Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Researchers Expose New Credit Card Fraud Risk

kdawson posted more than 6 years ago | from the tamper-proof-isn't dept.

Security 219

An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."

cancel ×

219 comments

Sorry! There are no comments related to the filter you selected.

Get rid of the damn things! (4, Interesting)

seanadams.com (463190) | more than 6 years ago | (#22592860)

The reason the security is so poor is because the banks don't give a s**t. It's the _merchants_ that are liable for fraud, even though it's almost entirely the fault of the banks! They banks only have to make it just good enough that it's easier for the merchants to take credit cards than cash - even after the exorbitant ($0.25 + 2.5%) processing fees that they charge just to move the bits around.

The powers that be LOVE us using credit cards. They can track us, and they can dupe the feeble-minded among us into spending our way into a lifetime of indentured servitude.

The failure of our government to (re-)introduce a $1000 bill, in spite of massive inflation, is a deliberate scheme to make it impractical for us to use untraceable funds for any substantial purchase. And it has nothing to do with tracking terrorists or drug money, it's just to keep tabs on and control over the law abiding populous.

Re:Get rid of the damn things! (3, Interesting)

suso (153703) | more than 6 years ago | (#22592894)

I believe this is called Security Theatre.

Use the sauce, Luke (0)

Anonymous Coward | more than 6 years ago | (#22593430)

This is, after all, Web 2.0. With The Onion and video links posted on slashdot, with embedded flash ads,, and no website slashdotted for years, times have unfortunately changed since real techheads hung out here. But fear not, because we can go to the sauce [lightbluetouchpaper.org] and have a conversation with the professor and his team that did this research.

Re:Use the sauce, Luke (1)

DittoBox (978894) | more than 6 years ago | (#22593702)

I'm not 100% sure what you're smoking but sites go down once or twice a week after being posted to /.

Re:Get rid of the damn things! (3, Insightful)

ShadowsHawk (916454) | more than 6 years ago | (#22592956)

There are plenty of merchants that will not accept a $50 let alone a $100.

Most will for large-ticket items (4, Insightful)

davidwr (791652) | more than 6 years ago | (#22593242)

While it's true they don't have to do business with you, most stores will accept a $50 rather than lose out on a $55 purchase. Ditto a $100 and lose out on a $101 purchase.

It boils down to risk:
Most people passing funny money will want to get change rather than goods they can only resell at diminished value.

Also, many merchants use basic anti-counterfeit measures when accepting $20s and higher. Granted these measures have a high miss rate but they do catch amateurs.

Re:Most will for large-ticket items (4, Funny)

Dogtanian (588974) | more than 6 years ago | (#22593930)

While it's true they don't have to do business with you, most stores will accept a $50 rather than lose out on a $55 purchase. Ditto a $100 and lose out on a $101 purchase.
They're evidently not that keen. Last time I tried to make a $53 purchase with large-value bills, they refused.

The cheek of it- my $50 bills are as good as anyone else's! As was the $3 bill...

Re:Get rid of the damn things! (1)

magarity (164372) | more than 6 years ago | (#22593346)

They don't have to give you change if they don't keep enough on hand for security reasons (there's almost always a sign to this affect) but if a $50 or a $100 is all you've got for a small purchase then I assure you, they'll take it if it's to pay for something you've already consumed.

Re:Get rid of the damn things! (5, Interesting)

the brown guy (1235418) | more than 6 years ago | (#22593366)

I tried paying for my university tuition with cash (I have a cash based job) and the woman there said that I can only pay online with a credit card. After explaining that I am too young to have a credit card, and that I only had cash she relented. Even then, she said that they couldn't give me any change, so I had to go and get exact change. Its bullshit, not everybody can have a credit card, plus I like the anonymity that paying via cash provides.

Re:Get rid of the damn things! (1)

David_W (35680) | more than 6 years ago | (#22593628)

Devil's advocate...

Its bullshit, not everybody can have a credit card

True, but can't pretty much everybody get a debit card tied back to a checking account?

Re:Get rid of the damn things! (3, Insightful)

Raistlin77 (754120) | more than 6 years ago | (#22593924)

Not everybody can have a checking account, especially if they are unfortunate or irresponsible. And which would you rather have, cash or an electronic transaction that can be reversed or check that can bounce?

Re:Get rid of the damn things! (1)

TooMuchToDo (882796) | more than 6 years ago | (#22594168)

Either way, as a merchant, I'm accepting the risk. With cash or EFT/ACH, it's harder for a customer to strongarm a merchant vs. the customer paying with a credit card and threatening a chargeback. And yes, customers threaten chargebacks over issues that aren't the merchant's fault/problem. The customer is not always right.

Re:Get rid of the damn things! (1)

DShard (159067) | more than 6 years ago | (#22594250)

Why do you want to track every financial transaction?

Re:Get rid of the damn things! (0)

Anonymous Coward | more than 6 years ago | (#22594116)

I predict that whatever your chosen course of study at the university, you will do just fine in life. You're a smart kid.

Re:Get rid of the damn things! (5, Insightful)

Anonymous Coward | more than 6 years ago | (#22592964)

The data mining industry is so ingrained in our society that even if people started using $100 bills to pay for major purchases, the serial numbers on the bills would probably be scanned for tracking information. The only way you are going to get privacy in your monetary transactions is with a national privacy overhaul with penalties for data mining without permission. Since the government is one of the entities doing the data mining, this is probably not going to happen anytime soon.

