Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Chip & PIN terminal playing Tetris

Hemos posted more than 7 years ago | from the the-joy-of-subversion dept.

Security 228

Fearful Bank Customer writes "When British banks introduced the Chip-and-Pin smartcard-based debit and credit card system three years ago, they assured the public it was impervious to fraud. However, the EMV protocol it's based on requires customers to type their bank account pin number into store terminals in order to make any purchase. Security researchers at the University of Cambridge Computer Laboratory derided the system as insecure at the time, as it gave access to customer's bank account pin numbers to every store they bought from. Despite these objections, the system was deployed, so researchers Steven Murdoch and Saar Drimer recently modified a straight-off-e-bay chip-and-pin terminal to play Tetris, with a video on YouTube, demonstrating that devices are neither tamper-resistant nor tamper-evident, and that even students with a spare weekend can take control of them. The banks are claiming that this can be reproduced only "in the laboratory" but seem to have missed the point: if customers have to type their bank account pin into every device they see, then the bad guys can capture both critical card information *and* the pin number for the bank account, leaving customers even more vulnerable than they were under the old system."

cancel ×

228 comments

Sorry! There are no comments related to the filter you selected.

to misquote Franklin... (4, Funny)

PresidentEnder (849024) | more than 7 years ago | (#17509128)

Those who would exchange security for convinience deserve Tetris!

Re:to misquote Franklin... (2, Informative)

shaneh0 (624603) | more than 7 years ago | (#17510266)

Misquote indeed. Especially considering Franklin wasn't actually the source of that nugget of wisdom.

http://en.wikiquote.org/wiki/Benjamin_Franklin

The real question is: (1)

Oddscurity (1035974) | more than 7 years ago | (#17509158)

Does it run Linux?

Re:The real question is: (1)

onkelonkel (560274) | more than 7 years ago | (#17509892)

Flipperwalt?

snort..

giggle..

ha ha

a ha ha ha he he...

Thud

Hold on a sec here... (4, Insightful)

Shoten (260439) | more than 7 years ago | (#17509160)

They got it to play tetris by replacing the majority of the electronics inside it. It's not exactly like they got the actual terminal to play tetris...it's more like "They put a tetris game console inside the empty terminal shell, and used the terminal's keypad and screen for control and display." It'd be like skinning a copy of Windows 95 to look like Xwindows, and then saying "Look at all the vulnerabilities I found in linux!"

Re:Hold on a sec here... (5, Insightful)

crossword.bob (918209) | more than 7 years ago | (#17509208)

But if someone can put custom electronics in what is supposed to be a tamper-proof shell, people will blindly insert their cards and type their PINs. The issue is not one of terminal software security, but of hardware integrity.

Re:Hold on a sec here... (1, Insightful)

jimicus (737525) | more than 7 years ago | (#17509498)

Tell you what. Why don't you go away and build me a 100% tamper proof Chip & PIN which cannot be easily replicated (eg. with casting resin and alginate), doesn't cost a small fortune to produce and provides some easy, immediately visible means of differentiating it from any possible fakes? Then persuade Tescos (and anyone else with similar systems) to use that rather than their existing system (which is "all cards, regardless of type, are swiped through the card reader on the checkout"), because if you don't, people won't be at all fazed by having to hand their card to the person at the counter.

Bear in mind that Tesco is large enough that if they say "No", you're a bit stuck. It's estimated that £1 in every £4 earned in the UK is spent there.

The point being... (5, Interesting)

Junta (36770) | more than 7 years ago | (#17509718)

That the whole point of this is to demonstrate that if you use the merchant's hardware to enter any personal data, it is *impossible* to be tamper-proof or tamper-evident for sure.

My vision has always been a smart device with a crypto engine, that provides it's own display and entry. It would plug into POS equipment, and tell the POS equipment at first, only enough to identify itself and tell the POS which financial institution to contact.

The financial institution would receive from the merchant the account holders ID number and some info about the transaction (i.e. the amount, maybe an interval if a service, maybe a tolerance if a repeating service charge). The financial institute would look up the customer's public encryption key, and use it to encrypt all that data together with a challenge string, and send that back to merchant.

Merchant relays the encrypted package to the customer smart device. The device then (maybe using a passphrase to decode private key like a pin, but not linked to anything outside the device) uses the private key to decode the data, and display to user what the financial institution thinks the merchant is asking for with a confirmation. If user confirms details, the decrypted challenge is sent to POS and the merchant relays it to Financial institute.

Financial institute upon receipt of a correctly decoded challenge, authorizes the transaction, and gives the merchant an affirmative response with an authorization code that is *only* valid for that specific transaction.

Here, the financial institute *only* has the customer private key, so ripping off that database won't give anyone access to the account. The merchant knows they are getting the money, but isn't left with anything they *could* use to get more money than the customer authorizes directly. The only place that has the private key is the customers smart card, which should *never* allow it to be transferred out (probably should be generated by the card and only the public part uploaded when issued). If using a passphrase for storage of the private key, it even has resistance to physical theft.

For bonus points (actually, I would pretty much demand it), have it somehow able to plug into usb ports for online transactions. Of course, online, the customer and financial institute can talk directly, simplifying some of it, but the model need not be changed much for online stuff). Again, the PC would never get the private key, so you would have to use the device.

I would *pay* an upfront charge to help cover the cost of the device in exchange for such security. If it's half-assed and uses merchant display/entry, or shares the private key *ever* theoretically, I wouldn't.

Re:The point being... (1)

Junta (36770) | more than 7 years ago | (#17509758)

Here, the financial institute *only* has the customer private key
I meant public key, whoops....

My idea.... (2, Insightful)

shaneh0 (624603) | more than 7 years ago | (#17510378)

While your idea seems very well thought out, it still wouldn't gaurantee it couldn't be a dummy terminal that's designed to collect swipe data and pin codes.

My thoughts are that after you swipe your card, the terminal should give YOU a PIN number that should match a PIN that the bank sends you with your card. At this point, once you verify that it is indeed legit, you provide your counterpart PIN.

And since it doesn't have to be entered, it could be a word, or with LCDs, even an image.

Hell, for that matter, even an image of YOU would work (in fact, this would also have a good usage to prevent fraud in cases of CREDIT transaction (as opposed to the debit transactions that we're talking about)

Re:Hold on a sec here... (1)

smallfries (601545) | more than 7 years ago | (#17509728)

You've really missed the point here - as explained in the article, in the summary and in the post that you're replying to. The researchers pointed out when Chip'n'pin was introduced that what you've described is impossible. What you've posted is exactly their gripe with the system. The only difference is that they've sensibly suggested that this is a reason that we shouldn't use an authentication system where we give away information, whereas you've concluded that we're just stuffed and people should quit bitching.

If I type my PIN into a terminal everytime then the terminal knows my bank details and my PIN. The banks insisted that the boxes were tamperproof. As this article shows they are clearly not. The solution is not to build a tamper-proof box - it's to use a challenge-response protocol where you don't leak private information on every transation.

NOT A CRACK: I think you're missing the point too (1)

goombah99 (560566) | more than 7 years ago | (#17510394)

If we accept the response by the manufactures at face value what they say is that while the doctored machine can intercept some information it still cannot be used to counterfeit a chip-and-pin card or forge a chip-and-pin transaction. Thus they are still correct in saying it's impossible to beat--for now at least.

