New Attack From The Makers Of Chip And PIN Tetris

from the swipe dept

The same researchers who, last month, made a Chip and PIN payment terminal play a game of Tetris are back with a new, more serious claim about the vulnerability of this widespread payment system in the UK. Chip and PIN is a fairly straightforward system that requires a customer to swipe a card (that contains the chip) and then enter a PIN, to verify that they're the proper holder of the card. The researchers say that if attackers were able to place a phony terminal in a store or restaurant, then they could execute a fraudulent transaction at another location, simultaneously, on a customer's account. From a technical standpoint, it's an impressive attack, but from a practical standpoint, it doesn't seem particularly worrisome. Even if we assume that the attackers would be able to put a phony terminal somewhere, without it being noticed, the attack would be of limited profitability. Because the fraudulent transaction would have to be done simultaneously, while the legitimate shopper is making a purchase, the attacker couldn't make repeat purchases on someone else's card. For it to be successful, the attacker would have to be browsing for a high-value item, like a diamond, and then be prepared to instantly pay for the purchase as soon as they get the signal. This doesn't seem likely at all. Security researchers, in their rhetoric, often say that the key to security is not technical, but in understanding the human element. However, like the concerns about the iPod+Nike unit that was said to be a threat to privacy, this threat seems mainly technical. While the researchers have demonstrated something interesting, that may warrant further investigation into the system's weaknesses, it doesn't look like a major cause for alarm.


Reader Comments (rss)


  1.  
    Anonymous Coward, Feb 6th, 2007 @ 6:16pm

    Just two points to make.

    1. Chip and pin has been prevalent in many European countries for a very long time now. It is only relatively new to the UK.

    2. The real worry is the fact that a card reading device (known as a card skimmer) can be inserted into many existing ATMs (even the ones with security measures in place to prevent this type of fraud) which is used in conjunction with a pin hole camera.
    This enables the fraudsters to clone your card and capture your pin.

    They can then sell the cloned card to whoever and use it until the fraudulent transactions are noticed. And by that time it's probably much too late.

    That's why most ATMs in the UK have a little warning telling you to cover the keypad with your hand while you enter your pin and this is exactly what I do, so should everyone else.


  2.  
    |333173|3|_||3, Feb 6th, 2007 @ 7:05pm

    And people remove the anti-skimming devices

    They think they are skimming devices, and so try to remove them, so the banks started publishing dimensions, and so now the skimmers have to be made to match the anti-skimming devices.


  3.  
    Bumbling old fool, Feb 6th, 2007 @ 7:05pm

    Re:

    Wrong, they cannot clone the card just by reading it. The cards never make their key known, they only answer an encrypted question with an encrypted answer.

    That "scam" is indeed prevalent, but only with magnetic strips, it can't be done so simply with chips.


  4.  
    Anonymous Coward, Feb 6th, 2007 @ 8:58pm

    A more complex, but simpler version

    If you had a fake card reader, one which sent the encrypted question once for, say $4000, records the answer, sends the error code, and then asks for authorisation for, say, $40. The PIN can also be recorded by the handset, and a modified card written with the details. The man then, a week or a month or whenever, walks into a jewelers and spends that much money, or, better still, goes into supermarkets and buys $10 worth of stuff and takes out the limit in cash. The only problem would be if the bank recorded cancelled transactions, in which case someone might realise what is going on.


  5.  
    Adam, Feb 7th, 2007 @ 12:47am

    The weakness is that cards fall back to an insecur

    Just a couple of points.
    1) You don't swipe the card - you insert it in the machine for the duration of the payment - your PIN is used by the chip for encryption/decryption so it has to be in the machine at the time.

    2) The real weakness here is that you have the SAME PIN for both Chip and non-chip transactions. All transactions outside of the chip-and-pin areas are of the non-chip type and simply rely on the mag stripe. You only need to clone the magstripe of a chip-and-pin card and then use a hacked terminal to capture the PIN. Then you make a fake card with the cloned mag strip and use the PIN to do non-chip transactions (e.g. ATM withdrawal from overseas). You don't need to hack or clone the chip at all.

    If you had different PINs then this weakness would be closed.



    Check out Bruce Schneier for a write-up of this weakness, and Wikipedia for more background.


  6.  
    fuse5k, Feb 7th, 2007 @ 2:32am

    Last night in the UK Watchdog (consumer TV program) did the trick in question.

    They had someone buy a load of books, as the victim was paying for coffee elsewhere.

    Chip and pin is a mess, the only reason why banks are putting it in place is to reduce their fraud outgoings.


    When you had to sign for things, if your card was stolen and used, then the bank had to pay you back the money that was taken.

    However if someone uses the pin, you are deemed to have been negligent, and the bank doesn't have to pay out a penny.

    Safer, my arse... The only thing that is safer is the bank's profits...


  7.  
    Enrico Suarve, Feb 7th, 2007 @ 5:32am

    I can't see much use here

    With the exception of post #4 which I don't fully understand (sorry) and post 5 which is another albeit related issue I can't see the big threat from this one

    Sure it highlights that chip and pin is not perfect but I don't think anyone ever thought it was, overall this hack is not a really workable solution

    To get this to work you have to hand over your card so presumably this would have to be done in a shop and the 'extra' purchase would have to be done at the same time (or near enough)

    Sure I can see this being able to happen but if it happens more than a few times all an investigator has to look for is the retailer numbers involved

    "hmmm every time we get a report of a dodgy transaction there is another transaction going on at Fat Tony's Tools at the same time - go figure...."

    I don't see a massive return on investment here and to utilise the hack would leave an audit trail

    Am I being thick and missing something?


  8.  
    |333173|3|_||3, Feb 7th, 2007 @ 7:46pm

    Re: I can't see much use here

    To clarify my point in #4
    if a man asked for authorisation for the price of the item that he wanted to buy, and recorded the encrypted response from the card, along with the pin, and then cancelled the transaction (like when a credit card does not read properly) and then gets the proper authorisation for the product the owner of the card is really trying to buy, he could then write onto a blank card instructions to always return the previously recorded acceptance code. He can then go into a jewelers, using his fake card, and buy the item, using the pin collected earlier. Simple, and less likely to be caught.


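Two different weaknesses come up on this page: the relay described in the article (a phony terminal forwards the card's answers to a genuine terminal elsewhere, so the card signs the distant transaction) and the "record the acceptance code and play it back later" idea in comments #4 and #8. The simulation below is an added example, not code from the article, the researchers, or any card scheme; it is a simplified stand-in for the real protocol, with a constructed card key, a constructed PAN and made-up merchant IDs. It shows from the bank's side why the two cases are different: a fresh random challenge from the terminal, bound into the card's MAC, makes a recorded answer useless, but it does nothing against a relay, because the card really does answer the live challenge. The relay is only caught by a second check, a bound on how long the card took to answer (a crude distance bound; the 50 ms limit here is illustrative, real distance bounding works at far finer timescales).

```python
"""Simulated chip-and-PIN style authorisation with two defensive checks:
an unpredictable terminal challenge (defeats a replayed cryptogram) and a
round-trip-time bound (flags a relayed card). Constructed model, not EMV."""
import hashlib
import hmac
import secrets


class FakeClock:
    """Deterministic millisecond clock so the simulation runs offline."""
    def __init__(self) -> None:
        self.ms = 0

    def now(self) -> int:
        return self.ms

    def advance(self, ms: int) -> None:
        self.ms += ms


class Card:
    """The chip: answers a challenge with a MAC over challenge, amount and merchant.
    The key never leaves the chip; only MACs do (the point made in comment #3)."""
    def __init__(self, pan: str, key: bytes) -> None:
        self.pan = pan
        self._key = key

    def respond(self, challenge: bytes, amount_pence: int, merchant: str) -> bytes:
        msg = challenge + amount_pence.to_bytes(4, "big") + merchant.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    """Bank side: holds each card's key and recomputes the expected MAC."""
    def __init__(self, keys: dict) -> None:
        self._keys = keys

    def verify(self, pan, challenge, amount_pence, merchant, cryptogram) -> bool:
        key = self._keys.get(pan)
        if key is None:
            return False
        expected = Card(pan, key).respond(challenge, amount_pence, merchant)
        return hmac.compare_digest(expected, cryptogram)


class DirectLink:
    """Card physically inserted in this terminal: only chip latency."""
    def __init__(self, card: Card, clock: FakeClock, latency_ms: int = 5) -> None:
        self.card, self.clock, self.latency_ms = card, clock, latency_ms

    def respond(self, challenge, amount_pence, merchant):
        self.clock.advance(self.latency_ms)
        return self.card.respond(challenge, amount_pence, merchant)


class RelayedLink:
    """Card is in a distant terminal; each message crosses a network hop each way.
    The card still signs the live challenge, so the MAC itself is valid."""
    def __init__(self, card: Card, clock: FakeClock, hop_ms: int = 200) -> None:
        self.card, self.clock, self.hop_ms = card, clock, hop_ms

    def respond(self, challenge, amount_pence, merchant):
        self.clock.advance(2 * self.hop_ms + 5)
        return self.card.respond(challenge, amount_pence, merchant)


class ReplayLink:
    """A card that always returns a cryptogram recorded earlier (comment #8)."""
    def __init__(self, recorded: bytes, clock: FakeClock) -> None:
        self.recorded, self.clock = recorded, clock

    def respond(self, challenge, amount_pence, merchant):
        self.clock.advance(5)
        return self.recorded  # ignores the new challenge entirely


class Terminal:
    def __init__(self, merchant: str, issuer: Issuer, clock: FakeClock,
                 max_rtt_ms: int = 50) -> None:
        self.merchant, self.issuer, self.clock, self.max_rtt_ms = \
            merchant, issuer, clock, max_rtt_ms

    def authorise(self, link, pan: str, amount_pence: int) -> tuple:
        challenge = secrets.token_bytes(8)  # fresh, unpredictable per transaction
        t0 = self.clock.now()
        cryptogram = link.respond(challenge, amount_pence, self.merchant)
        rtt = self.clock.now() - t0
        if not self.issuer.verify(pan, challenge, amount_pence,
                                  self.merchant, cryptogram):
            return (False, "cryptogram does not match this challenge")
        if rtt > self.max_rtt_ms:
            return (False, f"card answered in {rtt} ms, limit {self.max_rtt_ms} ms")
        return (True, f"approved {amount_pence} pence at {self.merchant}")


def run_scenarios() -> dict:
    """Genuine purchase, relayed purchase, and replayed cryptogram (all constructed)."""
    clock = FakeClock()
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    card = Card("4000000000000002", key)                      # constructed sample PAN
    issuer = Issuer({card.pan: key})
    coffee_shop = Terminal("COFFEE-01", issuer, clock)
    jeweller = Terminal("JEWEL-01", issuer, clock)
    results = {}
    results["genuine"] = coffee_shop.authorise(DirectLink(card, clock), card.pan, 250)
    results["relay"] = jeweller.authorise(RelayedLink(card, clock), card.pan, 400000)
    recorded = card.respond(secrets.token_bytes(8), 400000, "JEWEL-01")
    results["replay"] = jeweller.authorise(ReplayLink(recorded, clock), card.pan, 400000)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:8s} {'APPROVED' if ok else 'DECLINED'}: {reason}")
```

Running it approves the coffee, declines the replay because the recorded MAC was computed over a different challenge, and declines the relay only on timing: the issuer's MAC check passes for the relayed transaction, which is exactly why the researchers' attack works against a protocol that checks cryptograms but not distance.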