Re:Get rid of the damn things! (1)

eat here_get gas (907110) | more than 6 years ago | (#22593564)

RE:

"Since the government is one of the entities doing the data mining, this is probably not going to happen."

there, fixed that for ya!

Re:Get rid of the damn things! (0)

Anonymous Coward | more than 6 years ago | (#22594190)


RE:

"Since the government is one of the entities doing the data mining, this is probably not going to happen."

there, fixed that for ya!


Yes, that is certainly much clearer and more insightful than the original. Here's to you, Mr. Forum Post Fixer-Upper While Not Actually Changing The Original Meaning Guy!

No cards for small transactions (0)

dj245 (732906) | more than 6 years ago | (#22593504)

I no longer use credit cards for small transactions. Usually, my small transactions are at places where the employees are paid poorly and the manager is somewhere else at the moment and doesn't care anyway. This includes restaurants where the waitor takes your card out of your sight. I don't want my cards stolen just because I didn't tip enough or Romero can't make rent.

Larger transactions are usually a little more safer. The merchants are usually more careful who they hire or care more about employees stealing cards. Additionally, if the the services or goods are no good then you can have the credit card issuer help you out.

Two of my friends have had card numbers stolen. both of them suspect a resaurant or bar. In both cases, the items purchased were Wal Mart money orders (and $500 worth of fireworks in one case). Forcing Walmart not to enable buying of money orders with cards would be a great help. The US Post office already has this policy.

Re:Get rid of the damn things! (2, Insightful)

geekoid (135745) | more than 6 years ago | (#22593560)

This is a manufacturing design problem.
These boxes can be made to make this attack nearly impossible.
But it would cost another 5 bucks to manufacture it.

Hell, if the designed them so the case was steel, and as thin as an iPhone this problem goes away because:
a) it would take serious effort even AFTER you knew what to do. Raises the risk.
b) You couldn't attach something to it without it being noticed.

As far as the software goes, encrypt the data.

Re:Get rid of the damn things! (1)

Nefarious Wheel (628136) | more than 6 years ago | (#22593888)

As far as the software goes, encrypt the data

In Australia, merchant banks will only accept transactions encrypted to 3DES. This was a fairly recent change. Retailers (including the very large one I helped through the PIN pad changeover) spent rather a lot of money on the changeover, and had no complaints about the investment. Nobody watches the till quite like a grocer...

Re:Get rid of the damn things! (4, Informative)

Raistlin77 (754120) | more than 6 years ago | (#22594000)

The problem is not missing encryption between the merchant and bank, the problem is with missing encryption between the merchant and the card reader/pin entering pad. The same readers/pads are still unencrypted, even though the merchant may be encrypting the data for the transaction to/from the bank.

It's like entering your credit card information on a website for a purchase. The connection to the server may be encrypted, but the data sent from your keyboard to your pc is not, and this is the same as where the hack with the card readers/pads is occurring.

Re:Get rid of the damn things! (3, Interesting)

Kalriath (849904) | more than 6 years ago | (#22594404)

Really? Over here our terminals require triple-DES encryption between the PIN-pad and the terminal and then the connection from the terminal to the payment processor is encrypted again. Anything else will not be certified for connection to the EFTPOS network.

Wow you guys really do have it bad.

Re:Get rid of the damn things! (1)

BigJClark (1226554) | more than 6 years ago | (#22593684)


uh....its either that, or they just like making money at 18% interest. Perhaps you chalk up more credit to your government than its worth. I prefer live by Occam's razor, and the older I get, the less prone I am to... delusional thinking. Or maybe, you're winston smith, and I'm part of the inner party. You dropped your tinfoil hat.

Re:Get rid of the damn things! (1)

DShard (159067) | more than 6 years ago | (#22594344)

Or: option number three, it benefited both, and they both made it possible. Even if it wasn't built with malice in mind, it will be used that way.

Re:Get rid of the damn things! (2, Insightful)

Mr. Underbridge (666784) | more than 6 years ago | (#22594364)

he failure of our government to (re-)introduce a $1000 bill, in spite of massive inflation, is a deliberate scheme to make it impractical for us to use untraceable funds for any substantial purchase. And it has nothing to do with tracking terrorists or drug money, it's just to keep tabs on and control over the law abiding populous.

It might also have something to do with the fact that most people aren't crazy enough to walk around with thousands of dollars on them. In the end, it wouldn't matter, because any transaction of $10,000 or more with a bank will get reported anyway.

Besides, a suitcase full of stacks of $100 bills has more class.

Is anyone here really surprised? (5, Insightful)

suso (153703) | more than 6 years ago | (#22592862)

Proprietary software AND hardware companies basically cannot be trusted. I've encountered countless amounts of commercial software, hardware products and services where the company states that they are very secure, but when investigating things myself, I find that its trivial to circumvent their security. You can read about some of the read about some of the poor security I've discovered recently with web hosting providers [suso.org] . Consumers deserve better than this and its all of our responsibilities to make all people aware of these problems. Ironically, this news program itself doesn't understand the value of open disclousure. I guess I can understand that as its human nature to want to hide things for fear of liability. But its not like they were doing something that's not so obvious that someone determined enough could figure out.

