At last! A way to own an iPad.
Computer scientists from Cambridge University have rebuffed attempts by a banking association to persuade them to take down a thesis covering the shortcomings of Chip-and-PIN as a payment verification method. Omar Choudary's masters thesis contains too much information about how it might be possible to fool a retailing …
They aren't worried about people using this information to circumvent the technology.
They're worried that people might use it as evidence that they were actually scammed. This will mean that the banks have lost their get out of jail free card and wont be able to just blame the card holder for any loses.
They're crapping themselves that they might actually have to compensate customers.
Banks have to show that a customer was the cause of the fraud, not vice versa. The burden of proof lies upon the bank, they have to prove the customer was in the wrong. This was even written into law over a year ago.
I've lost count of how may times I've said this, it still comes up again and again by those who find it fashionable to slag off the banks because, they're like "the man" dude.
....banks have to show that the customer is the cause of fraud - true
How is this proved? If a PIN is used. The customer must have disclosed (by some means) their PIN.
Ergo, if it's a chip+PIN either it is a valid transaction or the customer is at fault. Either way, the bank does not care and the law is useless (the transaction was authorised by the PIN and that should only be known to the customer).
The banks are not "the man", they simply own "the man".
*IF* the PIN was stolen, the PIN was written down.
If the PIN was written down, the customer was negligent.
As there is no way (according to the banks) for the PIN refactored ar machines compromised, the customer *MUST* have been at fault if they ever query a transaction where the PIN was used.
It really is that simple.
instead of demanding it be taken down, more banks give us the super secure method of payment they promised us with Chip and PIN!
Having said that, it's still more secure than the previous method. I remember the times cashiers actually checked the signature on the card and slip as being the exception.
Indeed. Just before the introduction of Chip and Pin my gf had broke her leg so when we went out socialising together I would go to the bar when it was her round and pay with her card. I always signed my own name and NEVER had any problems. Even the ~50% of times the person processing the transaction would go through the appropriate hand and eye motions to 'check' the signatures matched.
Having just read the thesis, I think it's disturbing that no action is seemingly being taken by the banks. The banks seem to be assuming (at least publicly) that fraudsters are too stupid to exploit this, a policy that I think is a little on the, well, naive side.
But also quite disturbing to me is the fact that this flaw doesn't seem to be reported more widely. It was published at the beginning of the year but I only heard about it today! Surely the Daily Mail and the like should be screaming loudly about our insecure debit cards by now, forcing the banks into action?
Fail because the whole thing smells pretty badly. Kudos to Cambridge for sticking up for its' researchers though.
1) Banks don't tend to tell everyone the updates they've made to their systems, so contrary to what Prof Anderson says, we don't know the status of the roll out of the fix, except for on PEDs his guys have tested.
2) The complexity of carrying out a firmware upgrade to a couple of hundred thousand devices is massive, especially in a (rightfully) change averse environment such as financial services IT. It takes a long time to plan, check, recheck and slowly roll out. You never do this sort of thing in a single big bang for fear of taking out sizable chunks of the country's payment infrastructure.
3) Banking IT is classified as critical national infrastructure, if someone or something takes out a large chunk of it very serious questions are asked at very senior levels of government. I wouldn't like to be the CEO getting an arse kicking from the PM because I tried to roll out a firmware upgrade for a problem which isn't being exploited.
is that the banks often claim that they have absolute proof that a card was legitimately used when the card's owner is adamant that they didn't use it. They then refuse to disclose how they "know" this, on the grounds that it would compromise security.
The user can't report it to the [UK] police as the law now says that the police can only get involved if the bank reports the fraudulent transaction to them, which of course the bank won't do, as it suits them to refuse to acknowledge that it was fraudulent and thus they can make the customer pay the bill instead of taking a loss.
Thus, anything which suggests that, in fact, it is possible that the card owner is telling the truth [because their system can be compromised] must be kept secret, as it contradicts the bank's public position that this sort of thing can't happen and that the customer is therefore responsible for the loss.
