Chip & PIN terminal playing Tetris

Fearful Bank Customer writes "When British banks introduced the Chip-and-Pin smartcard-based debit and credit card system three years ago, they assured the public it was impervious to fraud. However, the EMV protocol it's based on requires customers to type their bank account pin number into store terminals in order to make any purchase. Security researchers at the University of Cambridge Computer Laboratory derided the system as insecure at the time, as it gave access to customer's bank account pin numbers to every store they bought from. Despite these objections, the system was deployed, so researchers Steven Murdoch and Saar Drimer recently modified a straight-off-e-bay chip-and-pin terminal to play Tetris, with a video on YouTube, demonstrating that devices are neither tamper-resistant nor tamper-evident, and that even students with a spare weekend can take control of them. The banks are claiming that this can be reproduced only "in the laboratory" but seem to have missed the point: if customers have to type their bank account pin into every device they see, then the bad guys can capture both critical card information *and* the pin number for the bank account, leaving customers even more vulnerable than they were under the old system."

Hold on a sec here...

[Shoten]

They got it to play tetris by replacing the majority of the electronics inside it. It's not exactly like they got the actual terminal to play tetris...it's more like "They put a tetris game console inside the empty terminal shell, and used the terminal's keypad and screen for control and display." It'd be like skinning a copy of Windows 95 to look like Xwindows, and then saying "Look at all the vulnerabilities I found in linux!"

Re:Hold on a sec here...

[crossword.bob]

But if someone can put custom electronics in what is supposed to be a tamper-proof shell, people will blindly insert their cards and type their PINs. The issue is not one of terminal software security, but of hardware integrity.

Re:Hold on a sec here...

[Anonymous Coward]

Actually, chip & pin credit cards have been in use in various countries for something like 20 years or so (give or take 5), with very very few stories of security issues. And yes, they are far more secure than signing a piece of paper.

liability shifty

[apodyopsis]

What annoyed me was the shift in liability. The old fashioned "swipe and sign" cards, if they were compromised and somebody nicked your cash then the banks could be held liable and some remittance sought. However - with the new system there is an automatic assumption that you have given your PIN away and hence its your fault and you can he held liable. So if somebody stands behind you, watches you type in your PIN and then follows you outside, mugs you and steals your card - then you can be held liable for not taking care of your PIN number. Also the system seems quite unreliable even now.

Re:Hold on a sec here...

[pdawson]

The point is if they can do that, bypassing the 'tamperproof' systems, they can open a unit in the field and piggyback a chip in to record account# and pins with the with the user being none the wiser.

Re:Hold on a sec here...

[jimicus]

Tell you what. Why don't you go away and build me a 100% tamper proof Chip & PIN which cannot be easily replicated (eg. with casting resin and alginate), doesn't cost a small fortune to produce and provides some easy, immediately visible means of differentiating it from any possible fakes? Then persuade Tescos (and anyone else with similar systems) to use that rather than their existing system (which is "all cards, regardless of type, are swiped through the card reader on the checkout"), because if you don't, people won't be at all fazed by having to hand their card to the person at the counter.

Bear in mind that Tesco is large enough that if they say "No", you're a bit stuck. It's estimated that £1 in every £4 earned in the UK is spent there.

Re:They replaced all the innards!

[Anonymous Coward]

Instead of putting something in there that played Tetris, what if you put something in there that looked and felt like a normal C&P terminal, except instead of communicating to the bank, it just kept a copy of your card details and PIN for later extraction? That's the problem this demonstrates.

My idea....

[shaneh0]

While your idea seems very well thought out, it still wouldn't gaurantee it couldn't be a dummy terminal that's designed to collect swipe data and pin codes.

My thoughts are that after you swipe your card, the terminal should give YOU a PIN number that should match a PIN that the bank sends you with your card. At this point, once you verify that it is indeed legit, you provide your counterpart PIN.

And since it doesn't have to be entered, it could be a word, or with LCDs, even an image.

Hell, for that matter, even an image of YOU would work (in fact, this would also have a good usage to prevent fraud in cases of CREDIT transaction (as opposed to the debit transactions that we're talking about)

In other words: Chip and Pin is a scam!

[Anonymous Coward]

However, I'll agree, all this is pretty useless if someone can get inside the terminal and intercept the PIN at hardware level.

I assume you were doing your best to avoid saying it outright?

Re:Debit Cards

[Anonymous Coward]

I can see the value of debit cards for some people (e.g., can't get credit, or need it as a way to enforce budget discipline), but for me they are an abomination.

I pay off my credit card balance every month, from a checking account that earns a modest interest rate (currently in the range 3.0-3.5% annually). So the 30 days of float I get means in effect that the bank is paying me roughly a 0.25% bonus for everything I charge.

With a debit card, the money is siphoned out of the account immediately at the point-of-sale. The attractiveness of this from the bank's point of view is obvious. It would also not surprise me if the Visa people ding merchants at a lower rate for debit than they do for credit.

A second major flaw is the fraud angle. If fraudulent charges show up on my credit card, I call my bank and refuse to pay the charges until the matter is settled. With a debit card, the money is gone, and I have to convince someone to give it back to me. Having the first sign of fraud be the fact that my checking account has been cleaned out is not a good feature, IMO.

Debit cards also lose out to ATM cards for the same reason. With an ATM card, there's a one-day limit of something like $300-$500. So if my pin or card gets compromised, there are limits to how much damage they can do. (Of course liability limits are much lower, and you should *eventually* get all of your money back, but again I don't want to start from the position of having my checking account cleaned out, and then trying to recover.)

Re:I wrote Tesco's system you should all listen to

[jandrese]

If that's the case, then isn't the PIN alone rather useless to a crooked merchant? From what I understand, the chip on the card is supposed to be difficult or impossible to duplicate (especially in a tiny form factor card reader device). So even if you have the PIN, it's of no use to you unless you either mug the person for their card or hope they've used it elsewhere.