Any system can trick users by social engineering. But techincally this chip-and-pin system is still secure in the face of that. Their weak point is that because the overseas transactions are robustly secure and can be forged from the information gather by this attack. Thus the banking systemis not perfectly secure but the problem is not the chip-an-pin itself.

Re:Hold on a sec here... (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17509222)

Actually, chip & pin credit cards have been in use in various countries for something like 20 years or so (give or take 5), with very very few stories of security issues. And yes, they are far more secure than signing a piece of paper.

Re:Hold on a sec here... (1)

oliverthered (187439) | more than 7 years ago | (#17509306)

But all you need is something that looks like a chip and pin reader and people are willing to enter their pin numbers into it.

(Then all you need is a second real device to enter the coppied pin number into to make the transaction look ligit)

Re:Hold on a sec here... (1)

jacksonj04 (800021) | more than 7 years ago | (#17510222)

The only way around this would be to have an active crypt device on your card linked to some form of display visible even when the card is in the machine (slim LED on the opposite end to the chip?). That way the LED will only light green (Or ultrabright blue to please the geeks) if the card is satisfied that it has in actual fact been talking to the bank.

However, this doesn't stop you hacking the keypad matrix to extract the keypresses. The only way to get around this would be to have your card perform *all* the authentication using a private/public key system. So the input pad would send your card the pin it received, the certificate issued to the merchant, and the crypt unit on the card itself would encrypt this using the private key and send it to the bank for processing. This would be best combined with biometrics rather than pin, since they're a lot harder to store.

Combine the two and you end up with a card which not only does all the secure stuff, but lets you know via a clever little LED if it has spotted a problem with the transaction.

--

On the more realistic side, never let your card out of your sight. For example, restaurants will sometimes try take your card then bring you a reader with it already inserted. I just ask them to bring me the reader and I'll put the card in myself.

Re:Hold on a sec here... (3, Insightful)

pdawson (89236) | more than 7 years ago | (#17509402)

The point is if they can do that, bypassing the 'tamperproof' systems, they can open a unit in the field and piggyback a chip in to record account# and pins with the with the user being none the wiser.

Re:Hold on a sec here... (1)

DigitAl56K (805623) | more than 7 years ago | (#17509492)

The real point is that the system by design encourages (or in fact requires) users to give up their bank pin in order to make purchases. Let's hope they don't actually try to band-aid the problem by making tamper-evident casings.

Question: what role does the 'chip' have? Does it have any way of securely authenticating the transaction with the merchant, and thus in some way verifying that the merchant trusts the terminal? The article summary suggests that the same old information is on the mag strip.

Re:Hold on a sec here... (1)

dsanfte (443781) | more than 7 years ago | (#17509598)

The Interac system in Canada has been running since at least 1997 and involves swiping your normal bank card at the store and entering your pin on a keypad for via-telephone authentication of the purchase.

There are some fraud problems. Mostly, people hook up card cloners to ATMs and have a small camera set up to record pin numbers. Then again, they also do that in the US, as well.

If entering your PIN at the store is a significant vulnerability, it's one that has existed here for 10 years without significant problems. If there is fraud, the bank refunds your money.

Re:Hold on a sec here... (1)

Biggest Banana Tree (980484) | more than 7 years ago | (#17509690)

If there is fraud, the bank refunds your money.

It can take a while though, my debit card got cloned - took 8 weeks before I got my money back, always try to use my credit card now, as if thats cloned I'm not out of pocket...

Re:Hold on a sec here... (1)

Nursie (632944) | more than 7 years ago | (#17509912)

Chip cards are impossible* to clone in that way, and if someone clones the strip part of it under EMV then the PIN is not used and the transaction is flagged for attention as a possible fraud.

(*yeah, ok, very difficult!)

I wrote Tesco's system you should all listen to me (5, Informative)

Nursie (632944) | more than 7 years ago | (#17509810)

Sorry for the pompous post heading, but the first part is true, I wrote a large part of Tesco's system including about half of the EMV processing component. It's a customised version of what was the world's first integrated EMV system (ie card reader + PC + store level auth servers + central connection to VISAnet, LINK etc).

Whether you should listen to me or not is another matter.

The chip controls the transaction. That's how it goes. The chip decides if it can trust the terminal or the bank based on cryptographic signing operations. The terminal is verified by a process in which it concatenates various pieces of data, performs a crypto op on them and presents the result to the card. The card compares this to its own result (depending on the card it either has one precalculated and uses the same one each time (low security) or does the same calculation itself on a set of data including some session data (better security)).
PIN is encrypted as soon as it is entered and should never leave the device it's entered on in plaintext form, it is presented to the card as a cryptogram for validation.
When a transactioon is presented to the bank for authorisation it is presented with yet another cryptogram so that the bank can validate the card. The response also comes in the form of a cryptogram so that the card can validate the bank.

However, I'll agree, all this is pretty useless if someone can get inside the terminal and intercept the PIN at hardware level. Other than that and the looking-over-shoulder social security hole problem, EMV's pretty bullet proof. Your PIN doesn't ever even get to the PC that's running the transaction.

If you want to know more then the actual standards are available at EMVco [emvco.com] , but they're the nearest thing to legalese I've ever encountered as a software Dev. I'm out of the payments game now, but my knowledge should still be pretty relevant, I hope.

In other words: Chip and Pin is a scam! (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17510798)

However, I'll agree, all this is pretty useless if someone can get inside the terminal and intercept the PIN at hardware level.


I assume you were doing your best to avoid saying it outright?

Re:I wrote Tesco's system you should all listen to (1, Funny)

Anonymous Coward | more than 7 years ago | (#17510838)

However, I'll agree, all this is pretty useless if someone can get inside the terminal and intercept the PIN at hardware level. Other than that and the looking-over-shoulder social security hole problem, EMV's pretty bullet proof.

This seive is watertight... except for the holes that is...

Doesn't this assume hardware integrity? (1)

john-da-luthrun (876866) | more than 7 years ago | (#17510872)

Thanks for that explanation. However, doesn't this presuppose that you are slotting your card into a bona fide machine? Couldn't someone do what the team in TFA have done and replace the innards of a chip and pin machine with new electronics? Then this machine could fake the entire process of entering your pin, the whole "Checking card, not not remove", "Please remove card" thing, spit out a receipt from the cash register and away you go, innocently believing that you have just completed a purchase when in fact you have handed over your card details to the crooked retailer.

My understanding is that this is the purpose of TFA: to point out that chip and pin depends on the user's trust that the machine in front of them is a genuine, verified chip and pin machine, when in fact the user has no way of checking this for sure, and that the validation for chip and pin (i.e. entering your PIN) is highly vulnerable to compromise by such means.

Re:Hold on a sec here... (1)

sentientbeing (688713) | more than 7 years ago | (#17509532)

This kind of potential problem has already happened with whole ATMs. ATMs can be bought by scammers from manufacturers, set up on a quiet street corner and configured to record transactions from unprepared marks using their bank card to draw cash.

Its an awareness and confidence thing not a vulnerability thing.

Re:Hold on a sec here... (1)

Megane (129182) | more than 7 years ago | (#17509542)

They got it to play tetris by replacing the majority of the electronics inside it.

