Typical
Now sit back and watch all the finger-pointing begin, as everyone blames everyone else for the problem and we, the customers, continue to get fleeced by inadequate security.
Security researchers have demonstrated a gaping security hole in Chip and PIN credit card authorisations which undermines trust in the technology as a means to verify retail purchases. Cambridge University security researchers have demonstrated how it might be possible to trick the card into thinking it’s doing a chip-and- …
I remember making a suggestion a while back, in one of the comments to an article, that there could be an issue, and that people should not automatically assume that "Chip & PIN" or any other technology was unbreakable. Several people chose to sneer at my position.
The reality is that there is no such thing as 100% security - all anyone can do is say, "we have not been able to crack it, and are not aware that anyone else has".
Too many people suffer with an almost religious zealotry about security - I do X, I use Y, I have Z, so I am totally secure. Anyone that believes that is suffering with delusions of adequacy; and what is worrying is that they continue to believe the fallacy long after it has been demonstrated that it is not true.
But there you go - the problem is not with the hardware or the software, but with the wetware!
Maybe this (too) is a manifestation of believing something just because it being true would be absfab (and/or the converse too distressing). Other examples of this would be, e.g.:
- Safe and effective diet pills (it seems people continue to buy and use these despite them having been debunked countless times: the idea of getting slimmed down without really bothering with anything so very attractive).
- Medicine/doctors can deal with all ailments in an effective way / hardly ever screw up (a very comforting thought, but the reality is different. An important facet of this particular problem is that this fiction is also quite flattering - not to mention profitable - to the practitioners.)
- How effective shameless flattery (in general) tends to be ...
This story is doing the rounds on the internet at the moment, making very dramatic claims that criminals are going to be using it to grab everyone's money.
If you look at the PDF it shows that you need the following to make it work:
A stolen card
A card reader
A laptop
A custom made board with a programmed FPGA on it
Finally a fake card that goes into the reader with wires attached to it
The only people possibly with enough knowledge to attempt this feat will be, well, an Academic doing research into banking security from the University of Cambridge.
I suspect this is more to do with an academic trying to secure further grant funding for this current research than declaring that every criminal on every street corner now has an easy way to empty your bank account.
Interesting, but there are easier ways to get at other people's money.
So look out for lots of dramatic reporting from the non-tech savvy media like the BBC and the Daily Mail.
Chip and PIN has always been a way for the banks to screw you so they don't have to refund you or investigate transactions.......
You: "I've noticed a few weird transactions on my account."
Bank: "Which ones?"
You: "Well there's one for £110 of petrol but I've never been to Birmingham"
Bank: "It was authorised by pin. We can cancel your card and send you a new one but as for a refund..... better luck next time."
The system will remain weak as long as there are humans anywhere near the payment chain...
Not everyone has a signature card because they can't remember a 4-digit code - some do it so that the bank can't just turn around and say 'your pin was used, therefore it's your fault' when an unauthorized transaction goes through.
I still use Chip & PIN, though my wife has a signature card - I'm thinking about switching back to signature myself though, because I don't particularly care for the way the banks have pushed liability for unauthorized transactions onto us.
Having said that, Chip and PIN can be useful when out shopping - I can just give my card to my wife, say 'you know my PIN', and she can use it...no messing about with signatures!
The problem with signatures is not verification by signature, but that chips are not used in some countries abroad and the system falls back to magstripe.
In the case of a cloned card the signature on the card will be done by the thief, and will not be the signature of the cardholder.
This attack is on stolen cards, not cloned cards.
Signature verification when a chip in the card is used is still reasonably secure, assuming the cashier checks the signature properly - the card is verified as being a real card by the chip, and the signature is verified by the cashier as normal.
Though of course nothing is secure, and attacks are still possible - but liability does not fall on the innocent cardholder here, as the signature can be checked, and the receipt can be tested for DNA, the cardholder's fingerprints, and so on.
For the cardholder, signatures are more secure.
For the banks, they are about as secure if a chip is used to verify a card with a chip, though for a while there was a lot of fraud from cards lost in the post and signed by the thief - however this is fairly easy to defeat and has fallen to very low levels.
The banks' reason for introducing the PIN was twofold: first to improve on the reliability of cashier verification of signatures by replacing them with an automated method, and second to allow unattended automated sales. The former wasn't a great problem, and the latter was scotched - a curious story.
The HO, I think it was mostly, didn't like the idea of unattended automated sales and were going to legislate against it, but the banks convinced the HO that not offering signature verification would contravene the Disability Discrimination Act (somehow!! - but somehow ATMs don't?) and that legislation against unattended payment wasn't needed.
Some petrol stations still use unattended payment (possibly breaking the DDA) but not many, as it's too easy to defraud and the stations are liable when fraud happens.
Yeah, we should all use passwords instead(!) <ahem>
4 digits is OK for a PIN - it's not like you can stand at the ATM/checkout and try and brute force it.
An 'easy' way round this problem is to make customers give their cards to the cashier, who then inserts the card into the reader. The customer then enters the PIN on a separate keypad and the card is returned at the end of the transaction.
Let's face it, there's never going to be a secure way of doing this. However, at least now banks (should!!) have to admit that chip & PIN is not as secure as they made out and take some of the liability themselves.
This research is welcome news.
It's about time that the banks were pricked into realising that just because some ill qualified spokesperson says that it is "secure" - doesn't necessarily make it so.
It's an absolute crime that so many defrauded people have been treated like criminals themselves by banks that have taken no real responsibility for this ill-designed system.
Wankers.
After preventing me renewing my Skype despite using "Verified by Visa", my bank tells me that it does not consider that system "foolproof". In fact it says no system is foolproof - funny how banks usually say the opposite.
So Verified by Visa, which uses a separate secure site with a password only known to the user, is rubbish according to a leading High Street Bank. Thought it was supposed to guarantee secure online transactions.
Last night's Newsnight revealed how this was done and the response of the issuing banks was "it's not our fault, it's a system failure" which I suppose is valid, if a little worrying. Whereas the FSA's response was to stick their fingers in their ears and say "Naaah Naaaah Naaah Can't hear you" Not good enough for a body that is supposed to oversee this kind of thing.
What with this and the much hated "verified by Visa" scheme, I think what needs to happen is that the whole card security thing should be taken away from the banks, analysed by a bunch of people who know what they are doing, come up with a GOOD solution and then dictate to the banks what they should do.
As it stands, and as has been pointed out many many times previously, the existing security measures have nothing to do with security at all; they are all to do with indemnifying the banks against loss. They do not protect the consumer against fraud, and they do not protect the retailer either; the ONLY people that are protected are the banks. This has to change, and clearly the banks are not the organisations to do it.
.....was never about protecting customers, it was all about shifting blame and liability to retailers and customers from the banks."
Customer: "My card has been used fraudulently to purchase something"
Bank: "Our systems indicate that your PIN number was used, nothing we can do"
Customer: "But it wasn't me"
Bank: "Our systems indicate that your PIN number was used, nothing we can do"
Customer: "But it wasn't me"
Bank: "Our systems indicate that your PIN number was used, nothing we can do"
Customer: "But it wasn't me"
Bank: "Our systems indicate that your PIN number was used, nothing we can do"
Customer: "But it wasn't me"
Bank: "Our systems indicate that your PIN number was used, nothing we can do"
and so on...
They showed BBC journos actually doing this for real at the Cambridge Uni canteen - getting cashback as well as paying for goods. Unless the cashier was paying attention (and how often does THAT happen?) it's unlikely that they would notice anything amiss. Let's face it, they're very rarely looking at the card when inserted (as is right and proper - I don't want them watching whilst I enter my PIN), so with a little discretion, they wouldn't notice the gear or that the user was punching 0000 for the PIN entry.
It was interesting viewing, and with some refinement (eg to the equipment used for discretion) could be a significant problem.
The banks immediately came back saying that they can detect these transactions after the fact, but, as the journos stated, none of their "test transactions" were picked up by their banks, all went through without a problem. "Chip and PIN is a secure system" was the quote, I believe...
Kudos to Cambridge uni for showing up the shortcomings here. Added to their blasting of the Verified by Visa / MasterCard SecureCode (or whatever they're called) last week (?), they're on a roll to let people know that the best way to buy anything offline is with paper money, and not to trust the banks to look after our money (like we need extra evidence to that effect!!)
As any fule kno, no system is 100% foolproof and someone was always going to find a way round chip & pin. What's questionable is the card issuers' stance on this - even if it is conclusively proven that their system has holes, will they still refuse to protect their customers who get defrauded in this way?
The card also retains a 'history' of what happened during a transaction - the CVR. This will indicate that the PIN has not been verified. The CVR is sent to the issuer host via the acquirer network, and thus if the issuer system is set up to crosscheck the TVR with the CVR (to ensure consistency in what the card and the terminal are reporting in terms of cardholder verification) this 'inconsistency' will be picked up. The issuer host may then decide to decline the transaction and raise appropriate alerts if need be.
In my opinion - close - but no cigar!
@BruceWayne: The TVR does not contain the method by which the card was verified by the reader (unless verification fails). See the paper for details. If it did it would mean a cheap fix was possible, but I don't think there is one.
The Banks will probably have to replace all the cards and terminals, though they might get away with just replacing the cards and putting something in the IAD, which would however be a less-than-satisfactory solution
@Zerofool2005: Yes, it's not a new attack, but it was demonstrated well and for the first time in public here. I think Steven Murdoch, one of the authors, also did some of the earlier theoretical development.
I do agree that others (Chris Mitchell?) should have been mentioned for previously pointing out the possibility of the attack, but that's maybe because I pointed out the relay attack long before the Cambridge group did their paper on it.
However I wasn't going to demonstrate the relay attack, and hadn't published a paper on it, just posted it to a crypto mailing list.
In their papers cryptologists often take the attitude that it doesn't exist until it's published, which has some merit. But a mention in the footnotes or references would be nice. Otherwise it makes them seem to claim to have invented something when they haven't.
@Homard: TVR stands for terminal verification results, but that doesn't mean much unless you know the context. The paper contains the clearest description of the very complex chip and pin protocol I have ever seen, so if you want to know what a TVR and CVR really are I can only suggest you read it.
I refuse to use Chip-and-PIN - there have been too many verified attacks on the system over the years.
If you press your credit card company, they can issue you with a Chip-and-signature card (also sometimes called a "PIN suppressed" card). Although the card has a chip, every face-to-face transaction is verified by a signature, leaving a permanent paper record which can be inspected later (by the courts if necessary) if the transaction is disputed.
I've had a C&S card for 4 years, and never have any trouble using it. Many cashiers tell me they think it's "more secure" and a "good idea". If you have a C&P card, I recommend calling your credit card company and asking them to send you a C&S card instead.
The whole point of the Chip&PIN system from the outset was not to provide security - anyone with two brain cells connected knew it was only a matter of time. This is just the latest exploit - others have existed for ages. It's over a year since my own card was compromised by a dodgy reader in a supermarket.
The point of the system is to shift responsibility for card security, and any resultant blame and costs, to the customer and leave the banks - who don't know half as much as they think about digital security (and don't much want to know) - to sidestep the problem and concentrate on making profits.
My latest card can be read inches away - I didn't ask for the feature, didn't want it, and am currently trying to arrange a card without it. In the meantime, how long before someone compromises my card while it's still in my pocket?
I've always said that Chip & PIN was always about reducing the Bank's liability to Fraud. Not actually really more secure or reducing Fraud. With a signature you can prove it's not you and get the money back, with Chip & PIN you can't. Thus Bank "Fraud" drops.
Of course RFID for credit/cash cards or passports is even more stupid. It is a technology designed to replace barcodes (which can be photocopied), and RFID is not inherently a technology designed for secure applications. Because an RFID tag is a unique "fingerprint" even if you don't decode it, an RFID "reader" at each location that your "mark" might use lets you track where the RFID is. If the "mark" realises, you could of course be tracking someone else that had the "tag" dumped on them.
"The card also retains a 'history' of what happened during a transaction - the CVR. This will indicate that the PIN has not been verified. The CVR is sent to the issuer host via the acquirer network, and thus if the issuer system is set up to crosscheck the TVR with the CVR (to ensure consistency in what the card and the terminal are reporting in terms of cardholder verification) this 'inconsistency' will be picked up."
Well that's excellent and clearly there's nothing to worry about.
Hang on. Did I spot an "if" in that paragraph? I think I did. I'd say that at least in this bank's case they do *not* run such a comparison.
After all it will no doubt lower their card processing volume.
I've seen this being talked about before. These Cambridge researchers seem to always latch onto something that is like 6 months old.
I've even discussed with my business partner the systems used: "if pin.verified==TRUE { process.transaction }".
Force pin.verified to be TRUE by spoofing etc., and process.transaction will occur.
Don't know if you are being sarcastic, but the DMCA has absolutely been used to suppress research. There are several incidents THAT I KNOW OF (how many that I don't know of, I don't know...) where someone either started research, or had completed research and was ready to present it at a conference, when some heavies show up and are like "if you proceed you will be sued under the DMCA". One of them had the balls to tell them to piss off and just presented the research anyway, but the fact is that people do use it as a threat to stifle research.
Anyway, I don't know if we even have chip and PIN in the States, but I have avoided a debit card for the same reason -- with credit cards, the credit laws are pretty strict: the credit card company assumes liability for any fraudulent transactions. You call them, they take the transactions off your bill and either get the money back or eat it. Debit card? The money's already out of my bank account, and although most banks will put the money back for fraudulent transactions they are not required to.
Maybe I should have worded it "that the DMCA should not be used to stop academic research and that anybody invoking the DMCA should be taken to court for wasting time and money".
It is certainly clear what the DMCA is actually for, rather than what it was sold to the public on - but those of us who saw its rise to become law (even in the motherland) could see that.
FAIL: American govt for continuing to kowtow to big business
Why don't we get the government to design a secure card system that all the banks can use? I'm sure it can't cost that much to set up a little IT contract or three and a few, err, databases and, um, maybe get some biometric scanners, and ...
WTF ????
CVR is what ? TVR = ?
I guess you work in a bank as you can't talk straight.
As to chip and bin, if you use a credit card you are surely protected by the consumer credit act ?
So when they claim they are not liable, you claim you did not receive the goods. It then becomes the problem of the useless wanktards at your bank to recover the monies.
merchant bankers !
People far better versed in the law than either you or I have spent billions (literally) of dollars *ensuring* that when they make the claim "we are not liable," they are correct.
They did this not by ensuring the security was good, but by ensuring their law was.
I guarantee you, if you own a chip + PIN card, even if you cut it up the day you receive it, and a charge appears on your account that is "verified by PIN," you are liable, case closed.
Why the fnord do you think they came out with the thing to begin with?
This is true here as well, (for credit cards at least.) Our Chip-and-Pin debit cards require no activation.
That said an inactivated card is useless to me as well. What I want is the ability to specify "this credit card will only ever be used for online transactions, and no transaction will ever exceed $X" If I have an activated card, even if I cut the physical card up...it can be cloned and used anywhere and I am liable for it.
My bank will not offer me the ability to restrict where my card may make purchases. Instead, I am paying $25 a month to them for identity fraud insurance.
Beer, because banks make me angry, and now I need a pint.
From personal experience, there is a flaw with chip and PIN. I used a terminal at my local fishmonger. Twice it reported that the PIN number was invalid, so I paid with another credit card.
I was billed for both failed payment attempts (as well as the payment on the other card).
Barclays sent me a form which made me basically accuse the shopkeeper of fraud. There was no way to fill it in explaining that Barclays had stolen money from my account, not the shopkeeper.
Barclays refused to accept that it was possible to withdraw funds without a valid PIN being entered - but it is.
I never received a refund.
If your chip and PIN card has been cloned and is then used, you are liable for it. You may have destroyed your original card, but you are still liable for all the fraudulent transactions, because "chip and PIN can't be beat."
The only way to fix chip and pin is NEVER TO GET ONE.
It seems to be said a lot here that the Chip and PIN system wasn't put in place to prevent fraud, rather that it was put in place to shift responsibility for fraud onto the customer. I really don't buy this; there are precious few, if any, reliable/serious people claiming fraud on their cards. In the only time it's gone to court that I am aware of, the person claiming fraudulent use of the card was shown to be a highly unreliable witness.
The main thing that people seem to be overlooking is that there is a banking regulator; one of the main reasons that the regulator is in place is to prevent the banks getting too much power over their customers and imposing unfair conditions. The regulator hasn't performed too well over the last couple of years, with respect to how the banks behave internally wrt trading etc., but this was because they were focusing too much on how customers are treated. If the banks were operating in a way which forced liability onto their customers the regulator would not allow it.
In this case there does seem to be a problem with chip and PIN, but chip and PIN is not fixed in stone; it can be modified to work around problems. One of Ross Anderson's previous papers (cited in this one) showed how to run a man-in-the-middle/relay attack; this was made unworkable in a matter of weeks with an update to the chip and PIN protocol.
Before C&P came into being, if your card was used fraudulently (excluding CNP fraud) the defrauded person only had to ask for a copy of the signature to prove it wasn't them - Very easy to show it wasn't their signature and bank had to cough up.
Now, as there is no "paper" trail you (a defrauded person) have a mountain to climb to prove it wasn't you. Personally I am now going to ask for a Chip and Signature card from each of my card suppliers.
So what you are saying is that with magstripe/signature, if you wanted to defraud a bank all you had to do was mess up your signature and they'd just hand over the cash when you said "fraudulent activity" to them? Do you really believe that it was that simple?
It's just the same now as it was with magstripe and signature, an investigation takes place, sometimes the customer will be required to hand over evidence such as their card etc, the police will probably be involved, CCTV will be acquired if applicable etc. etc. The only change is that there are currently no known frauds that have taken place in chip and pin areas where a customer hasn't in some way handed over their PIN.
I am not on about ME committing fraud, I am talking about fraud committed on my card (or cloned card).
Using the old system of Signature it would be easy for the bank to check that the signature does not match mine and thus give me my money back.
With C&P, as long as the crooks used my pin the bank can stick the story that as it was verified by PIN they will not give my money back. Without CCTV or other visible evidence you're gonna have a very hard time proving your case.
You also said "The only change is that there are currently no known frauds that have taken place in chip and pin areas where a customer hasn't in some way handed over their PIN."
I'd say "There have been no court cases whereby C&P fraud was committed and it was proved that the complainant had NOT in some way disclosed their PIN". The bank(s) chose that case very carefully and deliberately. Anybody who followed it from the start could tell the person was an idiot.
In addition, just because YOU don't know of any frauds capable of being carried out does not mean they don't exist.
A bank will/would not just automatically refund a signature-verified transaction where the signature doesn't match, because of the *possibility* that the card owner has fraudulently used their own card and signed with something that isn't their own signature; furthermore the card has the signature on the back, making it much easier to fraudulently use by clone or theft. Any fraudulent use will be investigated, the same as with chip and PIN, although with chip and PIN your authorisation method isn't written on the card.
Now as to your assertion that the banks carefully chose the case of the guy who claimed that his card had been fraudulently used: they don't get to only have one go at this, that's not how the law works; if someone else comes along with a credible case they also get to take them to court. If lots of credible people complain to the regulator, the regulator will investigate.
I was also very careful not to say that because exploits aren't known in the wild there aren't any; however the lack of credible reports does suggest that there aren't.
I didn't mean to give the impression that a bank would automatically refund; my point was more along the lines of the burden of proof if it came to a court/civil case. It would be easier to prove that it isn't your signature as opposed to proving you didn't input the PIN if no other visible evidence is available to prove it wasn't you.
Also, I agree that the law doesn't work that way; however the banks have only allowed that case to go to court - knowing it was a slam dunk for them. I am fairly sure that there have been a couple or 3 other examples where the card owner has threatened to go to court only for the banks to "refund as a gesture of goodwill without admitting any liability". Unless they are forced to, the only case on the books is the idiot one.
A lack of credible reports only means that they haven't been discovered ;-)
IAD is specified by EMV - a fact they deny then publish later in the paper.
What they have proven here is nothing more than that there is an issuer somewhere who has not passed Visa and Mastercard Certification who is willing to approve transactions from a terminal that they know is PIN capable that they also know has not verified a pin.
And from that they are concluding that EMV is broken - utter rubbish.
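Several comments above turn on the same defensive point: the card's CVR records whether the PIN was actually verified, the terminal separately reports what it did, and an issuer host that crosschecks the two can decline and alert on a mismatch; one reply notes the check only helps "if" the issuer runs it, and the last comment describes an issuer approving a PIN-capable terminal's transaction that it can see verified no PIN. The following is an added example, not code from the thread, the paper or any issuer; it models a simplified issuer-side consistency check on constructed authorisation records. The field names (`terminal_claims_pin_verified`, `card_cvr_pin_verified`, `terminal_pin_capable`) and boolean values are assumptions for illustration and are not the real EMV TVR/CVR bit layouts.

```python
"""Simplified issuer-host crosscheck of cardholder verification reporting.

Constructed model (not real EMV encoding): each authorisation carries what the
terminal claims about PIN verification and what the card's own CVR recorded.
An issuer that compares the two can detect the inconsistency the thread
describes; an issuer that skips the comparison approves everything.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuthRequest:
    txn_id: str
    amount_pence: int
    terminal_pin_capable: bool          # assumed field: terminal can take a PIN
    terminal_claims_pin_verified: bool  # assumed field: terminal's reported outcome
    card_cvr_pin_verified: bool         # assumed field: what the card's CVR recorded


def crosscheck(req: AuthRequest, enabled: bool = True) -> Tuple[str, List[str]]:
    """Return (decision, alerts).

    With enabled=False the issuer behaves like the one the thread suspects:
    no comparison, so every request is approved and nothing is alerted.
    """
    alerts: List[str] = []
    if not enabled:
        return "approve", alerts

    # Terminal says PIN verified, card says it never verified one: the
    # card/terminal disagreement the CVR comment says an issuer can spot.
    if req.terminal_claims_pin_verified and not req.card_cvr_pin_verified:
        alerts.append(
            f"{req.txn_id}: terminal reports PIN verified but card CVR reports "
            "PIN not verified"
        )

    # PIN-capable terminal, no PIN verified by anyone's account: the case the
    # final comment says an issuer should not be approving.
    if (req.terminal_pin_capable
            and not req.terminal_claims_pin_verified
            and not req.card_cvr_pin_verified):
        alerts.append(
            f"{req.txn_id}: PIN-capable terminal submitted transaction with no "
            "PIN verification"
        )

    return ("decline" if alerts else "approve"), alerts


# Constructed sample authorisations (illustrative values only).
SAMPLE_NORMAL = AuthRequest("txn-001", 1295, True, True, True)
SAMPLE_MISMATCH = AuthRequest("txn-002", 11000, True, True, False)
SAMPLE_NO_CVM = AuthRequest("txn-003", 4200, True, False, False)
SAMPLE_SIGNATURE_ONLY = AuthRequest("txn-004", 3000, False, False, False)


def run_samples(enabled: bool = True) -> Dict[str, str]:
    """Decision per sample transaction, with or without the crosscheck."""
    return {
        req.txn_id: crosscheck(req, enabled)[0]
        for req in (SAMPLE_NORMAL, SAMPLE_MISMATCH,
                    SAMPLE_NO_CVM, SAMPLE_SIGNATURE_ONLY)
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("crosscheck enabled" if mode else "crosscheck disabled")
        for txn, decision in run_samples(mode).items():
            print(f"  {txn}: {decision}")
        for req in (SAMPLE_MISMATCH, SAMPLE_NO_CVM):
            for alert in crosscheck(req, mode)[1]:
                print(f"  ALERT {alert}")
```

The signature-only sample is approved in both modes because a non-PIN-capable terminal reporting no PIN verification is consistent; the point of the check is agreement between the two reports, not the presence of a PIN.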