Hardware Hacking Encryption Security

Chip-and-Pin Vulnerable To Subtle Trickery

An anonymous reader writes "Cambridge University researchers, in an investigation for BBC Television's Watchdog programme, have demonstrated a man-in-the-middle attack for the chip-and-pin credit card security system used throughout the UK and Europe. In the attack, the card is inserted into a card-reader that has been tampered with, and the information transmitted in real-time to an accomplice who uses a specially modified card to make a higher-value purchase elsewhere. The modified card-reader shows only the expected amount, but the larger amount is deducted from the victim's bank account. It would not be easy to use this method in practice because the two transactions must be made simultaneously. The same team recently demonstrated a hacked chip-and-pin terminal playing Tetris."

  • by Technician ( 215283 ) on Tuesday February 06, 2007 @02:22PM (#17907878)
    Someone with a close eye on their account will notice the missing money and pull up recent transactions online. Armed with receipts and a printout of the impossible to make dual purchases with one card in two locations, the compromised machine can be shut down (de-authorised) and legal proceedings started. This attack has a name attached to the business using the terminal.

    The attack is proof of concept, but it leaves too much of a trail.

  • nothing new here (Score:2, Interesting)

    by mgb ( 30386 ) on Tuesday February 06, 2007 @02:56PM (#17908492) Homepage
    So this along with the Tetris hack basically says if you are a retailer and have access to a terminal or other means of getting hold of a person's credit or debit card then you can potentially do lots of dodgy stuff. Who knew!!!
  • by iangoldby ( 552781 ) on Tuesday February 06, 2007 @03:21PM (#17908908) Homepage
    I wonder if you have misunderstood what is going on here.

    There is no connection between the bank and the card-reader that has been tampered with. As far as the bank is able to see, there has been a legitimate transaction for £2000. As far as the victim sees, the transaction is for only £20 (until he receives his statement one month later).

    The point is: the actual transaction is £2000. The trickery is making the victim believe he is authorising a transaction of only £20 by presenting him with a fake terminal.

    I believe also that this hack does not allow the card to be copied. My guess is that there is a one-time transaction code that the researchers cannot (yet) reproduce - remember this is a man-in-the-middle attack. That's why the victim's apparent authorisation of the £20 has to coincide with the real authorisation of the £2000.
  • I don't get it (Score:3, Interesting)

    by giminy ( 94188 ) on Tuesday February 06, 2007 @03:48PM (#17909400) Homepage Journal
    This is neat, but it's not exciting. I've written a smartcard proxy service that could also be used for evil. It works by capturing the client certificate request from a TLS handshake, and sends the signed response to the server (some older web apps don't know how to use PKCS#11 libraries, which is what this is used for... it strips the client cert request out of the handshake so the client is none the wiser). I could rewrite my proxy to sign all kinds of data with the smartcard once the user gives the proxy his/her PIN... I could log on to banking sites and transfer money to me, buy stuff, essentially anything that the computer could do, and not inform the user.

    I think Bruce Schneier's paper [schneier.com] said it best. Sure the card is trustworthy, but when you're using any kind of smartcard, the card isn't the trust boundary. The card plus the computer (or pinpad in this case) that you're using it on is your trusted device conglomerate.

    I think the real demonstration of this attack is that pinpads have vulnerabilities. Even that isn't earth-shattering. So does everything else where physical access is granted.

    Which isn't to say that it isn't newsworthy (people should definitely be careful where they stick their card), but it does feed into idea #4 on the six dumbest ideas in computer security [ranum.com].