First rule of security in my book: Someone who wants something bad enough, they will be able to circumvent nearly anything in order to get it. So its a matter of how badly they want it. Since its money in question, I'd say that a variety of organizations and people want it pretty bad.

Re:Is anyone here really surprised? (4, Informative)

Pojut (1027544) | more than 6 years ago | (#22593136)

First rule of security in my book: Someone who wants something bad enough, they will be able to circumvent nearly anything in order to get it. So its a matter of how badly they want it. Since its money in question, I'd say that a variety of organizations and people want it pretty bad.


This reminds me of a quote (the source eludes me at the moment):

"If it can be engineered by one human, it can be reverse-engineered by another human."

Re:Is anyone here really surprised? (0)

Anonymous Coward | more than 6 years ago | (#22594194)

While an interesting quote, it falls apart when taken to the virtual context. I'm pretty sure that both AES and the Diffie-Helmann key exchange were engineered by humans, yet I'd like to see someone reverse those ...

Re:Is anyone here really surprised? (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#22594468)

AES is easy to reverse, provided that you have they key.

Re:Is anyone here really surprised? (4, Interesting)

whyloginwhysubscribe (993688) | more than 6 years ago | (#22593590)

My bank in the UK (Barclays) has issued me with a secure ID card, that I type my PIN into, and it then gives me a number to type into the online banking system.

I think it is only a matter of time before this gets transferred to shop terminals - if you need to bring something and remember something, then it makes life a lot harder for hackers.

Re:Is anyone here really surprised? (2, Insightful)

irongroin (579244) | more than 6 years ago | (#22593660)

First rule of security should be: Physical access is all access.

Re:Is anyone here really surprised? (1)

sexconker (1179573) | more than 6 years ago | (#22594208)

That's a consequence, not a rule.

Though I say it should be a rule (for accessibility reasons).
If I have a box in front of me, I should have access to all of it's functions.
You can secure access with passwords or whatever if you want, but there better be a way to clear that password.

One of the things I hate most is TVs with no input switching button on them - if you've lost the original remote, you're often screwed. We've got universal remotes now, sure, but the damned physical button should be on the TV.

I prefer to keep humans in the loop, and a requirement for that is often to have a back door security-wise.
If that's a preset password or a jumper on the motherboard, fine. Just make sure people know about it and don't make it so you need proprietary tools to open up your damned case.

But you're right, and so many people forget that if you need something secured, you MUST start at physical security.

Damn you Clippy! (4, Funny)

techpawn (969834) | more than 6 years ago | (#22592876)

Damn you to hell!

You bastards shouldn't have insisted he be fired! (1)

StefanJ (88986) | more than 6 years ago | (#22593040)

If Clippy had been allowed to hang around in Windows he would at least been kept off the streets.

In related news, the alternate Clippy, the advice dog, lost his job as a neuticles model and was sold to a company that tests military grade blood-clotting bandages. He's shot in the abdomen three days a week so trainees can learn how to apply the dressings. And all because you didn't want a friendly little animated help-mate watching after you.

You bastards.

I can build an atomic weapon with a paper clip (5, Insightful)

wsanders (114993) | more than 6 years ago | (#22593324)

>> "As described in some detail in our paper, the basic attack tool is a paper clip. In order to record and analyze transactions a couple hundred pounds' worth of equipment is required, in addition to some digital design experience."

OK, a paper clip. PLUS A BUNCH OF OTHER STUFF.

Well, shoot, I could probably build an atomic weapon with a paper clip. PLUS A BUNCH OF OTHER STUFF.

Re:I can build an atomic weapon with a paper clip (2, Funny)

Jarjarthejedi (996957) | more than 6 years ago | (#22593804)

Macguyver wouldn't need the other stuff...just some gum. And you call yourself a nerd...shameful

Re:I can build an atomic weapon with a paper clip (1)

wsanders (114993) | more than 6 years ago | (#22593830)

I would suppose that two pieces of gum, accelerated sufficiently and fired head-on at head other, would result in a fissile reaction. You might have something there.

Re:I can build an atomic weapon with a paper clip (1)

wsanders (114993) | more than 6 years ago | (#22593858)

http://en.wikipedia.org/wiki/Fissile [wikipedia.org]

Actually I stand corrected - it won't work. But it would make a mess!

Re:I can build an atomic weapon with a paper clip (1)

garett_spencley (193892) | more than 6 years ago | (#22594130)

That's true but it seems like, while it's trivial to break, it would also be trivial to fix.

All they need to do is encrypt the account and PIN numbers on the card and then have them compared with the encrypted numbers on the bank's system and problem solved.

The way they've managed to break it is essentially to "tap" into the card readers and intercept the account and PIN numbers from the card. Then the fraudsters make fake cards with the information. It seems like ridiculously lousy authentication because a) the banks are trusting the cards with nothing more than the plain-text PIN and account number and b) they're being transmitted in plain-text. This is like 1980's network security where you could just sniff packets and get people's telnet passwords. You would think that they'd have learned.

The companies are defending themselves by saying "you would need a high level of expertise to break the system". But all you need is a basic understanding of soldering, an Internet connection (to Google some tutorials) and unsupervised access to a terminal (something that any store employee being paid minimum wage would have on occasion in theory).