That really can't be mentioned enough. Link to The Register's article [theregister.co.uk]

It'd be like skinning a copy of Windows 95 to look like Xwindows, and then saying "Look at all the vulnerabilities I found in linux!"

Except that a better analogy is those card skimmer devices that get stuck on ATMs that can record the card stripes and button presses. While the blame is misplaced ("oh noes! teh phish n chipz n pinz r haxx0r3d!"), it's still important as a reminder that sometimes you don't need to hack the security, if simply wearing a sheep's skin is good enough to get your wolf into the flock.

Re:Hold on a sec here... (1)

mandelbr0t (1015855) | more than 7 years ago | (#17509638)

Very good analogy. I'm most interested in what terminal they hax0red, and I can't really tell. I'm pretty certain of this though: any program that would be able to read the key presses will not authorize transactions - ever. If you can replace the electronics with something that can read the keypad, then you'll lose the benefit of the (tamper-resistant) electronics that actually encrypt the PIN block. Show me a proof-of-concept that can actually record keypresses while still authorizing transactions, then I might believe that these things aren't actually tamper-resistant.

mandelbr0t

Re:Hold on a sec here... (1)

whimmel (189969) | more than 7 years ago | (#17510016)

It looks like a VeriFone 3750 to me, but it's been a while (and I didn't actually work on those devices).

From what I know about them, the merchant doesn't have access to the PIN. The pinpad device encrypts the entire authorization request and that packet is sent to the merchant bank. It bangs around the visa/MC networks for a bit, then comes back with an auth code or not.

Arrr... In MYyyyyy day .... (0)

Anonymous Coward | more than 7 years ago | (#17510642)

we used to dust the keypad with talcum powder, but I suppose you use something a little less conspicuous now ......

PIN Number? (0, Troll)

Rhonwyn (49658) | more than 7 years ago | (#17509182)

Most people only have 1 PIN, so their PIN Number would 1. I don't see the risk in that.

If you just meant "Personal Identification Number" and not "Personal Identification Number Number", then I would have expected better to a slashdot poster.

Re:PIN Number? (3, Funny)

heinousjay (683506) | more than 7 years ago | (#17509228)

There's something about being pedantic that makes any joke you construct seem arrogant and quite the opposite of funny. Perhaps when you're filling the pedant role in the future, you can just stick to the job instead of trying to amuse at the same time.

Card and PIN security (5, Informative)

swillden (191260) | more than 7 years ago | (#17509184)

The potential security problem here is caused by the use of the same PIN for two purposes. You know how you should never use the same password for multiple security-critical systems? Well, that's exactly what some of the UK banks did.

See, EMV security is designed around the assumption that only the card and cardholder know the card PIN. The bank doesn't know it. The merchant terminals see it, but it has no value without the card. In particular, it should be of no use with the bank machine/ATM network.

How then, do you use a bank machine? Well, ideally, you insert your card, enter your PIN to unlock the card, and then the card performs a cryptographic authentication with the bank over the ATM network to identify and authenticate you so you can proceed to perform your transaction. But that requires the ATMs and network to be updated to support the chip card and to use the new authentication protocol.

The other method, of course, is just to use an account number and a PIN, just as you always have, but that PIN *must* be known by the bank's systems, which leads to the banks' dilemma when deploying the system. Their options were:

  1. Make customers remember two PINs for the same account, a card PIN and a "bank machine PIN". This is good for security, but bad for customer acceptance.
  2. Upgrade the ATMs and network to do the card-based cryptograhic authentication. Good for security, but, in the short term very bad for customer acceptance, because it means that the cards can't be used with non-UK ATMs that don't implement the new technology.
  3. Use a "shared" PIN, ensuring that every time a cardholder changes either the card PIN or the bank PIN, the other gets updated to match. This is called "PIN synchronization" and is actually not all that cheap to do either, but it's the only option that means customers only have to remember one PIN and can use their card in ATMs around the world. It's bad for security, though.

So, the banks mostly took option 3. I think some of them allow customers to request that their card and ATM PINs be "decoupled".

In theory, this means a malicious merchant can modify their PIN pad to capture the PINs and account numbers, and can then use the information to drain the accounts through the ATM network. In practice, this form of fraud hasn't happened, and it would be fairly easy to track unless the fraudster didn't steal very much -- a pattern of fraud on accounts whose cards have all been used at a particular merchant would be pretty easy to detect.

It could happen, of course, and probably will someday. If it becomes sufficiently serious, then maybe banks will have to abandon PIN synchronization. Hopefully, by then the rest of the world will have caught up and the ATM PIN can be discarded entirely.

Re:Card and PIN security (3, Informative)

rapiddescent (572442) | more than 7 years ago | (#17509450)

actually, with regard to point 3 above:

EMV cards have two data items for the PIN usually called online PIN and offline PIN but pretty much all banks have the same value for each.

The key worry about this 'attack' is that the electronics could be changed easily:

  • get the mag strip by asking the customer to swipe
  • gets the PIN value
  • completes the transaction using the EMV chip
  • stores the mag stripe and PIN value
  • reuse the card in an ATM/Store that does not require chip

This fraud has already been perpetrated at a Shell garage in the UK [bbc.co.uk] when a bloke in overalls came into the Shell store to say he was the engineer to check the Chip n PIN device. The Trintech unit had a fault so that it would not self destruct when opened and a simple memory chip was added to the device. The bloke in overalls went back a few weeks later to 'check everything was OK' and took back the memory chip and had the card details and PINs - resultant fraud loss was GBP 1m; although not sure how much was recovered.

I'm very wary of Tesco stores (UK) that swipe the mag stripe before inserting the card into a chip reader then ask the customer for the PIN - they effectively have the strip and the PIN which is enough to make a new card. The problem is that the chip cards have the legacy mag stripe to work in foreign ATMs and non-chip compliant stores.

The way things are going with APACS CAP - punters will be inserting their PIN into any old keypad, so it'll be getting worse before it gets better.

rd

Re:Card and PIN security (1)

crosbie (446285) | more than 7 years ago | (#17510178)

At least the card reader should have been required to say "Hello Mr A Person" plus a detail only obtainable via the EMV chip (a favourite colour). Then people would have a tadette of confidence that the machine could read their card properly.

But, yes, you're absolutely right. Tons of punters are being trained to pay absolutely no regard to the nature of the device into which their card is placed, nor whether the device and/or card is removed from sight.

Even once the mag strip is discontinued there's still another scam:
Make a device that captures the PIN, punches out the chip and returns the card without chip. If you install this at a petrol station on a motorway you can capture several hundred chips before the scam is revealed. Each chip can be re-inserted in a new card and cashed out at a nearby ATM or, if the new card looks good, a jewellery shop, etc.

Re:Card and PIN security (1)

KillerBob (217953) | more than 7 years ago | (#17509506)

In theory, this means a malicious merchant can modify their PIN pad to capture the PINs and account numbers, and can then use the information to drain the accounts through the ATM network. In practice, this form of fraud hasn't happened, and it would be fairly easy to track unless the fraudster didn't steal very much -- a pattern of fraud on accounts whose cards have all been used at a particular merchant would be pretty easy to detect.


Yes it does. It happened to my brother and to his wife. The experiences with the banks were something else, too....

