
Chip and Pin "Weakness" Exposed By Cambridge Researchers 133

Posted by samzenpus
from the get-them-where-they're-weak dept.
another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"

  • by dajjhman (2537730) on Wednesday September 12, 2012 @11:02PM (#41319927) Homepage
    Lots of these systems use proprietary protocols and have pushed out 3rd party verification by researchers. The random number being generated by time? Any serious security auditor would have caught that if the banks allowed them in, one of the golden rules of cryptography is to have a proper random number generator. The contact-less systems in the US came under similar fire this past year, after years of assurances by card issuers that it couldn't happen. http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/ [forbes.com]
    • by swillden (191260)
      Full specifications [emvco.com] are available. There is no security through obscurity here.
      • by swillden (191260)

        Full specifications [emvco.com] are available. There is no security through obscurity here.

        Doh, managed to delete the rest of my post before submitting. I guess I should actually look at the preview.

        Anyway, the problem here isn't obscurity, it's just implementation errors. Granted that the systems should have been audited.

      • by dajjhman (2537730)

        Full specifications [emvco.com] are available. There is no security through obscurity here.

        Actually, it is obscurity. The specification you linked to was NOT followed by the device manufacturer, they just assumed since they didn't tell anyone they violated a proper practice that no one would notice. The specifications listed by you require devices to adhere to the random number generating requirements outlined in ISO 18031, which the machines did not. This standard mandates an unpredictable entropy source be used as the seed for any random number generating function. The devices were implementing
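
An added example, not part of any comment in this thread and not code from the researchers or any terminal vendor: a defender-side audit of one terminal's logged EMV unpredictable numbers that flags the failure modes raised above, values that behave like a counter or that follow the clock. The log layout (timestamp in milliseconds plus the 32-bit value), the thresholds and the sample data are assumptions constructed for illustration.

```python
import secrets
from collections import Counter

MASK32 = 0xFFFFFFFF  # the EMV Unpredictable Number is a 4-byte field


def stuck_bits(uns):
    """Count bit positions (of 32) that never change across the samples."""
    all_and, all_or = MASK32, 0
    for u in uns:
        all_and &= u
        all_or |= u
    return 32 - bin(all_and ^ all_or).count("1")


def dominant_step_share(uns):
    """Share of consecutive pairs separated by the single most common delta."""
    deltas = [(b - a) & MASK32 for a, b in zip(uns, uns[1:])]
    return Counter(deltas).most_common(1)[0][1] / len(deltas)


def clock_share(samples, tolerance=2):
    """Share of pairs whose UN delta equals the elapsed milliseconds."""
    hits = 0
    for (t0, u0), (t1, u1) in zip(samples, samples[1:]):
        diff = ((u1 - u0) - (t1 - t0)) & MASK32
        if diff <= tolerance or diff >= MASK32 + 1 - tolerance:
            hits += 1
    return hits / (len(samples) - 1)


def audit(samples):
    """samples: list of (timestamp_ms, un) in log order for one terminal.

    Thresholds are illustrative assumptions, not values from any standard.
    """
    if len(samples) < 8:
        raise ValueError("need at least 8 transactions per terminal")
    uns = [u for _, u in samples]
    findings = set()
    if stuck_bits(uns) >= 8:          # large part of the value never varies
        findings.add("stuck_bits")
    if dominant_step_share(uns) >= 0.5:  # behaves like a counter
        findings.add("fixed_step")
    if clock_share(samples) >= 0.5:   # value follows wall-clock time
        findings.add("tracks_clock")
    return findings


# Constructed sample logs (not real terminal data): 16 transactions each,
# a few seconds apart with irregular gaps.
TIMES = [1347490000000 + 4000 * i + (37 * i * i) % 1000 for i in range(16)]
COUNTER_TERMINAL = [(t, 0x00001000 + i) for i, t in enumerate(TIMES)]
CLOCK_TERMINAL = [(t, t & MASK32) for t in TIMES]
CSPRNG_TERMINAL = [(t, secrets.randbits(32)) for t in TIMES]

if __name__ == "__main__":
    for name, log in [("counter", COUNTER_TERMINAL),
                      ("clock", CLOCK_TERMINAL),
                      ("csprng", CSPRNG_TERMINAL)]:
        print(name, sorted(audit(log)))
```

A clean result only means these particular patterns were not seen; it does not certify the generator.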

  • by jenningsthecat (1525947) on Wednesday September 12, 2012 @11:06PM (#41319949)

    All the locks in the world won't keep crooks out of your house if you don't use the locks. Your house may LOOK invulnerable, but one day somebody's gonna try the door, find it open, and steal you blind.

    The same principle applies here - using obvious and predictable 'random' code generation, and relying on people not knowing that's what you're doing, only works for so long.

    And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

    • by Solandri (704621) on Thursday September 13, 2012 @01:17AM (#41320539)

      And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

      If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?

      The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

      • Re: (Score:3, Insightful)

        by drinkypoo (153816)

        Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

        Or the government could quit sucking corporate cock, permitting more players into the game to provide some actual competition.

        • by mcgrew (92797) *

          WTF, moderators? I don't care that drinkypoo is on my freaks list, that was in no way flamebait. He should be modded insightful, not flamebait.

          Please, slashdot, bring back the old style metamoderation! He's right, the CC companies need better regulation (in this case, more regulation) and more competition.

      • by tlhIngan (30335)

        If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After

    • With something as crucial as the nation's payment infrastructure, one might think engineers or computer scientists would have a thing or two to say about it.

      Perhaps they should have a professional body to ensure some level of quality and system review.

      Perhaps they should be regulated like the FDA approves drugs.

      Or perhaps the system works as is and the costs shifted and paid around.

  • by muhula (621678) on Wednesday September 12, 2012 @11:27PM (#41320021)
    In the US, a simple magnetic stripe is used to encode the data, which can be duplicated with little effort. Even if your credit card is swiped at a brick and mortar retailer, this well-known vulnerability gives consumers some credibility against the credit card issuer when they claim to have not made the purchase. The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds since chip and pin was presumed to be secure. From the article, "Others [banks] reported already being suspicious of the strength of unpredictable numbers... If those assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."
    • Re: (Score:3, Informative)

      by rover42 (2606651)
      muhula writes: The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds ... banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds Ross Anderson heads the Cambridge group that found this attack and the earlier man-in-the-middle attack (a gadget between card & reader that makes all PIN verifications succeed no matter what number you enter). He's been wri
    • by Formalin (1945560)

      Hah, yep. I noticed my "agreement of the services" with visa states that if chip authentication is used, it's assumed I authorized it - i.e. there are no fraudulent transactions that use the chip, I'm liable.

      Makes you want to rip the contacts off the card...

      • by pipedwho (1174327)

        This might be true if 'you' used the chip authentication. However, if someone else has cloned your card (however they managed to do it), then 'you' haven't agreed to that transaction, and thus 'you' never used any kind of authentication, let alone "chip and pin".

        • by Anonymous Coward

          lmfao, good fuckin luck getting your card company to buy into that one. Chip & pin is a scam designed solely to remove *ALL* liability of fraud from the card company, after all, it's *your* fault you let your chip get cloned ; )

      • by drinkypoo (153816)

        Makes you want to rip the contacts off the card...

        buy a UV-curing clear coat repair pen, $3 or so, the rest is obvious

      • by mcgrew (92797) *

        That's why I no longer use a debit card, or indeed, any kind of card. Someone watched me enter my PIN, stole the card and some checks, cashed forged checks and withdrew money with the card. I was reimbursed by the bank for the fraudulent checks, but the card cost me hundreds of dollars -- if you have the card and PIN, then you have the right to use it, even if you've stolen both. Worse, it made a check for a downpayment on a car bounce and I almost was liable for a felony. REAL pain in the ass, that cost hu

  • by Anonymous Coward

    Canadian banks just snuck in an update to the banking agreements--customer is now 100%responsible for losses with chip and pin cards, no doubt due to the ironclad security.

    • by alexo (9335)

      Canadian banks just snuck in an update to the banking agreements--customer is now 100%responsible for losses with chip and pin cards, no doubt due to the ironclad security.

      Citation please.

  • by nemesisrocks (1464705) on Wednesday September 12, 2012 @11:32PM (#41320059) Homepage

    The problem with the claim Chip & Pin is more secure, is that the card processors (Visa, Mastercard) used it as a justification to shift liability from the Bank over to the Merchant.

    With swiped transactions, when a customer disputes the transaction, the Merchant isn't automatically liable for the transaction -- they only need to prove the customer actually made the purchase (e.g. producing the signed receipt). With Chip & Pin, the merchant is automatically assumed to be liable, according to the merchant agreement. There's very little a merchant can do to dispute the chargeback.

    • by DeBaas (470886)

      The way I understood it is that the liability shift does not work that way. The least secure is liable. See http://en.wikipedia.org/wiki/EMV [wikipedia.org]

      The supposed increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.[2]

      If a merchant does not support chip and the issuer (your bank) and the acquirer (bank of the merchant) do, the merchant is liable.
      If the acquirer does not support EMV (aka Chip and pin), that bank is liable. Etc.

      So only when the merchant keeps an old terminal that only supports magswipe despite his bank and the bank (/card issuer) of the customer supporting EMV and the

    • by mattsday (909414) on Thursday September 13, 2012 @04:15AM (#41321221)

      I used to work in a store when Chip & PIN was introduced to the UK - after the switchover we were told in no uncertain terms that we would take liability if we didn't use Chip & PIN when it was available (e.g. verify by signature). This makes a lot of sense to me, as some people's signatures had rubbed off and others really didn't match.

      Whenever I go to the US, my card is almost never checked. I usually get my card back before I even sign. There is often zero fraud prevention at the point of sale. Even when they ask for photo ID (rarely) they often just check the picture, not my name or even if it's valid ID.

      From my side, I would consider liability to be very much on a merchant who didn't bother checking properly and reduce it as an incentive to help me reduce fraud (e.g. chip & pin systems).

      • by Mithent (2515236)
        If this story [zug.com] is to be believed, you can get away with signing pretty much anything and it's highly unlikely that anyone will even look at your signature.

        Chip and PIN might not be perfect, but at least it makes it more than entirely trivial to use a card that you've just found somewhere in a store.
      • Don't some of the major processors' merchant agreements forbid ID verification? They don't check your ID because they aren't allowed. A few of my friends think they are smart and put "See ID" in the signature box of their card... right next to where it says "this card not valid unless signed"!
      • my card is almost never checked

        That's because signing the receipt is not for authentication. Read the receipt: you're signing a contract to pay the bank back for the stuff you're buying.

    • by brunes69 (86786) <slashdot@nOsPAm.keirstead.org> on Thursday September 13, 2012 @05:46AM (#41321529) Homepage

      Re-read your chip & PIN liability statements. Chargebacks with chip & PIN are very difficult to do and weighed heavily against the cardholder.

      By default, if a transaction is conducted via chip & PIN, the consumer is liable for all charges. The use of a PIN constitutes, in the eye of the bank, de-facto shift of liability for the transaction. In the event of a dispute, it is up to THE CONSUMER to provide evidence that he / she did not perform the transaction. This is a marked shift from the old magstripe / signature liability, where it was up to the merchant to prove that it was you making the purchase in a dispute. Now, it is up to the consumer to prove it WASN'T you - good luck with that!

      I am glad people are finally waking up to this because I avoided chip & PIN as long as possible due to this, but it is being rammed down our throats, along with this liability shift, and no one is noticing.

      • by Anonymous Coward

        The main problem with chip-and-pin, from the consumer's perspective, is that it shifts the liability onto the CARDHOLDER, not the merchant. The issuers insist that merchants bear the liability for old magstripe transactions, but for chip-and-pin transactions it is presumed that you, the CARDHOLDER, are responsible unless you can *prove* otherwise. That's why the merchants were all so eager to get the chip-and-pin hardware deployed... it reduces their fraud costs (shifting them onto the victim cardholders

    • by DarenN (411219)

      The flip side of this is that the processing fees for Chip & PIN cards are significantly lower. The fact is that fraud is vastly reduced by using Chip & PIN, so the fees charged can account for that.

    • by noc007 (633443)

      As one who worked for a processing gateway in the US, the liability was on the merchant first. When a chargeback is initiated by the cardholder, the funds are taken from the merchant's account and credited to the cardholder's account. If the merchant doesn't have the funds (gateways or processors are pretty strict on them having the funds in case of chargebacks and will hold funds or institute a rolling reserve if the merchant doesn't have the funds or has a higher risk of potential chargebacks), it is on

  • We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.

    Yeah, they pass it along to sellers like me. Almost all fraud gets taken straight out of the pockets of the business owner but hey, we've got money, right? Total bullshit. Well guess what I'm refusing to accept ever under any circumstances.

    • by Rockoon (1252108)
      Fraud is overhead that needs to be paid for regardless of who is left holding the empty bag at the end, and that overhead will always end up being reflected in the retail prices.

      So who better to be left holding the empty bag than the party that has direct control over retail prices, and even some control over who he does business with?
      • by pipedwho (1174327)

        So who better to be left holding the empty bag than the party that has direct control over retail prices, and even some control over who he does business with?

        The answer to that question is: The party that has control over the implementation of the financial transaction system.

        Anything less and there's no incentive for the financial institutions to improve security and reduce overall losses in the system. There is no way a merchant or a consumer has any control over this. The most they can do is refuse to accept 'plastic', but due to the ubiquitous nature of credit based transactions, that would be akin to closing the door on a large portion of their income.

  • by rebelwarlock (1319465) on Wednesday September 12, 2012 @11:51PM (#41320147)
    I like how they highlight "weakness" in the headline, giving it the appearance of being of poor credibility. Can I try?

    BBC is a "news" provider.
    • by Anonymous Coward

      The BBC "always" puts lots of "quotes" around "words" in their titles. I don't know why; it "doesn't" change the meaning "of" the words, it's like the heavy-metal umlaut:.. http://en.wikipedia.org/wiki/Metal_umlaut

      • The quotes indicate that a third party is making the assertion. So the BBC's staff has not looked at the evidence and concluded there is a weakness, the BBC is merely repeating a conclusion reached by others. The BBC has not verified the validity of this conclusion. Therefore the BBC is not reporting this as an established fact, they are reporting that researchers from the University of Cambridge are saying this, and the BBC isn't certain it's a demonstrable fact.

        If you read the full article of any headline t

      • Somehow I usually interpret it as sarcasm, or a euphemism.
        For example: She had some huge "eyes".
        It usually doesn't work, but it causes enough hilarity not to change it.
    • by Anonymous Coward

      I like how they highlight "weakness" in the headline, giving it the appearance of being of poor credibility. Can I try?

      BBC is a "news" provider.

      It simply means the BBC is reporting but not necessarily endorsing the claim. Journalistic integrity many other more sensationalist outlets could learn from!

    • They're called quotation marks. They're quoting the researchers saying that this is a "weakness" in the security of chip and pin cards, in that the researchers used the word "weakness" to describe the vulnerability.
  • And, in fact, the pdf paper that the article links to even mentions it as one of the references.

    This appears to be something new, however

    • That's right, this is at least the second independent way Chip & Pin has been found to be broken. The banks claim to have multiple layers of security, but what they actually have are multiple breaches of security.
  • Folks, I read the paper by Omar and Co in a fair amount of detail. Here is the gist. Some ATMs do not have a true RNG (Random Number Generator), something like FIPS 140.2 compliant. With such defective systems in a particular country, at a particular time and for a particular amount and a system which can do a transaction at mS granularity accuracy an attack is possible. And the card has to be in the system (which is recording) for a longer time than it is for a typical transaction. That is a very NARROW
    • Bhaktha says:

      ...So the title here, in the BBC website and some of the comments are way off.

      I think your analysis makes some valid points but is somewhat complacent. Firstly, I am not convinced that the concept of a corner case is valid in security matters; attackers do not randomly stumble upon vulnerabilities, they assiduously seek them out, and a great many exploits are based on 'corner cases'. If you were ripped off to the extent of your credit limit, would you dismiss it as just a corner case?

      The fact that 'card-not-present' fraud went up is hardly surprising, and not much of

  • I know it happened 12 years ago, but come on, the chip cards with pin have been cracked and crackable for a long time. In 2000, Serge Humpich, a French hacker found a flaw in the chip design and used a Japanese algorithm to factorize the prime used in the chip card.

    In French:
    https://fr.wikipedia.org/wiki/Serge_Humpich [wikipedia.org]
    http://www.bibmath.net/crypto/moderne/cb.php3 [bibmath.net]

    In English:
    http://www.theregister.co.uk/2000/02/26/french_credit_card_hacker_convicted/ [theregister.co.uk]
    http://www.amazon.com/Serge-Humpich/e/B001K7H3DE [amazon.com]

    I remember my r
