Hardware Hacking Encryption Security

Chip-and-Pin Vulnerable To Subtle Trickery

An anonymous reader writes "Cambridge University researchers, in an investigation for BBC Television's Watchdog programme, have demonstrated a man-in-the-middle attack for the chip-and-pin credit card security system used throughout the UK and Europe. In the attack, the card is inserted into a card-reader that has been tampered with, and the information transmitted in real-time to an accomplice who uses a specially modified card to make a higher-value purchase elsewhere. The modified card-reader shows only the expected amount, but the larger amount is deducted from the victim's bank account. It would not be easy to use this method in practice because the two transactions must be made simultaneously. The same team recently demonstrated a hacked chip-and-pin terminal playing Tetris."
This discussion has been archived. No new comments can be posted.

  • 'Watchdog' tonight (Score:5, Insightful)

    by shrykk ( 747039 ) on Tuesday February 06, 2007 @02:23PM (#17907902)
    This is due to be on 'Watchdog' (a popular consumers'-rights show) in about 45 minutes.

    As I understand it, the point of this research is that the banks have been claiming that chip-and-pin terminals are completely tamper-proof. In fact, while they may be tamper-proof from the banks' point of view (preventing fraudulent transactions by destroying encryption keys if the case is tampered with), they're not from the customers' point of view - a dodgy establishment or criminal employee could clone your card with a terminal that looks legit.

    So, ripping out the innards and putting a machine playing Tetris inside looks silly, but demonstrates that the devices aren't inherently trustworthy. And this is the next step: showing that a card can be cloned and the details used to make a fraudulent transaction using modified hardware.
  • by ds_job ( 896062 ) on Tuesday February 06, 2007 @02:49PM (#17908338)
    The standard response from the Banks is:

    "Our technology is infallible. You *must* have compromised your card / PIN. You will get no refund nor compensation."
    What this does is point out that the first sentence is not correct and that the second does not automatically follow. I am not particularly protective of or abusive towards Chip-And-Pin but the "Nothing to do with me mate. You'll have to prove it." attitude of the banks is kind of annoying. I'm much more happy paying my taxes to find this kind of issue rather than modding the housing to play Tetris.
  • Re:Yes, BUT (Score:3, Insightful)

    by mrcaseyj ( 902945 ) on Tuesday February 06, 2007 @04:01PM (#17909650)
    AC wrote:

    ..if it came to it then at least an expert should be able to spot a forgery in the event of a dispute.
    That won't do you any good because clerks can't distinguish between a legitimate signature and a forged one. Therefore if the owner of a card wants to cheat the bank, they can just sign their own signature with their left hand or something and then deny the charge. If the bank doesn't believe you when you say it was fraudulent then you'll be stuck with the charge (or the store will because they didn't check your ID). The fact that the signatures don't match does you no good.

    Chip and pin is a massive improvement over the insane system we have in the US. It may have been sane back when computers were rare or expensive, but there's no excuse for it now. But chip and pin still has serious vulnerabilities, especially when used over the internet. Even with a card reader on your computer, the fact that operating systems like Windows and Linux will never be seriously secure means that you can't trust that what you see on the screen is what's going on over the wires. It's just a matter of time before the banks finally realize that the only solution is a device you carry with its own small display and keypad. Such a device would have a simple enough operating system and software that it might achieve a fairly strong level of security.

    The other trend I see for the future is many more hackers learning to probe the dies of security chips. With the rapid increase in the number of devices relying on secret keys hidden in security chips, such as credit cards, motherboards, satellite and cable TV, Blu-ray, and more, there will be greatly increasing demand for the ability to extract those keys. Electron microscopes or any other equipment to get into these chips can be bought, borrowed, or even built in one's garage. I'm sure that any chip can be defeated if the hacker has enough samples to work with. I don't know if the difficulty will make it impractical though.

  • by Anonymous Coward on Tuesday February 06, 2007 @04:42PM (#17910310)
    The Watchdog piece was very misleading.

    There's a demonstration of one thing (man-in-the-middle attack on Chip and PIN user) which is either very rare or non-existent in the wild (it's hard to be certain partly because banks are so secretive). That's Slashdot-worthy, but it shouldn't be a surprise to anyone who has used Chip and PIN and thought about it, and the real solution (every user owns their own tamper-resistant terminal) is too costly to consider in the near future.

    To make this demo seem "relevant" to their show though, Watchdog wheels out a completely /different/ thing. A lot of people who definitely did not suffer this attack. Instead they are victims, supposedly, of "phantom withdrawal" in which the user can prove that they were elsewhere, but can't show that they had the card (iirc one of the women interviewed admits she'd lost it) nor that they properly protected their PIN. This "phantom withdrawal" has been a problem for banks for decades and is unrelated to Chip and PIN. There's often no way to tell the difference between trivial fraud by the customer and an accomplice, versus sophisticated fraud by a third party. Banks have taken the position that they do enough to prevent the latter already and courts have tended to agree.

    Similarly, if you're found at home, asleep, covered in blood, with a knife clasped to your chest and the similarly bloody corpse of a teenage girl on your sofa, you'll be unlikely to satisfy a civil court that you were framed by an unidentified third party. You might cast enough doubt to keep yourself out of prison on a criminal charge, but the /balance/ of evidence is against you.
  • by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Tuesday February 06, 2007 @05:54PM (#17911712) Homepage
    Of course if you do £20 - £2000 then you get noticed real quick.

    Do it at a petrol station or somewhere where the price varies a lot, add £1 onto the transaction (screening out the 'obvious' figures to avoid people who put exactly £20 of petrol in for example noticing the error), and have the 'real' transaction come from the 'real' retailer and you'd get away with it for quite a while.

    Petrol station employees are paid minimum wage and not security checked & have an incentive to get involved in this too.

    Don't stay in one place for too long, move around, and with a bit of luck and a following wind you'd be quite rich at the end of it.