This has happened before, and Ross Anderson was involved then -- search for "Munden, Halifax, Anderson". (Munden reported phantom withdrawals from his Halifax account, Halifax had Munden charged with fraud (on the grounds that their systems could not have made a mistake), Anderson came on board as expert witness for the defence, Halifax backed down rather than let him examine their systems).
(I closed my Halifax account a while after hearing of this case, the final reminder to do so taking the form of my Halifax account statement arriving several months late and with someone else's statement stapled to the back of it --- further evidence of the level of perfection of Halifax's systems.)
... you *CAN'T* go around telling people that Chip and Pin isn't perfect and wonderful and absolutely impossible to fiddle or defraud as we've been lyin^H^H^H^H telling people for ages now!
If you did that, then everyone who's been scammed with a C&P card and been told "too bad, the technology is perfect, it must have been your fault!" might get the idea that they don't need to be fobbed off like this and *can* get their money back from us!
WON'T SOMEONE THINK OF OUR PROFITS!!
- SIgned: The banks.
Im removing Secur3d from my cards. Being able to change a password using only data from the card and one very easy to find extra info (date of birth - they have surname, initials and your approximate location via the sort code - how hard is it going to be...), and without having to respond to an email, visit a sepertae site, or even re-enter the details you have just changed is in no way, shape or form SECURE.
Its a get-out clause for the banks - pure and simple.
For institutions that have, over the years, made fortunes from a marginally secure process to complain in this way is pathetic.
'But we don't have the money to invest' (unless we raise our charges) will be the cry. "To do more at this time will impair our competitiveness" .... Enough!!!
Get a proper system, in place without further delay, that secures your customers funds and privacy or get out because you are incompetent. Do not pass Go, Do not collect a big fat golden goodbye!
If you are really as smart as you claim then your marketeers will be able to help you steal a march on your competitors by selling how good and secure your systems really are. A little bit of trust might be restored in the competence of the Banks.
Having having f**ked up the country and wondering how to reward themselves with multi-million pound bonuses, I guess insecure Chip-and-Pin are the least of their worries.
Frankly the country would be a lot better off without the current banking institutions and structure. We need to get rid of a bunch of half-arses and I am pretty sure there are a load of competent wannabees who will step into their shoes for less than half the price.
We all fucked up the country, banks yes, but everyone who had an inappropriate amount of credit, payed off credit with credit, had a cheapass mortgage, a 100%+ mortgage. Those who didn't say anything about the amount of credit available, we all fucked it up. Now we just expect to be able to pin the blame on the banks, because they gave us the credit we wanted without asking any particularly taxing questions.
Disclosure: I had a 102% mortgage and a credit card I couldn't hope to pay off, I shouldn't have had either. Through my own hard work I got a my credit debt level to be serviceable, and a job that can pay a proper mortgage. I'm not blaming the banks for my own stupidity.
The simple fact of the matter is that the high street banks didn't bring in chip and PIN to make transactions more secure. They introduced it so that they could shift liability from the bank to the individual. The claim by the banks has always been that if you keep your PIN secure you cannot get scammed; therefore, if you are scammed it is your fault and the bank isn't liable. They want this taken down not to stop scamming, but because it would be strong evidence against them if a customer took them to court over the shift in liabilities. The British high street banks have always been very good at running this type of cartel. Look at what they did over unreasonable overdraft charges. The core problem in the UK is actually that the banks have had an effective monopoly position. Until recently, research has shown that people are more likely to get divorced or move house than change current account. Things are improving, but it will take at least another 10-20 years before the cartel is actually broken. Not really different to the length of time the BT monopoly is taking to break down.
"The core problem in the UK is actually that the banks have had an effective monopoly position. Until recently, research has shown that people are more likely to get divorced or move house than change current account. Things are improving, but it will take at least another 10-20 years before the cartel is actually broken."
So what you're saying is customers are stupid and deserve all they get for being so damn lazy? It is very easy to move accounts in the UK, having done it twice myself, by asking for the direct debit/standing order form that they have to give you. Pass this on to your new bank and they can take over the transactions. SImple. When it's this easy if you don't move you deserve to get screwed.