Re:You bastards shouldn't have insisted he be fire (0, Offtopic)

CastrTroy (595695) | more than 6 years ago | (#22593480)

Does anybody else find it condescending to have little animated characters pop-up on your screen and try to help you. Some of us actually know how to use a computer, and find it insulting that you'd try to make the system more friendly with stupid animated characters.

Re:Damn you Clippy! (2, Funny)

holyspidoo (1195369) | more than 6 years ago | (#22593182)

"It looks like you're entering your secret PIN. Would you like help?"

I never should have said yes...

Re:Damn you Clippy! (1)

countSudoku() (1047544) | more than 6 years ago | (#22594172)

HA! You can be sure Clippy is up to no good when he's packing something called a Field Programmable Gatorade. Whatever that is, it sounds refreshing *and* programmable.

They're looking in the wrong place (5, Insightful)

blhack (921171) | more than 6 years ago | (#22592940)

The huge security hole in the credit card system is the users. I flipped out at one of our vendors when they STORED my credit card number in their database, and just went ahead an charged it next time I was in the store.
People will gladly give their credit card number over the phone to a shady pizza shop, just to get a 15 dollar pizza delivered to their door.
We could build the most secure credit card system in the world, but the problem is that it has to be simple enough for idiots to use.

Re:They're looking in the wrong place (0)

Anonymous Coward | more than 6 years ago | (#22593122)

Why shouldn't we? If someone steals our card, we can dispute the charges and get a new charge. We lose nothing, it's the merchant who has to foot the bill.

Re:They're looking in the wrong place (4, Informative)

zippthorne (748122) | more than 6 years ago | (#22593138)

Which is not a problem if you use virtual account numbers (what Citibank calls it. I'm sure other banks have the same thing with different names) that are only authorized for one transaction for the amount you specify.

Re:They're looking in the wrong place (4, Funny)

Fnord666 (889225) | more than 6 years ago | (#22593274)

but the problem is that it has to be simple enough for idiots to use.
Even then someone will just build a better idiot.

Re:They're looking in the wrong place (1)

Dare nMc (468959) | more than 6 years ago | (#22593884)

The huge security hole in the credit card system is the users.

A security hole is users. The biggest, doubtfull.

I have had fraudulent CC activity 2*,
first time was because my CC company sent me un-requsted cash advance checks that were stolen from my mailbox (the guilty are now in jail)
second time was after a self serve gas station, guessing a camera pointed at the card reader.

Both of these are easily solved by the bank, it is going to be difficult for the users to keep appraised of all the new fraud attacks. Simple electrical tape will cover, and re-stick if needed to be exposed. But a better card design incorporating similar would be desired. Not sending junk, would solve the first...

Your example is highly unlikely to cause fraud,
1)monitoring phone calls for a number is time consuming per paying result.
2)an occasional CC number doesn't typically pay enough per effort.

so targeting high traffic places is where the fraud will be directed as well.

Paper clip? (4, Funny)

evil agent (918566) | more than 6 years ago | (#22593046)

Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs

Hmm, Macgyver must have tipped them off.

Re:Paper clip? (1)

noidentity (188756) | more than 6 years ago | (#22594442)

Hmm, Macgyver must have tipped them off.

Yeah, but MacGyver would have been able to do it with a paper clip made of paper.

Tapping (1)

esocid (946821) | more than 6 years ago | (#22593102)

From TFP

while a wire routed from the back of a mounted Dione PED to a recorder unit under the counter will not be detected unless the cardholder conducts a very close inspection - and knows what to look for.
At least I now know what to look for. The paper has pictures and examples of the exploits in the designs and lack of security. Either way I'll be carrying more cash from now on.

Re:Tapping -- knowing what to look for. (1)

MickLinux (579158) | more than 6 years ago | (#22594090)

Keep away from banks that have paper clips! Actually, be careful about banks with staples, too!

Oh, and one other thing to look for. Look for the authors of this paper in a maximum security prison, after complaints by the banking industry. We've seen this before with ATMs in france.

This is a UK/Europe card system issue... (5, Informative)

Anonymous Coward | more than 6 years ago | (#22593180)

What people are missing in this is that this pertains to certain card types mainly used in Europe. The type with RFID or embedded chips used for security. On standard US debit cards, there is no information sent to the card or from the card that ties to the PIN. The PIN is only seen by the pinpad component and immediately encrypted using a rotating DKPUT key algorithm before that, the card number and a sequence number are sent to be translated by a hardware security module. The pin pads themselves used by most US retailers are secure and do not pose a risk. If you tamper with most of those devices (example, the Welch Allyns used by best buy, lowe's and others) then the injected keys are erased and PIN translation fails. They normally don't remain out too long if they are tampered with since the stores will consider them broken and unusable when they don't work anymore. This is related to the system in place and used in the UK. The US system, while old, is only being updated currently to support the new double length key requirements and have not incorporated smart card support or RFID (except a few gas station chains). The most important thing in the US is to protect the card database since the data on the mag stripe can be used as a credit card. As for PIN security, don't tell others your pin, notice hidden cameras that look out of place and point at PIN pads and you should be safe. The way PIN numbers are stored at banks within a hardware security module is safe and those devices are very sensative to outside attack. They even employ motion sensors to prevent tampering in HSMs.