My brother, who banks with CS Alterna Bank here in Canada, simply had to see the manager, and explain to her what had happened. She looked at the records, and confirmed that about 45 minutes after he used the card at a store in Ottawa, the "card" was used at an ATM in Montreal to drain his account. At his request, she immediately cancelled his card and issued a new one. As the amount stolen was less than the $60,000 for which you're covered automatically, she refunded his money and put in a claim with the Canada Deposit Insurance Corporation. This is how it's supposed to happen.

My sister-in-law, who at the time banked with the Bank of Nova Scotia, went into the bank expecting the same sort of treatment. Instead, she was outright told by the manager that she was lying, and that it was possible for her to get from Ottawa to Montreal in the time allotted. (well yeah, I guess, if you have a helicopter waiting in the parking lot of the store). Her manager outright refused to deal with her, and it wasn't until her mother came in and told the manager that if he didn't treat her daughter with the respect that was due, she would close out her account and take her business elsewhere. As her mom's account had a cash holding more than 6 figures, the manager was interested in retaining business, and reluctantly obliged to help my sister-in-law. Of course, they both closed their accounts a month later anyway, but that's beside the point.

The kind of fraud you describe has happened. And it's probably still happening. It's the Superman 3 plan... if I steal 5 bucks from your bank account, you'll probably never notice. If I steal 5 bucks from your neighbour's account, he'll probably never notice. If I steal 5 bucks from the account of everybody in a city the size of, say, Toronto, I've just walked off with $15million. Except they aren't stealing $5 here and there, they're taking as much as they think they can get away with.

Re:Card and PIN security (1)

swillden (191260) | more than 7 years ago | (#17510096)

Interesting. I hadn't heard of any actual cases, but I haven't been doing EMV stuff for the last couple of years, so it's not surprising that I've missed it.

Even with a little of this going on, the net effect is still to tremendously reduce overall credit card fraud. The bad part is that because this fraud is rare, the suspicion tends to fall more heavily on the card holder, especially card holders that don't have a solid reputation.

Re:Card and PIN security (0)

Anonymous Coward | more than 7 years ago | (#17509544)

Thanks, that explains the problem much better than the original article. I was having problems seeing why this would be a problem as a two-factor authentication system with one factor compromised is still just as secure as a single factor authentication system (ATM card) and more secure that one that uses a public identifier (Credit Card). How fast are they transitioning the ATM's over to Chip-and-Pin over there?

Re:Card and PIN security (1)

Jeffrey Baker (6191) | more than 7 years ago | (#17509652)

The real solution here is that both the chipcard and the PIN device should belong to the payer. Each account should be issued their own slim 10-key PIN pad with the smartcard integrated. When paying, the transaction would be transmitted to the smartcard (by contact or wirelessly) and then the user enters their PIN. The transaction is signed and sent back to the cash register or point of sale system.

This way, the payer is reasonable certain that the PIN device has not been modified.

Re:Card and PIN security (1)

swillden (191260) | more than 7 years ago | (#17509802)

Yes, there are various implementations of cards with built-in PIN pads, and even other authentication technologies like fingerprint scanners, but none of them have been deployed because of the costs and questions about reliability.

What may be the "next big thing" is called Near Field Communications and involves embedding a contactless smart card chip in a cellphone. With that architecture, the phone's keypad can be used as the PIN pad.

Re:Card and PIN security (1)

Jeffrey Baker (6191) | more than 7 years ago | (#17510210)

There is already a smartcard in your phone, and a radio (sometimes two), and a keypad. So the problem is entirely in the software domain at this point.

Re:Card and PIN security (1)

swillden (191260) | more than 7 years ago | (#17510566)

NFC adds a contactless (ISO 14443) chip in addition to the phone SIM, and and RFID reader as well. Both the contactless chip and RFID reader use frequencies and protocols the phone doesn't already support.

Re:Card and PIN security (1)

Jeffrey Baker (6191) | more than 7 years ago | (#17510334)

Oh by the way, I dispute your statement that none have been deployed. The Bloomberg Anywhere service uses a chipcard with integrated fingerprint reader and even an integrated camera.

Re:Card and PIN security (1)

swillden (191260) | more than 7 years ago | (#17510516)

Never heard of Bloomberg Anywhere. I'd be interested in reading about it if you have a link.

Re:Card and PIN security (1)

EatAtJoes (102729) | more than 7 years ago | (#17510608)

Excuse my ignorance, perhaps someone can explain how is this any less secure than American debit-card point of sale systems? Isn't there the same opportunity for PIN interception?

Re:Card and PIN security (1)

swillden (191260) | more than 7 years ago | (#17510724)

Excuse my ignorance, perhaps someone can explain how is this any less secure than American debit-card point of sale systems? Isn't there the same opportunity for PIN interception?

It's significantly more secure than magstripe and PIN debit card systems. Yes there is the same opportunity for PIN interception.

The team's next hack... (5, Funny)

reverseengineer (580922) | more than 7 years ago | (#17509202)

...will be a modification to Tetris to make that damn straight-line block appear more often.

Payment Card Industry Standards (1)

BladeRider (24966) | more than 7 years ago | (#17509216)

The Payment Card Industry (PCI) POS Pin Entry Device standards set by Visa/MC/JCB specifically require that a device used for credit card transactions NOT store the PIN and be resistant to tampering (such that a card holder would be able to see that something is wrong with the device if it had been tampered with). Merchants are required to use devices that have received PCI certification through a certified testing lab. It would be interesting if these devices have received that certification. Visa standards here - Visa Partner Network [visa.com]

Re:Payment Card Industry Standards (1)

KDR_11k (778916) | more than 7 years ago | (#17509896)

How does the customer verify if the device he's been presented with actually conforms to any standards or is just a memory system in a pretty case?

Re:Payment Card Industry Standards (1)

whimmel (189969) | more than 7 years ago | (#17510086)

Considering that the pinpad itself encrypts all the data, and the host POS device can verify it's a valid packet, I'd think that a "simple memory system in a pretty case" would have to do a lot to fool you.

Re:Payment Card Industry Standards (1)

crosbie (446285) | more than 7 years ago | (#17510604)

What evidence is the cardholder given that the card reader ever actually bothered communicating with the card?

Re:Payment Card Industry Standards (1)

crosbie (446285) | more than 7 years ago | (#17510426)

This is irrelevant. These standards only apply to bonafide card readers.

Fraudsters may observe standards, but they gleefully ignore them if it suits their purposes.

How is any member of a merchant's staff trained to inspect their black box and determine whether it complies with standards?

And remind me where I can read a bank's guidelines to its customers as to how they should refuse to use a card reader if it looks like it may have been opened recently? Moreover, is there a photo gallery of all the known legitimate devices?

A fraudster probably loves the tamper resistant requirement because it means no-one expects to be able to open them up to look for radio transmitters, etc.

"Put your card into a black box, any box, and enter your PIN - yes, that number that we always tell you never to reveal to anyone, even your wife".

Tetris on machine no evidence of tampering? (2, Funny)

noidentity (188756) | more than 7 years ago | (#17509220)

researchers [...] recently modified a straight-off-e-bay chip-and-pin terminal to play Tetris, with a video on YouTube, demonstrating that devices are neither tamper-resistant nor tamper-evident [...]

