Forgot your password?
typodupeerror
Security Encryption The Almighty Buck IT

European Credit and Debit Card Security Broken 245

Posted by timothy
from the pounding-marks-for-euros dept.
Jack Spine writes "With nearly a billion users dependent on smart banking credit and debit cards, banks have refused liability for losses where an idenification number has been provided. But now, the process behind the majority of European credit and debit card transactions is fundamentally broken, according to researchers from Cambridge University. The researchers have demonstrated a man-in-the-middle attack which fooled a card reader into accepting a number of point-of-sale transactions, even though the cards were not properly authenticated. The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."
This discussion has been archived. No new comments can be posted.

European Credit and Debit Card Security Broken

Comments Filter:
  • by LostCluster (625375) * on Thursday February 11, 2010 @05:52PM (#31105626)

    Seems like the problem with this system is that the problem is that the PIN is stored on the chip... and that's just as stupid as writing it on the card! The attacks are simple... either a card that always agrees the PIN given is correct, or a terminal that tries to authenticate all 10000 PINS and then learns the right one.

    Payment processors have for years been wanting to have an offline secure system, but it just doesn't work. With cheap enough data systems available everywhere, it's not hard for every Wal-Mart most rural gas stations to see a satellite. Get a $20/mo. dial-up account if you have to... there's no reason for anything that does money to be off the grid.

    If the PIN is stored online like traditional ATM cards, then there would be a quick way to be sure there's honest checking of the pin and alarms if somebody fails too many times. The American "contact" systems are actually reasons to not require a signature or a PIN... but those are also designed for small-dollar transactions and keeping the fast food line moving. Sure, they're open to cloning risk, but they're willing to take that downside because there's enough upside to using the system.

    • There are plenty of modern cryptographic systems that could provide offline security, perhaps in the form of a chip.

      Unfortunately, credit and debit card systems are not modern.

      • Re: (Score:3, Informative)

        by LostCluster (625375) *
        Citation needed... how do you verify a pin without trusting the card or having online access?
        • Re: (Score:2, Informative)

          by Anonymous Coward

          Three words: Public Key Encryption.

          • Re: (Score:3, Funny)

            by Cryacin (657549)
            I bet the guy that signed off on the pin being stored on the chip is the same moron who's password is 1,2,3,4,5,6 and has it written on a post it note stuck to his monitor.
          • and what if people clone the card? then they have a card with the same Key...
        • by MobyDisk (75490)

          The reply about public key encryption is right. But to expand on it, I've seen this called the "digital cash problem" and it is also the same thing as the offline verified voting problem. There's a whole series of problems that boil down to offline verification of something unique. It can be done, but it requires a public key infrastructure and good use of encryption. It's not trivial to do, but it could be done. It's just that... no commercial company so far has had any desire to do it.

          • Re: (Score:3, Insightful)

            by LostCluster (625375) *

            I think voting has been more or less "solved" with paper ballots, and a person and machine that will help you mark a paper ballot should you need assistance.

            • by gnud (934243)
              Just like offline money is solved with... well, cash.
            • by cduffy (652)

              Umm. I wouldn't call paper ballots alone a "solution" to the issue of voting security.

              There are means for generating cryptographically secured paper ballots -- see PunchScan, for instance, which allows you to take a (paper) receipt with you which you can use to prove that your vote was correctly recorded, but which can't be used to prove how you voted to others.

              I think there's no question that a paper voting system which incorporates those features is better than one that does not, so claiming that using pa

    • by Spad (470073) <slashdot@sp[ ]co.uk ['ad.' in gap]> on Thursday February 11, 2010 @06:01PM (#31105792) Homepage

      RTFA. The problem isn't that the PIN is "stored on the card", it's that the card doesn't send any unique data to the terminal when the correct PIN is entered, it just sends a "Correct PIN was entered" message instead.

      So, you stick something between the card and the terminal (the laptop) that intercepts the "Wrong PIN was entered" message from the card and forwards a "Correct PIN was entered" message to the terminal instead.

