Schneier on Security
A blog covering security and security technology.
August 9, 2006
This is interesting. Seems that a group of Sri Lankan credit card thieves collected the data off a bunch of UK chip-protected credit cards.
> All new credit cards in the UK come embedded with RFID chips that contain different pieces of user information; in order to access the account and withdraw cash, the ATMs have to verify both the magnetic strip and the RFID tag. Without this double verification the ATM will confiscate the card, and possibly even notify the police.
They're not RFID chips, they're normal smart card chips that require physical contact -- but that's not the point.
They couldn't clone the chips, so they took the information off the magnetic stripe and made non-chip cards. These cards wouldn't work in the UK, of course, so the criminals flew down to India where the ATMs only verify the magnetic stripe.
Backwards compatibility is often incompatible with security. This is a good example, and demonstrates how criminals can make use of "technological arbitrage" to leverage compatibility.
EDITED TO ADD (8/9): Facts corrected above.
Posted on August 9, 2006 at 6:32 AM
Do UK cards really have RFID? They have a chip built in, but I believe this requires electrical contact in order to be read. It's required for the 'Chip and PIN' system we are now using most of the time instead of signatures. That has its own security issues.
It's my understanding too, that the new breed of UK credit/debit cards have contact chips.
Also, I reckon this report relates to the other half of the scam relating to tampering with card/PIN readers here in the UK to obtain the PINs for known card numbers. This affected Shell petrol stations, and perhaps others too.
The problem was discovered a few months ago (perhaps February) and several arrests were made in the UK. I don't think the case has gone to trial yet.
Shell, and some other petrol stations have not been using Chip&Pin for some time, because of this. They have reverted to signature. I hear that a revised system is being worked on; presumably this provided readers with better tamper detection, and maintenance staff with greater honesty.
Just a quick point - the new UK cards don't have RFID, they have chips built in that are accessed via a contact system. They do still have the magnetic stripes, though.
The same thing happened with european debit cards: in addition to the magnetic stripe, they featured an optical security tag that let the readers in ATMs identify cloned cards. The thieves just stole/copied cards in germany, then went across the border to the netherlands, belgium or some other european country where the readers didn't look at the security tags.
No, UK credit cards do not contain RFIDs yet; travel cards do (Phillips MyFare system).
The article is a bit vague. I suspect that the attack is one that has been used in the UK frequently since the introduction of Chip-n-Pin.
Basically the design of the system has a fall-back position if the chip either does not work or cannot be read (i.e. dirty contacts, lock-up due to static or one of a hundred other ills these chips can suffer from).
The fall-back is to use the mag stripe (which incidentally is the way they work outside of the UK as well...).
All of the card holders details can still be obtained by the simple process of skimming at an ATM (or shop Pay Point as all the Chip-n-Pin cards are also Debit Cards).
If you want further details of this simple and other not so simple attacks on Chip-N-Pin card systems have a look at the following sites,
"this was the cyber crimes unit first arrest in its three years history"
"the Cyber Crime Unit was entirely unfamiliar with recent developments in credit card security. The commissioner had never heard of RFID chips"
No wonder they haven't had an arrest in 3 years.
"No UK credit cards do not contain RFID's yet, travel cards do (Phillips MyFare system)."
The Phillips system you're talking about is actually called MiFare (not MyFare).
It's a general purpose passive RFID system with a range of products from inexpensive "ID only" cards up to expensive crypto-capable, programmable cards.
It's used for many corporate access control systems and while the cards themselves and the technology are very capable, it is often poorly implemented.
UK credit & debit cards now mostly have "Chip&Pin" smartcards.
Most cash machines are rumoured to still read the magnetic stripe though.
A more likely reason for using the cards in India rather than the UK is that almost all UK cash machines have CCD cameras and take your picture during the withdrawal process.
UK ATM and credit cards use the ISO 7816 standard for smart cards, with a square of copper contacts on the front. The interface is basically low-voltage RS232 - a direct descendant of the electro-mechanical teletypes of the 1960s (ASR33 etc).
> Backwards compatibility is often incompatible with security. This is a good example
Note that the criminals could instead have used the cloned credit cards online without the new technology kicking in. There is currently no practical means of validating the chip online (although I understand some plans are afoot). So it's not quite as simple as backwards compatibility - the new scheme does not cover all use-cases. Sometimes this is because of compatibility with old-style card readers, but not always.
Because the card thieves were forced to take the cards to India instead of using them in UK ATMs, it becomes that much easier to spot the suspicious transactions. In particular, they can easily be found in retrospect once the MO has been identified. This is an improvement over the old system, it's just not as good as it would be if every ATM in the world (or, even better, every vendor in the world) could use the chip.
@Greg: > Most cash machines are rumoured to still read the magnetic stripe though.
Easy way to test it - prise the chip off your card, and try to use it in a cash machine. You should be able to glue it back afterwards. Or just cover it with tape (make sure it can't come off and gum up the machine: that would be extremely bad news if that CCTV camera caught you).
I had a card (before C&P, but still with a contact smart card) where the chip fell off at the start of a 2 month holiday. Fortunately the holiday was in the US, not Europe, since the card worked fine there without it.
Just exactly, what is the benefit of checking the chip against the magnetic strip?
