New Attack From The Makers Of Chip And PIN Tetris
from the swipe dept
The same researchers who, last month, made a Chip and PIN payment terminal play a game of Tetris are back with a new, more serious claim about the vulnerability of this widespread payment system in the UK. Chip and PIN is a fairly straightforward system that requires a customer to swipe a card (that contains the chip) and then enter in a PIN, to verify that they're the proper holder of the card. The researchers say that if attackers were able to place a phony terminal in a store or restaurant, then they could execute a fraudulent transaction at another location, simultaneously, on a customer's account. From a technical standpoint, it's an impressive attack, but from a practical standpoint, it doesn't seem particularly worrisome. Even if we assume that the attackers would be able to put a phony terminal somewhere, without it being noticed, the attack would be of limited profitability. Because the fraudulent transaction would have to be done simultaneously, while the legitimate shopper is making a purchase, the attacker couldn't make repeat purchases on someone else's card. For it to be successful, the attacker would have to be browsing for a high-value item, like a diamond, and then be prepared to instantly pay for the purchase as soon as they get the signal. This doesn't seem likely at all. Security researchers, in their rhetoric, often say that the key to security is not technical, but in understanding the human element. However, like the concerns about the iPod+Nike unit that was said to be a threat to privacy, this threat seems mainly technical. While the researchers have demonstrated something interesting, that may warrant further investigation into the system's weaknesses, it doesn't look like a major cause for alarm.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
1. Chip and pin has been prevalent in many European countries for a very long time now. It is only relatively new to the UK.
2. The real worry is the fact that a card reading device (known as a card skimmer) can be inserted into many existing ATMs (even the ones with security meaures in place to prevent this type of fraud) which is used in conjunction with a pin hole camera.
This enables the fraudsters to clone your card and capture your pin.
They can then sell the cloned card to whoever and use it until the fraudulent transactions are noticed. And by that time it's probably much too late.
That's why most ATMs in the UK have a little warning telling you to cover the keypad with your hand while you enter your pin and this is exactly what I do, so should everyone else.
[ link to this | view in chronology ]
Re:
That "scam" is indeed prevelant, but only with magnetic strips, it cant be done so simply with chips.
[ link to this | view in chronology ]
And people remove the anti-skimming devices
[ link to this | view in chronology ]
A more complex, but simpler version
[ link to this | view in chronology ]
The weakness is that cards fall back to an insecur
1) You don't swipe the card - you insert it in the machine for the duration of the payment - your PIN is used by the chip for encryption/decryption so it has to be in the machine at the time.
2) The real weakness here is that you have the SAME PIN for both Chip and non-chip transactions. All transactions outside of the chip-and-pin areas are of the non-chip type and simply rely on the mag stripe. You only need to clone the magstripe of a chip-and-pin card and then use a hacked terminal to capture the PIN. then you make a fake card with the cloned mag strip and us the PIN to do non-chip transactions (e.g. ATM withdrawl from overseas). You don't need to hack or clone the chip at all.
If you had different PINs then this weakness would be closed.
Check out Bruce Scheier for a write-up of this weakness Wikipedia for more background.
[ link to this | view in chronology ]
They had someone buy a load of books, as the victim was paying for coffee elsewhere.
Chip and pin is a mess, the only reason why banks are putting it in place is to reduce their fraud outgoings.
When you had to sign for things, if your card was stolen and used, then the bank had to pay you back the money that was taken.
However if someone uses the pin, you are deemed to have been negligent, and the bank doesnt have to pay out a penny.
Safer, my arse... The only thing that is safer is the bank's profits...
[ link to this | view in chronology ]
I can't see much use here
Sure it highlights that chip and pin is not perfect but I don't think anyone ever thought it was, overall this hack is not a really workable solution
To get this to work you have to hand over your card so presumably this would have to be done in a shop and the 'extra' purchase would have to be done at the same time (or near enough)
Sure I can see this being able to happen but if it happens more than a few times all an investigator has to look for is the retailer numbers involved
"hmmm every time we get a report of a dodgy transaction there is another transaction going on at Fat Tony's Tools at the same time - go figure...."
I don't see a massive return on investment here and to utilise the hack would leave an audit trail
Am I being thick and missing something?
[ link to this | view in chronology ]
Re: I can't see much use here
if a man asked for authorisation for the price of the item that he wanted to buy, and recorded the encrypted response from the card, along with the pin, and then cancelled the transaction (like when a credit card does not read properly) and then gets the proper autorisation for the product the owner of the card is really trying to buy, he could then write onto a blanck card instructions to always return the previously recorded acceptance code. He can then go into a jewelers, using hi fake card, and buy the item, using the pin collected eariler. Simple, and less likely to be caught.
[ link to this | view in chronology ]