      TBH I'm rather surprised that any information is allowed to be pulled off the chip without the PIN authenticating the user first; if you had to provide the correct PIN before the card would provide any information it would make it much harder to carry out the fraudulent transaction.

      • by LostCluster (625375) * on Thursday February 11, 2010 @06:07PM (#31105914)

        No. The problem is that the terminal isn't validating the PIN against anything it can trust... it's sending the entered PIN to the card and trusting the result returned, which can easily be spoofed. If the PIN was server-side, it could trust a results-only message... but that's not what's happening here.

        • Mod parent up. He actually RTFA and surmised the problem.

          And given the MitM attack, there's no fixing this one easily at all. 2600 ought to have the details shortly.

        • by shentino (1139071)

          Far better would be for the card to not give out the card number without a correct pin.

      • by Spad (470073) <slashdot@sp[ ]co.uk ['ad.' in gap]> on Thursday February 11, 2010 @06:09PM (#31105936) Homepage

        Replying to myself, if you read the PDF it details the process on page 3; the card actually does almost all of the transaction work before the PIN is entered, all the PIN enables is the "Is this transaction allowed? Yes, it's allowed. OK" part of the process.

        • Yep... and the "attack" is that anybody, the chip or anybody else can send the in-the-clear "OK" message and the terminal goes through with the transaction. Essentially, the PIN check is a "feel good" level of security that doesn't protect against much.
          • by spun (1352) <loverevolutionary@@@yahoo...com> on Thursday February 11, 2010 @06:37PM (#31106324) Journal

            It seems this system was designed expressly to limit bank's liability by providing the illusion of security. "Oh, fraudulent charges, are they? But you entered your PIN... Can you prove your PIN was compromised? no? Tough then, pay up."

            • by Anonymous Coward on Thursday February 11, 2010 @07:42PM (#31107270)

              and this actually happens quite a bit, we usually pay out unless

              it matches the customers spending pattern,
              they tell us they kept the pin with the card,
              a family member was doing it.

              • it matches the customers spending pattern

                What does that have to do with it?

                How many of us here on Slashdot save up for a while then periodically buy some pricey electronics gear either offline or from an online store? What do fraudulent purchases look like? Oh hey, it fits your spending pattern!

            • by shentino (1139071)

              And you're stuck with 50 dollars no matter what, thanks to the banks lobbying.

              I will never ever use a debit or credit card again, thanks to what I have found out today.

      • by jonbryce (703250)

        The information isn't being pulled off the chip. That's the point. You have something that simulates a chip saying the PIN was correct, regardless of what you enter.

      • by tg123 (1409503)

        RTFA. The problem isn't that the PIN is "stored on the card", it's that the card doesn't send any unique data to the terminal when the correct PIN is entered, it just sends a "Correct PIN was entered" message instead.

        So, you stick something between the card and the terminal (the laptop) that intercepts the "Wrong PIN was entered" message from the card and forwards a "Correct PIN was entered" message to the terminal instead..............

        Please mod this up this is the point the article is trying to make.

        All that needs to happen is the message Pin Verified or a similar message is sent to the EFTPOS terminal and the transaction goes through.

    • Re: (Score:3, Interesting)

      by mlts (1038732) *

      How about storing the PIN similar to how TrueCrypt validates a hash? One value is a random salt, which is decrypted by the PIN the user types in, and that is compared to the second value. Add in a number of rounds to help deter brute forcing.

      However, what really is needed is for the smart card to either delay access with an exponentially increasing time, or after 3-5 bad guesses, the card blocks access to the PIN, until released by the provider, similar to how GSM SIM cards work.

      Best of all worlds is if t

      • by Rophuine (946411)
        The PIN storage or retry delay is not the issue. Cards ALREADY block access to the PIN after several failed attempts. The problem is that the bank is not able to detect that the card was never presented the PIN in the first place. The terminal thinks the PIN was verified, but it never gets passed on to the card.
    • by shentino (1139071) on Thursday February 11, 2010 @07:44PM (#31107296)

      The problem is that the server storing your account information is trusting the terminal.