Re:This is a UK/Europe card system issue... (0)

Ritchie70 (860516) | more than 6 years ago | (#22594400)

Mod this AC up, this is spot-on.

The Verifone terminals I've dealt with (Everest and Omni 7000 series) will discard their encryption keys for the DUKPT if the are disassembled, or even if they're subjected to too hard of a shock. We've taken out a few just by dropping them.

From a "mental model" viewpoint, in the US, the PIN is encrypted practically in the plastic key-caps. An unencrypted PIN is never transmitted across a wire, even in those little PINPad devices that are PIN-entry only peripherals of a typical terminal.

RFID is supported at more than a few gas stations, though. I've seen them at almost every McDonald's I've been in lately.

Why isn't it a PIN = SecurID + PIN (4, Insightful)

apenzott (821513) | more than 6 years ago | (#22593196)

The PIN needs to be a moving target and much longer than 4 digits. Note that stateside that most automatic car washes are using at least 5 digit numbers to authenticate the sale as sold by the gas pump. (Example: SecurID or one-time pad.)

(offtopic)
My biggest pet peeve is why are account numbers (on checks) in the clear while the same is basically true of PIN numbers (without any added "salt")

For checks I would like to see the account number + check number translated a 16 to 20 digit hash of which only the bank knows how to decipher to the correct account and check number?
(/offtopic)

Re:Why isn't it a PIN = SecurID + PIN (1)

Shadow-isoHunt (1014539) | more than 6 years ago | (#22593328)

Given that a one way hash can't really be reversed, that idea doesn't make much sense in the way that you posted it. A one way hash at first makes sense, except in reality it doesn't, as currently deployed. The numbers on your check have a routing number and account number. Both are numeric values with relatively few permutations when contrasted against case sensitive alphanumeric hashing. The routing numbers of banks are also no secret. Put simply, it'd be a trivial matter to brute force the hash with the simple numeric values we use today.

Re:[Encrypted account and check numbers] (2, Insightful)

apenzott (821513) | more than 6 years ago | (#22593624)

Given that a one way hash can't really be reversed, that idea doesn't make much sense in the way that you posted it. A one way hash at first makes sense, except in reality it doesn't, as currently deployed. The numbers on your check have a routing number and account number. Both are numeric values with relatively few permutations when contrasted against case sensitive alphanumeric hashing. The routing numbers of banks are also no secret. Put simply, it'd be a trivial matter to brute force the hash with the simple numeric values we use today.
OK, I'm using the wrong terminology.

Routing number keeps the same public self (we need to send the check to the correct bank for processing.)

Account number xxxxxxxx Check number yyyyy becomes zzzzzzzzzzzzzzzz.

Issuing bank has key to turn zzzzzzzzzzzzzzzz back into original component numbers and verify that z... was not some made-up number in attempt to create a "bad check" of which there is no real account number attached to. Also xxxxxxxx, once extracted is verified to the name printed on the check. After about five or more bad values of z... in a day, a human is brought into the equation to look for the underlying cause.

If check is good, then issuing bank electronically clears the bank draft with bank (or presents cash to individual) that presented the check. This allows for a pre-verification of check prior to verifying the signature (which most banks no longer do anyways.)

I won't go into recurring drafts (automatic payments) as that makes things a bit more complicated.

Re:[Encrypted account and check numbers] (2, Informative)

Shadow-isoHunt (1014539) | more than 6 years ago | (#22593756)

Check numbers are incrimental and of limited permutation, again making the hash easy to brute force. If the hash changes with each check, it also becomes harder for retailers to identify bad checks based on account number. You're going to end up turning away legitimate customers money, and gain no security. By the time the check hits the bank, the fraud has been done. Also, "once extracted is verified to the name printed on the check"? Depending on your bank, this is already done. I signed a check with my right hand instead of left once(couldn't hold the pen because I messed my hand up), and I got a call a few days later about it. I'm with WaMu.

Re:[Encrypted account and check numbers] (1)

apenzott (821513) | more than 6 years ago | (#22594392)

Check numbers are [incremental] and of limited permutation, again making the hash easy to brute force. If the hash changes with each check, it also becomes harder for retailers to identify bad checks based on account number. You're going to end up turning away legitimate customers money, and gain no security. By the time the check hits the bank, the fraud has been done. Also, "once extracted is verified to the name printed on the check"? Depending on your bank, this is already done. I signed a check with my right hand instead of left once(couldn't hold the pen because I messed my hand up), and I got a call a few days later about it. I'm with WaMu.
The banks encrypt/decrypt function could include some randomness to make that attack harder (five digits of "special salt" that is discarded once verified.)

Conversation between Merchant and his bank:
(note: this entire conversation may be electronic as most "cash registers" have the ability to read the MICR numbers across the bottom of the check.)

Merchant to bank: I have a customer that has presented me a check with the following routing number and account number blob for this amount.

Merchants bank: let me check with issuing bank.

Merchants bank to issuing bank: I have a check with the routing number, account number blob for this amount.

