
Chip & PIN terminal playing Tetris

Posted by Hemos
from the the-joy-of-subversion dept.
Fearful Bank Customer writes "When British banks introduced the Chip-and-Pin smartcard-based debit and credit card system three years ago, they assured the public it was impervious to fraud. However, the EMV protocol it's based on requires customers to type their bank account pin number into store terminals in order to make any purchase. Security researchers at the University of Cambridge Computer Laboratory derided the system as insecure at the time, as it gave access to customers' bank account pin numbers to every store they bought from. Despite these objections, the system was deployed, so researchers Steven Murdoch and Saar Drimer recently modified a straight-off-e-bay chip-and-pin terminal to play Tetris, with a video on YouTube, demonstrating that devices are neither tamper-resistant nor tamper-evident, and that even students with a spare weekend can take control of them. The banks are claiming that this can be reproduced only "in the laboratory" but seem to have missed the point: if customers have to type their bank account pin into every device they see, then the bad guys can capture both critical card information *and* the pin number for the bank account, leaving customers even more vulnerable than they were under the old system."
  • The real problem (Score:3, Interesting)

    by Generic Guy (678542) on Monday January 08, 2007 @12:20PM (#17509282)

    The real problem I see here is that new technology is presented as "unbreakable" then allows the business interests to ignore victims of fraud. In the U.S. we've already seen this happen with the special chipped keys for new vehicles. The auto makers insisted the technology was unbreakable, and the insurance companies responded in kind by denying theft claims from those victims unfortunate enough to have purchased a vehicle with one of these chipped keys.

    I'm sure the banks are ready to further punish any victims of this broken "unbreakable" bank card system. I'm not British, so I don't know how applicable this is in the UK, but I imagine it is still a problem.

  • The point being... (Score:5, Interesting)

    by Junta (36770) on Monday January 08, 2007 @12:52PM (#17509718)
    That the whole point of this is to demonstrate that if you use the merchant's hardware to enter any personal data, it is *impossible* to be tamper-proof or tamper-evident for sure.

    My vision has always been a smart device with a crypto engine, that provides its own display and entry. It would plug into POS equipment, and tell the POS equipment at first, only enough to identify itself and tell the POS which financial institution to contact.

    The financial institution would receive from the merchant the account holder's ID number and some info about the transaction (i.e. the amount, maybe an interval if a service, maybe a tolerance if a repeating service charge). The financial institute would look up the customer's public encryption key, and use it to encrypt all that data together with a challenge string, and send that back to merchant.

    Merchant relays the encrypted package to the customer smart device. The device then (maybe using a passphrase to decode private key like a pin, but not linked to anything outside the device) uses the private key to decode the data, and display to user what the financial institution thinks the merchant is asking for with a confirmation. If user confirms details, the decrypted challenge is sent to POS and the merchant relays it to Financial institute.

    Financial institute upon receipt of a correctly decoded challenge, authorizes the transaction, and gives the merchant an affirmative response with an authorization code that is *only* valid for that specific transaction.

    Here, the financial institute *only* has the customer private key, so ripping off that database won't give anyone access to the account. The merchant knows they are getting the money, but isn't left with anything they *could* use to get more money than the customer authorizes directly. The only place that has the private key is the customer's smart card, which should *never* allow it to be transferred out (probably should be generated by the card and only the public part uploaded when issued). If using a passphrase for storage of the private key, it even has resistance to physical theft.

    For bonus points (actually, I would pretty much demand it), have it somehow able to plug into usb ports for online transactions. (Of course, online, the customer and financial institute can talk directly, simplifying some of it, but the model need not be changed much for online stuff). Again, the PC would never get the private key, so you would have to use the device.

    I would *pay* an upfront charge to help cover the cost of the device in exchange for such security. If it's half-assed and uses merchant display/entry, or shares the private key *ever* theoretically, I wouldn't.
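The exchange Junta describes above, sketched as an added example (not part of the original thread and not any real payment system's code). The class names, message fields and HMAC-based authorization code are assumptions, the bank holds only the public key as in the comment's issuing step, and the key pair is toy unpadded RSA built from fixed Mersenne primes so the flow runs on the standard library alone; it is not secure encryption.

```python
import hashlib, hmac, json, secrets

# Toy unpadded RSA from two fixed Mersenne primes: insecure, here only so the
# message flow is runnable. A real device would generate its key on-card.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, never leaves the device

class Bank:
    def __init__(self):
        self.pubkeys = {}   # customer id -> (n, e); no private keys stored
        self.pending = {}   # customer id -> (challenge, transaction)
        self.secret = secrets.token_bytes(32)
    def enroll(self, cust, pub):
        self.pubkeys[cust] = pub
    def request(self, cust, txn):
        challenge = secrets.token_hex(16)
        self.pending[cust] = (challenge, txn)
        n, e = self.pubkeys[cust]
        blob = json.dumps({"txn": txn, "challenge": challenge}).encode()
        m = int.from_bytes(blob, "big")
        if m >= n:
            raise ValueError("message too long for toy key")
        return pow(m, e, n)            # only the device can read this
    def authorize(self, cust, response):
        # pop(): each challenge is usable once, right or wrong
        challenge, txn = self.pending.pop(cust, (None, None))
        if challenge is None or not hmac.compare_digest(challenge, response or ""):
            return None
        msg = json.dumps(txn, sort_keys=True).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

class Device:
    def __init__(self, d, n):
        self._d, self._n = d, n
    def respond(self, ciphertext, confirm):
        m = pow(ciphertext, self._d, self._n)
        msg = json.loads(m.to_bytes((m.bit_length() + 7) // 8, "big"))
        # msg["txn"] goes to the device's own display; confirm models the keypress
        return msg["challenge"] if confirm(msg["txn"]) else None

def purchase(bank, device, cust, txn_submitted, txn_expected):
    """Merchant only relays: it sees the ciphertext and the decoded challenge."""
    ct = bank.request(cust, txn_submitted)
    response = device.respond(ct, confirm=lambda shown: shown == txn_expected)
    return bank.authorize(cust, response)
```

If the merchant submits a different amount than the customer agreed to, the device displays the bank's version, the customer declines, and `purchase` returns `None` instead of an authorization code.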
  • by Anonymous Coward on Monday January 08, 2007 @01:01PM (#17509888)
    is that the banks have asserted that if there is a problem then it isn't THEIR fault, since the chip and pin system is hack-proof.

    Either the customer or the merchant gets it in the shorts. NOT the bank. Which is why it was implemented, really.

    Now that the system has been shown to be hackable, this line is no longer good enough and the banks must (but probably won't) take responsibility.
  • Re:liability shifty (Score:3, Interesting)

    by kebes (861706) on Monday January 08, 2007 @01:14PM (#17510106) Journal
    As another poster pointed out, this concept is widespread in Canada. It's called INTERAC and it's so widespread that you can almost not even carry cash.

    In my experience the fraud protection has been really good. If your PIN or card details are stolen, any money lost is reimbursed by the bank. Moreover, when they detect that a retailer is stealing card numbers somehow (which they detect using a program to analyze log files and look for inconsistencies, etc.), they immediately cancel the cards of anyone who used that retailer, and contact the customers to let them know a new card is in the mail.

    So actually the fraud protection is quite good. It's better than cash, in any case. If your cash gets stolen: too bad you lost the money. And if you are given counterfeit bills: too bad you can't use them anywhere. However with Interac when you get defrauded you've got some amount of protection.

    Of course this all hinges on the banks doing "the right thing" (and/or the laws being set up to force the banks to do the right thing). In Canada the system seems to work great. Not sure if it's the same elsewhere.
  • by tepples (727027) <tepples@gmaiBLUEl.com minus berry> on Tuesday January 09, 2007 @01:13AM (#17519100) Homepage Journal

    ...will be a modification to Tetris to make that damn straight-line block appear more often.

    Tetris brand games since Tetris Worlds [tetrisconcept.com], including Tetris DS, already have this modification: the I tetromino is guaranteed to appear once in every group of 7 tetrominoes [tetrisconcept.com]. Thus, if you have one group with the I at the start and one with the I at the end, the longest drought you can get is 12. The more even distribution makes it possible to keep your stack low arbitrarily long [tetrisconcept.com].