      If the terminal can get away with trusting the signal it's getting from the card, then it's actually possible for a counterfeit terminal to rob you without even having the card.

      • No, the whole protocol is designed such that the important information is exchanged in authenticated packets between the chip on the card and the issuer's servers, with the terminal acting as a dumb relay. The terminal could not perform any transactions without a genuine card if there had not been the 2010 mishap: That caused the mag-stripe authentication to be reactivated. Once that problem is solved and the non-chip authentication methods are finally disabled, a transaction will require a genuine card, no

    • by tomtomtom (580791)

      Given that it's trivial for people to shoulder-surf your PIN anyway (especially for people with "inside" access like security camera operators), the system is fundamentally broken.

      The more interesting question is how hard it is to duplicate a Chip and PIN card; without this, criminals would need to physically steal the card (which of course can and does also happen, often without the victim realising for a few hours). At the moment, (at least from my understanding), the most common form of fraud involves th

  • They finally figured out how to bail themselves out
    • Re: (Score:3, Insightful)

      by LostCluster (625375) *

      They finally figured out how to get someone to bail them out

      There... fixed that for you.

  • by Anonymusing (1450747) on Thursday February 11, 2010 @05:56PM (#31105696)

    FTA: "The central problem with the EMV protocol is that it allows the card and the terminal to generate ambiguous data about the verification process, which the bank will accept as valid... while a PIN must be entered, any PIN code would be accepted by the terminal."

    That's a serious flaw. You've got to insist on data being valid if you are going to record it as valid.

    It's a good thing that we don't rely on ambiguous data in any other part of life.

    • by Atryn (528846)

      It's a good thing that we don't rely on ambiguous data in any other part of life.

      You aren't married, are you? Atryn

  • by kclittle (625128) on Thursday February 11, 2010 @05:58PM (#31105736)
    ... blame Python! :)
    • Re: (Score:3, Funny)

      by FooAtWFU (699187)

      You know, they say a lot of things about Python, but at least it doesn't name two of the most basic and important language operations after the contents of address register and contents of decrement register like some (otherwise-spiffy (if you overlook the (numerous) parentheses)) languages out there.

      (Just the contents of cash register, apparently.)

  • by OglinTatas (710589) on Thursday February 11, 2010 @06:01PM (#31105806)

    The researchers used off-the-shelf components (PDF), and a laptop running a Python script...

    It is long past time for governments to criminalize the use of Python.

  • by davebert (98040) on Thursday February 11, 2010 @06:02PM (#31105808)

    Chip & Pin has never been about minimising fraud - it's about pushing the responsibility from the banks onto the customers. And they're doing the same thing with the ridiculous Verified By Visa programme which just trains people to fall for phishing scams.

    • Like I said elsewhere, this is from the branch of security known as "false sense of". If you're constantly troubled for a PIN it means you'll feel safer... but when that PIN isn't needed by the fraudster we're back to the same point we were with "dumb" cards.

    • Verified By Visa came up here recently.

      The critical passage from the PDF is this one:

      One goal of EMV was to externalise the costs of dispute from the issuing bank, in that if a disputed transaction has been authorised by a manuscript signature, it would be charged to the merchant, while if it had been authorised by a PIN then it would be charged to the customer. The net effect is that the banking industry, which was responsible for the design of the system, carries less liability for the fraud. The industry describes this as a 'liability shift'.

      Security economics teaches us that such arrangements create "moral hazard," by insulating banks from the risk of their poor system design, so it is no surprise when such plans go awry.

      The main security fraud taking place here is duping the customers (and the courts) into thinking there's any security associated with the PIN protocol in the first place.

      Let's make this clear to the court, in terms they might be able to comprehend.

      Let's say you have a band of tax evading Massachusetts patriots concerned with the migratory cycle of lobsterbacks. They approach a fellow named Paul and tell him that they have

  • Not News (Score:4, Informative)

    by sexconker (1179573) on Thursday February 11, 2010 @06:03PM (#31105838)

    This is not news.
    This is the way the system was designed.

    It was designed to be shitty and insecure so fraud could continue.
    It was sold as being highly secure in order to get them into widespread use and to get the laws set up to remove all liability from the banks as long as the system says the card is good.