Issuing bank to Merchant bank: [Good to go] [NSF] [call the cops]

Merchant bank to merchant: [endorse check and put into register] [casually advise customer he may want to talk to his bank] [hold check for USSS and FBI for further analysis]

Merchant to customer [have a nice day] [I'll accept your check but your bank would like you to call them] [have a nice day (customer leaves, merchant burns surveillance videos to DVD--including close-up of customers license plate, crime scene rules in play.) | if mob operation, customer has "physical therapy" done to kneecaps with baseball bat.]

Advantages: Account number not compromised by one missing check, Use same MICR numbers with minimal programming.

Disadvantages: Account number not in clear, recurring automatic payments.

Re:Why isn't it a PIN = SecurID + PIN (1)

geekoid (135745) | more than 6 years ago | (#22593696)

"of which only the bank knows"
security through obscurity doesn't work. someones, somewhere will figure it out. Then you will think you are secure, less people will be looking out for potential fraud thus giving more room to the fraudsters.

I have said it many times. Barring a radically new development, something that is a complete paradigm shift(literally not market speak) digital money will fail. You can NOT secure it for any real length of time.

My 'guts' tells me it can be done. I would love to put together a team from the companies for the sole purpuse of making these crimes harder, and develop specs for manufacturing that must be adhered to in order for it to be sold. Specs to adhere to to transfer the information. Remember, digitial money is only information, know different then this post.

Re:Why isn't it a PIN = SecurID + PIN (1)

KDR_11k (778916) | more than 6 years ago | (#22594074)

The bank's secret could just be an RSA key or something similar.

Re:Why isn't it a PIN = SecurID + PIN (1)

TheRealMindChild (743925) | more than 6 years ago | (#22593810)

Or better yet, encrypt the routing number/account number with a public key from the organization. Then only they can decrypt it with their private key. Or you could take it one step further and have the routing number BE the public key which encrypts your account number. Then only the issuing bank (and not the whole organization) can decrypt the information.

Re:Why isn't it a PIN = SecurID + PIN (1)

Mia'cova (691309) | more than 6 years ago | (#22594222)

Something you have + something you know = secure enough for me to use in the wild. I want networked ATM,etc machines that accept smart cards. The card has a certificate or somesuch that can not be copied. The bank fires a challenge 'question' to the card. The card uses it's secret information to answer it. Then the transaction proceeds. As soon as you walk away with the card, the pin used to authorize things is useless. Something you have + something you know. I like the one time authorization scheme people mention as well. I'd use with one-time purchases with small retailers.

Re:Why isn't it a PIN = SecurID + PIN (1)

jfim (1167051) | more than 6 years ago | (#22594328)

PINs longer than four digits are available outside of the US(at least in Canada). Canadian banks warn travellers to the US to change longer PINs to have four digits, as longer PINs are not well supported by the US ATM network. I assume this is an issue of interoperability, as the US bank system must be quite complex with the large number of financial institutions.

Tough Interview (5, Insightful)

Crazy Man on Fire (153457) | more than 6 years ago | (#22593214)

Wow. The interview at the end of that piece has me floored. Imagine if industry people and politicians in the US were subjected to this sort of probing interview and actually responded. The interviewer had the representative from the credit card companies on the ropes the entire interview. Props to the BBC for doing some serious journalism.

Re:Tough Interview (1)

abigsmurf (919188) | more than 6 years ago | (#22593260)

Jeremy Paxman is famed for being incredibly tough on his witnesses (and contestants on University Challenge)

Re:Tough Interview (4, Funny)

ettlz (639203) | more than 6 years ago | (#22593402)

Jeremy Paxman is famed for being incredibly tough on his witnesses (and contestants on University Challenge)
Yes, but did you threaten to overrule him?

Re:Tough Interview (3, Informative)

hairykrishna (740240) | more than 6 years ago | (#22594376)

For all you non-brits, this is a reference to a famous interview where Paxman famously asked Michael Howard exactly the same question 12 times in an attempt to get a straight answer: http://video.google.co.uk/videoplay?docid=5983432841587892898&q=paxman+howard&total=10&start=0&num=10&so=0&type=search&plindex=0 [google.co.uk] (3 minutes or so into the video).

It is one of the finest pieces of political TV ever.

Re:Tough Interview (3, Interesting)

mapsjanhere (1130359) | more than 6 years ago | (#22593442)

The big advantage of a publicly funded TV program - the producers are less likely to cave in to advertiser's interests.

Re:Tough Interview (1, Insightful)

giorgiofr (887762) | more than 6 years ago | (#22593778)

Yup! Instead, they are managed by the gov't. Isn't that great!

Re:Tough Interview (5, Interesting)

d3vi1 (710592) | more than 6 years ago | (#22593612)

KUDOS to the BBC for being a leader in all fronts of the Mass-Media. This video proves that they can do serious journalism, something that most media companies have forgotten how to do.
Short, correct and difficult to answer questions. Ask the right questions, that's all it takes.

Bravo BBC

Re:Tough Interview (0)

Anonymous Coward | more than 6 years ago | (#22593748)

The presenter, Jeremy Paxman, is known for this sort of interview. In fact, he has the nickname "Paxman the Axeman".

Re:Tough Interview (2, Interesting)

trainman (6872) | more than 6 years ago | (#22593786)

Indeed, I wish the media in this continent (we have the same problem with flaccid media in Canada too) would ask the tough questions like that. Alas most of the time the reporter doesn't even know what the story is about, and simply doesn't have the subject knowledge to ask such pointed questions. Then of course they would have to care enough to hold the subject accountable.