@The FunkeyGibbon - unfortunately banks are a bit like most corporates. They spend a fortune on PR and still make an unholy mess of PR due to letting the legal dept. do things without first consulting marketting.
In relation to this, I saw on Yahoo a claim that UK card fraud had dropped by 20% from 2009 to 2010, but that does beg the question - was this due to chip n pin and if so, are the banks just getting more stubborn about refunding customers? This is before someone starts using this new system.
From what I've seen of the technical details however, it would be a bit tricky to do without arousing suspicion of the person at the till, unless of course this is being done with their help a bit like those petrol stations which were using cloned card machines.
Whilst Barclays is to be congratulated in closing this particular loophole, the bank cards association had plenty of time to remedy the defect yet all they wanted to do was to shut the info source down.
Lucky he didn't have Plod breathing down his neck, too.
Since the introduction of Pin and Chip the banks have adopted a harder attitude towards complaints of customers accounts being plundered, claiming that their new system prevents fraud when in actual fact it doesn't
This means they are defrauding / misleading / lying to the public whilst some parts of the banks know there are weaknesses. THIS is what is so DESPICABLE about the whole matter.
I never withdraw round amounts from ATM's (490 instead of 500) and I always scan those receipts that fade (so quickly) so in case of dispute I have all the records.
Nice rebuttal letter :)
I particularly liked this paragraph :-
"Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent."
Kudos to Prof. Anderson, beautifully put!
Another pair of "Security Enhancements" that do nothing of the sort.
You have to choose a password that is between 5 and 10 characters that CANNOT CONTAIN NON-NUMERICAL CHARACTERS (!!!!!!)
So 2 of the 3 major Password Complexity rules already broken then - well done.
Also if you forget your password, you can simply reset it, with those incredibly secret pieces of information, your Date Of Birth and Postcode - like they're tough to get hold of.
So, someone nicks or copies your card - not hard, uses the UK Info Disk or similar to get your DOB and address (and postcode) then goes online and spends to their hearts content - really fucking secure that.
It's all as others have said, just a method of the banks getting out of paying disputes, because if the transaction was 'Verified by Visa' then it must have been you, or you gave out your password to someone.
The banks are nothing but a bunch of fucking lying thieving teflon-coated-shouldered arseholes. And that's me toning it down.
I have (or had) accounts with HSBC, Capital One, MBNA, Alliance & Leicester and Halifax - none of them allowed non-alphanum characters in their VbV or MSC implementations. I think that's a pretty decent spread across the UK banking spectrum.
Granted I haven't used a couple of these for a while so they may have changed recently.
However this doesn't detract from the central premise of my comment - that these are not security improvements - they're methods of shifting blame from the banks to the consumers.
I presume that the upvoters were agreeing with this fact rather than what you obviously did and just reading the first paragraph and finding something to complain about.
The poster above replied in a decent manner - HIS implementation allowed non-alphanum - that's great. Your reply was just plain wrong.
Once CDA is implemented this will method of "attack" will be blocked, if you can even call it that because you need the dummy card you use in the terminal to be attached to a device that is capable of performing the attach. Just as the original EMV cards were SDA then moved to DDA so as soon as one form of attack is found so the organisations will move to block it.
Most forms of fraud are commited using mag stripe, not chip and pin. All of the info on how the PIN and PAN entry are collected and sent in the clearing/auth messages. I would hazard a guess that 100% of POS frauds are mag stripe but consumers don't have the knowledge to understand what has happened and are simply fobbed off by a banks call centre. They simply see a chip and assume the transaction MUST have been chip and pin.
In fact if you want to be really secure we would move 100% away from mag stripe and just have chip and pin.
Using my own statistics I would say that 99.999999999999% of people don't understand how mag stripe, chip and pin works, EMV or the authorisation/clearing messages either.
Now...if someone found a way of extracting the keys from an ICC THEN I would be impressed.
Keep the FUD rolling.
"as soon as one form of attack is found so the organisations will move to block it."
Except, of course, they've known about this for ages and done....hmmmm....fuck all. Barclays are the only ones to have fixed it.
