Criminals hijack terminals to swipe Chip-and-PIN data

Sophisticated cybercrooks have developed a technique for tampering with the PIN Entry Devices on Chip-and-PIN readers to steal users' card details and PINs. Police from the Dedicated Cheque and Plastic Crime Unit (DCPCU) recovered stolen PIN pads and hundreds of fake cards in a raid on a counterfeit card factory in Birmingham …

COMMENTS

  1. Gordon Pryra

    They sound surprised?

    "The PIN access devices are being re-engineered. It seems like crooks have broken the encryption on the chip but this is unclear."

    Why would they break the encryption on the chip?

    They just copy it wholesale and record the punter's keypresses.

    Hardly difficult. And it has been going on from the day the things were released.

    When some guy hands you a card terminal, you are expected to just type your pin into it, safe in the knowledge that that reader is the real thing?

    Anyone who is stupid enough to believe that the minimum wage waiter isn't bent deserves to spend all their time fighting for their cash back under the "banking code".

  2. Anonymous Coward

    hmm

    The security is still rubbish, and I personally think a PIN is less secure than a checked signature.

    I've known 4 people who have had their card cloned by one of these in the past year - I think it's worse than they are letting on. Oh and the protection? Yeah they all got their money back but for a couple of them it took MONTHS.

  3. Anonymous Coward

    Guilty until proven innocent

    Does the fact that it is now clear that a PIN can be compromised mean the banks will stop assuming the card holder is guilty until they can prove they had not negligently revealed their PIN?

  4. Steven Jones

    Fundamentally Flawed

    Until we have a system that uses a one-time password for each credit card transaction, the system will remain open to cloning and replay approaches. Putting data logging into PoS equipment was clearly something the crooks were going to do.

    Ideally I'd like a system which would allow one-time password generators to be registered against a number of services or cards (in fact it would be quite nice to be able to use it for online banking and other sensitive systems). It might also be nice (and not too difficult) to have an option to register a mobile phone number to receive an SMS message every time a transaction authorisation is attempted. At least that way we would notice fraudulent transactions quicker, even if it wouldn't immediately stop them.

    Cards could be enabled for use abroad via an appropriate enabling system for a given time for countries that don't have this sort of infrastructure. Lost OTPs could be dealt with via an exceptional over-the-phone authorisation system.

    I'm dreaming of course - I can't imagine that the finance industry will get their act together and come up with a truly robust system.

  5. Anonymous Coward

    think i'll treat myself...

    '...the attack made compromised PIN entry devices in stores as big a treat as the better known risk of bogus ATM machine'

    Yup, deff going to treat myself to some credit fraud.

    Mine's the one with bundles of cards in its pockets...

  6. Adrian

    Twats

    The lot of them. Ever heard of encryption? Even on hardwired systems you should be transmitting bank information via encryption.

    What absolute twats the banking industry is - if they need an overpriced consultant to teach their granny how to suck eggs please contact me.

    Where's the 'twat' icon?

  7. A J Stiles

    Said this would happen

    Allow me to add my voice to the crowd of "I Told you this was going to happen!"

    How about using a form of biometric security when paying for goods in stores? Just as a rough germ of an idea, you could give someone a pen and paper, and ask them to perform a gesture, unique to them, using the pen in such a way that a record is left (and can be retained). A person ought to be able, with minimal self-training, to reproduce such a gesture with a fair accuracy at will; yet someone who has not become accustomed to that gesture would have difficulties and so reproduce it only either with detectable artefacts in the written record or with some aberrant feature in their behaviour.

    Determining the validity or not of such a recorded gesture, by comparing it to a reference sample and observing the behaviour of the individual as they performed it, is the sort of task which probably would require a human being rather than a machine; but since there is already a human being sitting at every till in a supermarket, no additional staff would be required in practice.

  8. Tony

    should they be satisfied with this?

    "compromised Chip-and-PIN terminals have been found in less than 30 retail outlets throughout the UK"

    They don't say how many they actually checked. The implication of the comment is that there are very few; in fact, what the statement means is that that's all they have found so far, and they don't know if there are any more.

    "they enjoy excellent protection under The Banking Code, which means that they will not suffer any financial loss."

    Not entirely true; in the US the banks have to cover all loss, but in the UK they can ask you to prove it wasn't you. Having said that, I can't complain; on the 2 occasions that someone tried it on with my card details, they detected it before I knew. It helps that I don't normally buy £800 worth of leather underwear across the Internet!

  9. Anonymous Coward

    I told you so.

    I grumbled about this flaw in the past - it was painfully obvious that this was going to happen. Because of my foresight, I have a Chip & Signature card - and I had to raise hell with the bank in order to get it.

    Let me explain. Chip & Pin is undoubtedly more secure than Chip & Signature - even with this new exploit. After all, any fool can nick a card and, with a little practice, forge the signature. Shop staff really don't check that closely. The difference is a legal one.

    With Chip & Pin the banks are governed only by a code of practice. They promise to be nice and let you have your money back if fraudulent activity occurs, but they aren't legally obliged to - and you can bet your house that fingers were crossed as the promise was made.

    With Chip & Signature (or, indeed, any kind of signature card) the banks are governed by a legally binding contract. The onus isn't on you to prove that fraud has taken place - it's on the bank to prove that it hasn't. In practice, this means that you will always get your money back if someone defrauds you. It also explains why the banks are so reluctant to issue signature cards. Fight for your right.

    Personally I'll take a little less security if it means that I get to keep my money. Question is, what are you going to do?

  10. EnricoSuarve

    What they really think

    Sandra Quinn, director of corporate communications at APACS, said that Chip-and-PIN remains the safest method of payment for goods and services: "In the unlikely event a cardholder is an innocent victim of this or any type of fraud, they enjoy excellent protection under The Banking Code, which means that they will not suffer any financial loss."

    She then added under her breath "good luck proving your innocence though fuckers - all your pins is belong to me - Ha Ha ah ha ha HA!!"

    Seriously does anyone imagine for a second that the banks will kindly allow you the consumer access to data, which allows you to say that a high percentage of people who bought something from a particular store were then the victim of card fraud?

    Or are they much more likely to blame you for giving your PIN away, assume it's all your fault (whether they are in possession of the facts or not) and refuse to accept any liability?

  11. Steven Raith

    AJ Stiles

    I like the idea, but the Unique Image Reference on the back of my debit card rubbed off ages ago.

    Not that anyone checks it, even when the chip [which is falling out a bit] fails and I have to make my Unique Image on the slip.

    No surprise fraud is rife really, no-one checks anything these days.

    Steven "Needs to buy a wallet really" R

  12. Anonymous Coward

    The Government should take note

    Chip and PIN was introduced to eliminate fraud, just as ID cards and biometric passports with chips will eliminate identity fraud.

    Is it not plainly obvious that the criminal fraternity become more sophisticated in order to crack these supposedly secure systems, and that therefore the whole idea of ID card and biometric passports is fundamentally flawed?

    What will they do, issue me with a new set of fingerprints and retinas if my identity gets cloned? Muppets.

  13. Dr. Mouse

    RE: Said this would happen

    "Just as a rough germ of an idea, you could give someone a pen and paper, and ask them to perform a gesture, unique to them, using the pen in such a way that a record is left (and can be retained)"

    Oooh, that sounds like a great idea. Lets call it a Symbolic Identification Gesture for Non-Automated Tellers Using Recognition Engines.

  14. John Macintyre

    first hand unhappiness

    I had this happen to me, and I think I know where it happened, but I can't be sure. It was a chip and PIN unit two weekends ago; they got the card details, extracted some dosh in Canada, then a day later in India. I had it stopped, but it's clear credit card companies jump on fraud a lot better than debit card companies. The credit card company calls up the minute the transaction is logged to say 'are you sure this is right?' (this happened to a friend, not me; it was a valid transaction); the debit card company says 'have you ever been to Canada?', ignoring the fact that I was using it the same day to buy food from a supermarket up the high street. Go figure.

    I usually check cash machines for any dodgy fittings and won't use it if there are, but chip and pin units are harder to avoid.

    Annoyingly, it's the one time I paid for lunch by card; I usually use cash. Won't make that mistake in future; cash at least doesn't have the same resulting issues.

  15. david wilson

    @A J Stiles

    IIRC, in the past, cards/signatures were frequently not checked.

    I've known people who got their cards swapped when paying for a curry, and who didn't realise until a week or so later, when each had made several signature-based transactions - they didn't read the card they were handing over, and none of the vigilant signature-checking humans noticed that the signatures were entirely different.

    Once, I signed a newly-arrived credit card rather scrappily with a half-working ballpoint, and when I called the issuer, they simply told me to sign it a second time with a different pen. For the normal life of that card (2-3 years), I think only one retailer ever asked me why I had two signatures on the back.

    My signature in general is not very neat or particularly consistent, and I don't think anyone has ever questioned it on a credit card purchase.

    I suppose an encoded signature (ie one that a criminal couldn't re-encode onto a cloned card) might work for retail transactions *if* any staff could be bothered to do a comparison between what someone writes and what pops up on a screen.

    However, if it's the case that the current frauds tend to target foreign ATMs, then human-based security checking doesn't seem to have much of a place there.

  16. Steven Jones

    @Adrian

    It was the devices that were compromised. Modify those so a data logger records the key presses and encryption on the transfer to the bank doesn't help one bit in protecting the PIN (and the data connection to the bank is encrypted). The interesting thing is whether the encrypted data from the chip in the credit card can be read. Chip & PIN PoS devices don't read the mag strip (they don't need to), and the account information on the card is encrypted. You would need to break that encryption to get the account information. However, there's another possible approach: it might be that the compromised PoS devices have been modified to read the mag strip information, which has to be there for use abroad.

    Given that these compromised cards were used abroad, then it might not appear to be anything as sophisticated as getting the PINs and cloning the chips. It might be as simple as copying the mag stripe information if the countries where these were used don't have Chip & PIN.

  17. Charles

    @A J Stiles

    The problem is that this frequently-executed gesture is used in myriad places besides the checkout line, and as long as a person possesses a copy of your handiwork, this person can train his/her hand to replicate it. Combine this with a cloned copy of your card (or even the card itself--with a handy reference signature)...and it's open season. As I recall, this had been the procedure en vogue in the past and is still used in the greater crime of full identity theft.

    There's also the matter of handicaps. Not everyone has a steady hand at the checkout line. If someone possesses a nervous tic in the writing arm--or worse, a palsy--one's signature cannot be counted on to be consistent.

  18. Anonymous Coward

    Photograph for identification

    In 1987 I joined a voluntary scheme to add my photograph to my debit card. For all purchases at a counter, where we now use chip and pin, the vendor could see it was me unless I had a twin. Presumably nobody stood to make any money from making this idea mandatory so we now have the flawed chip and pin.

  19. John Macintyre

    @A J Stiles

    It's a good idea, and I guess to some degree it would work for blind people too, but I wonder if it would work overall. Say you bust your hand, or people who do not have steady hands: they won't be able to recreate the gesture accurately enough for the system. I know it's not everyone, but it's still an issue.

    There are two ways this could work and that are much simpler:

    a) Taking the idea from several online banking systems, make the PIN longer (8 characters), then ask for 3/4 random digits from it in a random order. That way, unless you use the same machine several times, you shouldn't get the same digits twice in the same order.

    b) Imagery (would take a bit of system upgrade though): you submit 4 or 5 pictures against your account. When you go to pay, it asks you to match 2/3 of those images, suggesting 3-4 alternatives per picture which are close or random. Then it's down to you to know the image, and it won't be at the same number in the image array each time. This is similar to your gesture idea but is just images to select rather than a gesture to repeat.

    Basically, the above have something in common: a non-commonly repeated series of images/numbers that can be stolen. Random part selection has to be a better deterrent, surely? And it beats having to submit any biometric info, as the uk.gov seems adamant to do on its own anyway.

    just my 2 cents
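Added example, not from the thread: a simulation of option (a) above, a partial-PIN challenge (3 digits of an 8-digit PIN, in random order) together with the tampered terminal this article is about. The honest protocol is in the first three functions; `LoggingTerminal` is the attacker's modification, which passes every transaction through but records the challenge shown and the digits keyed. `reconstruct` shows the caveat a practitioner would want: because the tampered pad sees both the challenge and the response, every transaction leaks three PIN digits in the clear, and the whole PIN is recovered after a handful of purchases. The PIN value and the challenge size are assumptions for the demonstration.

```python
import random

PIN_LENGTH = 8     # assumed: the 8-character PIN proposed in the comment
DIGITS_ASKED = 3   # assumed: three positions requested per transaction


def make_challenge(rng):
    """Issuer side: pick DIGITS_ASKED distinct PIN positions, in random order."""
    return rng.sample(range(PIN_LENGTH), DIGITS_ASKED)


def answer_challenge(pin, positions):
    """Cardholder side: key in the requested digits in the requested order."""
    return "".join(pin[i] for i in positions)


def verify(pin, positions, response):
    """Issuer side: the response must match the digits that were actually requested,
    so a response logged from an earlier challenge does not replay against a new one."""
    return len(response) == DIGITS_ASKED and answer_challenge(pin, positions) == response


class LoggingTerminal:
    """A tampered PED: behaves normally but logs the challenge it displayed and
    the digits keyed on its pad."""

    def __init__(self):
        self.log = []

    def transaction(self, pin, rng):
        positions = make_challenge(rng)              # displayed by the terminal
        response = answer_challenge(pin, positions)  # keyed on the tampered pad
        self.log.append((positions, response))
        return verify(pin, positions, response)


def reconstruct(log):
    """Attacker side: each (position, digit) pair in the log is a PIN digit in the clear.
    Returns the full PIN once every position has been seen, otherwise None."""
    known = {}
    for positions, response in log:
        for pos, digit in zip(positions, response):
            known[pos] = digit
    if len(known) < PIN_LENGTH:
        return None
    return "".join(known[i] for i in range(PIN_LENGTH))


def transactions_until_recovered(pin, seed=1):
    """How many purchases on the tampered pad until the attacker has the whole PIN."""
    rng = random.Random(seed)
    ped = LoggingTerminal()
    count = 0
    while reconstruct(ped.log) is None:
        ped.transaction(pin, rng)
        count += 1
    return count


if __name__ == "__main__":
    pin = "13579246"   # constructed sample PIN
    print("transactions needed:", transactions_until_recovered(pin))
```

The random order does defeat straight replay of a logged response, as `verify` shows, but it does nothing against a logger that sits in the device itself; at least ceil(8/3) = 3 transactions are needed and, with random positions, usually a few more.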

  20. John Macintyre

    @Photograph for identification

    Doesn't work. You're assuming they steal the card. If they nick the details and put it on a dummy card which doesn't have your photo, that form of ID is no longer valid. It may reduce the likelihood of card theft, but it's a lot more valuable to a criminal that you don't realise your card is stolen for a while than report it stolen instantly; it gives them time to use it.

    Also, they use the card on ATMs to get cash, as it's harder to track back and retrieve, and can be used immediately. ATMs don't check for photo ID...

  21. Gareth

    Easy solution

    Why can't these rotters just stop behaving like this and do an honest day's work for an honest day's pay? Life would be so much easier for everyone.

  22. Jeff

    Hmmm...

    Just carry cash. Can't get my card details or my PIN if I'm not using it.

  23. A J Stiles

    More thoughts on signatures

    The problem with signatures not being checked is really one of people not doing their job properly. Since there is an audit trail generated, the operator who allowed the fraudulent transaction can be traced -- and the money taken from their wages. Maybe it will teach them to do their job properly: you know, check that the signature looks like the one on the card and that the person signs with a single, fluid motion, not all stilted and robotic like somebody trying to copy someone else's signature.

    It takes at least an hour to learn to forge a signature even to the standard that somebody who didn't see you actually writing it would think it's genuine; and even longer if you want to make it look as if it's your own signature that you dash off several times a day. That gives the real owner of the card a window of time in which to notice and report it missing.

    Also, you can't speed up the process of learning to forge a signature by holding a knife to the throat of someone you are robbing. You can, on the other hand, obtain a PIN by the same method -- and keep the knife there while an accomplice makes a test purchase with the card to show the PIN is genuine. If I were truly evil, I would patent such "PINpoint robbery", but from the victim's point of view: as a method for enriching people and safeguarding one's welfare by revealing personal details. That way, any royalties due for the use of this patented method would be owed by the victim (whom you already have), rather than the perpetrator (who is away on their toes).

  24. Rob Aley

    Re: Photograph for identification

    No, it wasn't that there was no money to be made, it was that it was a rubbish idea. If you can clone a regular card and print it well enough that a shopkeeper won't notice, you can print your own photo on there as well. And for physically stolen cards, if they don't check the signature, they won't check the photo.

  25. Neil

    Marks & Spencers @ London Bridge

    Yes, Marks & Spencers London Bridge. That's where I'm pretty sure it happened to me, late on a Friday night when I popped in there about a month ago. The entire weekend and Monday morning following some wormbag(s) caned my card in a little village in northern Malaysia making Visa cash withdrawals (information gleaned from my online statement). Egg tried and failed to contact me on Monday afternoon and automatically barred my card - all money was subsequently returned and a new card issued. A minor inconvenience (as it was only a credit card, would have been far more serious had it been a debit card) but it's pretty obvious that Chip & PIN has been blown wide open and a better system is needed with end-to-end encryption.

    And since the magnetic strip contains all my details and this system is still in use abroad, and I have no immediate plans to go abroad, I'd be happy to instruct my bank to decline all transactions that make use of the magnetic strip method. The Bank could even issue me a card without a magnetic strip, I don't need it, and since the Bank would know I don't have a magnetic strip any such transactions would clearly be fraudulent.

  26. Anonymous Coward

    @ Steven Jones

    Re the SMS message: I've been working with a number of banks on the scope for this for some time, with the additional ability to virtually insert the PIN into the CNP process, enabling authentication using the mobile.

    I demonstrated it at the E-Crime congress in London earlier this year, and you're not dreaming, as hopefully it will be trialled in the market later this year.

  27. Neil

    Banks should consider Gridsure

    GrIDsure (gridsure.com) seems to be a cheap and apparently more secure alternative to PINs, but of course while Banks are too tight to encrypt transactions end-to-end then it's likely that no system will be sufficiently secure.

    From GrIDsure:

    "How does it work?

    Instead of hard-to-remember PINs / passwords, GrIDsure substitutes a different kind of ‘shared secret’ - based on picking a number of squares on a grid to make a memorable pattern or shape, such as an 'L' or a 'tick'. At authentication time the grid is filled with random numbers, which 'presents' to the user in his/her pattern positions a new set of 'PIN' or pass-codes. The numbers in the grid change each time it appears and thus so does the PIN. It’s far easier to use, as users don’t have to hold ‘cold’ strings of characters in their heads, and it’s much more secure as it cannot easily be shoulder surfed, key-logged or the user impersonated."

    And GrIDsure is a British company too (I have no affiliation etc. etc.).
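Added example, not from the thread and not GrIDsure's own code: a grid-pattern one-time code as I reconstruct it from the quoted description (a 5x5 grid of random digits, the shared secret being a pattern of cell positions, the code being the digits that land on those cells). `GridServer` is the issuer side and accepts each grid for one attempt only, so a logged code does not replay. `Eavesdropper` is the caveat for the claim that such a scheme "cannot easily be key-logged": a tampered PED of the kind in the article sees the grid it displayed as well as the digits keyed, and intersecting the candidate cells across a few sessions recovers the pattern. Grid size, pattern length and the sample pattern are assumptions.

```python
import random

SIDE = 5              # assumed grid size
CELLS = SIDE * SIDE   # 25 cells, numbered row-major


def new_grid(rng):
    """A fresh grid: one random digit per cell."""
    return [rng.randrange(10) for _ in range(CELLS)]


def code_for(grid, pattern):
    """The one-time code is the digits sitting on the pattern cells, in pattern order."""
    return "".join(str(grid[cell]) for cell in pattern)


class GridServer:
    """Issuer side: holds the cardholder's pattern and issues one grid per attempt."""

    def __init__(self, pattern, seed=0):
        self.pattern = list(pattern)
        self.rng = random.Random(seed)
        self.pending = None

    def challenge(self):
        self.pending = new_grid(self.rng)
        return self.pending

    def verify(self, code):
        grid, self.pending = self.pending, None   # a grid is good for exactly one attempt
        return grid is not None and code == code_for(grid, self.pattern)


class Eavesdropper:
    """Tampered PED: records the grid it displayed and the code that was keyed.
    For each step of the code, only cells showing that digit can be the pattern cell;
    the true cell survives every observation, wrong cells survive each with p = 1/10."""

    def __init__(self, pattern_length):
        self.candidates = [set(range(CELLS)) for _ in range(pattern_length)]

    def observe(self, grid, code):
        for step, ch in enumerate(code):
            matching = {cell for cell in range(CELLS) if grid[cell] == int(ch)}
            self.candidates[step] &= matching

    def recovered_pattern(self):
        if all(len(c) == 1 for c in self.candidates):
            return [next(iter(c)) for c in self.candidates]
        return None


def observations_until_recovered(pattern, seed=0, limit=50):
    """Run honest authentications through a logging PED until the pattern is known."""
    server = GridServer(pattern, seed)
    spy = Eavesdropper(len(pattern))
    for n in range(1, limit + 1):
        grid = server.challenge()
        code = code_for(grid, pattern)     # what the cardholder keys in
        assert server.verify(code)
        spy.observe(grid, code)
        if spy.recovered_pattern() == list(pattern):
            return n
    return None


if __name__ == "__main__":
    l_shape = [0, 5, 10, 15, 16]   # constructed sample pattern: an 'L' down the left edge
    print("sessions needed:", observations_until_recovered(l_shape))
```

Against shoulder-surfing of the keypad alone the scheme holds up, since the digits change every time; the weak point is any observer who sees the grid as well, which a compromised PED does by construction.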

  28. Charles

    Secure AND Portable?

    As the problem seems to stem from transactions performed abroad, where technology may not be available, the problem becomes making a form of authentication that is BOTH secure AND portable--such that it can be used just about ANYWHERE. Signatures are an obvious 'no'--they've been known to be forged. And it's become clear Chip-And-PIN can't apply--such devices can't be counted on to exist abroad. So, what can you try?

  29. Olaf

    Chip and spin

    Chip and pin was introduced to shift liability from the banks to the consumer.

    It could have been more secure but they chose the cheap option at every turn happy with the shift of blame.

  30. Skizz

    Idiots

    It's just another variant of the saying "Technology is in a race with the Universe to create bigger and better idiot-proof devices, while the Universe is trying to create bigger and better idiots." only replacing 'idiot' with 'criminal'.

    Skizz

    Paris, because the universe is creating bigger and better idiots.

  31. Shagrat

    Never checked anyway

    I'm not surprised; the cards never get checked anyway. My wife frequently borrows my debit card to go and buy all our shopping at ASDA. Unless ASDA have some kind of policy where they cannot ask questions for fear of gender-swap issues, I can't see any other reason for them not to even bother looking at the card.

  32. Adam Williamson

    Not new

    This happens periodically in countries where chip + PIN has been around for a while (like here in Canada). Mostly it's best to stick to the kind of reader that's semi-permanently attached to a terminal rather than the ones that are just a little hand unit on the end of a cord. For those ones, some retailers have taken to having the unit's screws covered with a security company's holographic tape, so you can flip it over and check the seals before using it.

    I did once consider a system for semi-randomly changing my PIN every day but then decided life was too bloody short...

  33. Mike Bell

    Why don't they just require you to enable your card for overseas use?

    I know which countries I'm likely to be in. If a transaction occurs in India or Kazakhstan, it's obviously fraudulent and the card has been cloned. Why do we need cards valid for all countries at all times?

    Card-not-present (telephone and mail order) transactions are different, (as my buying something mail order from Outer Mongolia is conceivable if unlikely) but the systems can distinguish between the two cases and, for card-not-present transactions, the issuer shifts the risk to the merchant.

    Incidentally in Las Vegas you need a driving license or passport plus your credit card to buy anything. The picture ID gets checked and (often) the details noted. Nobody seems to care about the signature on the credit card any more.

  34. Anonymous Coward

    @Gareth

    When I first started work (early '70s), I was sent on a security training course. The security manager was an ex-police superintendent (mornin' super - mornin' wonderful) who was about as cynical as you could get.

    He informed the group that there were only 3 types of people in the world: the "Sad", the "Mad", and the "Bad". He maintained that everyone fell into one of these groups, and that included all of the attendees and also all of the readers of this site. The only issue is if you recognise this, and therefore know what group you fall into (and what your price is).

    I argued with him, but to no avail - now some 30 + years later, it galls me to have to say that I think he was right.

    What most people are not aware of, is that a considerable amount of this sort of crime is now funded by large criminal groups that have access to more liquid cash than most governments. They are often involved in other criminal activity; drugs, human trafficking, sex crimes, counterfeit goods, 419 scams, pretty much anything where they can make money.

    The people that the police catch are usually so far down the food chain that before the police have booked them at the station and locked them up for the night, their handlers already have a replacement group starting up.

    (p.s. not intended as a flame at you Gareth - I know you weren't entirely serious)

  35. Neil

    @Steven Jones

    > The interesting thing is if the encrypted data from the chip in
    > the credit card can be read.

    Chip & PIN devices in use today in the UK are flawed and allow the card details - including PIN and account number - to be eavesdropped 'in the clear' using nothing more than a bent paperclip, needle and a laptop.[1]

    The system is rubbish; the notion of increased customer security is a fraud in its own right perpetrated by the Banks. If I'm ripped off again I'll be requesting a Chip & Signature card pronto, as I have no faith in Chip & PIN protecting me in future; it's just random luck that my card isn't cloned each time I use it.

    And for anyone using a debit card for anything other than ATM transactions: What on Earth are you thinking of? Are you mad??! Have fun paying your direct debits etc. once your cloned debit card has been used to empty your current account!

    1. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf - section 2.2

  36. Adam Foxton

    User verification

    Pretty much everyone's got a mobile, right?

    And banks know your mobile number (they certainly know mine)?

    Why not have the bank's systems text/email/automated-phone-call you for any non-standing-order transactions, say, over £10 or any outside the last city they verified your location in? That way you can buy your breakfast/lunch/dinner, a magazine to read on the bus or whatever else you need day-to-day without the extra verification, but still maintain protection against any more serious fraud.

    Again it's not perfect, but it's an extra step. Even as an optional system, it'd help people in fraud-prone areas to help limit their losses.

  37. Adam Williamson

    AJ:

    "Maybe it will teach them to do their job properly: you know, check that the signature looks like the one on the card and that the person signs with a single, fluid motion, not all stilted and robotic like somebody trying to copy someone else's signature."

    You've clearly never worked retail. I have. There's lots of people out there whose signature is fairly tangentially related to the one on their card, lots of old grannies (or, you know, people with arthritis) who take a long time to do their signature, and lots of rather large blokes who a 16-year old five foot five cashier would not feel particularly comfortable telling to provide another form of payment or re-sign the receipt.

    These are just a few of the reasons why the whole signature system is a bit of a problem. As Mike Bell mentioned, in most of North America no-one really bothers with the signature panel at all any more; small purchases are usually just waved through and larger ones often require some kind of photo ID regardless of the signature panel.

  38. Neil

    @Adam Foxton

    Sorry, but I really don't want my Bank calling me up several times a day - that would be a sure fire way for me to revert to carrying large amounts of cash around with me!

    There are better solutions already available to the Banks that don't require them to harass their customers every time they transact more than a few quid, but whether they implement these solutions depends on the Banks doing their job properly and not cutting corners to save themselves a few pennies.

  39. Anonymous Coward

    Chip cracked?

    I don't believe they've cracked the encryption on the chips. It's just not feasible, and if they had, they wouldn't need modified terminals; they'd just steal your card and decrypt the PIN.

    What they can do is read the PIN as you type it and log this along with the card details. The card details are easy to read from the terminal in plain text; if Tesco's till can do it, I assure you it's not hard.

    What they can't do is make a chip, or anything even like a chip, so they have to take your details (they have your PIN now, remember) and use it on a cloned card somewhere that still uses magnetic swipe in cash machines.

    Alternatively, they don't bother with modified terminals to get your PIN and just use your details online or by mail order.

    The truth is, even if every cash machine and shop in the world could use chip and every online store could use 3-D Secure (if they bothered securing the passwords like they do PINs), you'd still get fraud by mail order / telephone sales.
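Added example, not from the thread: the "copy the mag stripe and use it abroad" route that Steven Jones (comment 16) and the post above both describe rests on the stripe carrying everything in the clear. This parser reads the text form of an ISO/IEC 7813 track 2 record (the LRC byte that follows on the physical stripe is not carried in this form and is not checked), validates the PAN with the Luhn check, and decodes the service code. The check a practitioner wants is the last function: the first service-code digit (2 or 6) says "a chip is present", and a terminal that can read chips is supposed to insist on the chip rather than accept a swipe, so a cloned stripe only works where the terminal is swipe-only, which is exactly the "abroad" case in the thread. The sample record is constructed with a standard test PAN; it is not a real card.

```python
import re

# ISO/IEC 7813 track 2, text form: ;PAN=YYMM SSS discretionary?
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<yymm>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# Constructed sample: widely used Visa test PAN, expiry 12/10, service code 201
SAMPLE_TRACK2 = ";4111111111111111=1012201000000000?"


def luhn_valid(pan):
    """Luhn check digit test over the full PAN (rightmost digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track):
    """Return the fields of a track 2 record, or None if the record is malformed."""
    m = TRACK2.match(track)
    if not m:
        return None
    svc = m.group("svc")
    yymm = m.group("yymm")
    return {
        "pan": m.group("pan"),
        "luhn_ok": luhn_valid(m.group("pan")),
        "expiry": (2000 + int(yymm[:2]), int(yymm[2:])),
        "service_code": svc,
        # digit 1: interchange; 1/2 international, 5/6 national, 2/6 also say "chip present"
        "international": svc[0] in "12",
        "chip_present": svc[0] in "26",
        # digit 3: 0, 3 and 5 require a PIN; 6 and 7 ask for one "where feasible"
        "pin_required": svc[2] in "035",
        "discretionary": m.group("disc"),
    }


def should_refuse_swipe(card, terminal_reads_chip):
    """A chip-capable terminal presented with a stripe that says 'chip present' must
    read the chip; a swipe here is either a chip failure (fallback, handled by the
    issuer's own rules) or a clone. A swipe-only terminal cannot tell the difference."""
    return card["chip_present"] and terminal_reads_chip


if __name__ == "__main__":
    card = parse_track2(SAMPLE_TRACK2)
    print(card)
    print("refuse at chip terminal:", should_refuse_swipe(card, True))
    print("refuse at swipe-only terminal:", should_refuse_swipe(card, False))
```

Note what the parser does not need: nothing on the stripe is secret, so a cloned stripe is indistinguishable from the original to any swipe-only reader, and the only thing standing between a logged PIN plus track 2 and cash is whether the issuer declines swipe transactions in places it does not expect the card to be.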

  40. david wilson

    @Neil

    >>"Sorry, but I really don't want my Bank calling me up several times a day - that would be a sure fire way for me to revert to carrying large amounts of cash around with me!"

    It wouldn't be hard to let someone choose which kinds/sizes of transactions a bank informed them about afterwards (SMS or email), which kinds/sizes of transactions might result in the bank seeking approval, and which kinds of transactions (like foreign cash withdrawals from some/all countries) were de-authorised by default unless there'd been prior approval.

    Who currently takes the hit in fraudulent overseas cash withdrawals - the UK card issuer or the overseas bank?

  41. Steven Jones

    @Neil

    "Sorry, but I really don't want my Bank calling me up several times a day - that would be a sure fire way for me to revert to carrying large amounts of cash around with me!"

    Well I don't want a system that requires me to authenticate every transaction - after all, I might not have my mobile with me, the battery could be flat, you could be in an area of poor reception, I could be abroad and it could be embarrassing to find that out at the checkout in Tescos not to mention the time delays and people muttering in queues. Just possibly there is a need for mobile phone authentication for very large transactions. However, a notification system by SMS for every attempted transaction authentication would hardly be difficult to deal with - looking at my card records then that would only amount to about 40 messages per month.

    Having twice had my card compromised in less than 6 months, then I'd value it.
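Added example, not from the thread: the three-tier policy david wilson sketches in comment 40 (inform afterwards, seek approval, decline by default unless pre-authorised) combined with Mike Bell's point in comment 33 that a card need not be valid in every country at all times, and Steven Jones' earlier suggestion of enabling it abroad for a bounded period. The thresholds, the country list and the choice to exempt card-not-present transactions from the country gate (comment 33 notes the issuer passes that risk to the merchant) are assumptions for the demonstration, not any bank's rules.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def _date(s):
    return datetime.strptime(s, "%Y-%m-%d")


@dataclass
class Transaction:
    amount: float      # pounds
    country: str       # ISO 3166-1 alpha-2 code of the merchant or ATM
    kind: str          # "pos" (card present in a shop), "atm", or "cnp"
    when: datetime


def tx(amount, country, kind, date):
    """Convenience constructor taking the date as 'YYYY-MM-DD'."""
    return Transaction(amount, country, kind, _date(date))


@dataclass
class CardPolicy:
    home_country: str = "GB"
    notify_over: float = 10.0     # assumed: above this, approve and SMS afterwards
    approve_over: float = 500.0   # assumed: above this, hold until the cardholder confirms
    abroad: dict = field(default_factory=dict)   # country -> (enabled from, enabled until)

    def enable_abroad(self, country, start, days):
        """Cardholder pre-registers a trip: the country is enabled for a bounded window."""
        begin = _date(start)
        self.abroad[country] = (begin, begin + timedelta(days=days))

    def abroad_enabled(self, country, when):
        window = self.abroad.get(country)
        return window is not None and window[0] <= when < window[1]

    def decide(self, t):
        """Return (decision, action): decision is approve, hold or decline."""
        # Card-present use outside the home country is off unless pre-enabled for the date.
        # CNP is not gated on country here; the merchant carries that risk.
        if t.kind in ("pos", "atm") and t.country != self.home_country:
            if not self.abroad_enabled(t.country, t.when):
                return "decline", f"card not enabled for {t.country} on {t.when:%Y-%m-%d}"
        if t.amount > self.approve_over:
            return "hold", "ask cardholder to confirm by SMS before release"
        if t.amount > self.notify_over:
            return "approve", "send SMS notification afterwards"
        return "approve", "no notification"


if __name__ == "__main__":
    policy = CardPolicy()
    policy.enable_abroad("MY", "2008-06-01", 14)    # constructed: two weeks in Malaysia
    for t in (tx(14.0, "PK", "atm", "2008-06-01"),
              tx(50.0, "MY", "pos", "2008-06-10"),
              tx(50.0, "MY", "pos", "2008-06-20"),
              tx(800.0, "GB", "pos", "2008-06-01"),
              tx(5.0, "GB", "pos", "2008-06-01")):
        print(t.country, t.kind, t.amount, "->", policy.decide(t))
```

The order of the checks matters: the country gate runs before the amount tiers, so a small foreign cash withdrawal (the £14 in Pakistan described later in the thread) is declined outright rather than merely notified, while an expired travel window fails closed.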

  42. Clive Galway

    Simple Solution

    Just have 1 PIN for Chip+PIN transactions, and 1 PIN for cash withdrawals.

    But, Oh no, we can't do that, some granny would forget one, so now we are all vulnerable to this simple trick and the burden of proof is on us.

    Trash your mag strip today folks! It's the simplest way to defeat this. Every time you are going on holiday, order a new card, then trash the mag strip again when you get back.

  43. TimBinsted

    Payment Terminal security

    If these terminals are the same as the ones used in D, NL, BE etc. then this means that they have also accessed / cracked the HSM.

    In the terminals the entire PIN entry + transaction amount display and approval is performed within the keyboard / display component and this also stores and manages the keys (changed at least daily). Any attempt to get to the keyboard / display results in the component being destroyed (it is a mini HSM). The component is actually part of the keyboard.

    If the keyboard and display are not so constructed, then PIN use is intrinsically flawed. Is this really the case?

  44. Anonymous Coward
    Go

    @ Steven Jones

    Your wish is granted - have a look at www.pinoptic.com

    One time passcodes - only a maintenance upgrade to ePOS and/or ATM.

  45. DS

    It's broken

    A chip and pin nightmare.

    It's the first of the month, and time to pay some bills. First up, my main credit card. I go to pay and there is an issue. I double check the details. I triple check the details. Payment still refused. OK, so let's call the Bank and get the low down. I ring in, and they put me through the 20 question wringer. We go over a couple of things, and they put me through to the fraud department. Turns out, on the 25th, 27th and 28th, illicit payments were spotted. The first couple were to Touch Tone, for £5.00 each. The last is an attempt to take £14.00 from a cash machine in Pakistan.

    Before I go to town on the subject, I will firstly thank my bank, their watchful eye I have little doubt saved me from a painful situation. So, I'm in the situation where my debit card is nerfed. I've also had a strange kind of month for me. During that whole month, virtually the only activity I have had, besides standing orders, and direct debits is shopping. Shopping in one, and only one store. Now, just in case the lawyers are around, for now, I'm going to avoid naming the store in question. I'll refer to it as 'The Store' in the rest of this. Now, what is also unfunny, but I accept the universe likes a sense of humour, is my wife's card got cloned only days ago. And she also does most shopping at 'The Store'. When she went to the bank, they told her there was a serious problem locally going on at the moment.

    So, I call up 'the store's' head office and have a chat with the customer care people. The bank were interested in knowing I'd only been shopping there in the previous 30 odd days, and assured me they would follow it up. Would the store do the same? The nice lady on the line was indeed very friendly. At this stage, it became clear that the store knew of problems, but would not discuss the details, or locations, but did offer to send me a letter.

    It becomes clear that I'm not going to get very far with the nice lady, though she offered her condolences and expressed frustration at identity theft in general and arranges for me to get a letter from them sent out. At this stage, I decide that a little chat at the store is in order. After all, they see me each day, the least they can do is tell me what is going on. So I arrive at the store and request to speak to the manager. Of which there are many. Now at that point normally I'd expect blank looks and a sob story, or I figured I'd be fobbed off.

    The manager takes yours truly to a quiet corner, and I explain in some detail what has happened, and in fact I get the whole story. What happened was in fact, one of the chip and pin machines got swiped. Now, call me crazy, but I was somewhat taken aback. The manager said she had lost £120 herself, and most of the other staff, who naturally at the end of the long days they serve there, get their shopping there as well, had lost money. Unless there is something I am missing here, this would indicate that there are two serious problems. Both I'll cover in a moment. But I did thank the shop manager for not bothering to let their customers know. Perhaps in truth shop managers do not realise the problem until later. They got bitten harder than I did.

    The first is the chip and pin machines. These tend to be around the counter in most shops, and seem to have merely a wired connection. Not a great deal to stop someone determined armed with Scissors or better. They need better security. The second, and this is a bit more technical, would be that the machines seem to store card information, including the pin (Erm... Why?, that data should not be there). Now, my understanding is that in the chip and pin install in the UK, the banks did not do things right.

    Link- http://www.telegraph.co.uk/news/uknews/1579995/Credit-card-crooks-'foil-chip-and-pin-security'.html

    Link-

    Of absolute prime concern here, is the statement from APACS, the UK payments association which is responsible for tackling credit card fraud: "The report does not identify any threats or vulnerabilities of which the industry is not already aware. In our view, the types of attack on PIN entry devices (chip and pin machines) detailed in this report are difficult to undertake and not currently economically viable for a fraudster to carry out."

    Well, on the first score, difficult to undertake is meaningless. Once found and documented, it's not difficult any more. The bad guys are not put off by difficult. These devices need to be fixed NOW. And the obscure method of arcane thinking along the lines of 'It's not economically viable' to steal money. All I can say is the APACS bunch seem to be rather too muppet-like for my liking. If the case is how they claim, how have we reached the stage where chip and pin boxes are being swiped and everyone who ever entered their card info and pin seems up for being a victim? Now, being a layman, I can say that I don't know how much data these chip and pin machines hold. Perhaps it's a month, a year, 10 years. But in the one at 'the store' I can say that I expect hundreds per day. Cracking that box would seem to be financially viable *now*, I know, because I've been right on the pointy end. But from where I am sitting, 'the store' and its like are prime targets. They have hundreds, maybe thousands of consumers per day going through them, and are protected by not a very great deal.

    Lastly, I'm guessing, but I suspect the banks fully know about this. I very much doubt that they would have nominally stopped two £5 and one £14 transaction under normal circumstances. Which means I just got lucky. Had I been an early victim, I am guessing my entire account could have gone. On the other hand, I should be very angry, and so should you. Banks dropped the ball on the implementation, and place my data and information, and yours, where crime can be committed against me and you. At the very least now, it's messing with my account for 7 days waiting for a new card. As will the hundreds, maybe thousands in the area affected en masse by this. I'll get my new card, but chip and pin will still be broken. Which means that soon enough, I'll face the same prospect, again and again, unless it's fixed. Right now, the supposed security 'chip and pin' was supposed to bring us has been replaced with a fearsome new level of ID theft, and a serious threat to everyone's financial health.

  46. Neil

    @Steven Jones/David Wilson

    I wouldn't object if my bank offered me a web based system that allowed me to specify the countries where my card can be used, and even the types of transactions that should be authorised (or perhaps more easily, the types of transactions that should NOT be authorised, eg. cash advances). If I do go on vacation to Malaysia then I can add that country before I go and remove it when I return, and if I forget to add it before I leave I can always give Egg a quick call (or I could use an internet cafe, but that has security implications of its own!) As my Egg credit card is managed entirely online this would be an easy addition for them.

    Take this further and we can specify the transaction amounts above which the automatic notification SMS message should be sent, or the level at which transactions should be flagged as suspicious (but not necessarily fraudulent, eg. above £500).

    Of course none of the above would be necessary if Chip & PIN wasn't so insecure in the first place.

  47. Neil

    @Clive Galway

    "Trash your mag strip today folks! It's the simplest way to defeat this. Every time you are going on holiday, order a new card, then trash the mag strip again when you get back."

    Clive that won't solve the problem - your card can have its details copied from a Chip & PIN machine in the UK, and those details can then be sent abroad where a cloned card is created with your card details written to the magnetic strip, whereupon your account is fraudulently debited by vendors that still process cards with magnetic strips. Your card doesn't have to leave the UK for this to happen, nor does it even have to have a magnetic strip for a cloned card with magnetic strip to be created overseas...!

    The best option would be to instruct your bank to refuse to authorise ALL magnetic strip transactions on your account, with the option to allow transactions for a short period if/when you do go abroad. But as far as I know this isn't possible - if it were I'd sign up for it.
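The cardholder-side controls proposed in posts 46 and 47 (an allow-list of countries, a deny-list of transaction types, an SMS notification threshold, a "suspicious" amount threshold, and magstripe fallback only inside a declared travel window) written out as a small rule evaluator. This is an added example, not code from the thread or from any bank; every class name, threshold and sample transaction is a constructed assumption.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed model of the cardholder-configurable authorisation rules
# discussed in the thread. Names, defaults and thresholds are assumptions.

@dataclass
class CardPolicy:
    allowed_countries: Set[str] = field(default_factory=lambda: {"GB"})
    blocked_types: Set[str] = field(default_factory=lambda: {"cash_advance"})
    sms_threshold: float = 0.0          # 0.0 = SMS on every transaction (post 41)
    suspicious_threshold: float = 500.0  # flag, but do not decline (post 46)
    magstripe_window: Optional[Tuple[date, date]] = None  # fallback allowed only here

    def allow_travel(self, country: str, start: date, end: date) -> None:
        """Add a country before a trip and open the magstripe fallback window."""
        self.allowed_countries.add(country)
        self.magstripe_window = (start, end)

@dataclass
class Transaction:
    amount: float
    country: str
    tx_type: str     # "purchase", "cash_advance", "atm_withdrawal"
    entry_mode: str  # "chip" or "magstripe"
    when: date

def evaluate(policy: CardPolicy, tx: Transaction) -> Tuple[str, List[str]]:
    """Return ('approve' | 'decline', flags). Hard rules decline outright;
    thresholds only add flags so the issuer can notify or review."""
    flags: List[str] = []
    if tx.country not in policy.allowed_countries:
        return "decline", ["country_not_allowed"]
    if tx.tx_type in policy.blocked_types:
        return "decline", ["type_blocked"]
    if tx.entry_mode == "magstripe":
        window = policy.magstripe_window
        if window is None or not (window[0] <= tx.when <= window[1]):
            # Post 47: a cloned magstripe used abroad is refused unless travelling
            return "decline", ["magstripe_outside_travel_window"]
        flags.append("magstripe_fallback")
    if tx.amount >= policy.suspicious_threshold:
        flags.append("suspicious")
    if tx.amount >= policy.sms_threshold:
        flags.append("notify_sms")
    return "approve", flags
```

Run against a constructed version of the £14 Pakistan withdrawal from post 45, the default policy declines it on the country rule before the magstripe rule is even reached.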

  48. John Dougald McCallum
    Unhappy

    C&P "V" magstripe

    "The best option would be to instruct your bank to refuse to authorise ALL magnetic strip transactions on your account"

    Your idea, whilst a good one, is not feasible. Several times since the Chip & PIN cards came out I have seen my card swiped in the mag stripe reader because the Chip & PIN reader would not read the chip, so you still need the mag stripe in the UK.

  49. Neil
    Happy

    @John Dougald McCallum

    Fair comment, but if that were the case then the problem is mine to deal with either by paying with cash or another card with a working chip, or the retailer could whip out his antiquated roll-over imprinting machine (yes, they're still accepted just for this kind of situation) and I would physically sign the receipt.

    So far my chip has never failed to work, maybe because I keep my cards in a wallet, and I haven't had to swipe the mag stripe on a card for at least 3-4 years, so I reckon I can live without the mag stripe entirely if it reduces the likelihood of me being defrauded.