Far too often I hear interviews were the subject gives some double-talk half twisted lie which makes no sense, and the interviewer simply accepts this line as fact. No follow up question, no challenging. It's turned me off watching TV news completely, because politicians continue to get away with the same lies unchallenged.

I wish I knew how to fix this problem. I'm sure corporate control is part of the problem somehow. :)

Re:Tough Interview (3, Informative)

BovineSpirit (247170) | more than 6 years ago | (#22593980)

Jeremy Paxman is famous for being a tough questioner. His most notorious interview [youtube.com] was with a slimy politician who later led the Tories to defeat against Tony Blair's Labour. I'm not sure what Paxman's personal politics are, but he certainly doesn't appreciate being messed around. Michael Howard can be sure that if one of his political opponents had weaseled around like that he would have had equally short shrift.

Re:Tough Interview (1)

Larry Lightbulb (781175) | more than 6 years ago | (#22594368)

BBCAmerica is going to start broadcasting "Newsnight" from the 29th, though I don't know whether it's going to be the whole programme (for example, the reviews to the front pages of tomorrows newspapers won't always make sense). Paxo is heavily featured in the trails, along with the moments we remember him for.

Re:Tough Interview (1)

AtariDatacenter (31657) | more than 6 years ago | (#22594382)

You beat me to the punch. If our media wasn't so asleep and staying in the good graces of various groups for potential favors, rather than putting them in a position to defend themselves, maybe we'd get a little more truth in our news.

In the US, this would be an incredible level of journalism.

Jail Time? (2, Insightful)

Frosty Piss (770223) | more than 6 years ago | (#22593244)

British television featured a demonstration of the attack on BBC Newsnight."
I'll bet that would land you in jail over here (USA) ...

MacGyver (2, Funny)

j4s0n (1121943) | more than 6 years ago | (#22593254)

How far you've fallen...

What not to do (1)

192939495969798999 (58312) | more than 6 years ago | (#22593320)

Every time I see these stories, it reminds me of how they'd say not to do drugs in school, then show us exactly how not to do them...

And here's a link of exactly what you should NEVER do because it is illegal!

(posts to internet site frequented by absolutely everyone)

Clippy? Is that you? (3, Funny)

bryny (183816) | more than 6 years ago | (#22593344)

It looks like you are trying to crack an account. Would you like help?

Carry Cash! (1)

LoudMusic (199347) | more than 6 years ago | (#22593356)

Quick, everyone start carrying wads of cash instead of using credit cards!

It doesn't really matter what technology you use for monetary transactions, there are bad people who will work harder to steal it than to earn their own money. Just minimalise your risk and stop worrying about it.

Mainstream media is the worst terrorist.

Re:Carry Cash! (1)

LunaticTippy (872397) | more than 6 years ago | (#22593530)

Oh great. If everyone carries cash for everything guess what next week's headline will be.

MUGGINGS UP 300%!!

Re:Carry Cash! (1)

Grishnakh (216268) | more than 6 years ago | (#22594034)

That's what guns are for.

"Hey, gimme your wallet or I'll cut you!"

BAM!

Re:Carry Cash! (1)

ameyer17 (935373) | more than 6 years ago | (#22593566)

How is cash safer? If I use a brute-force attack and take your credit card, in theory you don't lose anything. If I use a brute-force attack and take your big wad of bills, you'll never see them again.

Re:Carry Cash! (1)

geekoid (135745) | more than 6 years ago | (#22593762)

They can only take what you have on you.
No one has you arrested because they want to make you the criminal.
It is very hard to hold someone up from overseas
To rob you people have to be exposed to the surroundings.

I want how much money was physically taken from people in that same time period?

Re:Carry Cash! (1)

hitmark (640295) | more than 6 years ago | (#22593712)

and then we are back to hitting people from behind and grabbing their wallets...

Another hole in the sieve? (2, Insightful)

syousef (465911) | more than 6 years ago | (#22593380)

Credit cards are so incredibly insecure that the only reason people use them is that the banks so far have been willing to cover the costs of fraud (in most cases and as long as the card holder hasn't contributed to it through negligence).

This is just one more flaw.

Re:Another hole in the sieve? (4, Informative)

|Cozmo| (20603) | more than 6 years ago | (#22593724)

That's because the banks don't eat the cost of fraud, the merchants do. If I have an online store and someon uses a stolen card to buy something from me, I'm the one that gets screwed. The credit card companies reverse the charge, AND charge the merchant a fee for it happening. Then the merchant is out the money, a fee, AND the product they shipped to a thief. The lamest part is the credit card companies don't even provide you the tools to prove that a transaction is legitimate.

Re:Another hole in the sieve? (1)

tecmec (870283) | more than 6 years ago | (#22594458)

I believe that's why the merchant is supposed to at least make a half-assed attempt at checking the signature...but how often does that really happen?

Re:Another hole in the sieve? (1)

Sosarian (39969) | more than 6 years ago | (#22594174)

I don't know about where you live, but the credit card companies/banks are required by law to cover the costs minus fifty dollars where I live, which they usually waive.