Just because you can't think of a non-obvious of exploiting the weakness in the wild doesn't mean that no-one can. We can't expect 100% secure, but surely we have a right to expect the banks to get their act together and fix weaknesses as their found?
The UK Govt *says* so.*
* And they've handed them a *big* bag of cash to prove it.
Seriously what would be the *real* impact of UK high street bank failure.
Some top bankers *might* not get their last bonus.
Disarray as the loan and mortgage books get sold off and it's worked out who people should be making their payments to.
a bunch of bankers get shown up as f**k witted managers.
I'd call those *acceptable* losses.
thumbs up for the backbone in not giving in to these people who *still* have mostly appear to have done f**k all about it.
Clearly the banks are uncomfortable with truth.
It is far better to live in a sublimely rich (and wealthy) fantasy world if the wealth created in that virtual & fantasy world eventually makes its way into the real world (and, of course, bankers' pockets (Q: do bankers use banks? If not why not?)).
Maybe this PIN thing is just what the banking industry needs to create next profits & bonuses in about 10 years time?
Here we go another brilliant PhD Researcher at this backwater of Cambridge University undermines the whole Security of the World Banking System by pulling a little stunt. I wish these guys would give it a break and concentrate on something else, they are as annoying as your average OCD afflicted Penetration Tester.
If you wish to expose the insecurity in Retail Banking it is easy, Banks leak information every day, they break their own Security Policies hundreds of times a day, Rules are broken as a matter of routine and members of IT teams, especially unvetted external contractors, have access rights which would make you faint.
Why you would bother to stick an electrical gadget up your sleeve with a wire connecting it to the terminal for a couple of cans of White Lightening is beyond me.
If you want to trash the Chip and PIN system, just move your Lab to Liverpool and set a few of the locals the challenge
How much Tax Payers money is being wasted on this 'Lab'?
Sorry but you're wrong. They may have have reported the flaws earlier in the year, but that wasn't the point. They STILL haven't reported the attempted censorship of Omar Choudary's paper by the ex minister Melanie Johnson at UKCA. See:
As expected, everyone expects the banks to act but this is an EMV issue NOT a bank issue.
Barclays are the only ones REPORTED to have fixed the problem. No one knows if other bank cards are affected because the "attack" have only tested a Barclaycard at a BMS terminal. And Barclaycard are a Visa Customer. There are also lots of MasterCard cards out there as well.
Kudos to Mr Choudary if he gets a masters degree out of copying Steven Murdochs paper and then building what is effectively a serial port sniffer/monitor (and the world certainly needs more of those... rolls eyes) good luck to him. There really is nothing new to see here.
And if that is the best that the Cambridge university students can come up with then I have seriously overestimated the abilities of what I thought was one of the best universities in the world.
There are much better ways of extracting pin numbers, using brute force against the face of person you are mugging is very effective but I don't think I am going to get a Masters proposing that in an academic paper :)
Just like most of the stuff that comes out of Prof Andersons' dept, hyped far beyond what it actually shows. This is a shame because they will start to get a reputation for crying wolf and when they do come up with something serious the industry will be fed up with them.
(I would admit that if I had to take on a bank in an IT security issue RA would be the first person I went to...)
Oh and kudos for mentioning that banks aren't payment processors.
Only in the most pedantic sense, where one wishes to distinguish between the organisation issuing the card (eg HSBC) and the (usually one of two) front organisations nominally processing the payments. (Readers may recollect the short-lived UK scam where some big UK retailers decided to nominally "in source" the "payment processing", with the sole purpose of dodging some of the VAT and keeping it for themselves. In a near-unique example of legal sensibleness this scam was ruled illegal. Please refer to Debenhams Retail plc vs HM Customs+Excise).
Who owns and (and is therefore responsible for) VISA? VISA is a publically quoted company but would anyone be stupid enough to think that it isn't controlled by the relevant banks? Same goes for Mastercard, which started life as the "Interbank Card Association".
UK banks seem to have had a collective falling out with Mastercard/Maestro. The alleged free market no longer provides a readily available debit card which will be widely acceptable in the countries where VISA Debit isn't (e.g. Germany prefers Maestro).
Biting the hand that feeds IT © 1998–2020