More European Chip and Pin Insecurity

Optimised to Fail: Card Readers for Online Banking,” by Saar Drimer, Steven J. Murdoch, and Ross Anderson.

Abstract

The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer’s debit card to generate one-time codes for both login and transaction authentication. The CAP protocol is not public, and was rolled out without any public scrutiny. We reverse engineered the UK variant of card readers and smart cards and here provide the first public description of the protocol. We found numerous weaknesses that are due to design errors such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses. The overall strategic error was excessive optimisation. There are also policy implications. The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm.

EDITED TO ADD (3/12): More info.

Tags: , , , , , , , , , , , ,

Posted on March 5, 2009 at 12:45 PM34 Comments

Comments

Kevin March 5, 2009 1:18 PM

I don’t understand why online banking fraud is so prevalent. Can’t the banks just introduce an extra check/balance and notification (with delay) whenever a customers web credentials are used to set up a payment to an unusual destination account?

Most people, at least in the states, only use “online banking” to pay the same few bills to the same few creditors each month. If an account suddenly is used to set up a transfer to an individual or to the Ukraine, shouldn’t this be flagged?

“The move from signature to PIN for authorising point-of-sale transactions shifted liability from banks to customers; CAP introduces the same problem for online banking. It may also expose customers to physical harm”

Great. Talk about your externalities!

AppSec March 5, 2009 1:46 PM

@Kevin:
Because profile management is only worthwhile in determining how to sell goods and services, not protect the customer.

Anonymous March 5, 2009 2:38 PM

@Kevin: At least in Germany, online banking including money transfers are very common. I would pay ebay stuff via bank transfer, online store sales, give a money as a gift to my sister etc. Noone uses checks, and sending money via mail is obviously insecure. Therefore, basically all money transfers are made via online/offline banking, including with private persons. It’s easy and free with most banks. Setting up a detection mechanism might be hard, monthly reports are usually sent though.

Chris S March 5, 2009 3:17 PM

Plus ça change, plus c’est la même chose.

“We should forget about small efficiencies, say about 97% of the time: premature optimization is the root of all evil.”

— Donald Knuth

Shane March 5, 2009 3:58 PM

@AppSec

“@Kevin: Because profile management is only worthwhile in determining how to sell goods and services, not protect the customer.”

Actually, profile management also seems to be really amazing at ensuring that [major guitar/music retailer] and [major electronics retailer] decline any of my attempts to purchase anything over $100.

Apparently my ‘profile’ states that any charge that isn’t sandwich or coffee related should raise a red flag of ruin.

Paul S. March 5, 2009 4:08 PM

Banks in the U.S. Have no desire to change the user experience one bit even if it is for security. If anything it looks like they are becoming less secure.
What ever happened to the FFEIC complaince?

kme March 5, 2009 4:39 PM

@Kevin

With my bank, the first transfer to a new third party account triggers an SMS to my phone, containing the new account number and a 6 digit number that has to be entered to authorise the transfer.

moo March 5, 2009 4:55 PM

Verified By Visa (and the Mastercard equivalent) do the same thing: they shift the liability from the bank onto the consumer. You are obligated to keep your password secret; if the password was provided they assume it was you. Their web interfaces are hopelessly insecure too (and its pretty hard for users to ensure they are entering their details into a legitimate page and not a phishing site). This is the main reason I have stopped making credit card purchases with my Visa over the Internet; VBV makes it too much hassle and too risky.

The Cynic March 5, 2009 5:02 PM

Leaving the motives of banks and liability issues to one side. This is a pretty piss poor paper to be honest. ‘Someone could be tortured for their PIN number which could be verified there and then by a portable card reader.’ shock horror how irresponsible of the banks… because we all know that no-one has ever been tortured for information before in the history of mankind.

Shame on Saar Drimer, Steven J. Murdoch, and Ross Anderson. Such a paper isn’t even at GCSE standard!

