Chip and Pin "Weakness" Exposed By Cambridge Researchers

another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"

Never trust security through obscurity

[dajjhman]

Lots of these systems use proprietary protocols and have pushed out 3rd party verification by researchers. the random number being generated by time? Any serious security auditor would have caught that if the banks allowed them in, one of the golden rules of cryptography is to have a proper random number generator. The contact-less systems in the US came under similar fire this past year, after years of assurances by card issuers that it couldn't happen. http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/ [forbes.com]

Presumed secure = blame the user

[muhula]

In the US, a simple magnetic stripe is used to encode the data, which can be duplicated with little effort. Even if your credit card is swiped at a brick and mortar retailer, this well-known vulnerability gives consumers some credibility against the credit card issuer when they claim to have not made the purchase. The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds since chip and pin was presumed to be secure. From the article, "Others [banks] reported already being suspicious of the strength of unpredictable numbers... If those assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

no liability for banks

[Anonymous Coward]

Canadian banks just snuck in an update to the banking agreements--customer is now 100%responsible for losses with chip and pin cards, no doubt due to the ironclad security.

Re:Wasn't this already covered

[scdeimos]

Maybe you're thinking of this /. story from 2010, which is about a different attack (a MITM that allows the wrong PIN to be verified as correct) from the same Cambridge researchers?

European Credit and Debit Card Security Broken

http://news.slashdot.org/story/10/02/11/2129212/european-credit-and-debit-card-security-broken [slashdot.org]

Re:Never trust security through obscurity

[Anonymous Coward]

What exactly is this 'chip and pin' system in UK apparently. Sounds British (like fish and chips?)...hahaha.

It's referring to a credit card & a pin number combination for security.

Re:Never trust security through obscurity

[Anonymous Coward]

credit and debit card too.

Re:Presumed secure = blame the user

[rover42]

muhula writes: The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds ... banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds Ross Anderson heads the Cambridge group that found this attack and the earlier man-in-the-middle attack (a gadget between card & reader that makes all PIN verifications succeed no matter what number you enter). He's been writing about bank vulnerabilities for years. A famous older paper: "Why cryptosystems fail" http://www.cl.cam.ac.uk/~rja14/Papers/wcf.html [cam.ac.uk] Problems with PIN numbers: http://bits.blogs.nytimes.com/2012/02/20/security-of-self-selected-pins-is-lacking/ [nytimes.com]

Re:Never trust security through obscurity

[lxs]

It's not that they cannot accept card like that, but that the processor will not reimburse the shop in case of fraud. At least that's the case here in the Netherlands.

Its worse - Liability is shifted to the CARDHOLER

[brunes69]

Re-read your chip & PIN liability statements. Chargebacks with chip & PIN are very difficult to do and weighed heavily against the cardholder.

By default, if a transaction is conducted via chip & PIN, the consumer is liable for all charges. The use of a PIN constitutes, in the eye of the bank, de-facto shift of liability for the transaction. In the event of a dispute, it is up to THE CONSUMER to provide evidince that he / she did not perform the transaction. This is a marked shift from the old magstripe / signature liability, where it was up to the merchant to prove that it was you making the purchase in a dispute. Now, it is up to the consumer to prove it WASN'T you - good luck with that!

I am glad people are finally waking up to this because I avoided chip & PIN as long as possible due to this, but it is being rammed down our throats, along with this liability shift, and no one is noticing.

Re:Never trust security through obscurity

[necro81]

IEEE Spectrum reported last year on new RNG tech from Intel [ieee.org], called Bull Mountain, and implemented in Ivy Bridge processors [wikipedia.org]. It uses a large array of cross-coupled inverters. Thermal noise (a semi-random process) causes them to each inverter pair to latch to 1 or 0 very quickly. The inverters are reset, then allowed to re-latch, many times per second. This isn't particularly new. But they also add circuitry that continuously checks the statistical randomness of the output, and combines multiple number streams to ensure maximum randomness. The result then becomes the seed for a more conventional PRNG. The upshot is the ability to produce billions of demonstrably random numbers per second, all in a low-power peripheral on the microprocessor.