Chip-and-Pin Vulnerable To Subtle Trickery 64
An anonymous reader writes "Cambridge University researchers, in an investigation for BBC Television's Watchdog programme, have demonstrated a man-in-the-middle attack for the chip-and-pin credit card security system used throughout the UK and Europe. In the attack, the card is inserted into a card-reader that has been tampered with, and the information transmitted in real-time to an accomplice who uses a specially modified card to make a higher-value purchase elsewhere. The modified card-reader shows only the expected amount, but the larger amount is deducted from the victim's bank account. It would not be easy to use this method in practice because the two transactions must be made simultaneously. The same team recently demonstrated a hacked chip-and-pin terminal playing Tetris."
'Watchdog' tonight (Score:5, Insightful)
As I understand it, the point of this research is that the banks have been claiming that chip-and-pin terminals are completely tamper-proof. In fact, they may be tamper-proof from the banks' point of view (preventing fraudulent transactions by destroying encryption keys if the case is tampered with), they're not from the customers' point of view - a dodgy establishment or criminal employee could clone your card with a terminal that looks legit.
So, ripping out the innards and putting a machine playing Tetris inside looks silly, but demonstrates that the devices aren't inherently trustworthy. And this is the next step: showing that a card can be cloned and the details used to make a fraudulent transaction using modified hardware.
Re:'Watchdog' tonight (Score:2, Insightful)
Re:Yes, BUT (Score:3, Insightful)
Chip and pin is a massive improvement over the insane system we have in the US. It may have been sane back when computers were rare or expensive, but there's no excuse for it now. But chip and pin still has serious vulnerabilities, especially when used over the internet. Even with a card reader on your computer, the fact that operating systems like Windows and Linux will never be seriously secure, means that you can't trust what you see on the screen is what's going on over the wires. It's just a matter of time before the banks finally realize that the only solution is a device you carry with its own small display and keypad. Such a device would have a simple enough operating system and software that it might achieve a fairly strong level of security.
The other trend I see for the future is many more hackers learning to probe the dies of security chips. With the rapid increase in the number of devices relying on secret keys hidden in security chips, such as credit cards, motherboards, sattelite and cable tv, Blueray, and more, there will be greatly increasing demand for the ability to extract those keys. Electron microscopes or any other equipment to get into these chips can be bought, borrowed, or even built in one's garage. I'm sure that any chip can be defeated if the hacker has enough samples to work with. I don't know if the difficulty will make it impractical though.
Re:'Watchdog' tonight (Score:1, Insightful)
There's a demonstration of one thing (man-in-the-middle attack on Chip and PIN user) which is either very rare or non-existent in the wild (it's hard to be certain partly because banks are so secretive). That's Slashdot-worthy, but it shouldn't be a surprise to anyone who has used Chip and PIN and thought about it, and the real solution (every user owns their own tamper-resistant terminal) is too costly to consider in the near future.
To make this demo seem "relevant" to their show though, Watchdog wheels out a completely
Similarly, if you're found at home, asleep, covered in blood, with a knife clasped to your chest and the similarly bloody corpse of a teenage girl on your sofa, you'll be unlikely to satisfy a civil court that you were framed by an unidentified third party. You might cast enough doubt to keep yourself out of prison on a criminal charge, but the
Re:The Tetris hack was a fake (Score:3, Insightful)
Do it at a petrol station or somewhere where the price varies a lot, add £1 onto the transaction (screening out the 'obvious' figures to avoid people who put exactly £20 of petrol in for example noticing the error), and have the 'real' transaction come from the 'real' retailer and you'd get away with it for quite a while.
Petrol station employees are paid minimum wage and not security checked & have an incentive to get involved in this too.
Don't stay in one place for too long, move around, and with a bit of luck and a following wind you'd be quite rich at the end of it.