Tim March 5, 2009 5:47 PM

@tme

Yeah, I assume it’s HSBC? Using phones is a much better solution than custom card readers. One less device to carry around, and it’s extremely unlikely that the crooks will have control of your phone and bank account.

RH March 5, 2009 7:12 PM

What I don’t get is that this problem is TRIVIALLY solvable, especially if people are willing to have a bulky reader like what they did.

  • Use a communication channel between buyer and seller to transmit larger certificates
  • X.509 certificates and normal Zero information proofs can be used for offline authorization.
  • Display an ‘invoice,’ starting with Amount, then who it goes to, then any custom fields the seller wishes to add (optionally let the buyer add some too).
  • Use a keypad which randomizes itself (already done today)

  • Sign the hell out of everything.

I designed a system to do all they want, but I assumed that people would not accept carrying around a calculator shaped thing to authenticate. My design ran into a stumbling block when I needed to put keypads on the smart card.

Miguel Almeida March 5, 2009 8:26 PM

@Tim

It’s not so unlikely; it has happened before. At least where I live it has. Phishers would ask for your password and mobile number. Then they would try to get a new SIM from a careless mobile company shop. Some have succeeded…

Paeniteo March 6, 2009 2:39 AM

@Miguel Almeida: “It’s not so unlikely; it has happened before.”

Any sources for that?

I consider it very unlikely. While it may be possible that a phisher gets a copy of my SIM, I would notice this pretty quickly.
Also, commonly, replacement SIM cards are nothing to immediately take along from a shop. Generally, they would be sent to the address registered with the phone contract. At least, it would take a while to manufacture (a time during which the old SIM would be inactive already -> chance to notice).

Last but not least, the very same phisher that has my SIM would have to know my bank account data and PIN as well.

All this may be possible when talking about a specifically targetted attack, but I doubt it will become common for everday phishing.

Jeroen March 6, 2009 2:48 AM

Part of the problem is that banks are not primarily interested in the security of their customers, but in maintaining the TRUST their customers have in them. As long as customers trust their bank, there is little incentive for them to spend many millions on a high-security system to prevent a few million in fraud.

Tim March 6, 2009 6:19 AM

Just to clarify, is it correct that the use of these devices moves the liability from the bank to the customer, both for Barclays and the other bank ? That’s not a feature they seem to shout about, oddly, but presumably is a large part of the business case for introducing them.

Miguel Almeida March 6, 2009 6:34 AM

@Paeniteo

Regarding the source, I cannot disclose. Sorry about that. You can either choose to trust the word or you don’t – it wasn’t in the news… I understand you choose either way. Really. But I can say that phishers have been very creative in my country.

You are right when you say that you would notice when someone gets another copy of your SIM. But the truth is, you wouldn’t know what happened. And the crooks would have a window of time that was big enough to do the trick.

As regards the process, here in Portugal, it’s not exactly as you described. We have post-paid cards (for which there is a contract and the replacement is not so easy) but we also have pre-paid anonymous cards. For these, you could get a replacement SIM in a shop quite easily. The control was just proving that you knew a 2 digit number, and, even if you didn’t, you might social engineer the thing… (it’s not so easy anymore because of the incidents – the controls were slightly improved: you have to show some ID and this is registered).

And yes, he/she would have to know your bank account data. It worked like this: the victim would get phished and would provide the usual credentials AND the mobile phone number. With this info, the phisher would have all he needed to (a) get a new SIM and (b) enter the account.

It’s not an everyday phishing technique, you’re right. But again, my point was: it has happened before.

Cheers! — Miguel

bob March 6, 2009 7:03 AM

Finally. Someone stopped calling Eve the “MAN in the middle”…

Instead of giving you a device you have to use to log in to your bank, why not just give you a CD that boots a known good OS (linux comes into mind) which then boots a clean noninfected UI which has pretty much only a browser, the only certificate installed in the browser is the bank’s and it defaults to their website (by IP, not DNS). Cost to develop:$30,000 (coding, marketing, training, cost of a CD duplicator etc); cost to deploy $0.27 per customer (time, electricity, blank CDs, ink, sleeves).