They could refuse to offer credit under those conditions though, it's obviously still making them money at this point.

Where's the crypto? (5, Interesting)

Junta (36770) | more than 6 years ago | (#22593528)

I've been wanting something much more sophisticated than a 'shared secret' that you have to give to anyone to give money. If I let random restaurant a charge me 2 bucks for a drink, I have to give them potentially full access to my accounts.

Where's my private/public cryptography? I want to carry around my own damned device with keypad and display. The display would show me *exactly* what my financial institution will think I'm authorizing, and the keypad would be used to enter the passphrase to decrypt my private key, which is never ever ever transferred outside of the devices local filesystem. It's generated by the device and the public portion uploaded in a secure manner to my financial institution. The secure manner is a complicated issue, but there are degrees of inconvenience that can be induced to do it right, and allow me to opt to allow nothing more convenient than that.

I go to a damn store or online retailer.. When ready to purchase, it somehow gets the data to my device (maybe encrypt with my public key, maybe direct connect to my device, maybe through the financial institution, whatever, the security risk in this transaction being the nature of what I'm buying, not in any way risking the actual money being transfered). I enter my passphrase (which could be as simplistic as a 4-digit pin, but at my discretion, not theirs) to signify accepting the terms my display gives me (i.e. authorized wal-mart to take 5 dollars from my account this one time, or authorize phone company to withdraw no more than 25 dollars on a monthly basis, the transaction may have tolerances and periodic, but always show me the tolerances and period and *who* I'm really authorizing to get the mony). With my private key decrypted, use it to sign the payload, then my financial institution *must* receive that cryptographically signed authorization to transfer payment. The retailer *never* has anything more than data to confirm that one transaction (or reuse for repeat data if I declare that trust, within definable thresholds). To commit 'identity theft' (horrible phrase), they would either need to compromise the financial institutions database with *write* access to replace my public key with their own (by the way, invalidating my real key so I should notice it) or steal my device physically, which I should know. The device should overwrite memory contents where the key was with random bytes every time it completes an authorization, and therefore physical theft or tampering should lead to a dead end without my passphrase.

Re:Where's the crypto? (0)

Anonymous Coward | more than 6 years ago | (#22593648)

There's no incentive to the banks or VISA/MC to do this, and they drive that bus in the US. $how me the money.

Re:Where's the crypto? (1)

geekoid (135745) | more than 6 years ago | (#22593814)

You forgot the step where your computer has a key logger installed and someone overseas now has all your data.

That's not even getting into your other major flaw, and your incorrect assumption.

Re:Where's the crypto? (1)

WK2 (1072560) | more than 6 years ago | (#22594242)

As it is now, any number of things can allow someone to impersonate me, most of them involving a thief getting my personal information from somebody else. There is little I can do about it.

With a secure authentication system, the only way someone could impersonate me is if I make a mistake. Much better. The old fashioned "username and password are the same" needs to go.

Re:Where's the crypto? (1)

lixee (863589) | more than 6 years ago | (#22593868)

Reading Slashdot is indeed the ??? *Rushes to patent office*

Re:Where's the crypto? (0)

Anonymous Coward | more than 6 years ago | (#22594082)

That is the single most convenient method for purchasing goods and services that I've ever heard of. And think of the space I'll save in my wallet!

Doesn't apply to US card systems (2, Insightful)

33tango (994241) | more than 6 years ago | (#22593602)

US Cards do not have the pin stored on the card. That's like keeping your password in your top desk drawer. This attack will not affect US Cardholders. Could you accomplish the same thing? Yes, but much more difficultly. And that's what security really is about, making a target so difficult thieves go elsewhere.

Re:Doesn't apply to US card systems (1)

KDR_11k (778916) | more than 6 years ago | (#22594280)

The video wouldn't play properly for me (stutters, after a few minutes stops playing entirely) but are you sure the PIN they take is read from the card and not the keypad?

Re:Doesn't apply to US card systems (1)

goofyspouse (817551) | more than 6 years ago | (#22594440)

And that's what security really is about, making a target so difficult thieves go elsewhere.
Elsewhere, in this case, means Europe I guess.

Worth pointing out (1)

abigsmurf (919188) | more than 6 years ago | (#22593808)

As the woman in the interview said, this isn't a probable method of widespread attack. It requires lengthy access to a chip and pin terminal to drill a hole in it and run a wire through. This wire would have to lead to a box or wireless transmitter. Takes a while to do, isn't easy to remove quickly and requires permanent evidence.

On the otherhand, you can attach a skimmer to a reader to copy the magnetic strip and set up a camera to capture the pin in 5 minutes and remove it in 20 seconds. Far easier method of attack.

Both of these methods are actually only possible because of insecure ATMs which don't read chips. At the moment there are so many countries that use outdated ATMs that it's not worth banks banning card use in countries where this type of fraud is possible.

What we really need is a secure ID RFID Token (1)

jameskojiro (705701) | more than 6 years ago | (#22593934)

That is pretty much automatic, like a rotating RFID token That has your pin encoded on it, this is really the only type of RFID I would accept. My current RSA credit card toekn has a LCD screen with numbers on it and it lasted me years, a credit card with a simular feature with no screen the batteries would last for years and years and with no physical contact replacements would be needed far and few.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>