Cambridge boffins: Chip and PIN cards CAN be cloned – here's how

Boffins at Cambridge University have uncovered shortcomings in ATM security that might be abused to create a mechanism to clone chip-and-PIN cards. The security shortcoming might already be known to criminals and creates an explanation for what might have happened in some, otherwise baffling, "phantom" withdrawal cases. Each …

COMMENTS

This topic is closed for new posts.


    1. John Smith 19 Gold badge
      Coat

      Re: We never claimed...

      "Wasn't there a time when bankers were supposed to be upright, respectable, descent, example-setting members of society?"

      Yes, but that flaw in the hiring policy has since been fixed.

      Mine will be the one with a copy of Joe Orton's "Loot" on DVD.

    2. Anonymous Coward
      Headmaster

      Re: Descent?

      Looks like I used the right word, instead of the wrong one, decent.

  1. MarkSitkowski

    There might be a better way...

    What would be really good, would be some kind of telepathic password, which you could communicate to your bank, each time you needed to access your account online, and it would be really handy, if your mind could also transmit this password to the ATM.

    Well, that’s obviously not going to happen so, how about a compromise, where you transmit to your bank, information about your telepathic password, which only your bank understands?

    Yes, but the camera, and the malware, would record what you typed, and use it to get into your account. Okay, then, how about, if what you typed only worked once. Then, using the same keystrokes a second time would be useless. That would work, but how does the bank know that, what you typed the second time, represented the same telepathic password? Also, you certainly wouldn’t want to contact your bank every day, to get a new method of transmitting your telepathic password.

    How about this, then? Each time you want to access your account, a popup shows you an alphabet, with a number under each letter, and you type the numbers, instead of the letters?

    Okay, that’s obviously bad because the camera would pick up the numbers but, what if the numbers were all scrambled? That’s better, but the camera would still get you, and the malware would still send them back to the sociopath who, after a few months, would be able to guess your password, from the patterns of the numbers.

    What about, if there were only two numbers and, what if there were two alphabets, in upper and lower case? Then your telepathic password would be represented by a selection from 52 letters, each letter identified by one of two random digits. If the pattern of the digits changed randomly, with each access, then your telepathic password of “gobbledeygook” would be “1000110011001” the first time but, the second time, it would be “1110010001101”.

    Now we’re getting somewhere. The camera sees you entering a pattern of 1’s and 0’s, each of which could correspond to any one of 20 or 30 letters, the network snooper sees the numbers, but not the letters, and the malware sees both, but doesn’t know what they mean. Luckily, you took maths in college, and spend a lot of time in the casino, so you know how to calculate odds, and you can see they’re now in your favour, but you still want them to be better, because you work with classified documents, and really need to have tight security. What if you had two passwords, and added them together? What if you added or subtracted ‘1’ from every other letter? What if...? You’re tempted to call this ‘Uncrackable Authentication’.

    Aha! I hear you cry. How do I get my telepathic password, in the first place? The malware is watching my browser and my email, and will pick up the keystrokes when I type it into any form I fill in. How am I going to enter my password? Well, it might be good, if I had a set of alphabets but, this time, the letters were pictures of letters, and they, themselves, were scrambled, and referenced by a set of numbers. Then, the malware would pick up the mouse strokes, but would only know that they corresponded to a selection of pictures, with random names. Let’s be realistic, however. If there’s a spy camera, watching you do this, it will pick up what you enter. On the bright side, you’ll be doing this at home, probably only once a year, or so, with only the malware to contend with – unless you’ve fallen foul of the CIA, or your wife has her suspicions about you...

    One day, quite by chance, you stumble upon a site at www.designsim.com.au recommended by your friend at the FBI (he got it from some guy in military intelligence), and you say to yourself, “Hey, they stole my idea”, and you're right, the algorithm described there is identical.
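
The scheme MarkSitkowski describes above, sketched as an added example that is not part of the thread or of the site he links: each login puts a fresh random 0 or 1 under each of the 52 letters, the user types the digits under the password letters, and the last two functions count how many letters still fit what an observer of both the popup and the keystrokes has recorded. It assumes one mapping per login, so a repeated letter gets the same digit; all function names are hypothetical.

```python
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_letters  # the 52 upper- and lower-case letters

def new_challenge(rng=None):
    """One login's popup: every letter gets a fresh random digit, 0 or 1."""
    rng = rng or secrets.SystemRandom()
    return {ch: rng.randrange(2) for ch in ALPHABET}

def respond(password, challenge):
    """What the user types: the digit shown under each password letter."""
    return "".join(str(challenge[ch]) for ch in password)

def verify(password, challenge, response):
    """Bank side: recompute the expected digits and compare in constant time."""
    return hmac.compare_digest(respond(password, challenge), response)

def blind_guess_probability(length):
    """Chance that random digits pass one login without knowing the password."""
    return 0.5 ** length

def consistent_letters(sessions, position):
    """Letters that agree with every recorded (challenge, response) pair."""
    return {ch for ch in ALPHABET
            if all(str(c[ch]) == r[position] for c, r in sessions)}

def sessions_until_unique(password, rng):
    """Logins recorded before only the true letter fits at every position."""
    sessions = []
    while True:
        challenge = new_challenge(rng)
        sessions.append((challenge, respond(password, challenge)))
        if all(consistent_letters(sessions, i) == {password[i]}
               for i in range(len(password))):
            return len(sessions)

if __name__ == "__main__":
    pw = "gobbledeygook"              # sample password from the post
    first = new_challenge()
    print("response:", respond(pw, first))
    print("blind guess:", blind_guess_probability(len(pw)))
    print("letters still fitting position 0 after one login:",
          len(consistent_letters([(first, respond(pw, first))], 0)))
    print("logins until unique:", sessions_until_unique(pw, random.Random(1)))
```
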

    1. Justicesays

      Re: There might be a better way...

      Uh huh,

      And then, if someone's card was used you could absolutely prove it was them because no-one else could possibly have the magic password?

      Except you seem to have made a big assumption, that your bank is trustworthy.

      Past cases of where Cards and/or PINs were delivered and used fraudulently were eventually (after court cases and so on, as banks refused to admit it) proven to be only plausible if committed by corrupt bank employees, often two working in collusion to bypass internal protections (guy who can make a change working with guy who can delete the logs of the change for instance).

      http://www.lightbluetouchpaper.org/2010/05/25/an-old-scam-still-works/
