Schneier on Security
A blog covering security and security technology.
May 8, 2006
Shell Suspends Chip & Pin in the UK
According to the BBC:
Petrol giant Shell has suspended chip-and-pin payments in 600 UK petrol stations after more than £1m was siphoned out of customers' accounts.
This is just sad:
"These Pin pads are supposed to be tamper resistant, they are supposed to shut down, so that has obviously failed," said Apacs spokeswoman Sandra Quinn.
She said Apacs was confident the problem was specific to Shell and not a systemic issue.
A Shell spokeswoman said: "Shell's chip-and-pin solution is fully accredited and complies with all relevant industry standards.
That spokesperson simply can't conceive of the fact that those "relevant industry standards" were written by those trying to sell the technology, and might possibly not be enough to ensure security.
And this is just after APACS (that's the Association of Payment Clearing Services, by the way) reported that chip-and-pin technology reduced fraud by 13%.
Good commentary here. See also this article. Here's a chip-and-pin FAQ from February.
EDITED TO ADD (5/8): Arrests have been made. And details emerge:
The scam works by criminals implanting devices into chip and pin machines which can copy a bank card's magnetic strip and record a person's pin number.
The device cannot copy the chip, which means any fake card can only be used in machines where chip and pin is not implemented - often abroad.
This is a common attack, one that I talk about in Beyond Fear: falling back to a less secure system. The attackers made use of the fact that there is a less secure system that is running parallel to the chip-and-pin system. Clever.
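The fallback the post describes, as an added model written for this page (it is not code from the post, the BBC piece, or any payment-industry system): a card carries an uncloneable chip and a copyable magstripe; a chip-and-PIN terminal with an implanted skimmer completes the transaction normally while logging the stripe's track 2 data and the keyed PIN; the resulting stripe-only clone is rejected by a chip terminal but accepted by a magstripe-only one, unless the issuer refuses magstripe fallback for that card. Assumptions: the chip checks the PIN offline against a one-way digest and proves itself by answering a random issuer challenge with a per-card HMAC key (real EMV cryptograms and PIN blocks are more involved); the PAN, PIN and track 2 contents are constructed test values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _pin_digest(pan: str, pin: str) -> bytes:
    # One-way value the chip (offline) or the issuer (online) compares against;
    # the clear PIN is never stored anywhere in this model.
    return hashlib.sha256(f"{pan}:{pin}".encode()).digest()


@dataclass
class Card:
    pan: str
    track2: str                    # the magstripe contents a skimmer copies
    chip_secret: Optional[bytes]   # per-card key inside the chip; None on a clone
    pin_digest: Optional[bytes]    # held by the chip for offline PIN checks; None on a clone

    def chip_verify_pin(self, pin: str) -> bool:
        if self.pin_digest is None:
            return False
        return hmac.compare_digest(self.pin_digest, _pin_digest(self.pan, pin))

    def chip_sign(self, challenge: bytes) -> Optional[bytes]:
        # The chip proves possession of its key; a stripe-only clone has no key to sign with.
        if self.chip_secret is None:
            return None
        return hmac.new(self.chip_secret, challenge, "sha256").digest()


class Issuer:
    def __init__(self, allow_magstripe_fallback: bool = True):
        self.allow_magstripe_fallback = allow_magstripe_fallback
        self._keys: Dict[str, bytes] = {}
        self._pins: Dict[str, bytes] = {}

    def issue(self, pan: str, pin: str) -> Card:
        key = os.urandom(16)
        self._keys[pan] = key
        self._pins[pan] = _pin_digest(pan, pin)
        # Track 2 layout ;PAN=YYMM<service code>? is real; the values are constructed.
        return Card(pan, f";{pan}=2712201?", key, self._pins[pan])

    def check_chip(self, pan: str, challenge: bytes, response: Optional[bytes]) -> bool:
        key = self._keys.get(pan)
        if key is None or response is None:
            return False
        return hmac.compare_digest(hmac.new(key, challenge, "sha256").digest(), response)

    def check_pin_online(self, pan: str, pin: str) -> bool:
        digest = self._pins.get(pan)
        return digest is not None and hmac.compare_digest(digest, _pin_digest(pan, pin))


def chip_and_pin_terminal(issuer: Issuer, card: Card, pin: str) -> str:
    if not card.chip_verify_pin(pin):
        return "DECLINED: chip rejected PIN"
    challenge = os.urandom(16)
    if not issuer.check_chip(card.pan, challenge, card.chip_sign(challenge)):
        return "DECLINED: chip authentication failed"
    return "APPROVED"


def magstripe_terminal(issuer: Issuer, card: Card, pin: str) -> str:
    # Legacy path: nothing on the stripe proves the card is genuine, so the only
    # check is the PIN, sent online to the issuer.
    if not issuer.allow_magstripe_fallback:
        return "DECLINED: magstripe fallback disabled for this card"
    if not issuer.check_pin_online(card.pan, pin):
        return "DECLINED: bad PIN"
    return "APPROVED"


class TamperedTerminal:
    """Chip-and-PIN terminal with an implanted skimmer: the sale completes normally,
    but track 2 and the keyed PIN are logged on the way through."""

    def __init__(self, issuer: Issuer):
        self.issuer = issuer
        self.skimmed: List[Tuple[str, str]] = []

    def pay(self, card: Card, pin: str) -> str:
        self.skimmed.append((card.track2, pin))
        return chip_and_pin_terminal(self.issuer, card, pin)


def clone_from_skim(track2: str) -> Card:
    pan = track2[1:track2.index("=")]
    return Card(pan, track2, chip_secret=None, pin_digest=None)


def run_scenario(allow_magstripe_fallback: bool) -> Dict[str, str]:
    issuer = Issuer(allow_magstripe_fallback)
    victim = issuer.issue("4000000000000002", "1234")   # constructed test PAN and PIN
    tampered = TamperedTerminal(issuer)
    result = {"victim_at_tampered_terminal": tampered.pay(victim, "1234")}
    track2, pin = tampered.skimmed[0]
    clone = clone_from_skim(track2)
    result["clone_at_chip_terminal"] = chip_and_pin_terminal(issuer, clone, pin)
    result["clone_at_magstripe_terminal"] = magstripe_terminal(issuer, clone, pin)
    return result


if __name__ == "__main__":
    for allow in (True, False):
        print(f"fallback allowed={allow}:", run_scenario(allow))
```

The victim's own transaction is approved at the tampered terminal, which is exactly why the skimmer goes unnoticed. Nothing the chip does protects the stripe; the only control that stops the clone in this model is the issuer declining magstripe transactions for a card that is known to carry a chip.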
Posted on May 8, 2006 at 12:41 PM
• 43 Comments
Interestingly it's not a chip and pin specific vulnerability; any system which just uses a magnetic card and a pin is vulnerable. It's funny that they didn't turn off the use of mag-strip and PIN and that they made the mag strip go on the same card as the chip. Why not just force signatures?
Note also that Apacs lied or are totally incompetent. If they could be "confident" (not "fairly sure" or "expect that") that this was Shell-specific when it wasn't, then they clearly have no understanding of the system they are running.
One very good reason *not* to have two methods of authorization running simultaneously. This attack made use of a vulnerability in one system (at the supposedly secure terminal) to leverage an attack on the older system (which doesn't require the chip).
So, instead of increasing overall security (by implementing a more difficult to forge authorization process), they decrease overall security (by opening a new way to gather pins and account numbers).
Ain't backwards-compatibility a pain?
This doesn't sound right, allow me to edit:
> One very good reason *not* to have two methods of
> authorization running simultaneously.
Change this to "two non-atomic methods of authorization running simultaneously"
The failure here is that both systems use the same pin. If the chip & pin system used a different pin, you would not be vulnerable to this attack (because the "chip & pin" pin is only usable with the chip).
Still, in general, two authorization systems = bad (even if they're atomic), since you have two set of processes with potential weaknesses.
Hypothetically, could one scrape the magstripe from the card to ensure that only the chip could be read? Or perhaps be able to request a card with just a chip and no magstripe?
I've been refusing to use C&P - which can be quite hard work overcoming the objections of shop staff who keep telling me it's more secure.
Mind you last time I got Shell petrol (with cash) the guy tried to give me the wrong change.
"One very good reason *not* to have two methods of authorization running simultaneously."
Exactly. You'd think they would learn from a very well known fact that counterfeiters produce old bills, not new ones.
Jarrod - The dual mechanism was part of the compromise to get Chip/Pin off the ground in UK. The initial publicity I saw presented this as a way for small retailers to be given a bit of leeway and ensure they were not left without payment methods since it was feared that the big boys would utilise all the capacity for new machines. However as we have seen in this case, the small merchants did the conversion but some big corporates decided to ease their own cash flow, to the detriment of the public.
The one BIG benefit I have noticed with the new technology - all restaurants now use little handheld devices, which connect via wireless to some controller, so the waitperson does the payment transaction while s/he stands at your table. Not only does the card never leave my sight, it never is more than a few inches away and under my control. None of this taking the card into the back room and running off a dozen slips. Of course having written this I realise where the new exposure is . . .
I think there are multiple layers of authentication/authorization problems regarding this issue:
1. What has already been commented - Multiple methods to authenticate users being concurrently applied, where the security properties of the stronger system are compromised by known vulnerabilities in the weaker one.
2. Lack of procedures to properly authenticate personnel:
"There is evidence that criminals have posed as technicians to implant devices into till terminals at the petrol stations."
3. Poorly designed card readers that allowed the transparent installation of extraneous hardware.
It was through the simultaneous exploitation of all these that the system was compromised. Evidently, APEC's statement that "this is not a systemwide issue" is a blatant PR lie: If Shell lacked the capability of preventing the installation of skimming hardware in the card readers and later its fraudulent use, it is to be expected that similar attacks in other commercial establishments could be successful. In my opinion, APEC is responsible for vulnerability 1 and Shell for vulnerabilities 2 and 3, and it would be fair for them to incur any financial losses derived from their incompetence.
> Not only does the card never leave my sight, it never is more than
> a few inches away and under my control.
Ah, but the number is now transmitted wirelessly through the air. Before you were trusting the waitperson and the terminal the waitperson was using to authorize your card. Now you're trusting your waitperson (who could still get your number through a number of methods, albeit not as transparently as before), the restaurant's wireless network, and the terminal.
This is not necessarily a better environment.
Regarding c&p in general. I'm in the UK and have yet to use a c&p keypad that was effective in hiding my finger movements when typing in the pin number. Most shops make no attempt to position the keypad in a secure manner and often it is fixed so you can't move it yourself.
A magician can "read" pencil and pen movements to determine what someone is writing without seeing the text. I would guess that with a little practise anybody would be able to "read" someones pin number from quite a distance just from the hand movements. Of course, if the keypad cannot be used securely it's much easier.
Regarding my post above, typo: APEC should be APACS.
Despite all of this I still prefer Chip and Pin to the magnetic stripe and signature.
The kind of attack perpetrated here is not really that different from recent attacks against ATM machines where skimmers are attached to ATMs, and fake keypads added over the real one. It is not a flaw as such with Chip and Pin, but a flaw with the whole concept of Pins.
While I agree that this is caused by having multiple forms of authentication being allowed I am not sure I am convinced that this will ever be fixed. The use of magstripe and signature will not disappear until two things occur:
1. Everywhere in the world uses chip and pin.
2. There is no one unable to use Chip and Pin. (There are some people who are unable to due to disabilities).
In addition there is the issue of trust in the hardware being used.
I have seen some comments on sites about this issue talking about a major flaw being that the Pins cannot be sent over the internet for internet based payment, and I think this is a good thing, I cannot think of anything worse than online stores remembering not just card details, but Pins too. I guess I could cope if the chip were to encrypt some data transmit it to the online store for relay to the bank, provided each encryption is single shot and secure, but sending the pin just screams to me of problems to come.
Phish and Chips, Chip and Spin. Again good old R Anderson and co has done some great research on this.
There is a paper amongst the website that details the problems with the terminals, and other esoteric security issues, old stories we all know, but recurring ones none the less.
It doesn't take a great deal to educate oneself about these matters. However if there isn't a management security culture in these corporate entities to support due diligence, nothing will ever change. Until legislation forces acceptance...and even then of course...there will always be failure. I think I'm harping on about the PR from APACS, it really narks me off.
The main reason magstripes were retained was for use in ATMs.
I'm surprised they say the machines where the cloned cards were used were often abroad; I'd have expected them to withdraw cash.
I have never liked that the pin for ATM cash withdrawal is the same as that used in the shop. As described above entering a pin in a shop at a till, (usually being recorded on CCTV as well) makes it much more likely that your pin be compromised there.
The attraction of then being able to use this pin to obtain cash if one could get hold of the card - seems to me to make wallet theft at the shop door of considerably more interest.
Clive, I think you're forgetting how easy it is to go overseas from the UK. It takes 2 hours, 40 minutes, from Paris to London, and presumably you can make that much shorter if you're closer to the shore on both ends.
I find it confusing that they say the device copies the magstripe using the chip-and-pin machine, as most chip-and-pin readers I've seen couldn't possibly copy the magstripe, unless the contents of the stripe are stored on the chip. (OTOH, I don't recall the reader in any Shells.)
I am unsure about the relative merits of the technical arguments but I think I do understand something about the way commercial companies operate. If you are not happy with their service then don't use it and let them know about it. Free market forces will work very well if we boycott companies with poor security. As soon as company management understand that bad security is hitting the bottom line they will respond. I will try to avoid Shell garages.
Using the same pin for Mag and C&P is a huge weakness driven by dumb corporate ease-of-use policies. See/record me put my card in the little machine. Watch the card number and expiry as it sits in the card holder. Watch me enter my pin. Duplicate magstripe card, use at any ATM, or better sell details to Russian Mafia for $100 each and email them over to Moscow. Easy.
it's basically the same issue with single-sign on, except your username is a card number, and password is a PIN. Catch the credentials through the weakest authentication mechanism, and reuse them.
@Geoff, "Reading" pins:
I generally hold at least three fingers in close proximity to the keys, so (hopefully) anyone watching me would have to be watching *very* carefully to figure out exactly which key I pressed.
On a tangential note: I've noticed that a lot of direct debit PIN pads where the numbers are silk-screened on (as opposed to being molded into the key itself) show a lot of wear on the 1 key (to the point that the number's almost obliterated), almost as much on the 2, 3 and 4 keys, and very little wear on the rest of the keys. This leads me to suspect that if you were to try hacking a PIN, the pins 1111 and 1234 would have a very good chance of succeeding.
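How much a worn keypad actually narrows the search is worth quantifying, so here is an added example (my own, not the commenter's) that enumerates every PIN consistent with an observed set of worn keys and orders the candidates by a stated heuristic. The ordering rule (PINs that use every worn key come first, since a worn key the PIN never touches is otherwise unexplained) and the three-attempts-before-lockout figure are assumptions of the example, not facts from the page.

```python
from itertools import product
from typing import Dict, Iterable, List


def candidate_pins(worn_keys: Iterable[str], length: int = 4) -> List[str]:
    """All PINs of the given length drawn only from the worn keys, most plausible first.

    Heuristic (an assumption of this example): a candidate that uses more of the
    distinct worn keys explains the wear pattern better, so candidates are sorted by
    the number of distinct digits they contain, descending, then lexically.
    """
    worn = sorted(set(worn_keys))
    candidates = ["".join(p) for p in product(worn, repeat=length)]
    candidates.sort(key=lambda pin: (-len(set(pin)), pin))
    return candidates


def wear_attack_stats(worn_keys: Iterable[str], length: int = 4,
                      attempts_before_lockout: int = 3) -> Dict[str, float]:
    """Search-space reduction and the success chance of a fixed number of blind guesses.

    p_success_uniform assumes the real PIN is equally likely to be any candidate;
    real PIN choices are far from uniform, so treat it as a lower bound.
    """
    candidates = candidate_pins(worn_keys, length)
    full_space = 10 ** length
    return {
        "candidates": len(candidates),
        "reduction_factor": full_space / len(candidates),
        "p_success_uniform": min(1.0, attempts_before_lockout / len(candidates)),
    }


if __name__ == "__main__":
    worn = "1234"   # the wear pattern the comment above describes
    stats = wear_attack_stats(worn)
    print(f"worn keys {worn}: {stats['candidates']} candidates "
          f"({stats['reduction_factor']:.1f}x smaller than 10^4), "
          f"P[3 blind guesses succeed] = {stats['p_success_uniform']:.4f}")
    print("first candidates:", candidate_pins(worn)[:6])
```

Four distinct worn keys leave 256 possible four-digit PINs instead of 10,000, and only 24 of them use all four keys; three blind guesses against a lockout succeed about 1.2% of the time under the uniform assumption, which is already forty times better than guessing from the full space. If the cardholder chose one of the "obvious" sequences, the commenter's 1234 is the very first candidate the ordering produces.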
I'm sure I'm not the only person with a wallet full of cards. C&P means I have to memorise a lot more PINs which I won't remember.
So should I change all the pins to be the same, or write them down somewhere in my wallet? Or only use one card whose PIN I can remember?
Are these the (un)intended consequences of changing one element of 'security' in isolation?
Actually, I still use cards which are not C&P and this might work in my favour. I find that people now take more care with my signature.
Yet I've never seen anyone enter their PIN in the secure APACS-recommended way:
I liked the APACS rep's response ...
The association's spokeswoman Sandra Quinn said: "They have used an old style skimming device. They are skimming the card, copying the magnetic details - there is no new fraud here.
So what she IS saying is that the current C+P cards foisted on us is itself KNOWN to be insecure by APACS. Echoing Moz's rhetoric ... lies, incompetence, or just a desperate attempt to transfer transaction risk away from the issuers?
I raised the question of removing the mag stripe, but my issuer (MorganStanley) stated that this is required (and I've sometimes seen merchants swipe the card in their mag stripe reader before using the chip - habit or requirement?). Likewise, I'm stuck with four-digit PINs ... given the choice, I'd like to choose my own 5- or 6-digit PIN.
Finally, I wonder how many of the "foreign" transactions is associated with "Cardholder Not Present" transactions conducted via Internet ... no travel required.
This wouldn't have been an issue if the staff had been trained to be aware of social engineering risk. Is this training now being planned by Shell and other chip and spin retailers?
"I've sometimes seen merchants swipe the card in their mag stripe reader before using the chip - habit or requirement?"
Where it is swiped through a separate machine it often seems to be for legacy systems where the accounting software stores your card details against the transaction details. Some other integrated systems (like our local Tesco) seem to do it because the chip reader is at the bottom of the swipe channel, and some others like the RBS terminals because it is quicker to wake up the machine like that than by pressing buttons.
>I find it confusing that they say the device copies the magstripe using the chip-and-pin machine, as most chip-and-pin readers I've seen couldn't possibly copy the magstripe,
unless the staff are complicit in the scam.
>This wouldn't have been an issue if the staff had been trained to be aware of social engineering risk.
I expect the response will be to accelerate the upgrade of UK ATMs to use chip & PIN authentication, so increasingly where a withdrawal occurs from a magstripe ATM (e.g. user is in a country where c&p is not used) the home bank can use this as an extra indicator into their fraud detection heuristics.
I think everyone here has missed how the exploit worked - it wasn't the commonality of the PIN that dunnit. The PINs and card numbers were extracted from the magstripe, and used in magstripe ATMs or terminals. Having different PINs for the chip and the stripe would have done nothing at all.
It was the continued existence of a less secure system that dunnit - that, and the fact that UK cards aren't true two-factor authentication. The UK implementation of magstripe, and the UK implementation of Chip/PIN, have the PIN stored on the card and verify it locally. Authorisation is online, authentication local.
If the PIN was only in the user's head and a remote lookup table, the easiest way to obtain it would be defeated. At the moment, you can get the PIN by the following means: 1) Intercept mail/2) Social engineering/3) Hack card/4) Hack terminal.
The banks have undertaken some effort to minimise 1), although it's tough (I'd have the customer come to the bank for it, personally..). 2) should be avoided trivially but probably won't be, 3) is doable and a serious threat so long as the PIN is on the card, 4) is doable and a serious threat, period.
Just a thought: what kind of encryption is there on the over-the-air wireless terminals you find in restaurants? I've heard conflicting tales from people who all ought to know (some say it's there; a number of others say it's unencrypted). It strikes me as a rather large potential hole in the security model, since the whole of the magstripe data will be flying through the ether much of the time...
Posted by: Piman at May 8, 2006 06:36 PM
"The attraction of then being able to use this pin to obtain cash if one could get hold of the card - seems to me to make wallet theft at the shop door of considerably more interest."
Or try this:
Wait in a queue while the shopper in front of you puts her card into the terminal, overlook her pin, while the terminal displays "please wait, don't remove card", grab the card and run out of the shop. Get to the next ATM and you can withdraw up to £500/day until the card is cancelled.
Ah. Yes. Some self-criticism is in order: I'm actually the author of the BBC piece in question. Should've specified that. Apologies to all here - no intent to deceive. At the time of writing (late afternoon in the UK), I had that bit of info from three sources who really ought to know, and therefore decided to go with it.
Some further research this evening indicates there may in fact be some level of encryption, albeit not a terribly effective one - but I'm still not at all sure I've got to the bottom of things.
Anyone with further information, I'd love to see it posted here. Needless to say, I'll report back here on further inquiries as well, and update the story as required.
Having worked with POS hardware before, I can say that there are 2 main ways that the stripe data can be obtained off a chip card:
(1) The firmware in the reader is hacked so that it siphons off the "track 2" data from the chip. This is very unlikely, as you need incredibly specialised software and programming skills to do this.
(2) Install a mag stripe skimmer at the entrance to the chip reader. This needs to ensure that the entire length of the mag stripe passes the skimmer.
Almost all POS hardware like this contains physical security features, so that you can't take apart the machine and read any stored information.
It's definitely getting harder for fraudsters to do their thing, at least for card present transactions.
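Both routes the comment above describes end with the same prize: the card's track 2 data, which is all a magstripe-only terminal or ATM needs. As an added example (mine, not the commenter's and not from any POS vendor), here is a parser for the ISO/IEC 7813 track 2 layout, `;PAN=YYMM<service code><discretionary data>?`, with the Luhn check on the PAN and the two service-code digits that matter to this discussion: the first digit (2 or 6 means the card has a chip that should be used where the terminal can) and the third (0, 3 or 5 mean a PIN is required). The sample strings are constructed; the parser assumes a four-digit expiry and a three-digit service code are always present, which the standard allows to be omitted.

```python
import re
from typing import Dict, Union

# Max track 2 length including the ; and ? sentinels (ISO/IEC 7813).
_MAX_TRACK2_LEN = 40
_TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[0-9=]*)\?$"
)
# Service-code digit 1: 2 = international interchange, IC (chip) preferred; 6 = national, IC preferred.
_CHIP_FIRST_DIGITS = {"2", "6"}
# Service-code digit 3: 0 = PIN required; 3 = ATM only, PIN required; 5 = goods/services, PIN required.
_PIN_REQUIRED_THIRD_DIGITS = {"0", "3", "5"}


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Dict[str, Union[str, bool]]:
    """Split a raw track 2 string into its fields; raises ValueError on anything malformed."""
    if len(raw) > _MAX_TRACK2_LEN:
        raise ValueError("track 2 longer than 40 characters")
    m = _TRACK2_RE.match(raw)
    if not m:
        raise ValueError("malformed track 2 (expected ;PAN=YYMMSSS...?)")
    pan = m["pan"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    svc = m["svc"]
    return {
        "pan": pan,
        "expiry_yymm": m["exp"],
        "service_code": svc,
        "chip_expected": svc[0] in _CHIP_FIRST_DIGITS,
        "pin_required": svc[2] in _PIN_REQUIRED_THIRD_DIGITS,
        "discretionary": m["disc"],
    }


def is_valid_track2(raw: str) -> bool:
    try:
        parse_track2(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: a stripe-only card, and a chip card whose stripe says "PIN required".
    for sample in (";4000000000000002=27121011234567890?", ";4000000000000002=2712203?"):
        print(sample, "->", parse_track2(sample))
```

Two things a practitioner should take from it. Everything here is plaintext with no integrity protection, so a skimmer that captures these forty characters has captured everything a stripe transaction checks apart from the PIN. And the "chip expected" flag is only advisory: a magstripe-only ATM has no chip reader to honour it, which is exactly the gap the clones described in the article were used through.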
I have just had my credit card cloned and £600 stolen! On April 26th the chip and PIN machine was stolen from my local Shell petrol station counter in the Bath road in Speen, Newbury.
I discovered this last night after reading an article in the Newbury Weekly News (11 May 2006). I checked my account and £600 has been withdrawn from ATMs in London over the last 3 days. (I have not been to London since last Friday) I last used that Shell garage with C&P on the 23rd of April.
Shell is quoted as saying "Shell's chip-and-pin solution is fully accredited and complies with all relevant industry standards."
If this is the case then surely there are other C+P systems, which are vulnerable? If the Shell system was accredited then surely the accreditation system is flawed and hence potentially all Chip and pin systems are flawed?
I believe the entire system should be audited by an external authority to find out what has gone wrong, and how many flawed systems are out there.
Of course APACS now say it's an inside job - anything else would admit that the C&P system is fatally flawed. But the fact that this has happened shows that flaws exist and are being exploited.
Even when all ATMs in the UK use the chip, the cloned cards will be used abroad where mag stripe remains the only technology.
So when exactly is chip and pin going to be safe? The whole idea of chip and PIN is that it is hard to clone -it isn’t!
What does "dunnit" mean?
Jeremy SJ (sidelong)...
All over air transmissions are encrypted in some way - there are three main WLAN schemes in use, Bluetooth, DECT and WiFi. All have inbuilt encryption schemes of some sort (although I'm sure Bruce will have an opinion as to their relative security merits).
The PIN verification is local to the terminal, so the PIN is never transmitted over the air, encrypted or otherwise
Firstly, the 13% less losses might have something to do with a huge drop in fraudulent applications (I had the actual figures, can't find them now though). Of course APACS can't possibly think these are related, so it must be chip and pin that did it!!!
Secondly, chip and pin is insecure because you're revealing your pin! It's way too easy even for an 'untrained professional' to see what pin is being entered, so all we need now is for someone to pick the vic's pocket and extract the cards from the wallet... Voila!
In this context, dunnit = (has) done it.
My recent experience in a large UK bookstore chain would suggest that you only need to clone the magstripe to be able to successfully use chip and pin. I have a bad habit of stuffing my debit card into my back pocket. If you do this often enough you find that the plastic card bends but the chip doesn't. Eventually the chip starts to work its way out of the card. Time to order a new card. I was in a bookstore paying for books. Chip no longer registered in reader. Sales assistant just took it out, swiped it and presented slip for my signature. No comment no hassle. So all you really need to do is have a fake chip that doesn't work and a mag stripe that does. Even scarier was this card broke in half later that day. I took it to $bank to order a new one. Teller took both halves of the card, held them together and successfully swiped it to access my account. I'll be shredding cards in future!
Adding to my earlier post, the Trintech C&P readers are up and running again at Shell and having a closer look, my memory had let me down - sorry!
The reader is designed so that the stripe portion of the card is fully inserted into the reader, suggesting that the reader has a magstripe reader built in as a back up to the chip reader. Even if it doesn't, it is easy to add one within the casing which is completely undetectable. I suspect this is probably the way the card data was skimmed although from what I have read it may be as easy to find plaintext card data from the Chip within the system which can be hijacked.
I have seen some comments on sites about this issue talking about a major flaw being that the Pins cannot be sent over the internet for internet based payment, and I think this is a good thing, I cannot think of anything worse than online stores remembering not just card details, but Pins too.
Look at Verified by Visa and Mastercard SecureCode -- this associates a username and password with your card which is used for online shopping. The username/password is verified by a third-party site appointed by the banks, and the merchant never sees it, but has extra assurance that the transaction is valid. Unfortunately the poor customer has no way of knowing that the third-party site isn't a fake site phishing for their username/password.
> The UK implementation of magstripe, and the UK implementation of Chip/PIN, have the PIN stored on the card and verify it locally.
Not true -- the PIN is not stored, on the magstripe or the Chip. If the PIN was stored locally on magstripe, why would crooks install cameras at ATMs? There is no way to discover the PIN from the magstripe alone. The chip can authenticate valid PINs, but only against a one-way crypted version of the PIN, not plaintext.
So different PINs would help, in theory. Until people change them to the same PIN anyway, or, even worse, carry around a list of PINs in their wallet..
Addendum: Alex has hit on a key weakness though. When (not if) cloned chips become widespread, this use of a local secret should allow lots of new attacks.
Hi, I had a look on your website, about hacking chip and pins. The article was interesting enough. I just want to say that in the store where I work I witnessed a hacking process. I was serving customers on the till and the customer entered the chip and pin card on the device. After I pressed the "credit card" button on the till, I saw the message "i su", then normally the message "enter pin number" showed up. Fortunately the transaction didn't go through and the customer paid by cash. The same thing happened with another customer with the same outcome, only this time the message was "i su r u".
The chip and pin devices were being replaced since last week in the store. This is the first time I witnessed something like that.
Can you please comment on the above?
Does the company that supplies the chip and pins have something to do with that?
What actions can be taken?
I recently had £300 taken from my bank account when I was home in bed at 7am. The money was taken from an ATM near where I live. The bank claim that the card was categorically original and that my pin was used - they say that there is 'no way the card could have been cloned' and are refusing to take this matter further.
Can anyone tell me if I have a leg to stand on here ?