    The banks profit off of fraud.

    This is all intentional, and it has been going on in criminal circles with these cards before day one. The only difference now is that some group has publicly revealed the sordid details.

  • Figures... (Score:5, Funny)

    by DoofusOfDeath (636671) on Thursday February 11, 2010 @06:05PM (#31105864)

    Leave it to an English university to focus on phish and chips...

  • well done Steven J. Murdoch, Saar Drimer, Ross Anderson, Mike Bond

    please dont sell out now !

    make sure that they publish and do so in a Open and transparent their new system !

    regards

    John Jones
    http://www.johnjones.me.uk

    p.s. i wonder what they 'purchased'

  • Agree that these "security systems" are about dodging liability rather than providing good security. Of course, another big benefit to the bank is that it makes it much harder to transfer money over small amounts, say $1000, if you can't go to the office physically or don't use their "verification card". Money that the banks won't give back easily.
  • Canada too? (Score:2, Informative)

    According to http://www.visa.ca/chip/cardholders/emvstandard/index.jsp [www.visa.ca], the EMV Chip & PIN standard is also used in Canada, not just Europe.
    • by TheSpoom (715771)

      VISA et al seem to be trying to break into the Canadian market, which is fundamentally dominated by Interac [interac.ca], another PIN-based debit system run by a coalition of banks. Almost every merchant in Canada (or at least Ontario) have Interac POS readers. It should also be noted that most Canadian bank cards aren't backed by VISA / MasterCard (like they are in the United States), they're simply debit cards, linked directly to bank accounts.

      • by TheSpoom (715771)

        (Note that this applies only to bank cards; credit cards are still run by VISA and MasterCard primarily.)

      • Visa and MasterCard debit cards in the United States are also basically directly linked to bank accounts. The logo basically just means your transaction will work as a fake "credit" transaction at Visa/MasterCard merchants who don't have debit support, or when you don't feel like entering your PIN. Or so I understand.

    • by DotNM (737979)
      Yes, this is in effect in Canada too. I have a BMO Bank of Montreal MasterCard and BMO Bank of Montreal debit card, and both are chip and PIN enabled. There's even a website with a bunch of information and FAQs on chip and PIN: http://www4.bmo.com/chip/questions.html [bmo.com] Full disclosure: I am a Bank of Montreal employee, but from my understanding, all major Canadian banks will be following suit if they haven't started already.
  • by segedunum (883035) on Thursday February 11, 2010 @06:26PM (#31106172)
    This has been known for years. The machines and man-in-the-middle attacks are obvious, simply because you cannot verify the authenticity of any machine that you stick your card into and type your PIN. You have no clue that any one of them is doing what you think it should be doing. ATM machines are bad enough, but at least there is some sort of trust over the fact they are at a fixed point and there is some form of physical security around them. With chip and pin machines all you have is utterly blind faith that you have no choice but to accept, and then you get blamed for being insecure by the banks when the inevitable happens.

    What have we heard about this in the mainstream press and media? Nothing. People, and those with a vested interest, obviously just want to deny that it can happen.
    • by spun (1352)

      You know what helps you sound informed and intelligent? Reading the article. You know what makes you sound, well, silly? Not reading the article. Here's a clue to spark your interest: it isn't the card readers that are performing the man in the middle, it is the person in possession of the card performing the attack against a standard card reader.

    • Re: (Score:3, Interesting)

      This doesn't seem like the average attack we see in the United States, where a false card reader and camera copy a victim's credit card stripe and PIN respectively. I'm by no means an expert in Chip and PIN, but Wikipedia indicates that the smart card chip is much more difficult to copy than the US's magnetic stripes:

      http://en.wikipedia.org/wiki/Chip_and_pin [wikipedia.org]

      From the text:

      "Once the card has been verified as authentic, the customer enters a 4-digit PIN..."

      It doesn't say whether all the credit card informa

      • by spinkham (56603)

        Chip and pin is definitely better then card swipe, or card swipe and pin.

