back to article Chip and PIN security busted

Security researchers have demonstrated a gaping security hole in Chip and PIN credit card authorisations which undermines trust in the technology as a means to verify retail purchases. Cambridge University security researchers have demonstrated how it might be possible to trick the card into thinking it’s doing a chip-and- …

COMMENTS

This topic is closed for new posts.

Page:

@Trevor Pott o_O

Don't know what the process is over there, but over the channel you have to activate your card by withdrawing cash at a bank machine. So if you receive your card and never activate it, yet receive charges against that card, you have grounds to oppose them

0
0
Gold badge

@Andy 66

This is true here as well, (for credit cards at least.) Our Chip-and-Pin debit cards require no activation.

That said an inactivated card is useless to me as well. What I want is the ability to specify "this credit card will only ever be used for online transactions, and no transaction will ever exceed $X" If I have an activated card, even if I cut the physical card up...it can be cloned and used anywhere and I am liable for it.

My bank will not offer me the ability to restrict where my card may make purchases. Instead, I am paying $25 a month to them for identity fraud insurance.

Beer, because banks make me angry, and now I need a pint.

0
0
Unhappy

Chip and Pin is definitly faulty

For personal experience, there is a flaw with chip and pin. I used a terminal at my local fish monger. Twice it report that the pin number was invalid, so I paid with another credit card.

I was billed for both failed payment attempts (as well as the payment on the other card).

Barclay's sent me a form which made me basically accuse the shopkeeper of fraud. There was no way to fill it in explaining that Barclay's has stolen money from my account, not the shopkeeper.

Barclay's refused to accept that it was possible to withdraw funds without a valid pin being entered - but it is.

I never received a refund.

0
0
FAIL

I want one of those kits....

...the number of times i've forgotten which 4 digits go with which card is annoying... :)

0
0
Silver badge

How to fix chip and pin

20 seconds on high in the microwave.

0
1
Gold badge

Sorry, but this is wrong...

If your chip and pin card has been cloned and is then used, you are liable for it. You may have destroyed your original card, but you are still liable for all the fraudulent transactions, becuase "chip and pin can't be beat."

The only way to fix chip and pin is NEVER TO GET ONE.

0
0
Anonymous Coward

@Chip and PIN is not to prevent fraud people...

It seems to be said a lot here that the Chip and PIN system wasn't put in place to prevent fraud, rather that is was put in place to shift responsibillity for fraud onto the customer. I really don't buy this there are precious few, if any, reliable/serious people claiming fraud on their cards. In the only time it's gone to court that I am aware of, the person claiming fraudulant use of the card was shown to be a highly unreliable witness.

The main thing that people seem to be overlooking is that there is a banking regulator, one of the main reasons that the regulator is in place is to prevent the banks getting too much power over their customers and imposing unfair conditions. The regulator hasn't performed too well over the last couple of years, with respect to how the banks behave internally wrt trading etc, but this was because they were focusing too much on how customers are treated. If the banks were operating in a way which forced liability onto their customers the regulator would not allow it.

In this case there does seem to be a problem with chip and pin, but chip and pin is not fixed in stone, it can be modified to work around problems. One of Ross Anderson's previous papers (cited in this one) showed how to run a man in the middle/relay attack, this was made unworkable an a matter of weeks with an update to the chip and pin protocol.

1
0
Grenade

You've missed the point

Before C&P came into being, if your card was used fraudulently (excluding CNP fraud) the defrauded person only had to ask for a copy of the signature to prove it wasn't them - Very easy to show it wasn't their signature and bank had to cough up.

Now, as there is no "paper" trail you (a defrauded person) have a mountain to climb to prove it wasn't you. Personally I am now going to ask for a Chip and Signature card from each of my card suppliers.

0
0
Anonymous Coward

Err...

So what you are saying is that with magstripe/signature, if you wanted to defraud a bank all you had to do was mess up your signature and they'd just hand over the cash when you said "fraudulant activity" to them? Do you really believe that is was that simple?

It's just the same now as it was with magstripe and signature, an investigation takes place, sometimes the customer will be required to hand over evidence such as their card etc, the police will probably be involved, CCTV will be acquired if applicable etc. etc. The only change is that there are currently no known frauds that have taken place in chip and pin areas where a customer hasn't in some way handed over their PIN.

0
0

errr. Still missing the point

I am not on about ME committing fraud, I am talking about fraud committed on my card (or cloned card).

Using the old system of Signature it would be easy for the bank to check that the signature does not match mine and thus give me my money back.

With C&P, as long as the crooks used my pin the bank can stick the story that as it was verified by PIN they will not give my money back. Without CCTV or other visible evidence you're gonna have a very hard time proving your case.

You also said "The only change is that there are currently no known frauds that have taken place in chip and pin areas where a customer hasn't in some way handed over their PIN."

I'd say "There have been no court cases whereby C&P fraud was committed and it was proved that the complainant had NOT in some way disclosed their PIN". The bank(s) chose that case very carefully and deliberately. Anybody who followed it from the start could tell the person was an idiot.

In addition just because YOU don't know of any frauds capable of being carried out does not mean they don't exist

0
0
Anonymous Coward

@Chris...

A bank will/would not just automatically refund a signature verified transaction where the signature doesn't match because of the *possibility* that the card owner has fraudulantly used their own card and signed with something that isn't their own signature, furthermore the card has the signature on the back making it much easier to fraudulantly use by clone or theft. Any fraudulant use will be investigated, the same with chip and pin, although with chip and pin your authorsiation method isn't written on the card.

Now as to your assertion that the banks carefully chose the case of the guy who claimed that his card had been fraudulantly used: They don't get to only have one go at this, that's not how the law works, if someone else comes along with a credible case they also get to take them to court. If lots of credible people complain to the regulator, the regulator will investigate.

I was also very careful to not say that because explots aren't known in the wild, doesn't mean to say there are any, however the lack of credible reports does suggest that there aren't.

0
0

@Fraser

I didn't mean to give the impression that a bank would automatically refund my point was more along the burden of proof if it came to a court/civil case. It would be easier to prove that it isn't your signature as opposed to proving you didn't input the PIN if no other visible evidence is available to prove it wasn't you.

Also, I agree that the law doesn't work that way however the banks have only allowed that case to go to court - knowing it was a slam dunk for them. I am fairly sure that there have been a couple or 3 other examples where the card owner has threatened to go to court only for the banks to "refund as a guesture of goodwill without admitting any liability". Unless they are forced to the only case on the books is the idiot one.

A lack of credible reports only means that they haven't been discovered ;-)

0
0

Solution

As indicated in the paper, the card check the PIN result from the terminal with it's internal PIN result and take appropriate action if they do not match (decline or online)

1
0
Happy

The PIN is required, and must contain four digits.

At least Chip and Pin is automatic,and doesn't rely on a human comparing two signatures.

A few years ago presented a new card I'd forgotten to sign.

So I signed it. Luckily both signatures matched and everyone was happy.

1
0

Paper ignores the facts

IAD is specified by EMV - a fact they deny then publish later in the paper.

What they have proven here is nothing more than that there is an issuer somewhere who has not passed Visa and Mastercard Certification who is willing to approve transactions from a terminal that they know is PIN capable that they also know has not verified a pin.

And from that they are concluding that EMV is broken - utter rubbish.

1
0

Page:

This topic is closed for new posts.

Forums

Biting the hand that feeds IT © 1998–2018