As far as getting mugged, thats provided by the ambient political system so I dont see any way a bank could fix it; but I am glad I would be over there as a tourist rather than a resident and therefore not be expected to have one of these readers on me.

Cassandra March 6, 2009 7:45 AM

Is it possible to remember all the PINs and passwords we are required to use without recording them in some way?

I know people who quite legitimately and sensibly have half-a-dozen bank accounts and a score or so of credit cards because they live and work in multiple countries. Add in the PINs for multiple mobile SIMs, and access codes for getting into secured buildings and it becomes non-trivial to remember the PINs.

While writing PINs down in plain text is risky, surely recording them in obfuscated form is reasonable. The Banking Code linked to from the article baldy states not to write down or record PINs. I think this is impractical.

Peter Galbavy March 6, 2009 8:16 AM

Problem with Chip-and-Pin is that the customer has NO WAY AT ALL to authenticate the terminal. There is no challenge possible to show the customer that the terminal is genuine and the channel to the clearing system is encrypted and safe.

The trasferral of liability is all the banks are interested in, not any form of real security.

Troy March 6, 2009 9:19 AM

I recently moved to the UK and I was absolutely amazed to discover that I was liable for any transactions made using a Chip + PIN credit card, where the valid PIN was entered.

The signature doesn’t exist any more… so suddenly a 4 digit number is the only barrier I have to someone getting away with my money? I guess that’s always been the case with ATMs, but you assume that they provide cameras and CCTV on a reasonably small number of machines to post-identify fraudsters… it is obviously ludicrous to monitor the huge number of retailers with their portable card readers.

I don’t mind if smart cards with a PIN number are added to the system to improve security, but I’m really unhappy with the idea of accepting liability unless I had to enter my PIN and sign a receipt. Unfortunately I’ve been told that damaging the smart card or its connections so PIN entry isn’t possible can lead to retailers rejecting your card, so I’m kind of stuck with no alternatives for as long as I stay in the UK.

In contrast, I still hold an account with a linked credit (debit) card in Australia. Signature only, but whenever there have been overseas transactions they try to authenticate them with me, and have suspended the card on a few instances when they couldn’t get in contact with me. Their proactive checking saved me from footing the bill for someone’s Eurorail ticket in Italy – I was in Asia at the time! For a comparatively small mutual/credit society in a small country, they have provided significantly better service than any of the big providers in any other country I’ve been.

Bryan Feir March 6, 2009 10:01 AM

@Peter Galbavy:

All the more annoying because this was a solved problem that people were discussing back when I was doing Network Security back in University, over fifteen years ago. I’ve got a Scientific American article from back then which discusses use of a smart card security system that did just that. I’ve seen prototypes of Visa cards which actually had a keypad and display on them like one of the small solar calculators.

It is certainly possible to design a smart card solution which can either detect modified terminals, or which (more to the point) does its own encryption and challenge-response with the server so that the terminal never gets to see the plaintext card number, only the PIN. Some of them the terminal never even sees the PIN, as that gets entered on the card.

Why don’t we have them?
– They’re too expensive to make reliable.
– As has been pointed out numerous times, Visa doesn’t care about stopping fraud entirely as long as they can make sure somebody else is on the hook for it.

Troy March 6, 2009 10:58 AM

I posted before reading the article before, and realise that the CAP mentioned in the research is slightly different; I don’t have a reader for authenticating online transactions, I was referring to POS card readers where a PIN is an acceptable substitute for a signature.

I always liked the fact that old fashioned credit cards actually contained all of the information required to perform an attack – a card and the signature – and yet it was still (slightly) robust against attack, since handwriting would come into play when forging the signature.

