back to article Cambridge boffins: Chip and PIN cards CAN be cloned – here's how

Boffins at Cambridge University have uncovered shortcomings in ATM security that might be abused to create a mechanism to clone chip-and-PIN cards. The security shortcoming might already be known to criminals and creates an explanation for what might have happened in some, otherwise baffling, "phantom" withdrawal cases. Each …

COMMENTS

This topic is closed for new posts.

FAIL

No surprise there.

They went for the cheap solution.

16
0
Anonymous Coward

Re: No surprise there.

If you think any banking IT is cheap, you've got another think coming...

0
3
FAIL

Re: No surprise there.

>>If you think any banking IT is cheap, you've got another think coming...

There is a world of difference between "cheap" (as in shoddy) and "inexpensive" (as in low in cost).

7
0
Silver badge
FAIL

Re: No surprise there.

> If you think any banking IT is cheap, you've got another think coming...

Like a bailout?

3
0
Anonymous Coward

Re: No surprise there.

I wasn't aware any banking IT was bailed out. Also, the bailouts will make money for the country, even discounting all the other tax banks pay.

0
1
Silver badge
Headmaster

Re: No surprise there.

you've got another think coming

For quite a lot of people, programmers included, it would be beneficial if they had even one think coming.

1
0
Anonymous Coward

'We've never claimed chip-and-PIN is 100 per cent secure'

Maybe not, but the banks as good as did when they introduced it.

Complicated? That's what technology's for.

16
0
Silver badge
Devil

Re: 'We've never claimed chip-and-PIN is 100 per cent secure'

Welcome to "Chip and Spin"!

And, of course, if you're the victim of a fraudulent transaction, we're going to claim (illegally) that it was *your* fault, that *you* were careless with your PIN and *you* have to prove your innocence...

11
1
Anonymous Coward

There was another -hidden- reason for chip-and-PIN - and not in your favour

Personally, I think chip-and-PIN was one of the most successfully executed bait-and-switch operations ever executed by the collective credit card industry.

The switch itself was actually almost(*) immaterial - the real game was about what changed in the contract.

Before the change, the liability of a transaction was wholly placed with the credit provider. If it wasn't your signature, it was not a transaction you authorised and the bank had to cough up. Ergo, a stolen card was entirely the provider's problem.

Hidden in your new, shiny chip-and-PIN contract was the fact that the liability has changed to you. Instead of the bank/credit provider having to prove it was you, you are BY DEFAULT to have authorised a transaction unless you can prove otherwise. In other words, you now have to keep track of your life (and supply details of that on demand) and prove a negative, which is a lot harder. Credit providers still offer refunds because it would be very bad publicity otherwise, but if you have a card cloner or thief who buys something you would have bought near where you usually dwell you may end up with a problem. And it's entirely *your* problem. This little, yet seriously dramatic change in liability has been kept vewwy, vewwy quiet..

As I said, *excellent* execution.

(*) It isn't all bad - there are plenty websites on the Net which demonstrate that practically nobody checked a signature, and a PIN gives at least some, more automated verification. And makes it easier to, umm, "borrow" the card :). But the best anti-theft feature didn't catch on that much - the picture on the card. Shame..

12
1
Silver badge

Re: There was another -hidden- reason for chip-and-PIN - and not in your favour

"Credit providers still offer refunds because it would be very bad publicity otherwise, but if you have a card cloner or thief who buys something you would have bought near where you usually dwell you may end up with a problem."

Err maybe you should do a bit more research anon, it's got nothing to do with publicity, bad or otherwise. What you say may be true for debit cards, but for credit cards the responsibility still lies with the credit issuer to prove it was you that made a purchase. Every single time, regardless of what the transaction was for or how close it occurred to your home.

It's the sole reason I have a credit card. I pay it off in full each month so there are no charges, in fact I get cash back for using the thing.

0
2
Silver badge
FAIL

Re: 'We've never claimed chip-and-PIN is 100 per cent secure'

I've just done a bit more research (i.e. 2 seconds on Google) and it turns out you lot really are just talking nonsense.

From the FSA website;

"Your bank must only refuse a refund for an unauthorised transaction if it can prove you authorised the transaction – though your bank cannot simply say that use of your password, card and PIN conclusively proves you authorised a payment"

www.fsa.gov.uk/Pages/consumerinformation/product_news/banking/know_your_rights/solving/index.shtml

0
2
Silver badge

Re: There was another -hidden- reason for chip-and-PIN - and not in your favour

@AC - " there are plenty websites on the Net which demonstrate that practically nobody checked a signature"

I always used to and, in fact, I *still* check the signature strip even now.

I notice that a lot of US citizens who buy with a card in person don't bother to sign the card and automatically hand over another form of ID (eg Driver's Licence) even when it says "Not valid unless signed"!

0
0
Headmaster

@fibbs

"Your bank must only refuse a refund for an unauthorised transaction if it can prove you authorised the transaction – though your bank cannot simply say that use of your password, card and PIN conclusively proves you authorised a payment"

You have forgotten a bit of history. This was introduced BECAUSE of the increasingly large number of disputed ATM transactions where the banks took the universal line of 'chip and PIN is secure so it must be your fault' and refused every claim.

3
1
Anonymous Coward

Re: @fibbs

@Peter45. No, it wasn't, unless you can show otherwise?

0
1
Silver badge

Re: peter 45

This doesn't change the fact that banks no longer do this, haven't done for years and repeating ad nauseam that they do is nothing more than FUD.

0
1

This post has been deleted by its author

Facepalm

Re: peter 45

'no longer......haven't done for years' Do they used to do it then? As in the past tense? As in history?

Past, present. It's so difficult to keep up eh?

1
1
Silver badge
FAIL

Many ATMs and point-of-sale terminals have seriously defective random number generators. These are often just counters, and in fact the EMV specification encourages this by requiring only that four successive values of a terminal’s “unpredictable number” have to be different

WTF !?!? The test for your secure random number generator is to see that you get just FOUR different numbers from it

What on Earth were they drinking/smoking/injecting/whatever when they approved this ?

13
1
Unhappy

Smoking?

don't forget the mirrors

1
0
Gold badge
Facepalm

It's worse than that.

1, 2, 3 and 4 are different numbers. Like the man said, many of 'em are just counters. As it would appear that the secret is in guessing what the next "unpredictable number" will be, guess what it is for the provided example?

Hint: Those that built this have it as the result of 2+2......

3
0
Bronze badge
Alert

random numbers?

http://dilbert.com/strips/comic/2001-10-25/

"That's the problem with randomness. You can never be sure."

5
0
Silver badge

Probably cigars from razor-thin-margin device makers that basically told the credit card companies, "Make it cheap for us to implement or we won't implement...and since the onus falls to you, any Catch-22 would be to YOUR detriment, not ours."

3
0
Happy

I'll see your Dilbert ...

... and raise you an XKCD: http://xkcd.com/221/ (where 4 is the actual number! Spoooookyyyyyy!!!!!!1!)

2
0
Big Brother

RE: Random Number - 4 different numbers?

One would additionally suggest they have a problem with the concept of randomness, in that in a true random system, all 4 numbers could be the same, just a rare (random) event!

Suggest they might want to try running the generator a few million times and check the spread.

1
0
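Several comments above turn on the same point: a counter satisfies the quoted conformance rule (four successive values differ) while remaining fully predictable. The following Python check is an added illustration, not code from the article, the paper or any commenter; the function names are hypothetical and the sample values are constructed to mirror the "17 fixed bits plus a counter" description quoted further down the thread.

```python
import secrets

WIDTH = 32  # size in bits of the terminal's "unpredictable number"

def passes_four_distinct(values):
    """The rule quoted in the thread: any four successive values differ."""
    return all(len(set(values[i:i + 4])) == 4
               for i in range(len(values) - 3))

def fixed_bit_mask(values):
    """Mask of bit positions that never change across the sample."""
    changed = 0
    for v in values[1:]:
        changed |= v ^ values[0]
    return ~changed & ((1 << WIDTH) - 1)

def constant_step(values):
    """True when every successive difference (mod 2**WIDTH) is the same,
    i.e. the next value follows from the last two."""
    steps = {(b - a) % (1 << WIDTH) for a, b in zip(values, values[1:])}
    return len(steps) == 1

def assess(values):
    """Summarise a logged sequence of unpredictable numbers."""
    return {
        "passes_four_distinct": passes_four_distinct(values),
        "fixed_bits": bin(fixed_bit_mask(values)).count("1"),
        "constant_step": constant_step(values),
    }

# Constructed sample: 17 constant high bits followed by a 15-bit counter.
PREFIX = 0x1ABCD << 15
COUNTER_SAMPLE = [PREFIX | n for n in range(1000, 1064)]

# Constructed comparison sample drawn from the operating system's CSPRNG.
CSPRNG_SAMPLE = [secrets.randbits(WIDTH) for _ in range(64)]

if __name__ == "__main__":
    print("counter:", assess(COUNTER_SAMPLE))
    print("csprng: ", assess(CSPRNG_SAMPLE))
```

The counter sample passes the four-distinct rule on every window, so an acceptance check for a terminal has to look at structure (constant bits, constant step) and at the spread over a large sample rather than at distinctness alone.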
Devil

No its all secure actually.

No they are all wrong, my bank's website tells me:-

"Chip and PIN increases card payment security to help prevent fraud. Card fraud at the point of sale is reduced significantly by ensuring the card is genuine and that the user is the authorised owner of the card"

so the card must be genuine and used by the authorised owner. It ensures it !

10
0

Re: No its all secure actually.

Nothing is 100% secure, and the first part of that sentence is absolutely, 100% correct. Card fraud at the point of sale is reduced significantly by EMV.

It sounds like the device manufacturers need a good kick up the arse.

1
1
Anonymous Coward

Re: No its all secure actually.

If my card got nicked without me noticing (at least for a few hours) under the old system all some scruffy herbert would have to do to access my account was practice duplicating my signature. Under Chip & Pin, he either has to have a good understanding of the underlying technology to clone my card* or guess a 6 digit number correctly within 3 attempts. Chip & Pin may not be perfect but it seems many orders of magnitude more secure to me.

*Unlikely to happen in the few hours between losing the card and getting it cancelled.

0
1
Anonymous Coward

'We've never claimed chip-and-PIN is 100 per cent secure'

Yep, but if you're the unlucky customer to have a fraudulent transaction appear on your account and the bank checks it and discovered it was a Chip+PIN transaction then they'll just dump the responsibility onto you to prove you didn't make the transaction.

It's okay these guys saying they don't claim Chip+PIN to be 100% secure, but the banks sure as hell act as if it is.

8
1
Anonymous Coward

Re: 'We've never claimed chip-and-PIN is 100 per cent secure'

Like they said in the statement, that would be illegal and has been so for several years.

1
1
Vic
Silver badge

Re: 'We've never claimed chip-and-PIN is 100 per cent secure'

> that would be illegal and has been so for several years.

Do you expect that to stop them?

Vic.

2
1
Anonymous Coward

Just wait ...

until they find a similar thing with "pay by wave". You'll have your credit cards cloned as you walk down the street.

1
1
Silver badge

Re: Just wait ...

I got my new waft-card yesterday (unsolicited). It now resides in a nice aluminium foil insert in my wallet until I can find a reliable way to kill NFID chip without messing up the card entirely (and/or I get my act together and change bank before RBS becomes Santander).

0
0
Silver badge

Randum numbers

four successive values of a terminal’s “unpredictable number” have to be different for it to pass conformance testing.

Which means that they have no idea of how random numbers work as a truly random number generator could quite happily generate the same number 4 times on the trot.

1
0
Silver badge

Re: Randum numbers

says unpredictable not random

9
1
Silver badge

Re: Randum numbers

Who the hell down voted your correction? +1 to counter balance it.

3
0
Anonymous Coward

Not convinced

If you read the full paper, the researchers haven't actually managed to predict the sequence of numbers, despite buying a load of old ATMs and trying to reverse-engineer them. The attack also involves inserting a specially made cloned card (which requests a delay from the ATM until the "right" random number comes up) into an ATM to the nearest second.

It's useful that flaws in the protocol have been identified but if the Spanish crims are actually using this method then they are (a) cleverer than the best minds Cambridge can throw at it and (b) either desperate or stupid, since there are far easier ways to rip off an ATM with a chip card. Remember, this is a one-card-at-a-time attack and the gains just don't justify the effort. They might as well use a Lebanese loop, or shoulder-surf and pickpocket the card later, both of which happen every hour of every day.

2
1
Anonymous Coward

Re: Not convinced

The guys at Cambridge do some important work, but boy do they talk up the significance of what they do...

2
1
Anonymous Coward

So...

A bad random number generator in an ATM is a software issue, this is easily patchable, if indeed it is as significant as they say it is. Rather like their man in the middle attack which allegedly demonstrated that chip and pin was totally broken was actually made utterly impractical by just reducing a timeout value.

3
0
WTF?

> In a statement, the UK's Financial Fraud Action told El Reg:

> We've never claimed that chip and PIN is 100 per cent secure....

Whoever the "UK's Financial Fraud Action" are... Maybe they didn't but the banking industry have absolutely claimed that chip and pin is 100% secure.

http://news.bbc.co.uk/1/hi/business/8287783.stm

http://www.thisismoney.co.uk/money/saving/article-1614734/Flaw-at-heart-of-fraud-proof-chip-and-Pin.html

Or just google for yourself: https://www.google.co.uk/search?q=%22chip+and+PIN+is+secure%22+-%22never+claimed+that+chip+and+pin+is%22

3
0

Might not work with the majority of EMV cards.

I look at the article and I believe the attack is only possible with older static data (SDA) type cards.

The problem with Cambridge is that some of their research is based on old tech standards, but there are still some SDA cards in circulation (because they are cheap). I have not had a chance to check yet but to correctly guess the cryptogram on a DDA (dynamic data authentication) card is impossible as the chip generates its own random number so seeing two transactions with the same ICC random number would highlight a cloned card.

There are also other technologies such as the ATC count so again cloning is made difficult if the card hasn't been stolen.

As with all tech, someone will eventually break it but as long as it isn't cheap/quick then it's still worth employing.

Paywave and Passpass incorporate even more complex cryptogram generation CDA which makes the duplication even more difficult.

But don't let the above get in the way of a good story and worry mongering :o)

3
1
Silver badge

The real reason

Is to reduce the ***Liability of the Bank*** for card fraud. It's a PIN, so you gave the card & PIN to someone else or took the money yourself. A Signature makes it easier for the customer to prove it WASN'T them (thusly the bank has to pay).

2
1

Re: The real reason

ahahahahahahahahaha, really?

So two factor authentication is less secure than one factor? That's what you've said. The reasoning behind chip & pin was to add another factor. It's something you have + something you know, rather than just something you have.

Signatures are massively insecure, because there's no way of verifying them at the point of sale.

In 2010, the United States generated about 27 percent of payment-card purchases yet accounted for 47 percent of global payment-card fraud. In the US alone, fraud accounted for $3.56 billion in 2010. Fraud is lower in countries using Chip and Pin, there are facts and figures there. The only reason that it hasn't happened in the US yet is because the cost of replacing all the ATMs and POS devices was massive. It is being done incrementally instead, and is only now approaching a point where it can be put into general circulation.

1
1
Anonymous Coward

Re: The real reason

I've lost count of the amount of times I've said this, but once again: The burden of proof is on the bank to prove the customer wasn't the victim of fraud, not the other way round. Simply relying on a pin authd transaction isn't enough. This has been written into law for several years.

2
0
Anonymous Coward

Chip+PIN / ATMs

Most ATMs do not actually use Chip+PIN (EMV).

They just read the magnetic stripe.

You enter your PIN which is authenticated with the bank's systems over a network.

0
0

Re: Chip+PIN / ATMs

Hello America and your backward magstripe technology :o)

You are wrong though. EMV is used in ATM transactions, the difference is the PIN is authenticated at the issuer/processor. The US uses magstripe but only because they have such a fragmented market and no one to drive the changes other than the schemes (which will eventually happen between 2013-2015).

If I had the option I would do away with the magstripe on my EMV card but there are still some terminals that use it (before reverting to the chip).

2
0
Anonymous Coward

Re: Chip+PIN / ATMs

In the UK the vast majority of ATMs use chip and pin; many can fall back to magstripe, but tend not to if the card is chipped.

1
0
Anonymous Coward

Re: Chip+PIN / ATMs

Visa and MasterCard now mandate that chip based cards cannot fallback to mag stripe at chip enabled devices (either ATMs or POS devices). So if your bank is issuing Visa or MasterCard branded cards, no fallback is allowed.

0
0
Silver badge
FAIL

You mean to say the HSBC lied to its customers?

'We've never claimed chip-and-PIN is 100 per cent secure' is not the line of patter that a suit at my HSBC branch said

And now we have the (drum-roll) SecureKey which is garbage, doesn't work and has people changing accounts. You can't even read the squinty characters if you wear glasses and they even catch fire (doubles as a one time cigarette lighter).

1
1
Gold badge
Unhappy

Oh Christ not again.

<rant>

</profanity filter>

"Bond realised that the numbers shared 17 bits in common while the remaining 15 digits appeared to be some sort of counter, rather than a random number."

Fixed fields and *counters*.

Seriously is a shift register *that* much more expensive to implement? Has 8 *decades* of computer generation of pseudo random numbers been a total fucking waste of time?

The recurring stench of "security by obscurity" makes me want to vomit.

<profanity filter>

</rant>

2
0
Anonymous Coward

We never claimed...

Wasn't there a time when bankers were supposed to be upright, respectable, decent, example-setting members of society?

Or was it always a sham?

1
0