I think putting Tetris on the machine makes it pretty obvious that it has been tampered with.

Living in Britain... (1)

Kr3m3Puff (413047) | more than 7 years ago | (#17509242)

Being an American living in Britian, Chip & PIN makes a lot of sense. Any sort of technology is available for fraud, but this is 100x better then the signature security as well as the PIN is not transmitted past the terminal because it is all handled through the card. Basically the CHIP on the card is asked if the entered PIN is valid and the chip is responsible for authorizing it, not some remote system that needs to be verified with.

While retailers could hack their terminal to swipe PINs, they would essentially need the physical card as well in order to use the collected PIN anywhere else and in most cases, the card never leaves the direct control of the card holder. Online retailers never ask for your PIN. They have to use the standard CCV2 code and authorizations with the bank to get their money.

So while someone could "sneak" my PIN it is totally useless without the physical card. I personally have reduced the amount of cash I carry with me, because everyone has Chip and PIN terminals and it is a lot easier to pay with that then worry about the cash. I really like it and think the States should adopt it.

Re:Living in Britain... (2, Informative)

oliverthered (187439) | more than 7 years ago | (#17509366)

the card never leaves the direct control of the card holder

Try shopping in sainsburys, they swipe the card in their own machine then get you to enter the pin number in the chip and pin thingy.

Re:Living in Britain... (1)

badfish99 (826052) | more than 7 years ago | (#17509808)

Actually that's true of Tesco: they have a policy of "the cashier always takes the card from the customer and swipes it", and they've actually crippled the pin-pads that they present to the customer so that if you insert you card into them, it doesn't work.
Sainsburys have the same policy, but haven't crippled their pin-pads, so if you just ignore the cashier trying to grab your card, and put into the pin-pad instead, it works fine.

Re:Living in Britain... (1)

doobie22 (970556) | more than 7 years ago | (#17509484)

Around this time last year Shell garages had to stop all chip and pin services in Medway Kent area due to some people using a second machine to grab information from the card to clone the card itself, and then grab the pin through the chip and pin machine.

The problem with this scenario (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17509888)

is that the banks have asserted that if there is a problem then it isn't THEIR fault, since the chip and pin system is hack-proof.

Either the customer or the metchant gets it in the shorts. NOT the bank. Which is why it was implemented, really.

Now that the system has been shown to be hackable, this line is no longer good enough and the banks must (but probably won't) take responsibility.

Re:Living in Britain... (1)

_damnit_ (1143) | more than 7 years ago | (#17510112)

I was in Newcastle-upon-Tyne for three weeks last year for work and found the "Chip-and-Pin" to be a pain in the ass when you don't have a Chip-and-Pin card. I found quite a few places with new rules which forbade using cards without Chip-and-Pin! If you come in from another country which does not have Chip-and-Pin, you are screwed. Credit Cards have become the new international currency (backed by various government species). They should be very careful about changes that make some countries incompatible with the rest.

That said, I would prefer they bring Chip-and-Pin to the US. I much prefer my credit card staying within eyesight than having some aspiring actor walk off with it for 10 minutes.

Re:Living in Britain... (0)

Anonymous Coward | more than 7 years ago | (#17510374)

I found quite a few places with new rules which forbade using cards without Chip-and-Pin!

They shouldn't really do that to foreign customers; and if they did it to someone who has a signature card because of a disability that could be illegal discimination.

Re:Living in Britain... (2, Funny)

breckinshire (891764) | more than 7 years ago | (#17510302)

Being an American living in Britian, Chip & PIN makes a lot of sense.
It's true what they say. British food really IS terrible.

Mod parent up (1)

John Harrison (223649) | more than 7 years ago | (#17510390)

This isn't that impressive of a hack. Basically they made their own machine and put it in a Magic 6000 box. They don't even show PIN or CC# capture in the video. Even if they did show that, they aren't able to dupe a chip and PIN card. The worst they might be able to do it create a magstripe card, which isn't nearly as useful.

Basically all this shows is that you can rip the guts out of a Magic 6000 without making significant changes to the top surface of the machine.

The real problem (2, Interesting)

Generic Guy (678542) | more than 7 years ago | (#17509282)

The real problem I see here is that new technology is presented as "unbreakable" then allows the business interests to ignore victims of fraud. In the U.S. we've already seen this happen with the special chipped keys for new vehicles. The auto makers insisted the technology was unbreakable, and the insurance companies responded in kind by denying theft claims from those victims unfortunate enough to have purchased a vehicle with one of these chipped keys.

I'm sure the banks are ready to further punish any victims of this broken "unbreakable" bank card system. I'm not British, so I don't know how applicable this is in the UK, but I imagine it is still a problem.

Re:The real problem (1)

apodyopsis (1048476) | more than 7 years ago | (#17509414)

Quite. There have been a spate of car thefts in the UK where the thief has also broken into the victims home to take the keys as well. So instead of just nicking the car they now have to break into the house to get the keys too, as they know that the car won't go without them. And you're also bang on the money (sorry about the terrible pun) about the new PIN system, the liability was shifted immediately.

In use in Canada (1)

GreenEnvy22 (1046790) | more than 7 years ago | (#17509284)

In Canada we've had a system called Interac for several years now. It works in a similar fasion. It's been enormously successful, and of course some people have taken advantage of it. Some use simple setups, like having a card reader to get the magnetic swipe info from the card, and simply watching the customer enter their PIN. Others have replaced the terminals with ones that record. Even more crafty people have put an insert on the card recepticle on an ATM, that looks like the stock one to the untrained eye. They leave it on for a few hours, then return and take it back with all the codes stored in it. Any system can be circumvented. To the best of my knowledge though, no one has broken the actual encryption on a system like interac, it's all methods of capturing the data in it's unencryped form (ie, a camera pointed at the pin pad).

Re:In use in Canada (2, Informative)

mandelbr0t (1015855) | more than 7 years ago | (#17509938)

I used to work at a private financial institution that was a member of the Interac network. The security on modern ATMs in Canada is very good. Interac certification requirements are equal to or better than VISA/Plus requirements, which require:

  • An EPP (Encrypting PIN Pad) that uses 128 3-DES shared key encryption. The EPP is sealed at the factory.
  • A specially hardware device for generating gateway keys and terminal keys
  • MAC-ing of encrypted message between terminal and gateway to prevent errors and detect tampering.
  • private leased line between gateway and Interac network
  • (coming soon) upgraded requirements for MAC-ing and encryption on private leased line

The link between ATM and gateway, and gateway and Interac is probably the most secure aspect of the transaction. Most fraud I heard of was isolated cases of stolen cards (probably read the PIN over their shoulder and stole the card without cardholder's immediate knowledge), or of cameras recording PIN numbers (you need an insert on the card reader too). The only real problem now is that some older gateways still process non-compliant terminals which use weaker encryption (64-bit DES) or use PIN pads that aren't certified. Fines must be paid to keep these terminals operational, and I believe that there is a drop-dead date where nothing will keep the non-compliant terminals operating.