        The only problem is the banks are treating the increase in security as absolute security, and refusing to handle any fraud concerning a chip and pin transaction.

        • by russotto (537200) on Thursday February 11, 2010 @07:24PM (#31106986) Journal

          Chip and pin is definitely better then card swipe, or card swipe and pin.

          Card swipe and PIN appears to be better. While I can easily copy a card, there's no way I can manufacture a card which will work with any PIN.

          The only problem is the banks are treating the increase in security as absolute security, and refusing to handle any fraud concerning a chip and pin transaction.

          This is one of the areas where the US is actually ahead of the game. For credit cards, there's $50 liability maximum for the cardholder. For ATM/debit cards, it's also $50 if you notify them within 2 days, but $500 if you notify them within 60 days, of finding out about it. They can't just say "Impossible" and have you jailed for having the temerity to claim a charge was fraudulent (as has happened in the UK).

          • Re: (Score:3, Informative)

            by cdrguru (88047)

            I have encountered credit card fraud quite a few times - maybe 7-10 times in the last 10 years or so. Everything from having a card stolen to the number being used fraudulently by someone online.

            I have never experienced, nor has anyone I have ever encountered, any penalty at all. The $50 limit is an upper limit, apparently if the credit card issuer seems to think you are somehow complicit in the fraud. I've never had anything happen other than simply having the charges removed from the account. And gett

            • Re: (Score:3, Interesting)

              by russotto (537200)

              This combination of cardholders not being penalized and large merchants having insurance is why the current rampant fraud situation and stolen credit card number market is how it is. You can make hundreds of dollars by selling credit card numbers and other information, and plenty of folks do just that. It's extra money. You didn't really think the waitress was getting by on just tips, did you?

              Penalizing the cardholder doesn't help at all. How can I, as a cardholder, prevent a crooked waitress from swiping

    • by T Murphy (1054674)
      I see the importance of this not to be what kind of attack they used (other than being relatively simple), but the fact that they are proving these cards aren't as secure as they're claimed to be. It's the difference between knowing Capone did it and finally getting evidence that will stick.
    • by Peter H.S. (38077) on Thursday February 11, 2010 @08:20PM (#31107722) Homepage

      This has been known for years. The machines and man-in-the-middle attacks are obvious, simply because you cannot verify the authenticity of any machine that you stick your card into and type your PIN. You have no clue that any one of them is doing what you think it should be doing. ATM machines are bad enough, but at least there is some sort of trust over the fact they are at a fixed point and there is some form of physical security around them. With chip and pin machines all you have is utterly blind faith that you have no choice but to accept, and then you get blamed for being insecure by the banks when the inevitable happens.

      Please note that while this is a MIM attack, neither the ATM nor its communication links are compromised. The MIM part is in the _card_, that gives out an "This is a valid transaction PIN code" no matter what. So attach a fake card to some wires running up your sleeve into a laptop and FPGA in a back pack, and and you can draw money from the account to the maximum limit with a fake card and without entering a correct PIN code.

      The sad thing is that the banks are in total denial about this, claiming that since no such attacks have been discovered, the problem doesn't exist.

      --
      Regards

      • by JackHoffman (1033824) on Thursday February 11, 2010 @10:13PM (#31108676)

        Doesn't anybody read the paper?

        You can not use a fake card. You need a genuine card. The MITM is between the genuine card and the terminal. The transaction goes through because "chip and PIN" isn't the only acceptable protocol. The card can also be used in combination with a signature instead of the PIN. The trick is to make the terminal think that the card is using PIN authentication while the card actually performs the (authenticated!) chip and signature protocol.

        The bank usually gets the information that no PIN was sent to the card, but this information is not relayed back to the terminal in way which is both standardized and authenticated. The "PIN-OK" message from the card to the terminal is not authenticated and the authenticated transaction request/accept messages between the card and the bank (through the terminal) only contain the information in an unstandardized format. That's the flaw.

        • by Peter H.S. (38077)

          You can not use a fake card. You need a genuine card

          I read the article, to quote it:
          "Once the fake card was inserted, the Python script running on the laptop relayed the transaction, suppressed the verify PIN command issued by the terminal, and responded with the 0x9000 code."

