
Chip and Pin "Weakness" Exposed By Cambridge Researchers

samzenpus posted about a year and a half ago | from the get-them-where-they're-weak dept.

Security 133

another random user writes "A vulnerability in the widely used chip and pin payment system has been exposed by Cambridge University researchers. Cards were found to be open to a form of cloning, despite past assurances from banks that chip and pin could not be compromised. In a statement given to the BBC, a spokeswoman for the UK's Financial Fraud Action group said: 'We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.'"


133 comments

Never trust security through obscurity (4, Informative)

dajjhman (2537730) | about a year and a half ago | (#41319927)

Lots of these systems use proprietary protocols and have pushed out 3rd party verification by researchers. The random number being generated by time? Any serious security auditor would have caught that if the banks allowed them in; one of the golden rules of cryptography is to have a proper random number generator. The contact-less systems in the US came under similar fire this past year, after years of assurances by card issuers that it couldn't happen. http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/ [forbes.com]

Re:Never trust security through obscurity (-1, Troll)

Anonymous Coward | about a year and a half ago | (#41319969)

What is a "proper" RNG? Does it say please and thank you? Does it chew with its mouth closed?

Re:Never trust security through obscurity (4, Funny)

scdeimos (632778) | about a year and a half ago | (#41320069)

A web cam pointed at a lava lamp works for some people.

Re:Never trust security through obscurity (1)

SuricouRaven (1897204) | about a year and a half ago | (#41321093)

An ideal RNG uses a quantum entropy source. Usually thermal noise, sometimes radioactive decay. It has to be done in hardware. Some modern processors include a thermal noise RNG on-die, but for a high-volume application like banking that wouldn't be enough entropy, so they'd have to use an RNG peripheral. You can get them as USB sticks or PCI(/e) cards.

Re:Never trust security through obscurity (2)

petermgreen (876956) | about a year and a half ago | (#41322223)

The ideal RNG collects as much entropy from the real world as there is information in its output. Second best is a cryptographically secure PRNG. To be cryptographically secure, given an arbitrary sized sample of the output it must be computationally infeasible to predict the next bit with an accuracy greater than random chance. This requires both an algorithm that is resistant to reversal and sufficient seed data and internal state to prevent brute forcing of the random number generator's state.
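Added illustration, not part of any post in this thread: a small audit that checks whether a sample of terminal-issued "unpredictable numbers" shows the counter- or clock-like structure the comments above complain about. The 32-bit nonce width, the alert thresholds, the function names and all sample data are assumptions constructed for this example.

```python
"""Audit a sample of terminal nonces for counter- or clock-like structure.

Constructed example: nonce width, thresholds and sample data are assumptions.
"""
import secrets
from collections import Counter

NONCE_BITS = 32                  # assumed nonce width
MASK = (1 << NONCE_BITS) - 1
MIN_SAMPLES = 32                 # below this, stuck bits occur by chance
MAX_STUCK_BITS = 8               # assumed alert threshold
MAX_STEP_HIT_RATE = 0.25         # assumed alert threshold


def stuck_bits(nonces):
    """Count bit positions that hold the same value in every sample."""
    always_one = MASK
    ever_one = 0
    for n in nonces:
        always_one &= n
        ever_one |= n
    never_one = ~ever_one & MASK
    return bin(always_one | never_one).count("1")


def step_hit_rate(nonces):
    """Fraction of transitions explained by the single most common increment."""
    deltas = [(b - a) & MASK for a, b in zip(nonces, nonces[1:])]
    if not deltas:
        return 0.0
    _, hits = Counter(deltas).most_common(1)[0]
    return hits / len(deltas)


def audit(nonces):
    """Return both metrics and a verdict for an ordered sample of nonces."""
    if len(nonces) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} samples")
    stuck = stuck_bits(nonces)
    rate = step_hit_rate(nonces)
    return {
        "stuck_bits": stuck,
        "step_hit_rate": rate,
        "predictable": stuck > MAX_STUCK_BITS or rate > MAX_STEP_HIT_RATE,
    }


def counter_nonces(start, step, count):
    """Constructed weak source: a plain counter."""
    return [(start + i * step) & MASK for i in range(count)]


def clock_nonces(start, gaps, count):
    """Constructed weak source: a seconds clock read at irregular intervals."""
    out, now = [], start
    for i in range(count):
        out.append(now & MASK)
        now += gaps[i % len(gaps)]
    return out


def csprng_nonces(count):
    """Reference source: the operating system CSPRNG via the secrets module."""
    return [secrets.randbits(NONCE_BITS) for _ in range(count)]


if __name__ == "__main__":
    samples = {
        "counter": counter_nonces(0x00A1F3C0, 1, 64),
        "clock": clock_nonces(1347000000, [7, 31, 12, 45, 7, 19], 64),
        "csprng": csprng_nonces(64),
    }
    for name, nonces in samples.items():
        print(name, audit(nonces))
```

Passing this audit does not show a generator is cryptographically secure; it only catches the crudest failures, which is the kind a third-party review would be expected to flag.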

Re:Never trust security through obscurity (3, Informative)

necro81 (917438) | about a year and a half ago | (#41322457)

IEEE Spectrum reported last year on new RNG tech from Intel [ieee.org], called Bull Mountain, and implemented in Ivy Bridge processors [wikipedia.org]. It uses a large array of cross-coupled inverters. Thermal noise (a semi-random process) causes each inverter pair to latch to 1 or 0 very quickly. The inverters are reset, then allowed to re-latch, many times per second. This isn't particularly new. But they also add circuitry that continuously checks the statistical randomness of the output, and combines multiple number streams to ensure maximum randomness. The result then becomes the seed for a more conventional PRNG. The upshot is the ability to produce billions of demonstrably random numbers per second, all in a low-power peripheral on the microprocessor.

Re:Never trust security through obscurity (-1, Troll)

cayenne8 (626475) | about a year and a half ago | (#41319999)

What exactly is this 'chip and pin' system in UK apparently. Sounds British (like fish and chips?)...hahaha.

Guessing it has something to do with a credit card type thing?

Does cash not work over there anymore?

Re:Never trust security through obscurity (2, Informative)

Anonymous Coward | about a year and a half ago | (#41320099)

What exactly is this 'chip and pin' system in UK apparently. Sounds British (like fish and chips?)...hahaha.

It's referring to a credit card & a pin number combination for security.

Re:Never trust security through obscurity (2, Informative)

Anonymous Coward | about a year and a half ago | (#41320149)

credit and debit card too.

Re:Never trust security through obscurity (2)

stepho-wrs (2603473) | about a year and a half ago | (#41320859)

It means smart cards (typically embedded in credit/debit cards) that have a chip on the card.
You enter your PIN into the payment terminal at a store and it uses the PIN to form part of the key used for comms with the card.

Whereas magnetic credit cards and PINs (er, I mean personal PIN numbers) have been used since the 1960s without a chip on the card.

Re:Never trust security through obscurity (0)

tubs (143128) | about a year and a half ago | (#41321155)

> (er, I mean personal PIN numbers)

You do know that PIN is a TLA that stands for "Personal Identification Number" :-)

Re:Never trust security through obscurity (3, Funny)

stepho-wrs (2603473) | about a year and a half ago | (#41321359)

A personal PIN number is what you enter into an automatic ATM machine or an electronic EFT terminal.

Re:Never trust security through obscurity (0)

Anonymous Coward | about a year and a half ago | (#41321843)

A personal PIN number is what you enter into an automatic ATM machine or an electronic EFT terminal.

I think you've got this one mixed up. EFT is "electronic funds transfer"

Re:Never trust security through obscurity (0)

Anonymous Coward | about a year and a half ago | (#41322115)

Correct. Most banks require one to enter a PIN into a security token before arranging an EFT through on-line banking.

Re:Never trust security through obscurity (0)

Anonymous Coward | about a year and a half ago | (#41321857)

He's right, somewhat.

It's Personal Identification PIN Number.

Re:Never trust security through obscurity (0)

Anonymous Coward | about a year and a half ago | (#41322767)

PNS Syndrome much?

Re:Never trust security through obscurity (1)

leonardluen (211265) | about a year and a half ago | (#41322791)

Why do geeks get so bent out of shape about people saying "PIN Number" when we have things like GNU?

Re:Never trust security through obscurity (1, Troll)

MadMaverick9 (1470565) | about a year and a half ago | (#41320213)

Does cash not work over there anymore?

gee - where do you live?

It's "1984" and governments and big corporations want to know what you're doing and where you're doing it.

Can't do that with cash.

Re:Never trust security through obscurity (1, Interesting)

Anonymous Coward | about a year and a half ago | (#41320771)

> Can't do that with cash.

Are you serious? Scanning devices for bills' serial numbers are ubiquitous. The ATM knows who it gave the bills to, the cash register knows who it got the bills from and so on.

If you want to stay anonymous, pay everything with coins. Those are secure for now.

Re:Never trust security through obscurity (1)

cybernanga (921667) | about a year and a half ago | (#41321319)

yes, but they don't know where the note has been, or who has had it in between those two points.

Therefore, as long as I don't get cash from the bank, or an ATM, or deposit cash into my own account, they'll never know what I've been up to.

Re:Never trust security through obscurity (1)

cayenne8 (626475) | about a year and a half ago | (#41322653)

...the cash register knows who it got the bills from and so on.

Wow...where do you live where you've seen a cash register that scans money put in or taken out of it???

I've only seen the conventional kind with a human teller as the go between myself and my money to the till, which I've not ever seen scan money...??

Re:Never trust security through obscurity (2)

whoever57 (658626) | about a year and a half ago | (#41320425)

Does cash not work over there anymore?

Actually, US-issued credit cards can be problematic in the UK because some ignorant shopkeepers and workers think that they cannot accept a card that does not have chip-and-pin.

Re:Never trust security through obscurity (5, Informative)

lxs (131946) | about a year and a half ago | (#41321151)

It's not that they cannot accept a card like that, but that the processor will not reimburse the shop in case of fraud. At least that's the case here in the Netherlands.

Re:Never trust security through obscurity (0)

Anonymous Coward | about a year and a half ago | (#41322383)

that should be the case *ONLY* if the customer has a card with chip&pin.

Re:Never trust security through obscurity (1)

mjwx (966435) | about a year and a half ago | (#41320613)

What exactly is this 'chip and pin' system in UK apparently. Sounds British (like fish and chips?)...hahaha.
Guessing it has something to do with a credit card type thing?

Chip and Pin is the brand name for bank card security in the UK. It refers to a PIN (Number) and a chip embedded in the card. Chipped cards are a bit harder to replicate than regular mag stripe cards.

Does cash not work over there anymore?

Yes, cash still works in merry old England,

but much like a lot of fools in the US and Australia they have been brainwashed by their bank overlords to shun cash and pay for everything using credit. This is because the bank overlords get to charge the merchant for accepting credit but not for accepting cash (which is in turn passed onto the unsuspecting fool of a customer in the form of higher prices).

Re:Never trust security through obscurity (0)

foniksonik (573572) | about a year and a half ago | (#41320657)

Cash can be lost, stolen and devalues through inflation. My bank account is tied to my market account which can not be lost or stolen (FDIC) and does not devalue, often increasing in value over time.

My credit accounts are other people's money I borrow to pay debts with a float and no interest unless I choose to pay it while my money is increasing more quickly or I can get a better return in an investment.

My money increases slowly but surely. Your cash is a pile of paper with no future.

Re:Never trust security through obscurity (1)

mjwx (966435) | about a year and a half ago | (#41320879)

Cash can be lost, stolen

And credit can't.

Awaken from your dreamy state

devalues through inflation.

Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.

My credit accounts are other people's money

The problem with spending other people's money is that other people are going to want their money back... with interest. Would you lend your money for free?

A question that no credit addled fool has been able to answer is "why would a bank, a profit oriented business, offer you a service they don't make money on". And no, you're not an outlier who's outsmarted the bank.

The fact is you force merchants to pay a percentage of your transaction in a "merchant service fee" or bank interchange fee in some countries. This comes straight back to you in the form of higher prices.

My money increases slowly but surely. Your cash is a pile of paper with no future.

Wrong again.

My money increases at the same rate as yours, the difference is I have no debt to pay off that reduces it.

Actually do the numbers, over 4 years you will at best have earned $500 more interest than me and if you miss one payment you will have wiped that off completely and some. Remember that at that time you will owe money and I will not so I will end up with more money after you've paid your debts.

Seriously, do the numbers. If I earn $2,000 p/m and have expenses of $1,500 p/m. If my initial payment is $500 @ 5% PM I have $26,512 after 48 months ($2,512 in interest). If I deposited the entire $2000 for that first month I would have $28,334 after 48 months ($2844 in interest) but I'd still have to pay off $1,500 so that brings my total down to $26,834 giving you a grand total of $500 extra at the very best.

However when we consider that you pay between 0.5-3% per transaction on your credit card, you've pissed away $720 (at just 1% of $1,500 p/m) in merchant fees in the same period you've gained in $500 interest.

Once again, we go back to the question "why would a bank lose money on you". The simple answer is they don't, they love people like you because you make them money without even realising it.

Also don't give me any bollocks about not missing a payment, say you're fired, in hospital or your payments are screwed up in any other fashion.

I won't even bother telling you about the amount I've saved in the last four years by paying with my own money. Even just in avoiding CC surcharges I've made $500. Credit cards have their place, just not for everyday transactions. For that I use cash or debit.

Re:Never trust security through obscurity (1)

Anonymous Coward | about a year and a half ago | (#41321249)

However when we consider that you pay between 0.5-3% per transaction on your credit card, you've pissed away $720 (at just 1% of $1,500 p/m) in merchant fees in the same period you've gained in $500 interest.

The merchant fees are paid by all the merchant's customers though (through higher prices). Also the ones paying in cash.

Re:Never trust security through obscurity (3, Insightful)

Captain Hook (923766) | about a year and a half ago | (#41321745)

The fact is you force merchants to pay a percentage of your transaction in a "merchant service fee" or bank interchange fee in some countries

While that's true, you are forgetting that handling cash is not free for the merchant either.

It has to be handled by staff that can lose or steal it, it has to be transported around the store securely and transported to a bank to be paid in to an account (banks charge businesses for paying cash into an account) so the business can use the money for purchasing of supplies, paying rents and mortgage etc.

Credit Card fees look scary for the merchant because the fee is stated upfront in the contract with the Credit Card Provider but cash has costs as well, possibly hugely variable costs compared to a stated percentage per transaction.

Re:Never trust security through obscurity (2)

LordKronos (470910) | about a year and a half ago | (#41321917)

You are clueless.

Cash can be lost, stolen

And credit can't.

No. Federal law limits my liability to $50 by law, but every single one of my credit cards actually goes further and limits my liability to $0. No risk to me.

devalues through inflation.

Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.

Not sure how my "credit devalues through inflation". My "credit" has no actual cash value to me. The only effect inflation has is on my spending ability for a given credit line, but given the size of my credit line, I'll never reach that point...especially since lenders tend to increase that credit line over time.

My credit accounts are other people's money

The problem with spending other people's money is that other people are going to want their money back... with interest.

Funny. I haven't paid a cent in interest to a credit card in way more than a decade. On the other hand, I've made thousands from my credit cards, in the form of cash back and (more importantly) sign up bonuses.

A question that no credit addled fool has been able to answer is "why would a bank, a profit oriented business, offer you a service they don't make money on".

They lend me money because most people DO pay interest. They take a gamble on me that I'll be just as profitable. They lose that gamble every time.

The fact is you force merchants to pay a percentage of your transaction in a "merchant service fee" or bank interchange fee in some countries. This comes straight back to you in the form of higher prices.

If you could get everyone (or at least a very significant number of people) in the country to switch to cash, then maybe prices would go down. Otherwise, me switching to cash isn't going to reduce my costs one bit. All it's going to do is stop earning me cash back and sign up bonuses.

I won't even bother telling you about the amount I've saved in the last four years by paying with my own money. Even just in avoiding CC surcharges I've made $500. Credit cards have their place, just not for everyday transactions. For that I use cash or debit.

LOL. I've MADE almost $2500 just this year from credit card sign up bonuses, and that doesn't count what my wife has earned from the same.

Re:Never trust security through obscurity (2)

drinkypoo (153816) | about a year and a half ago | (#41322021)

Not only does credit devalue through the same inflation ($1000 credit devalues at the same rate as $1000 cash) it also costs you interest, so $1000 borrowed is $1000+interest to be repaid.

Uh no.

Credit doesn't devalue through inflation because if they think they can drive you into debt someday they will keep raising your limits.

$1000 borrowed is not $1000+interest unless you borrow the money for longer than 30 days. If you repay within the window you don't actually pay any interest. And in the case of hyperinflation, you'd actually make money by not paying, so there are situations where you're even more wrong. Credit has its uses.

Re:Never trust security through obscurity (1)

tubs (143128) | about a year and a half ago | (#41321169)

If a merchant has a business bank account, then they pay whenever they make a deposit, and a withdrawal. If they handle a lot of cash, then they also have to deal with security - safe, how to get the money deposited etc etc.

Unless a merchant's average transactions are less than about 5 pounds, it makes economic sense to do things via electronic transactions rather than by cash.

Re:Never trust security through obscurity (1)

mjwx (966435) | about a year and a half ago | (#41321601)

If a merchant has a business bank account, then they pay whenever they make a deposit, and a withdrawal. If they handle a lot of cash, then they also have to deal with security - safe, how to get the money deposited etc etc.

Unless a merchant's average transactions are less than about 5 pounds, it makes economic sense to do things via electronic transactions rather than by cash.

Please note, I said credit not electronic transactions. Electronic transactions on Debit (I.E. using your own money rather than the banks) attract a much lower service fee in Australia, some as low as A$0.20 here in Oz, most CC transactions cost more even before the interchange fee comes out. I'd be surprised if the UK were different.

Secondly, if it were true that cash costs more than EFT for anything over A$20/GBP 5, why would car yards offer better deals for cash? Every business is different, for a lot of businesses that do a high frequency of trade (cafe's, restaurants, 7-11/convenience stores) EFT costs a lot more than cash, OTOH, for places that do a low volume trade on high margin items (laptops, jewellery) the costs of using EFT are minimised. In both cases, credit as opposed to debit always costs the business more.

Re:Never trust security through obscurity (1)

SQLGuru (980662) | about a year and a half ago | (#41322271)

I assume a Car Yard is what I refer to as a Car Dealership -- a place to purchase cars.......

I think the key is who is taking the risk. A car dealership gives a discount for cash because they don't take any risk. If you take a loan, there's a chance you will default.....and they take a hit for that. A normal shop (i.e. for clothes) doesn't take the hit if you use credit (other than increased transaction fees), so they don't give a discount.

If you were to go in to a car dealership and negotiate as if you were paying cash, but paid with a credit card, they would still give you the discount.

Re:Never trust security through obscurity (1)

cayenne8 (626475) | about a year and a half ago | (#41322695)

If a merchant has a business bank account, then they pay whenever they make a deposit, and a withdrawal.

Not sure where you get that idea. I have a business account with the bank, and I don't pay for any type of deposits (cash or check), nor do I get charged a fee for withdrawals of either.....

Re:Never trust security through obscurity (1)

Dr_Barnowl (709838) | about a year and a half ago | (#41321269)

not for accepting cash

Not true ; banks charge merchants for handling cash. So much so that supermarkets here will offer to add some cash to your bill ("cashback"), obviating the need for you to visit an ATM. You benefit from increased convenience and they benefit from reduced cash handling charges.

Re:Never trust security through obscurity (1)

mjwx (966435) | about a year and a half ago | (#41321609)

not for accepting cash

Not true ; banks charge merchants for handling cash. So much so that supermarkets here will offer to add some cash to your bill ("cashback"), obviating the need for you to visit an ATM. You benefit from increased convenience and they benefit from reduced cash handling charges.

Are you trying to say there is a per transaction charge for handling cash?

If you aren't, it has no bearing on what I said.

You need to give this a read and consider the costs to businesses [sba-bc.ca]. When you put everything on credit, you make a dent in that business's profit and they have to in turn raise prices to compensate. Whilst massive super chains can bury costs like interchange and service fees in huge contracts, franchise owners and small businesses can't. Realistically if you think putting everything on the credit card is saving or earning you anything you're deluding yourself. Ask yourself, why would a bank, one of the most solid profit oriented businesses on earth, offer you a service they lose money on?

Re:Never trust security through obscurity (1)

leonardluen (211265) | about a year and a half ago | (#41323037)

Are you trying to say there is a per transaction charge for handling cash?

yes actually there is! the store needs to keep their register stocked with small bills and change in order to make change for customers using cash. At least in the US businesses typically pay a fee to buy large quantities of coins and small bills from banks. sometimes they also need to pay a fee to deposit large quantities of coins, such as if they end up with too many nickels in the register and don't know what to do with them.

you also then have to somehow securely transfer the money to the bank, and the change from the bank to your registers. this is a direct cost that is incurred to the business for using cash.

as well a smart business balances their registers every night, or shift change. this takes 1 or more employees time to count the cash in the drawer to make sure your employee wasn't crooked and stealing from you. (or just stupid and doesn't know how to count out correct change)

there are other indirect costs to handling cash.
1) making change is often slower than credit cards (time is money)
2) you have various fraud risks, such as a bill being fake
3) the cashier could just pocket the cash (or even just giving out the wrong change to the patron)
4) it is a target for thugs. credit card receipts don't interest them much, but cash does.

Handling cash definitely isn't free

Re:Never trust security through obscurity (3, Interesting)

Mithent (2515236) | about a year and a half ago | (#41321549)

Cash works here, but I'd rather use a card if the store accepts one, because it's more convenient for me. Cash involves trips to the ATM, bulking out my wallet with coins, and hopefully having appropriate denominations for the purchase at hand (a £20 note seems a bit much for a 60p purchase, while a collection of 10p and 5p pieces is going to be annoying if it's £5). If it gets stolen, it's essentially guaranteed lost, which means I shouldn't carry a lot of it at once, whereas if my card gets stolen, I can hopefully cancel it before it's used by the thief, which Chip and PIN makes more difficult. There are also additional protections [moneysavingexpert.com] afforded for purchases on credit cards, and my credit card offers 1% cashback. Yes, it would be stupid to run up credit card debt, but that's easy to avoid by paying the full balance each month.

I'll pay by cash if I have to, but I'd much rather pay by card, which means I always have the right amount to hand and I get nothing back but a receipt.

Re:Never trust security through obscurity (0)

Anonymous Coward | about a year and a half ago | (#41322661)

I'll pay by cash if I have to, but I'd much rather pay by card

I go months without carrying any cash, not a cent. I pay 10-cent transactions with my debit card. There's barely any occasion in the Finnish society where you'd need cash, and there's never any transaction charge.

(The only exception I can think of is volunteers' coffee stands at children's soccer fields. They don't have the POS equipment and accept cash only.)

Wasn't this already covered (0)

Anonymous Coward | about a year and a half ago | (#41319933)

in DEF CON 19 last year?

Security by obscurity (4, Insightful)

jenningsthecat (1525947) | about a year and a half ago | (#41319949)

All the locks in the world won't keep crooks out of your house if you don't use the locks. Your house may LOOK invulnerable, but one day somebody's gonna try the door, find it open, and steal you blind.

The same principle applies here - using obvious and predictable 'random' code generation, and relying on people not knowing that's what you're doing, only works for so long.

And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

Re:Security by obscurity (4, Interesting)

Solandri (704621) | about a year and a half ago | (#41320539)

And arrogant people, (and companies, and banks), who crow about how secure their systems are, are just asking for it. Serves the fuckers right; but it's too bad that credit card holders are paying the price for their creditors' arrogance.

If it came out of the pockets of the credit card holders, it probably would've been fixed long ago. The problem is that the credit card companies have gamed it so that it comes out the pockets of the merchants. And no merchant can realistically refuse to accept credit cards if he's serious about running a business. The credit card companies have even managed to trick most card holders into thinking that they're doing the noble thing and paying for fraud, when in most cases it's the merchant who pays. After all, those high interest rates and annual fees have to be paying for something, not going straight into their pocket, right?

The analogy between labor and employers works here. Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

Re:Security by obscurity (2, Insightful)

drinkypoo (153816) | about a year and a half ago | (#41322003)

Merchants need a union so they can negotiate on an even footing with the 3 credit card companies which control the vast majority of the electronic transaction market.

Or the government could quit sucking corporate cock, permitting more players into the game to provide some actual competition.

Re:Security by obscurity (0)

Anonymous Coward | about a year and a half ago | (#41322805)

Or they could come out with a government system. Not a stretch really, considering they already print the money.

just goes to show you (-1)

Anonymous Coward | about a year and a half ago | (#41319997)

Goes to show you what happens when you let a bunch of faggets run your chip company.

And pin company.

captcha: herewith

Presumed secure = blame the user (5, Informative)

muhula (621678) | about a year and a half ago | (#41320021)

In the US, a simple magnetic stripe is used to encode the data, which can be duplicated with little effort. Even if your credit card is swiped at a brick and mortar retailer, this well-known vulnerability gives consumers some credibility against the credit card issuer when they claim to have not made the purchase. The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds since chip and pin was presumed to be secure. From the article, "Others [banks] reported already being suspicious of the strength of unpredictable numbers... If those assertions are true, it is further evidence that banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds."

Re:Presumed secure = blame the user (3, Informative)

rover42 (2606651) | about a year and a half ago | (#41320223)

muhula writes:

The scary part of this chip and pin vulnerability is that banks have a history of blaming the consumer and not issuing refunds ... banks systematically suppress information about known vulnerabilities, with the result that fraud victims continue to be denied refunds

Ross Anderson heads the Cambridge group that found this attack and the earlier man-in-the-middle attack (a gadget between card & reader that makes all PIN verifications succeed no matter what number you enter). He's been writing about bank vulnerabilities for years.

A famous older paper: "Why cryptosystems fail" http://www.cl.cam.ac.uk/~rja14/Papers/wcf.html [cam.ac.uk]

Problems with PIN numbers: http://bits.blogs.nytimes.com/2012/02/20/security-of-self-selected-pins-is-lacking/ [nytimes.com]

Re:Presumed secure = blame the user (1)

Formalin (1945560) | about a year and a half ago | (#41320311)

Hah, yep. I noticed my "agreement of the services" with visa states that if chip authentication is used, it's assumed I authorized it - i.e. there are no fraudulent transactions that use the chip, I'm liable.

Makes you want to rip the contacts off the card...

Re:Presumed secure = blame the user (1)

pipedwho (1174327) | about a year and a half ago | (#41320569)

This might be true if 'you' used the chip authentication. However, if someone else has cloned your card (however they managed to do it), then 'you' haven't agreed to that transaction, and thus 'you' never used any kind of authentication, let alone "chip and pin".

Re:Presumed secure = blame the user (1)

Anonymous Coward | about a year and a half ago | (#41322417)

lmfao, good fuckin luck getting your card company to buy into that one. Chip & pin is a scam designed solely to remove *ALL* liability of fraud from the card company, after all, it's *your* fault you let your chip get cloned ; )

Re:Presumed secure = blame the user (0)

Anonymous Coward | about a year and a half ago | (#41321117)

This is why I refuse to sign up for online banking with my bank.

The TOS says that anything that happens through the web interface is my fault (supposedly because I didn't pick a good password, but it also asks me for security questions, so I'm immediately suspicious. It's a bank. If I forget my password, I'll walk into a branch with two forms of ID.).

Re:Presumed secure = blame the user (1)

drinkypoo (153816) | about a year and a half ago | (#41322015)

Makes you want to rip the contacts off the card...

buy a UV-curing clear coat repair pen, $3 or so, the rest is obvious

no liability for banks (2, Informative)

Anonymous Coward | about a year and a half ago | (#41320043)

Canadian banks just snuck in an update to the banking agreements--customer is now 100% responsible for losses with chip and pin cards, no doubt due to the ironclad security.

The problem is shifting liability (4, Interesting)

nemesisrocks (1464705) | about a year and a half ago | (#41320059)

The problem with the claim Chip & Pin is more secure, is that the card processors (Visa, Mastercard) used it as a justification to shift liability from the Bank over to the Merchant.

With swiped transactions, when a customer disputes the transaction, the Merchant isn't automatically liable for the transaction -- they only need to prove the customer actually made the purchase (e.g. producing the signed receipt). With Chip & Pin, the merchant is automatically assumed to be liable, according to the merchant agreement. There's very little a merchant can do to dispute the chargeback.

Re:The problem is shifting liability (1)

DeBaas (470886) | about a year and a half ago | (#41320895)

The way I understood it is that the liability shift does not work that way. The least secure is liable. See http://en.wikipedia.org/wiki/EMV [wikipedia.org]

The supposed increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable (as from 1 January 2005 in the EU region) for any fraud that results from transactions on systems that are not EMV capable.[2]

If a merchant does not support chip and the issuer (your bank) and the acquirer (bank of the merchant) do, the merchant is liable.
If the acquirer does not support EMV (aka Chip and pin), that bank is liable. Etc.

So only when the merchant keeps an old terminal that only supports magswipe despite his bank and the bank (/card issuer) of the customer supporting EMV and the chip, is the merchant liable.

Re:The problem is shifting liability (3, Insightful)

mattsday (909414) | about a year and a half ago | (#41321221)

I used to work in a store when Chip & PIN was introduced to the UK - after the switchover we were told in no uncertain terms that we would take liability if we didn't use Chip & PIN when it was available (e.g. verify by signature). This makes a lot of sense to me, as some people's signatures had rubbed off and others really didn't match.

Whenever I go to the US, my card is almost never checked. I usually get my card back before I even sign. There is often zero fraud prevention at the point of sale. Even when they ask for photo ID (rarely) they often just check the picture, not my name or even if it's valid ID.

From my side, I would consider liability to be very much on a merchant who didn't bother checking properly and reduce it as an incentive to help me reduce fraud (e.g. chip & pin systems).

Re:The problem is shifting liability (1)

Mithent (2515236) | about a year and a half ago | (#41321485)

If this story [zug.com] is to be believed, you can get away with signing pretty much anything and it's highly unlikely that anyone will even look at your signature.

Chip and PIN might not be perfect, but at least it makes it more than entirely trivial to use a card that you've just found somewhere in a store.

Re:The problem is shifting liability (0)

Anonymous Coward | about a year and a half ago | (#41322445)

All of my cards have a small signature on them (to be compliant with cc regulations) and then in large and very bold "SEE IDENTIFICATION". You know how often I'm asked for ID? Well I only recall being asked once in the last year or so, and I use the card every single day.

You seriously want some idiot being your handwriting validation expert when a vast majority of them can't even take the time to ask for ID when the card itself says to?

Re:The problem is shifting liability (1)

NJRoadfan (1254248) | about a year and a half ago | (#41322141)

Don't some of the major processors' merchant agreements forbid ID verification? They don't check your ID because they aren't allowed. A few of my friends think they are smart and put "See ID" in the signature box of their card... right next to where it says "this card not valid unless signed"!

It's worse - Liability is shifted to the CARDHOLDER (4, Informative)

brunes69 (86786) | about a year and a half ago | (#41321529)

Re-read your chip & PIN liability statements. Chargebacks with chip & PIN are very difficult to do and weighed heavily against the cardholder.

By default, if a transaction is conducted via chip & PIN, the consumer is liable for all charges. The use of a PIN constitutes, in the eye of the bank, de-facto shift of liability for the transaction. In the event of a dispute, it is up to THE CONSUMER to provide evidence that he / she did not perform the transaction. This is a marked shift from the old magstripe / signature liability, where it was up to the merchant to prove that it was you making the purchase in a dispute. Now, it is up to the consumer to prove it WASN'T you - good luck with that!

I am glad people are finally waking up to this because I avoided chip & PIN as long as possible due to this, but it is being rammed down our throats, along with this liability shift, and no one is noticing.

Mod parent up! (1)

Anonymous Coward | about a year and a half ago | (#41323293)

The main problem with chip-and-pin, from the consumer's perspective, is that it shifts the liability onto the CARDHOLDER, not the merchant. The issuers insist that merchants bear the liability for old magstripe transactions, but for chip-and-pin transactions it is presumed that you, the CARDHOLDER, are responsible unless you can *prove* otherwise. That's why the merchants were all so eager to get the chip-and-pin hardware deployed... it reduces their fraud costs (shifting them onto the victim cardholders instead).

Here's this attack in a nutshell:

The protocol between card and ATM incorporates an "Unpredictable Number" which is generated by the ATM and sent to the card as part of a transaction request. The card returns a response which includes this Unpredictable Number, and is encrypted with a secret symmetric key stored on the card. The other copy of the symmetric key is known only to the issuing bank. The ATM sends this response to the issuing bank over the network, where the transaction is vetted and approved.

The important role played here by the "Unpredictable Number", is to guarantee the _freshness_ of the transaction to the issuing bank: it's how they know that the challenge sent to the card, and the response returned from the card, were generated _while the user was using the ATM_ and not at some much earlier time. Unfortunately, the party relying on the unpredictability of the number is the issuing bank (the one who issued you the card) and the party *generating* the number is the ATM, which might be in a different country, might be operated by an adversary, might be compromised by malware, might be in a Mafia-owned store and have been tampered with, etc. To be secure, the number should have been generated by the issuing bank at the start of the transaction, but the system is not designed that way (probably because it would slow the transactions down too much). So instead of a few hundred issuing banks, you're relying on literally _thousands_ of different ATM manufacturers and operators, to securely generate unpredictable random numbers for you. But many of them don't... they use crappy generators like stdlib rand() or system timers which can be forced into a known state by power-cycling the ATM.

If the attackers can predict what "Unpredictable Number" the ATM will generate (and using the techniques from the paper, they often can) then that means they can send those numbers to the user's card when it's inserted in a compromised ATM or POS terminal, and get the card to encrypt their illicit "request" as needed. Then at some later time (maybe days or even weeks later) they present the card's response to a real ATM somewhere else, and take money out of the cardholder's account. The attackers have to choose the amount and the date of the attack in advance, but they can use any vulnerable ATM in the same country as the compromised terminal where the cardholder's info was skimmed from.

So this attack is basically as strong as card cloning. There's basically nothing you could do with a cloned card, that you can't do with this attack.
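
The comment above traces the weakness to terminals that derive the Unpredictable Number from a counter or a system timer. As an added example (not part of the comment or of the paper it summarises), here is an issuer-side check that flags terminals whose logged UNs show those patterns. The terminal names, the log layout and the thresholds are assumptions, and the sample log is constructed.

```python
import secrets
from collections import Counter, defaultdict

UN_BITS = 32                      # the EMV Unpredictable Number is a 4-byte field
MASK = (1 << UN_BITS) - 1


def stuck_bits(uns):
    """Count bit positions that hold the same value in every sample."""
    always_one, always_zero = MASK, MASK
    for u in uns:
        always_one &= u
        always_zero &= ~u & MASK
    return bin(always_one | always_zero).count("1")


def step_deltas(uns):
    """Differences between consecutive UNs, modulo 2**32."""
    return [(b - a) & MASK for a, b in zip(uns, uns[1:])]


def audit_terminal(uns, min_samples=16):
    """Return a list of findings for one terminal's UNs, in log order.

    Thresholds are illustrative assumptions, chosen so that a uniformly
    random 32-bit source essentially never trips them at this sample size.
    """
    if len(uns) < min_samples:
        return ["insufficient-samples"]
    findings = []
    if len(set(uns)) < len(uns):
        # Any repeat in a few dozen 32-bit values is a red flag.
        findings.append("repeated-un")
    fixed = stuck_bits(uns)
    if fixed:
        # Constant bits shrink the space an attacker has to guess.
        findings.append(f"stuck-bits:{fixed}")
    deltas = step_deltas(uns)
    delta, count = Counter(deltas).most_common(1)[0]
    if count / len(deltas) >= 0.5:
        # One step size dominates: counter-like generator.
        findings.append(f"constant-stride:{delta}")
    if sum(d < (1 << 24) for d in deltas) / len(deltas) >= 0.9:
        # Values creep upward in small steps: timer-like generator.
        findings.append("small-steps")
    return findings


def audit_log(records):
    """records: iterable of (terminal_id, un_hex) in the order they were logged."""
    by_terminal = defaultdict(list)
    for terminal_id, un_hex in records:
        by_terminal[terminal_id].append(int(un_hex, 16))
    return {tid: audit_terminal(uns) for tid, uns in by_terminal.items()}


def constructed_log():
    """Constructed sample data: four hypothetical terminals."""
    records = []
    for i in range(64):
        # Fixed prefix plus an incrementing counter.
        records.append(("ATM-COUNTER", f"{0x1A2B0000 + i:08X}"))
        # OS CSPRNG, standing in for a properly built terminal.
        records.append(("ATM-CSPRNG", f"{secrets.randbits(32):08X}"))
    uptime_ms = 5000
    for i in range(32):
        # Milliseconds since power-up at each transaction, irregular gaps.
        uptime_ms += 30000 + (i * 919) % 1000
        records.append(("ATM-TIMER", f"{uptime_ms:08X}"))
    records.append(("ATM-NEW", "DEADBEEF"))
    return records


if __name__ == "__main__":
    for terminal, findings in audit_log(constructed_log()).items():
        print(terminal, findings or "no findings")
```

A clean result only means these particular patterns were absent from the sample; it does not show that the generator is sound.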

Re:The problem is shifting liability (1)

DarenN (411219) | about a year and a half ago | (#41323633)

The flip side of this is that the processing fees for Chip & PIN cards are significantly lower. The fact is that fraud is vastly reduced by using Chip & PIN, so the fees charged can account for that.

damn right they do (1)

slashmydots (2189826) | about a year and a half ago | (#41320127)

We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.

Yeah, they pass it along to sellers like me. Almost all fraud gets taken straight out of the pockets of the business owner but hey, we've got money, right? Total bullshit. Well guess what I'm refusing to accept ever under any circumstances.

Re:damn right they do (0)

Anonymous Coward | about a year and a half ago | (#41320167)

We've never claimed that chip and pin is 100% secure and the industry has successfully adopted a multi-layered approach to detecting any newly-identified types of fraud.

Yeah, they pass it along to sellers like me. Almost all fraud gets taken straight out of the pockets of the business owner but hey, we've got money, right? Total bullshit. Well guess what I'm refusing to accept ever under any circumstances.

Other people's money??

Re:damn right they do (0)

Anonymous Coward | about a year and a half ago | (#41320259)

I'm curious in what way.

In my storefront if a card holder chips a card and types their pin, there is no way they can charge back.
If it was fraudulent transaction, the end user is charged for giving out their pin or bank/visa pays for insecurity.
As a merchant I have no other way to verify the transaction.

In an online transaction does "verified by visa" / "mastercard securcode" not effectively provide you as a merchant the same protections?

Re:damn right they do (2)

FireFury03 (653718) | about a year and a half ago | (#41321081)

In my storefront if a card holder chips a card and types their pin, there is no way they can charge back.

That sounds incorrect to me, since (at least under UK law) there are various reasons why a credit card transaction may be subject to a chargeback even if it was a legitimate transaction at the time.

In an online transaction does "verified by visa" / "mastercard securcode" not effectively provide you as a merchant the same protections?

3Dsecure is, frankly, a joke and does nothing to increase security (in fact it actually decreases security). It was introduced as yet another way of pushing the liability away from the bank rather than actually being secure.

Unfortunately, my experience with banks is that, when it comes to digital security, they have no clue and are only interested in security theatre, even in situations where well thought out real security would actually be easier for everyone than the security theatre they invent instead.

Re:damn right they do (2)

SuricouRaven (1897204) | about a year and a half ago | (#41321115)

Verified by VISA? I've seen that one. Whenever I have to buy something online, I need to enter an extra code in addition to the card number, expiry date and CCV. It seems quite pointless to me, because I have to enter them all at once - which means I store them all in the same place, and anyone who has compromised my system can key-log the whole lot at once. The only time it'll add any security is in stopping someone who stole the card from using it to buy things online, and if that was their goal it would be easier to just take the CCV number off the card. Plus, using VBV is optional for the merchant, so it just ensures the fraudster would shop with some company that doesn't require it.

Re:damn right they do (2)

Rockoon (1252108) | about a year and a half ago | (#41320277)

Fraud is overhead that needs to be paid for regardless of who is left holding the empty bag at the end, and that overhead will always end up being reflected in the retail prices.

So who better to be left holding the empty bag than the party that has direct control over retail prices, and even some control over who he does business with?

Re:damn right they do (0)

Anonymous Coward | about a year and a half ago | (#41320291)

Counterpoint : What motive do banks have to secure their system if they are not liable for its insecurity

(Also merchants pay %2.5-%5 of every transaction to the processor for visa/mastercard. More for Amex.
Surely this HUGE sum of money skimmed from EVERY transaction can pay for the overhead?)

Re:damn right they do (1)

Rockoon (1252108) | about a year and a half ago | (#41320335)

Counterpoint : What motive do banks have to secure their system if they are not liable for its insecurity

Nothing has changed with your scenario because it's based on the faulty premise that someone other than the consumer will pay the cost. The consumer is the side of the trade that has the money, and all costs must by definition be paid for out of that money.

Re:damn right they do (1)

pipedwho (1174327) | about a year and a half ago | (#41320609)

But, those costs would never have occurred if the banks secured (or continue to secure) their system properly. Thus the 'losses' that end up being paid for by the consumer end up being negligible.

Re:damn right they do (0)

Anonymous Coward | about a year and a half ago | (#41320305)

The liability should be with the party that has the power to do something about it: the card companies. If not, it will grow out of control, since there is little incentive to contain it.

Re:damn right they do (1)

Rockoon (1252108) | about a year and a half ago | (#41320429)

The liability should be with the party that has the power to do something about it: the card companies.

So neither person at the point of sale has the power to do something about it? It's the institution that is by definition not at the point of sale?

Re:damn right they do (1)

pipedwho (1174327) | about a year and a half ago | (#41320647)

The liability should be with the party that has the power to do something about it: the card companies.

So neither person at the point of sale has the power to do something about it? It's the institution that is by definition not at the point of sale?

The best the consumer and/or merchant can do is complain to the 'authorities' that their bank just sucked a huge chunk of cash out of their account. Maybe they could sue the bank for losses incurred due to a poorly secured transaction system. But, all that does is send the responsibility back to where it belongs in the first place: with the banks.

Re:damn right they do (1)

0111 1110 (518466) | about a year and a half ago | (#41320683)

There is not much consumers can do about having their card numbers stolen. They could never let the card leave their sight, only use Linux for online purchases, and use temporary card numbers for purchases from merchants they are not certain of, but even then their number could still be stolen. This problem is not one that the cardholder has created and it is not one that the cardholder can fix.

I think chip and pin was a great idea. Relying on it as perfect security and holding the user responsible for every transaction however was stupid. If I lived in the UK or another chip and pin EU country I would be way too paranoid to ever use my card. Instead of a credit card I'd probably use a debit card and transfer the exact amount needed from another account for every purchase. Thieves can't steal from you if there is nothing to steal.

US banks will generally cover you even if you knowingly gave away your ATM pin number in one of those ATM kidnappings so popular in certain parts of the world. The whole pin and chip thing was a raw deal for EU cardholders. They get no benefit, but all the risk. It's definitely not an equitable solution. Bank of America has a two factor authentication system for their online banking, but I don't think they hold the user responsible for fraudulent transactions.

So, aside from the thief, who is to blame for a fraudulent transaction? Almost never the cardholder or the merchant. The two parties at the point of sale are just using the system. They didn't create it and holding them responsible for the lax security of the system is absurd and unjust. All that consumers and merchants can really do is just stop using/accepting credit cards, and I don't think either the bank who issued the card or Visa/Mastercard want that.

Re:damn right they do (1)

drinkypoo (153816) | about a year and a half ago | (#41322029)

So, aside from the thief, who is to blame for a fraudulent transaction? Almost never the cardholder or the merchant.

The merchant is often [at least partly] at fault. It used to be poor control over carbons; you could steal CC numbers just by strolling into the local drug store in between busy times and raiding a checkstand's trash can while someone else occupied the checkers. Now it's poor control over readers, permitting criminals to install skimmers, or outright complicity.

Re:damn right they do (1)

pipedwho (1174327) | about a year and a half ago | (#41320599)

So who better to be left holding the empty bag than the party that has direct control over retail prices, and even some control over who he does business with?

The answer to that question is: The party that has control over the implementation of the financial transaction system.

Anything less and there's no incentive for the financial institutions to improve security and reduce overall losses in the system. There is no way a merchant or a consumer has any control over this. The most they can do is refuse to accept 'plastic', but due to the ubiquitous nature of credit based transactions, that would be akin to closing the door on a large portion of their income.

Why the quotes? (2)

rebelwarlock (1319465) | about a year and a half ago | (#41320147)

I like how they highlight "weakness" in the headline, giving it the appearance of being of poor credibility. Can I try?

BBC is a "news" provider.

Re:Why the quotes? (0)

Anonymous Coward | about a year and a half ago | (#41320347)

It's because it's not a mere "weakness", it's a fundamental flaw

Re:Why the quotes? (1)

Anonymous Coward | about a year and a half ago | (#41320553)

The BBC "always" puts lots of "quotes" around "words" in their titles. I don't know why; it "doesn't" change the meaning "of" the words, it's like the heavy-metal umlaut:.. http://en.wikipedia.org/wiki/Metal_umlaut

Re:Why the quotes? (2)

mysticalreaper (93971) | about a year and a half ago | (#41321031)

The quotes indicate that a third party is making the assertion. So the BBC's staff has not looked at the evidence and concluded there is a weakness, the BBC is merely repeating a conclusion reached by others. The BBC has not verified the validity of this conclusion. Therefore the BBC is not reporting this as an established fact, they are reporting that researchers from the University of Cambridge are saying this, and the BBC isn't certain it's a demonstrable fact.

If you read the full article of any headline that contains quotes, you will find that the origin of the statement in quotes is not the BBC's writers, but another organization or person: a third party.

The BBC is trying to help you understand the source of the information, an important part of journalism. They are trying to help you understand what they are reporting, not belittling your intelligence with 'emphasis' quotes.

Re:Why the quotes? (0)

Anonymous Coward | about a year and a half ago | (#41322157)

The BBC is trying to help you understand the source of the information, an important part of journalism.

Apparently they are doing a good job. :)

Reminds me of a story about my bank. In Denmark, we have a system where stone-age organizations can sign up and send their mail digitally (PDFs) to consumers that have also signed up. This is pretty retarded compared to just asking for my email address, but, well.

Now, one day I login and discover I have probably around 20 unread PDFs from my bank, all just printouts of my account transactions. As if I would ever look at these compared to just logging into the bank. So I write to my bank and ask them not to spam me. The reply I get back is that they sometimes send one if there's been a slightly suspicious transaction (e.g. I've bought something on Ebay) in the previous period. Huh? Now they don't explain this anywhere, they just send the stupid printout with transactions.

Re:Why the quotes? (1)

Neil Boekend (1854906) | about a year and a half ago | (#41323237)

Somehow I usually interpret it as sarcasm, or a euphemism.
For example: She had some huge "eyes".
It usually doesn't work, but it causes enough hilarity not to change it.

Re:Why the quotes? (1)

Anonymous Coward | about a year and a half ago | (#41320989)

I like how they highlight "weakness" in the headline, giving it the appearance of being of poor credibility. Can I try?

BBC is a "news" provider.

It simply means the BBC is reporting but not necessarily endorsing the claim. Journalistic integrity many other more sensationalist outlets could learn from!

Re:Why the quotes? (0)

Anonymous Coward | about a year and a half ago | (#41321195)

Husband "kills" wife.

The BBC keeps quoting verbs such as "kill" in its headlines. How should I interpret this? (In case it isn't obvious, I'm not a native speaker).

Re:Why the quotes? (0)

Anonymous Coward | about a year and a half ago | (#41321247)

One obvious reason for Husband "kills" wife is that the husband is a suspect and probably did it, but has not been convicted yet so it should not be considered an established fact.

Re:Why the quotes? (2)

L4t3r4lu5 (1216702) | about a year and a half ago | (#41321199)

They're called quotation marks. They're quoting the researchers saying that this is a "weakness" in the security of chip and pin cards, in that the researchers used the word "weakness" to describe the vulnerability.

My debit card (0)

Anonymous Coward | about a year and a half ago | (#41320169)

doesn't even have a chip. It's from a major American bank.

Chip & Pin was already broken no later than 20 (1)

mark-t (151149) | about a year and a half ago | (#41320467)

And, in fact, the pdf paper that the article links to even mentions it as one of the references.

This appears to be something new, however

Old News (0)

Anonymous Coward | about a year and a half ago | (#41320977)

The crooks have been cloning chip and pin cards for a couple of years now, why is it that it only becomes news when Cambridge Researchers catch up and realise the same thing?

You can buy the gear you need to do it for about £200 from online retailers no questions asked.

I realised how frail and easily crackable the entire system was when I was asked to research an EPOS system using an online payment gateway setup and discovered that at certain points in the system all the information exists in plain text, the onus is on the developer to ensure the data remains encrypted.

Exaggeration (and a bit of scandal mongering) (2)

bhaktha (1462779) | about a year and a half ago | (#41321369)

Folks, I read the paper by Omar and Co in a fair amount of detail. Here is the gist. Some ATMs do not have a true RNG (Random Number Generator), something like FIPS 140.2 compliant. With such defective systems in a particular country, at a particular time and for a particular amount and a system which can do a transaction at mS granularity accuracy an attack is possible. And the card has to be in the system (which is recording) for a longer time than it is for a typical transaction. That is a very NARROW vulnerability (not that it is justified ...). The paper clearly says on a large set of ATMs they could NOT decipher the "algo" for the UN generation. This is an exploitation of a very very corner case. The paper also clearly says that EMVCo HAS ALREADY published rigorous tests to test the randomness of UN generation (before this paper was published). So the title here, in the BBC website and some of the comments are way off. (understand that BBC and /. have to have readership ...)

Couple of additional comments, EMV cards are unclonable (so are the SIM cards used in phones which use similar technology), the standards are open (you can download the standards for free from the emvco website) and there are plenty of fraud detection algos running on issuer servers to detect suspicious transactions. The paper in the second page unambiguously states that AFTER the introduction of EMV cards "card-not-present" transaction fraud went up, precisely because EMV cards are secure.

There will be always studies like this which expose flaws (this particular one was an extremely corner case) which generally strengthen the current systems. I have followed the research coming out of Cambridge on related topics (have exchanged notes with some of them), they are fine researchers and if you read the paper, you will see that they are NOT saying EMV is insecure but are identifying corner cases and defective implementations.

Cheers, -Bhaktha

Re:Exaggeration (and a bit of scandal mongering) (0)

Anonymous Coward | about a year and a half ago | (#41322073)

And the fact that the issue existed at all is a major embarrassment.
In addition the fact that they could not break many other ATMs doesn't really say much about their security, since so much information is secret it is very hard to know that not in fact _all_ of them would be easily attackable in a similar way by an insider.
Which all comes down to the banking sector usually doing the opposite of long-established security best-practices.

Becoming a Successful Entrepreneur, Minimarket Al Franchisee (-1, Offtopic)

kembud (2583605) | about a year and a half ago | (#41321571)

If I Became a Member and Franchisee of Minimarket Alfamart [a-ant.com]: an Alfamart franchise is a minimarket business owned and operated under a franchise agreement with PT. Sumber Alfaria Trijaya Tbk, the holder of the Alfamart brand. With the motto “Belanja Puas, Harga Pas” ("Satisfying Shopping, Fair Prices"), Alfamart's business model is to sell a range of daily necessities at affordable prices from locations around residential areas.

We should move to fish & cushion! (0)

Anonymous Coward | about a year and a half ago | (#41321639)

http://www.youtube.com/watch?v=B80SyRmtbdI

Fp hO8o (-1)

Anonymous Coward | about a year and a half ago | (#41321713)

noises out of the to get some eye in a head spinning dying' crowd - said. 'Screaming you get disTracted a way to spend

Serge Humpich, anyone??? (1)

JigJag (2046772) | about a year and a half ago | (#41322891)

I know it happened 12 years ago, but come on, the chip cards with pin have been cracked and crackable for a long time. In 2000, Serge Humpich, a French hacker, found a flaw in the chip design and used a Japanese algorithm to factorize the prime used in the chip card.

In French:
https://fr.wikipedia.org/wiki/Serge_Humpich [wikipedia.org]
http://www.bibmath.net/crypto/moderne/cb.php3 [bibmath.net]

In English:
http://www.theregister.co.uk/2000/02/26/french_credit_card_hacker_convicted/ [theregister.co.uk]
http://www.amazon.com/Serge-Humpich/e/B001K7H3DE [amazon.com]

I remember my reaction when chip cards appeared in Canada *after* 2000, as if they were waiting on having a backdoor before they deployed them.

JigJag