In practice, this means that an individual needs to pay attention to what ATMs they use. If it looks old and unreliable, there's a good chance it is. If it looks shiny and new, it's pretty likely that it meets current security standards, though it's possible to upgrade the case on some older models without upgrading the security.

mandelbr0t

Re:In use in Canada (1)

Ubergrendle (531719) | more than 7 years ago | (#17510278)

Mod parent up. Excellent summary of the level of security required on Canada's banking networks.

EMV will only improve matters. To my knowledge, Interac is mandating all transactions must occur online with the new EMV cards, and no fallback will be allowed to magstripe if you have an EMV card at an EMV terminal. That means fraudsters can only rely upon EMV mags @ magstripe only terminals, which will have a very aggressive sunset date.

Re:In use in Canada (1)

dimeglio (456244) | more than 7 years ago | (#17510766)

In an article from a local newspaper there was a mention of individuals who were recently caught replacing the pin-pads with modified pin-pads rigged to send the pin "somewhere" on the Internet (the article did not specify where exactly on the Internet or how it managed to do it).

To get their modded pin pad in the store, they basically distracted the clerk, replaced the pin pad with their modified version and went away. They returned later to replace the pin pad back with the original.

Using this scheme, these individuals could have managed to capture a great deal of data but thank fully got caught before doing so. This store had a policy to ensure the serial numbers of their pin pads are the correct ones, they noticed the scheme and alerted the authorities.

This seems to me like a major security flaw even if these individuals managed to get caught but apparently, Interac Association will be switching to encrypted pin-pads to help mitigate the risk.

Here is the article (in French) http://www.info07.com/article-62081-Attention-aux- fraudes.html [info07.com]

Only in Canada, Eh? Pity. (1)

camperdave (969942) | more than 7 years ago | (#17510560)

This isn't the same thing as Interac. From what I gather, this is to replace credit card transactions. In other words, instead of reading the card and getting the client to sign a slip of paper, the merchant reads the card and gets the client to type in a personal identification number. This is clearly more secure, because the PIN/chip relationship is verified electronically every time a transaction occurs, whereas signatures need to be verified by people who can be lazy or distracted [zug.com] . Someone needs to steal both your card and your PIN in order to access your account. With regular credit cards, all someone needs is your credit card number.

Also, with Interac, both the card number and the pin are transmitted to the bank for verification. From what I understand, with the chip and pin system, the verification occurs within the keypad, and a one time transaction code is sent to the bank. The keypad is supposed to be tamper evident.

Oh, and by the way, debit card systems like Interac have been in use all around the world for years now. Canada may be a world leader in consumer usage, but it is far from rare in other countries.

liability shifty (5, Insightful)

apodyopsis (1048476) | more than 7 years ago | (#17509304)

What annoyed me was the shift in liability. The old fashioned "swipe and sign" cards, if they were compromised and somebody nicked your cash then the banks could be held liable and some remittance sought. However - with the new system there is an automatic assumption that you have given your PIN away and hence its your fault and you can he held liable. So if somebody stands behind you, watches you type in your PIN and then follows you outside, mugs you and steals your card - then you can be held liable for not taking care of your PIN number. Also the system seems quite unreliable even now.

Re:liability shifty (2, Informative)

iamdjsamba (1024979) | more than 7 years ago | (#17509768)

Actually, I think quite wrong.

With the original swipe system, the liability was with the bank; If you got frauded, then the bank had to re-emburse you. With the introduction of chip and pin, this remained the same; If you're chip and pin is frauded then the bank is still liable. FYI, if your swipe is frauded, it is now the place the fraud happened (e.g. the shop) that is liable, something that was introduced to basically force most companies to change over.

I can verify that the bank take liability, as my girlfriend recently had her card details stolen from an ATM (still not sure of the method, but there were about 100 students I'd guess who got done too, so i'd guess a some sort of magnetic swipe + camera job). She had about £200 taken, and the bank refunded all of it to her.

As for the actual security of chip and pin, as many people here have reiterated, everything is liable to be cheated some way or another, it's a sad fact of the technological world. However, all you need to do is look at the figures (thanks to chip and PIN, in 2005, there was a reduction of nearly £60m in counterfeit and fraud on lost and stolen cards (a drop of 24%) compared to 2004. [http://www.chipandpin.co.uk/overseas/success.html ]) to see that there is a clear reduction in fraud. The long term reduction in France has been even more significant (estimated to be 80% [http://www.whatprice.co.uk/financial/chip-and-pin -credit-card.html]). So the technology may be liable to fraud, but significantly less so than swipe.

Stuff like this is scaremongering and will stop people using cards when they're safe. Just like happened with internet shopping, which is actually safer than real life shopping (1/3 of adults frauded in real world, just 15% online according to research from paypal [www.easier.com/view/News/Finance/article-80950.ht ml]).

And the real question is, can it play doom? [itplaysdoom.com]

Re:liability shifty (2, Interesting)

kebes (861706) | more than 7 years ago | (#17510106)

As another poster pointed out, this concept is widespread in Canada. It's called INTERAC and it's so widespread that you can almost not even carry cash.

In my experience the fraud protection has been really good. If your PIN or card details are stolen, any money lost is reimbursed by the bank. Moreover, when they detect that a retailer is stealing card numbers somehow (which they detect using a program to analyze log files and look for inconsistencies, etc.), they immediately cancel the cards of anyone who used that retailer, and contact the customers to let them know a new card is in the mail.

So actually the fraud protection is quite good. It's better than cash, in any case. If your cash gets stolen: too bad you lost the money. And if you are given counterfeit bills: too bad you can't use them anywhere. However with Interac when you get defrauded you've got some amount of protection.

Of course this all hinges on the banks doing "the right thing" (and/or the laws being set up to force the banks to do the right thing). In Canada the system seems to work great. Not sure if it's the same elsewhere.

Re:liability shifty (0)

Anonymous Coward | more than 7 years ago | (#17510638)

From my experience with bank industry and fraud, fraud investigation by bank equals shifting liability. If they can shift it, they will. If they can't, they have to pay out. Hence the emphasis on creating a framework for denial of liability.

Technological exploits will come and go, denials of responsibility stay the same. Until government regulations -- or a tidal wave of negative media coverage -- hold banking industry's feet to the fire on security flaws, this will remain constant.

My experience: http://wamublamesgrandma.blogspot.com/ [blogspot.com]

Good thing I have practice! (1)

Sneakernets (1026296) | more than 7 years ago | (#17509362)

I don't know about you guys, but I wouldn't mind having to play B-Mode Level 9 for a quick $40. More fun than the previous models with the "number game". Maybe a little siren could go off and you'd get a free lolly. And it better be cherry, too.

Weird (1)

boa13 (548222) | more than 7 years ago | (#17509398)

First, we've been using chip-and-pin smartcard-based credit and debit cards for years in France, without significant problems. Of course, there's been a few researchers here and there claiming to have broken part of the cards security, sometimes rightly so. However, the system has remained quite sturdy considering the huge amount of transactions done every day.

I type my PIN almost every time I use my card, and I use my card a lot. Cheques are an almost exctinct species here. It's money or card, mostly. The only place where PIN is not requested is at the highway tollbooths. That would slow the traffic too much, the transaction amount is rather small, and they probably take note of the cars' immatriculations, so the risk is small and I don't mind using the magnetic stripe for that purpose. Apart from that, in the past few days, I've typed my PIN to: withdraw money from my bank, pay at the supermarket, pay for a few clothes, pay for the New Year's Eve food, pay for the Christmas gifts, pay for my monthly tram pass, pay at the gas station... That's just from the top of my head. And I've been doing it for more than ten years.