          You also need a genuine card, but the one you insert in the ATM is a fake as I wrote. Obtaining genuine ATM chip cards has never been a problem for criminals, but using them has. This flaw allows criminals to withdraw money from a gen

  • chip and pin fail (Score:2, Interesting)

    by Carus (1707262)
    http://www.youtube.com/watch?v=U1QAnb-wnTs [youtube.com] ohhhhhhhhhhhhhhh CHIP AND PIN FAIL
  • Simple Solution (Score:2, Redundant)

    by bill_mcgonigle (4333) *

    and a laptop running a Python script

    So, classify Python as a criminal tool, problem solved.

    (the rule that you have to mention Python at every possibility cuts both ways).

  • by Animaether (411575) on Thursday February 11, 2010 @08:28PM (#31107816) Journal

    I'm just curious as the article summary and article don't mention (I guess the PDF might, but from the article's description, it isn't clear)...

    Do they still need the card?

    The article seems to describe the attack as a man-in-the-middle attack.. i.e. card -> their device -> the card reader/writer. So the card instigates all the important bits (which back account number, etc.), and then their device sends back an 'OK' to the card reader/writer, happily ignoring the PIN part.

    But does that mean they do still need to have a card? Or could they easily make their own card with the details of whoever (let's say they grab the bank account # off of some business registry website), and then go ahead and perform transactions with it + their device?

    • Yes, they still need the card. The card performs a "chip and signature" protocol with the bank. In the "chip and signature" protocol as well as in the "chip and PIN" protocol, the chip on the card uses a secret symmetric key to create a transaction-specific message authentication code. The bank will not accept the transaction without that code. The attack is to have the card perform "chip and signature" while the terminal performs "chip and PIN". The protocol flaw is that the terminal cannot tell that the c

  • Slightly wrong (Score:3, Interesting)

    by Anonymous Coward on Thursday February 11, 2010 @09:15PM (#31108264)

    The article states that the banks dont accept liability for a transaction performed with PIN. This is true however the liability isn't pushed to the consumer, it is accepted by the card issuer instead (i.e. mastercard, visa etc.).

    I also disagree with their assertion that chip and pin is fundamentally broken. EMV requires the card to generate a cryptogram at the end of the transaction. The card can simply refuse to generate this data if it hasn't received the correct PIN. I am a little suprised that the cards they tried don't do this already.

    Some people here have suggested that the PIN be authenticated online. The EMV standard actually supports online authentication of PIN, its just that some banks choose to issue cards that use a PIN that is verified by the card instead because they don't have the systems in place to support online verification. Many banks

    For all the people saying that the designers of the system dont know what they are doing i suggest they read the specifications (freely available on the emvco website). They are actually quite good and do support pretty much all of the improvements people here have suggested (and more). The problem is they need to be practical as well, something that most comments here don't consider. There is no point designing a foolproof system that no-one can use.

    This hole can be removed and it most certainly will be if criminals start to exploit it.

  • Credits cards have always had this problem.

    The reason this works with credit cards is little or no checking is done at the place of purchase. It is expected that the customer will check there monthly statement and notify the bank / credit company of any issues.

  • "The researchers used off-the-shelf components (PDF), and a laptop running a Python script, to undermine the two-factor authentication process on European credit and debit cards, which is called Chip and PIN."

    Oh some Americans already have a similar system. It's called Ball and Chain. Courtesy of this system there's little fraud because all transactions are wife approved.

  • by dugeen (1224138) on Friday February 12, 2010 @06:40AM (#31111068) Journal
    The idea of forcing people to enter PINs into any machine controlled by a retailer was ridiculous from day one - the supposed extra security of Chip & Fraud was merely a way for the banks to transfer liability for fraud to the customer. (Happily the FSA has now forbidden them to do this unless they have actual genuine proof that the customer gave away their PIN - well done guys, springing into action after only 4 years of complaints).

If you had better tools, you could more effectively demonstrate your total incompetence.

Working...