my card that I never spent, the CC didn't even bother investigating...

The key thing is to always check your statements and alert the CC company that fraud has occurred so they can refund it.

As long as you take basic precautions, like never using a DD card online, (it may cost 2-5% more, but really for the extra protection its worth it..), and keeping to a reputable bank, you should never be out of pocket

2
0
Anonymous Coward

Is it so hard

to create a system whereby every transaction generates an SMS (or email) to a nominated person.

Recently, my lad's Xbox Live got hacked[1], and fraudsters managed to go through nearly £1K in 3 days. The first I knew of it was when my card was declined, because it was over limit. Now if every use of the card had triggered an email, I would have had the jump on them in the first few seconds.

[1]Yes, I've since learned. All monies refunded by MS, as they logged it was a different console the purchases were made from.

3
0
Bronze badge

Re: Is it so hard

A lot of European banks do this. My girlfriend gets a SMS from her bank every time she uses her Italian credit card, for instance.

Simple, cheap, effective. Almost makes you wonder why the banks over here (even the SAME banks) choose not to deploy it. Obviously they are making FAR TOO MUCH money to care about it and/or their "Chip-&-Pin pushes responsibility for fraud to the retailer" policy is really too profitable for them.

4
0
Thumb Up

Re: Is it so hard

Most Brazilian banks do this also. They charge a small fee though, but it is very worth it.

0
0
Anonymous Coward

H..

We do operate in the outrageous position where the banks are the main funders of the cheque and plastic fraud unit of the Met, I'd be mightily narked if I had to fund the "my house just got burgled" department of my local cop shop.

0
1
Silver badge
WTF?

QUOTE: "and keeping to a reputable bank"

Where do you find a reputable bank?

The HSBC has been accused of fiddling the Euribor AND it is (was) the drug cartels favourite laundry.

2
0
Anonymous Coward

Re: QUOTE: "and keeping to a reputable bank"

The Co-op. Next question.

1
0

"There will always be fraud, what we need is police and CC companies to actually track down and convict the fraudsters...."

I recall reading a magazine article some while back that talked about how banks see chargebacks as a revenue stream. When a customer initiates a chargeback, the banks deduct the money from the merchant's account, and then ADDITIONALLY deduct a "chargeback fee" from the merchant. (Here in the US, chargeback fees typically run anywhere from $35 to $90 or more.)

So the banks have a balancing act to do. On the one hand, they do not want to be so lax about fraud that customers lose faith in their cards. On the other hand, they don't want to be so aggressive about pursuing fraud that they cut into the lucrative revenue stream of chargeback fees. So they do as little as they can to keep fraud from getting to the point where people stop using their cards, but not so much as to deprive themselves of all the profit generated from chargeback fees.

0
0
Anonymous Coward

Fixing ALL the fraud only costs about $10M, so why don't they?

It is actually not even complex to improve credit card security - the tools and technology already exist and it's easy to implement.

If I only had £10M I'd have this up in less than a year, and I'd make *real* profit, not virtual like Facebook (at the Facebook P/E ratio I could flog this for £50b in 4 years). Sigh.

0
0
Anonymous Coward

Re: Fixing ALL the fraud only costs about $10M, so why don't they?

If you know how to fix it, please tell us all....

0
0
Bronze badge

Re: Fixing ALL the fraud only costs about $10M, so why don't they?

I'm not the AC above but:

- Get a free automated text whenever you make a card transaction, detailing the transaction. Most European banks do this.

- Allow longer PINs. Most European banks do this.

- Disallow any and all forms of NFC on cards.

- Remove all information from the magstripe of the card and disallow any transaction *ANYWHERE* not performed through a C&P terminal. This stops lots of the "let's send these numbers to Russia and take out the money there because they don't have C&P"-style fraud, which is still very common. Also, homogenise international card networks so I'm NEVER required to ONLY sign for a transaction just because I'm in a different country even though I have a C&P card.

- Have the card terminal, when queried for a transaction, provide you with an image of the cardholder's face from the bank's central computers. Fake the card/number and there's no way to get around this - you get the picture that the BANK has stored as the cardholder's face. If it's a different person, the retailer is contractually obliged to refuse/report the transaction (e.g. even if they are in league with the customer, if the CCTV shows someone else used the card, the bank doesn't pay out).

- Have the user be presented with an image of their own choosing when they use their card, with instructions to reject any transactions that don't show them their image (as a pseudo-effective-measure against fake "proxy" terminals - when was the last time you saw where the card-reader cables actually went or were allowed to audit the shop's security procedures to see you weren't just typing your pin on something an intern knocked up from Maplin's bits?)

Just off the top of my head. Not saying that fraud will go down to zero, but the banks really aren't even trying and in some cases aren't even as secure in one country as they are in another!

11
0
Anonymous Coward

Re: Fixing ALL the fraud only costs about $10M, so why don't they?

If you know how to fix it, please tell us all....

Of course - got £10M you want to turn into +£1B in 4 years (a P/E of about 1:18)? You have to be quick, I'll be having discussions in August about it. A proof of concept is already live..

0
0
Anonymous Coward

Re: Fixing ALL the fraud only costs about $10M, so why don't they?

Lee - Texts, good idea, already in place in some banks, certainly some non-uk banks.

Longer PINs are forgotten far more often, you'd be surprised, and when PINs are longer, they are much more likely to be written down.

Magstripe will be removed eventually, but until all countries stop using it, it must stay.

The display of an image from a back end source is impractical, particularly as it would require the terminals to have far higher quality screens, have much more bandwidth, be always connected (or at least be able to dial up) it would require a large amount of storage, inter-bank bandwidth and infrastructure. It would require all banks internationally to agree to replace all their existing PEDs. Maybe some time in the future, but I doubt it.

1
0
Ru
Silver badge
WTF?

"specially prepared card containing malware can be used to infect a PIN entry device"

How on earth is this even possible? I am virtually incoherent with rage that this sort of utterly irresponsible and amateur engineering is actually permitted to participate in any sort of transaction, especially not when chip'n'pin is used as a way to place blame upon a cardholder if fraud occurs.

There are so many different ways in which this is stupid and wrong I cannot even begin to enumerate them all.

What the hell.

6
1

Re: "specially prepared card containing malware can be used to infect a PIN entry device"

I felt the same sort of incredulity with this as when I found there was a JPG file filter exploit - you write something whose only function is to process data - if the data is invalid, out of range, out of spec.. then don't process it. It's not rocket science.

1
1
Silver badge
Mushroom

Little Bobby Tables and his sister, Little Pinny Chipcard!!

The mind boggles, indeed.

Some sort of injection attack? Does the terminal create SQL queries based on unsanitized strings sucked off the card's chip? Does it look for a .jar or a .dll file and thinks it would be a good idea to call up the main entry point with max privileges (considering the error messages one sometimes sees, the Windows Administrative User)??

Is this some kind of backdoor for State Security, The Terminal Maintenance Team and/or crooked Developers?

I suppose this must be terminals of the "bold" nature. ANYTHING might happen. You could be maimed by an exploding keyboard. What's been the status on their voting machines lately, btw?

1
1

"...meaning they will not suffer any financial loss as a result."

Not remotely true. I used a card once and once only on a recent trip, and signed rather than entered a number. The card's PIN never left the inside of my head. Suspicious of the actions of the clerk, I called the card company within minutes who told me that there had indeed been another (fraudulent) transaction, which I was completely on the hook for as it had been verified with Chip n' Pin. It's simply a way for the card company to wash their hands of responsibility.

On the plus side, I shredded the card instantly (along with the replacement Bank of America sent out) and will never get a BoA card again.

3
1
Anonymous Coward

Re: "...meaning they will not suffer any financial loss as a result."

I wasn't aware that BoA supplied Chip and PIN, let alone that it was actually used in the US.

0
0

Re: "...meaning they will not suffer any financial loss as a result."

I live in the UK and this happened in a foreign country that wasn't the U.S.

Despite having the word "America" in their name, Bank of America are actually something of an international company.

0
0
Silver badge
Devil

Re: "...meaning they will not suffer any financial loss as a result."

> 2012

> Not considering that ANYTHING with America in its name is international in nature

Bonus points if it has "Freedom" in its name.

2
0

re: Levels of card fraud are at their lowest since 2000.

Chip and Pin was rolled out in the UK in 2004 so that statement is saying that fraud levels have now reached the same low level that they were at in 2000 which of course is _before_ chip and pin was introduced

4
0
Anonymous Coward

PTS doesn't cover it

Anon - as I'm in the industry.

From what I know about the PTS lab testing process, this goes into some detail; side channel attacks are looked at, even heat-sensitive bit-flipping operations. I don't think anyone has ever tried to run malware on a smartcard for the purposes of compromising a pin pad. Credit to the guys here, as this should now be incorporated in the PTS approval process for these devices. It is a bit of a worry though that embedded devices like this are blindly trusting the input from the ICC...

5
0
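Added example, not from the article or from any commenter above: the input-validation point made in this post (and earlier, in the reply about the JPG filter exploit) worked through in C, the language a PIN entry device's firmware would normally be written in. An EMV card returns its records as BER-TLV (EMV Book 3, Annex B). The decoder below checks every tag byte and every declared length against what is actually in the buffer before anything is copied, which is exactly the check a decoder that trusts the ICC omits; it also rejects a field that is well formed but larger than the fixed buffer it is being copied into. The three sample records are constructed for this example and are not real card data; the 19-byte cap on tag 57 is EMV's maximum for Track 2 Equivalent Data, and the function names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One decoded BER-TLV element: tag, value length, pointer into the source buffer. */
typedef struct { uint32_t tag; size_t len; const uint8_t *value; } tlv_t;

/* Decode the element at buf[*pos] using the EMV Book 3 Annex B tag/length rules.
 * Every byte read and every declared length is checked against the bytes really
 * present, so nothing the card sends can make the terminal read past the end.
 * Returns 0 and advances *pos on success, -1 if the element is malformed. */
static int tlv_next(const uint8_t *buf, size_t buflen, size_t *pos, tlv_t *out)
{
    size_t p = *pos;
    if (p >= buflen) return -1;
    uint32_t tag = buf[p++];
    if ((tag & 0x1F) == 0x1F) {              /* multi-byte tag: continue while bit 8 is set */
        int nbytes = 1;
        for (;;) {
            if (p >= buflen || ++nbytes > 4) return -1;
            uint8_t b = buf[p++];
            tag = (tag << 8) | b;
            if (!(b & 0x80)) break;
        }
    }
    if (p >= buflen) return -1;
    uint8_t l = buf[p++];
    size_t len;
    if (l < 0x80) {                           /* short form */
        len = l;
    } else if (l == 0x81) {                   /* one length byte follows */
        if (p >= buflen) return -1;
        len = buf[p++];
    } else if (l == 0x82) {                   /* two length bytes follow */
        if (buflen - p < 2) return -1;
        len = ((size_t)buf[p] << 8) | buf[p + 1];
        p += 2;
    } else {
        return -1;                            /* indefinite or longer forms: not valid EMV */
    }
    if (len > buflen - p) return -1;          /* the check a trusting decoder omits */
    out->tag = tag; out->len = len; out->value = buf + p;
    *pos = p + len;
    return 0;
}

/* Find tag `want`, descending into constructed elements (bit 6 of the first tag byte).
 * Returns 1 if found, 0 if absent, -1 if any element on the way is malformed. */
static int tlv_find(const uint8_t *buf, size_t buflen, uint32_t want, tlv_t *out)
{
    size_t pos = 0;
    while (pos < buflen) {
        tlv_t e;
        if (tlv_next(buf, buflen, &pos, &e) != 0) return -1;
        if (e.tag == want) { *out = e; return 1; }
        uint32_t first = e.tag;
        while (first > 0xFF) first >>= 8;
        if (first & 0x20) {                   /* constructed: recurse into its value */
            int r = tlv_find(e.value, e.len, want, out);
            if (r != 0) return r;
        }
    }
    return 0;
}

/* Copy Track 2 Equivalent Data (tag 57) from a READ RECORD response into a fixed buffer.
 * Rejects a length that overruns the response AND one that is well formed but larger
 * than the destination (EMV caps tag 57 at 19 bytes). Returns 0 on success, -1 if rejected. */
int copy_track2(const uint8_t *rec, size_t reclen, uint8_t *dst, size_t dstlen, size_t *outlen)
{
    tlv_t t2;
    if (tlv_find(rec, reclen, 0x57, &t2) != 1) return -1;
    if (t2.len == 0 || t2.len > 19 || t2.len > dstlen) return -1;
    memcpy(dst, t2.value, t2.len);
    *outlen = t2.len;
    return 0;
}

/* Bytes copied into a 19-byte stack buffer, or -1 if the record was rejected. */
int track2_check(const uint8_t *rec, size_t reclen)
{
    uint8_t track2[19];
    size_t n = 0;
    return copy_track2(rec, reclen, track2, sizeof track2, &n) == 0 ? (int)n : -1;
}

/* Constructed sample responses for this example, not real card data. */
const uint8_t GOOD_RECORD[] = {               /* well-formed: tag 57 (10 bytes), tag 5F20 */
    0x70, 0x1A,
    0x57, 0x0A, 0x41,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0xD2,0x51,
    0x5F, 0x20, 0x0B, 'C','A','R','D','/','H','O','L','D','E','R'
};
const uint8_t OVERLONG_RECORD[] = {           /* tag 57 claims 255 bytes, only 10 follow */
    0x70, 0x1A,
    0x57, 0x81, 0xFF, 0x41,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0xD2,0x51,
    0x5F, 0x20, 0x0B, 'C','A','R','D','/','H','O','L','D','E','R'
};
const uint8_t OVERSIZE_RECORD[] = {           /* tag 57 is well formed but 20 bytes long */
    0x70, 0x16,
    0x57, 0x14, 0x41,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0xD2,0x51,
                0x41,0x11,0x11,0x11,0x11,0x11,0x11,0x11,0xD2,0x51
};

int main(void)
{
    printf("good %d, overlong %d, oversize %d\n",
           track2_check(GOOD_RECORD, sizeof GOOD_RECORD),
           track2_check(OVERLONG_RECORD, sizeof OVERLONG_RECORD),
           track2_check(OVERSIZE_RECORD, sizeof OVERSIZE_RECORD));
    return 0;
}
```

The good record yields 10 bytes; the other two are rejected before a single byte is copied. A firmware decoder that instead did `memcpy(track2, value, declared_len)` would copy 255 bytes from the second record over a 19-byte stack buffer, which is the class of bug that lets data on a card become code on the terminal.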
Gold badge

Re: PTS doesn't cover it

The whole credit card process was shot the moment we moved to "card not present" - the whole model was shot when telesales started, and zip has been done to address the real issues.

PCI compliance is partly security theatre - it doesn't address the root problems.

0
1

Might ?

Seems like a lot of "might and maybe" in the article.

Why no specific details on how this type of attack would work ? There are lots of different terminal implementations and lots of different versions of software.

So until they can demonstrate going into a retail shop and buying something then I am afraid that it all sounds a bit like scaremongering and the desire to make a name for yourself (or your consulting company, wink wink).

0
5
Thumb Up

Re: Might ?

Exactly - it is one thing to set up a demo where you have transaction information and copy that into the card, very different to do it live.

0
0
Anonymous Coward

Chip N Pen

Use both

0
0
FAIL

Absence of evidence not equal to evidence of absence

"Importantly, we have no evidence of this type of attack occurring, either in the UK or anywhere else in the world where chip & PIN is in use."

FAIL: What they meant to say was:

We have no way of determining if this type of attack is occurring ....

See, I corrected your English for free

6
0
Anonymous Coward

Re: Absence of evidence not equal to evidence of absence

Yet you don't question the amount of times the word "might" was used in the article.

0
0

Re: Absence of evidence not equal to evidence of absence

But they do have a way.

If this was a problem then merchants and acquirers would be seeing a significant number of chargebacks where no authorisation had taken place.

(I am guessing that this "attack" makes the terminal believe that a transaction has been authorised offline). There are also floor limits in place so that even if a chip card authorises a transaction offline the merchant must send it online for authorisation (or else take the hit for the chargeback).

Also sounds like its aimed at a very specific terminal or acquirer (with specific software).

The issuer (and cardholder) of the card is covered in this instance because the merchant/acquirer won't have obtained authorisation and the chip card itself won't have issued a genuine transaction certificate.

0
0

This post has been deleted by its author

well,

If it's the 'merchants' that are more at risk from this one than the consumers, then maybe there'll be more pressure to sort all this shitfest out.

0
0