Frankly, I don't see the problem with requesting the PIN at retail outlets. The article sounds like FUD and fearmongering.

However, here's the part that weirds me out, maybe just an error in the writeup: what about this bank account pin number? Does this mean that in England they have some kind of all-powerful PIN that unlocks whole bank accounts? In France the PIN is specific to the card, the bank wouldn't know what to do with it.

Re:Weird (1)

Moredhel (1356) | more than 7 years ago | (#17509894)

They seem to be pointing to the use of a single PIN number for the card, no matter what you use it for. I keep my credit cards and ATM card for those purposes. But many bank/ATM cards can also be used for making payments directly off your bank account, rather than via Visa/MC/Amex. So in those cases, if they have your PIN, and the data on the magnetic swipe, they can clone the card and empty your bank account. I suppose there's also the point that most credit cards allow you to withdraw cash at ATMs, if you know the PIN.

As mentioned elsewhere here, if this happens, the banks now feel they're in the position to say that anyone who has your PIN must have been told it by you, and so they're cutting down on ATM fraud by blaming the victims.

There's also the worry of people (and most do) having only one PIN number for all cards...

So while yes, the bank has no idea what your PIN is, if someone has the magnetic data from your bank card and your PIN, they can do you much harm, financially.

Re:Weird (1)

56ker (566853) | more than 7 years ago | (#17509994)

this bank account pin number? Does this mean that in England they have some kind of all-powerful PIN that unlocks whole bank accounts? In France the PIN is specific to the card, the bank wouldn't know w

For internet and telephone banking there is a 6-10 digit number (at least with HSBC) chosen by the account holder for verification.

Once you have someone's DOB, bank security number you can basically do anything with the account (eg wire the money anywhere else in the world). They usually ask for three digits of the security number making it a 1 in 1000 chance somebody would guess it by mere chance. Other banks have different security methods. Some insist on you entering a PIN number (different to the cards) for internet banking.

However PIN numbers are bad because:-

They're kept the same (how many people do you know who change their PIN after every transaction)?

They can be observed by anybody behind you in an ATM or in a shop queue.

The bank does (and has) held people liable on the basis that:-

a) only the accountholder knows the pin so QED

you must have told them the PIN number or been careless so you are liable (even in say amounts of £7,500).

No bank or organisation seems terribly bothered about fraud as it seems it's not in their financial interests to investigate it fully (especially when there's an international element/proof required in a court of law side) to it. Sadly it seems it's always down to the accountholder to prove they weren't either:-

a) present during the transaction or
b) the card was lost/stolen

Missing the point... (2, Funny)

creimer (824291) | more than 7 years ago | (#17509410)

Anyone tampering with one of these machines will be caught by one of Britain's numerous public security cameras, promptly arrested and beaten senseless before being throw into the drunk tank with an American dick named Sue. The banks are correct that tampering can only happen in an controlled environment.

That's nothing. Tetris in Delft in 1995. (1)

splutty (43475) | more than 7 years ago | (#17509426)

http://www.etv.tudelft.nl/vereeniging/archief/lust rum/90/english.html [tudelft.nl] was the Guiness book of records attempt by the faculty of Electrical Engineering at Delft University of Technology in the Netherlands.

I was there and it was absolutely hilarious :) Although walking through the corridors was a slight bit of a problem with all the cables lying there.

Great stuff for those interested in Tetris :)

No Cards Here (1)

nbannerman (974715) | more than 7 years ago | (#17509464)

I'm 24, live in the UK, and I have no credit or debit cards. All I have is a savings account card for the classic 'hole in the wall' money system. Shell (the petrol station) removed their Chip and Pin facilities for 3 months because of security concerns. Think I'll stick with cash for my purchases in the future.

PIN Number? (2, Funny)

Tau Neutrino (76206) | more than 7 years ago | (#17509508)

Yeah, that's what I use at the ATM machine when I want to drive my SUV vehicle to the store and buy some DIMM modules. I'm working on a device to detect the HIV virus, but a I need a good TLA acronym to call it.

Re:PIN Number? (0)

Anonymous Coward | more than 7 years ago | (#17510846)

Just DIMM modules? Why don't you pick up a RAID array whilst you're there?

Are British banks that clueless? (1)

Iphtashu Fitz (263795) | more than 7 years ago | (#17509530)

There have been cases in the US where thieves have gone as far as setting up real ATM's in places like shopping malls in order to con people out of their bank cards & PIN's. They just buy/steal a machine like you see in a convenience store, rig it so that it looks like it's working but displays an error message instead of dispensing cash, then wait for people to try to use it. It records the bank card info & PIN's that are entered, so when the crooks come and retrieve the machine they have a bunch of accounts & PIN's to go have fun with.

If thieves are smart & brazen enough to do this with full ATM machines then doing it with one of these small terminals is a virtual no-brainer for high-tech thieves. They just need to figure out how to locate them where people are likely to trust & use them.

Re:Are British banks that clueless? (1)

Hanners1979 (959741) | more than 7 years ago | (#17509962)

You couldn't just set up a machine anywhere a la an ATM - If hackers were to set up a Chip and PIN terminal of their own, they'd have to do it at a checkout of a major store, which as you can imagine would be tricky.

The most likely mode of attack along those lines I suppose would be to disguise yourself (or get a job as) a repair person for these devices, and then tamper with them in some fashion so that they record key presses. It would still be a pretty tricky undertaking though I would imagine.

Re:Are British banks that clueless? (2, Informative)

apodyopsis (1048476) | more than 7 years ago | (#17510054)

Its not actually that easy.

Yes, you can get the PIN that method, but unless you can actaully handshake with the EMV chip you have absolutly zero chance of getting the bank details. In the UK certainly the chip readers do now actually have the option to confiscate the card so a fake mini-EPOS terminal is not going to work.

Your idea about using a real EMV EPOS terminal is a non starter as most of them are not allowed to do offline transactions - so you'd need an account and access codes to be able to use them. Good luck, let me know how that works out.

The only method that can still be used is a skimmmer (sits in front of the slot on an ATM and reads the card and photos the pin entry) but the average user is thankfully getting smart enough to detect that the shiny plastic thing clipped to the front of the cash point is probably not to be trusted.

skimmer: http://news.bbc.co.uk/1/hi/england/hampshire/dorse t/3399175.stm [bbc.co.uk]

So that really only leaves mugging somebody or creating a fake ATM (which has been done many times) - both of which probably would work, but are futunately quite rare these days.

They replaced all the innards! (1, Redundant)

Viol8 (599362) | more than 7 years ago | (#17509550)

"Steven Murdoch and myself took the chassis of a real terminal and replaced much of the internal electronics such that it allows us to control the screen, keypad and card-reader"

Umm , how exactly does that prove the actual terminal is vulnerable? Other than if you get hold of one and have some tools at hand and lots of time then yes you can open the lid and get to the electronics inside. But I think we all knew that already.

This is a non-event.