Then again, the average counter salesperson probably isn’t trained in what to look for when comparing signatures for forgery, and nobody’s handwriting is at their best when signing on a small glossy receipt.

ed March 6, 2009 12:32 PM

Think of it this way: the technology allowed the banks to shift liability (cost) to the victim, instead of keeping it themselves. Fraud is now customer-presumed-guilty instead of customer-presumed-innocent. From the bank’s viewpoint as a commercial concern, what’s not to like?

Matt from CT March 6, 2009 1:45 PM

since handwriting would come into play
when forging the signature.

But then most stores have you sign an electronic pad — an unnatural method which leaves everyone’s signatures looking nothing like the penned signature on the back of the card.

HJohn March 6, 2009 2:38 PM

@Matt from CT: “But then most stores have you sign an electronic pad — an unnatural method which leaves everyone’s signatures looking nothing like the penned signature on the back of the card.”

I agree. Not to mention, even with hand written signatures: 1) who says the cashier is a forensics expert, and 2) who says the fraudster didn’t sign the victim’s name on the card.

I write “ASK FOR PHOTO ID” on my back of my card. 1 out of every 100 or so actually asks me for it. On top of that, I log online and check my transactions every single day to make sure the are all mine.

I recall the days when they would make sure to authenticate you when you wrote a check because they would have to eat it if they check was bad. Maybe we should have the same incentive with credit cards.

greg March 9, 2009 3:13 AM

As i have said before. Liability with My master card in normal “mode” is with the bank. But if I opt into there awesome ultra secure mode, I am liable. Guess what I didn’t opt into.

Put your money where your mouth is.

This goes for companies that provide https certs. How much should you trust a cert? Only as much as they are prepared to cover your costs in the case of a “bad” cert. But none do, so YMMV.

Alice March 9, 2009 5:08 AM

@bob,

“Instead of giving you a device you have to use to log in to your bank, why not just give you a CD”

Your scheme is theoretically wonderful. But unusable in practise. User’s cannot be expected to reboot their systems in order to login to their bank. Moreover, banking isn’t viable in such an environment — companies need to be able to open various applications whilst banking. Maybe if you adapt your solution to rely on trusted computing then it can get somewhere.

Clive Robinson March 9, 2009 6:39 AM

@ greg,

“”

That’s exactly the reason SET failed. Unfortunatly in the UK the banks have foisted “Chip-n-Spin” on us by default.

Even to the point of issuing combined Credit and Debit cards that when used default to Debit (which is covered by the Banks imposed rules not those of the consumer credit legislation).

Basicaly I treat anything the banks offer these days with extream suscpision and I would advise people to absolutly avoid Credit Cards issued by your own bank…

Compartmentalisation is the very essense of security 😉

Clive Robinson March 9, 2009 6:46 AM

Opps, I forgot to copy

“Liability with My master card in normal “mode” is with the bank. But if I opt into there awesome ultra secure mode, I am liable. Guess what I didn’t opt into.”

Into my above post…

That’s the trouble with using a tiny screen mobile to post, it scrolls of the screen 8(

SumDumGuy March 11, 2009 4:17 PM

@HJohn

Re “ASK FOR PHOTO ID”

The signature on your credit card is not an authentication mechanism. It is a legal contractual agreement between you and the bank. That is why the cashiers are instructed to make you sign a blank card before allowing you to use it – which would be stupid if it was meant for authentication, but perfectly reasonable to agree to a contract. The signature is legal proof that you are agreeing to take out a loan (and pay it back) by using the card.

You are lucky that you have not been refused service yet. Standard procedure in both the visa and mastercard merchant guidelines is to refuse service to anyone with a card that does not have the cardholder’s signature. Under extenuating circumstances they may even confiscate it.

Also, FWIW, the merchant guidelines prohibited requiring any form of ID in order to use the card UNLESS the merchant has significant reason to believe that fraud may be involved. Some companies try to implement blanket policies that require cashiers to verify ID with every transaction – such policies specifically fail to meet that requirement for suspicion of fraud.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.