Re:They replaced all the innards! (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17509666)

Instead of putting something in there that played Tetris, what if you put something in there that looked and felt like a normal C&P terminal, except instead of communicating to the bank, it just kept a copy of your card details and PIN for later extraction? That's the problem this demonstrates.

PIN Number? (1)

EllisDees (268037) | more than 7 years ago | (#17509594)

Personal Identification Number Number?

Why not PINN number, or PINNN Number?

I'm sure they enter their "PIN Number" into the "ATM Machine".

Debit Cards (4, Informative)

Lodragandraoidh (639696) | more than 7 years ago | (#17509634)

In the US we have debit cards that operate as both an ATM card, and equivalent to a credit card - only drawing the cash from the bank account instead of a line of credit.

So - the only time I have to enter my pin number is at the ATM. For all other purchases I use it like a credit card (and save the ATM surcharge as well).

Re:Debit Cards (1)

saintm (142527) | more than 7 years ago | (#17509780)

That's what Debit cards over here do too, in addition to the chip and pin option.

Re:Debit Cards (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17510892)

I can see the value of debit cards for some people (e.g., can't get credit, or need it as a way to enforce budget discipline), but for me they are an abomination.

I pay off my credit card balance every month, from a checking account that earns a modest interest rate (currently in the range 3.0-3.5% annually). So the 30 days of float I get means in effect that the bank is paying me roughly a 0.25% bonus for everything I charge.

With a debit card, the money is siphoned out of the account immediately at the point-of-sale. The attractiveness of this from the bank's point of view is obvious. It would also not surprise me if the Visa people ding merchants at a lower rate for debit than they do for credit.

A second major flaw is the fraud angle. If fraudulent charges show up on my credit card, I call my bank and refuse to pay the charges until the matter is settled. With a debit card, the money is gone, and I have to convince someone to give it back to me. Having the first sign of fraud be the fact that my checking account has been cleaned out is not a good feature, IMO.

Debit cards also lose out to ATM cards for the same reason. With an ATM card, there's a one-day limit of something like $300-$500. So if my pin or card gets compromised, there are limits to how much damage they can do. (Of course liability limits are much lower, and you should *eventually* get all of your money back, but again I don't want to start from the position of having my checking account cleaned out, and then trying to recover.)

Fish & Cushion (1)

jacksonic (914470) | more than 7 years ago | (#17509958)

I'm sure Fish & Cushion would have something to say about this.

Re:Fish & Cushion (1)

Hanners1979 (959741) | more than 7 years ago | (#17510130)

Damn, I just used my Mod points, and I can't reward you for the Mitchell and Webb gag. :(

Forget about the PIN (2, Informative)

carvalhao (774969) | more than 7 years ago | (#17509984)

In Portugal we had an attempt on a similar technology back in the middle 90's, called PMB ("Porta Moedas Multibanco", which translates roughly into "ATM Wallet").

It was basically a smart-card you could load with a certain amount on any ATM and make payments anywhere a terminal existed (many vending machines, for instance, accepted PMB) without inserting any code whatsoever. So it basically replaced your wallet, if someone stole it the money still loaded in the card would be lost.

This wasn't much of a problem, since in Portugal we have a single entity managing all debit cards, so you get money at any ATM or pay at any debit terminal regardless of your bank, so the PMB cards were only used for micro-payments and never carried much money anyway.

The system wasn't very successful, though. Not enough information given to the public in a time where the concept of electronic money wasn't all that widespread...

Re:Forget about the PIN (1)

16384 (21672) | more than 7 years ago | (#17510168)

The system wasn't very successful, though. Not enough information given to the public in a time where the concept of electronic money wasn't all that widespread...

That was not the only reason why it failed. I had one of those, but it was easier just to use cash. The transaction was harder with the electronic wallet card that just handing some coins. Sometimes the card wouldn't work at the first try, other times the vendor would have to search for the terminal as it was infrequently used. I don't miss it one bit (my card probably has still 10 ou 20 escudos left :-) )

Cod3k (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17510074)

Replacing Electronics (1)

popo (107611) | more than 7 years ago | (#17510082)

Meh... If replacing the electronics inside a device counts as a demonstration that
the device is "unsafe", then can never be a "safe" device.

Its like taking a Volvo, swapping the accelerator with the brake, and then declaring
that Volvo's are inherently unsafe.

I still haven't seen evidence of the tamperer's acquiring possesion of credit
card info -- which is really the issue at hand.

heavily flawed (1)

abigsmurf (919188) | more than 7 years ago | (#17510402)

there are multiple reasons why this exercise is meaningless:

1: they cannot authorise the transaction using this method so the customer wouldn't be able to pay for what they intended to buy. The second a chip and pin card reader is opened and modification is attempted, it bricks itself. This would mean it's impossible to modify the internals and still enable the reader to contact a bank. Shops would notice pretty fast if lots of people were stealing goods and getting someone to swipe the card in two different readers (one fake, one real) would quickly get you reported.

2: it is impossible to clone a chip using a reader. The chip only accepts certain encrypted commands and responds differently each time to these commands in a way only the bank is able to decrypt. It's not possible to dump these chips and it would be easier to steal the card then to recreate the chip physically. And no they are not RFID, they require physical contact (as a scare story last year mistakenly made out)

3: Magnetic stripe info and pin is not enough to use a card. These cards cannot be read without the chip (I assume if you try, the card gets swallowed). There was an incident last year when cloned chip and pin cards which didn't have the chip would be read in some ATMs in India causing accounts to get emptied but this was down to sloppy authorisation techniques by the banks in question (it should've been obvious the holders weren't in India, withdrawing 500quid from outdated, insecure ATMs).

Bricking....perhaps not? (1)

dino213b (949816) | more than 7 years ago | (#17510944)

Well, unless you know something I don't, I partly disagree with one point on your #1: bricking. I thought you would be interested to see a related example of chip hacking, which can be applied to smart-cards using a PIC chip:

http://www.bunniestudios.com/wordpress/?page_id=40 [bunniestudios.com]

Clearly those cards use different technology but -- caveat emptor! A PIC wasn't meant to be hacked either - with microscopic physical protection in place. The example was in DIP form but there is virtually nothing different from the guts of a DIP chip and QFN.

Also, given enough time, boredom or economic motivation anything is possible. I have seen hackers decrypt things that shouldn't be possible to decrypt...and I have seen them do this for me for $50.

Not that I have a better suggestion, but, I don't believe in being too assured- paranoia is a healthy component of my life. :)

Chip and Pin drove me nuts this Summer... (1)

weave (48069) | more than 7 years ago | (#17510756)

I visited UK this past Summer and had two different incidences where the (admittedly) very young waitresses didn't know how to handle my old fashioned American credit card. They kept sticking it into the chip and pin terminal and telling me it wouldn't work.

Amazing it's only three years old and already so integrated into society there.

Can someone with a chip and pin card from UK use it like a regular credit card in the US (where there are no chip and pin terminals)? Seems a bit ridiculous to me to be migrating to schemes where the former ubiquitous use of credit cards worldwide is changing to be incompatible, at least as far as usage goes.

nothing new here (0)

Anonymous Coward | more than 7 years ago | (#17510832)

we men have been using this tactic to get laid since beginning of time. We trick women into thinking we're sweet, sensitive, smart guys all the time. women = card holders, men = fake machines, PIN = u figure it out ;)
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?