* If both chips and magnetic stripe could be cloned then this check would only catch the bad identity thieves that didn't catch that they had to clone both chip and strip onto the same card.
* If chips cannot be cloned, then it is sufficient to check the chip to validate the card. If chip reader is available, the magnetic strip does not provide any additional security.
The magnetic strip is there entirely and only to provide backward compatibility - or if you like, to facilitate such attack. If you know you won't need your magnetic stripe, just delete it.
There is no point in matching a card against itself. There is a point in matching a card against the claimed owner.
> Backwards compatibility is often incompatible with security...
There's definitely a lot of crime opportunity during the transition to 'all chip'. I was standing behind a Dutch holidaymaker at a UK filling station last week. His card didn't have a chip, so the attendant swiped the mag stripe instead. So, thieves should clone the stripe of cards and pose as foreign visitors, this would work well.
By the way, the driving force behind chip&pin in the UK is that as from April, fraud losses (from mag stripe cards) need to be covered by the shops and not the card issuers. Therefore there's a mad scramble to change over and use the chip.
RS-232 is only "a direct descendant of the electro-mechanical teletypes of the 1960s" in the sense that both standards use serial communication and can be used for sending text. Teletypes were generally current-loop, which is quite a lot different from the voltage levels used by RS-232, and they normally used a 5-bit code quite unlike the 7- or 8-bit codes normally used on RS-232 connections.
> Most cash machines are rumoured to still read the magnetic stripe though.
> almost all UK cash machines have CCD cameras and take your picture during the withdrawal process.
ALL UK ATMs read the mag stripe as the card goes into the machine. The reasons for reading all cards are:
1. Non-UK cards can be used.
2. Defective chip cards can still be used (the fall-back mode I mentioned above).
And actually most ATMs do not have cameras in them (think shops, petrol stations etc etc) for the simple reason that they are very easy to avoid (think hood, gloves and a scarf) and expensive to maintain.
For those of you in the UK, quite a few shops still do not have Chip-N-Pin compatible terminals (Maplin and SpecSavers are two that I know of that I have used this month).
Also there is a very real issue with Chip-N-Pin you do not hear mentioned (as it's low tech). Most shops have a hidden CCTV camera above the till to check for employee theft etc. Most of the Chip-N-Pin terminals are badly designed and the camera usually picks up what you press as your PIN number...
Chip-N-Pin has been badly thought out from the customer's perspective, but that's OK as it saves the banks lots of money (think cheque clearing costs). As it is a direct debit card, not a credit card, it is uncertain what the consumer protection really is, as it does not use a signature. Oh, and the banks can always accuse you of giving your number away...
It's almost trivial to read the PIN for a Chip&Pin card as it is being entered. Ask any stage magician. I've yet to find a key pad that properly hides your hand as you type.
I heard today that Barclays Bank is to issue a small device that can generate one-time passwords. Apparently it will use a standard Chip&Pin card and is a stand alone unit - it doesn't need a PC (or worse "Windows".)
This could be linked to a story that was reported recently regarding the Withdrawal of EMV (chip and pin) authorisation from a chain of petrol stations in the UK.
EMV specifies a fallback to mag stripe where a chip cannot be accessed for legitimate reasons. That can be in an ATM that is not fitted with a chip reader (of which there are still many in the UK) or when being authorised on a linked network that is not certified for EMV (most of the rest of the world). The mag stripe authorisation will require that the user's PIN is validated, so the crucial part of this fraud, as with all ATM fraud, is in getting the user's PIN.
The most frequent route to getting the card data and PIN information together is skimming (the fraudsters place an extra reader over the legitimate one, a technique that is becoming more difficult) and the use of a pinhole camera or shoulder surfing to capture the pin.
In this case it appears the attack was a bit more sophisticated; it works along these lines: the fraudsters, possibly in cahoots with corrupt retail staff, remove the Point Of Sale (POS) terminal from the shop on the pretence of servicing it. The terminal is then fitted with an extra magstripe reader to collect the mag stripe data. The fraudsters also need the PIN, and this can be tricky as the pinpads are secure devices protected by a mesh that will burn the ROM if damaged. However, where there's a will there's a way, and you wouldn't have to be a genius to figure out ten different ways that the PIN could be collected without destroying the pinpad.
The criminals then sit back and collect as much mag stripe data and matching pins as they can eat!
This is indeed technological arbitrage of the backward compatibility and the inherent insecurity of the locations of some of these 'secure' devices.
This ought to bring more urgency to the worldwide implementation of EMV
Ignoring the chip for a moment, and just thinking about ATMs, mag strips and PINs.
I fly to India, put my card into an ATM, type my PIN, the PIN is verified and I get my money.
How is the PIN verified? Is it the case that the ATM (directly or indirectly) contacts my home bank's computer for verification? There's a lot between the Indian ATM and my bank's computer which could fail, leaving me with no cash.
The alternatives are that the PIN is ignored, the information on the card is alone sufficient to verify the PIN, or my bank has already broadcast my PIN to India (and banks everywhere else in the world) so that it can be checked locally. Only the last of these is even slightly secure, but it hugely multiplies the number of sources from which damaging information could leak.
Changing topic to testing whether ATMs read the chip or not, and verify it against the strip or not: if you have cards for two accounts, you could clone the strip from one to the other. Use the mutant card, and see whether it is accepted, and which account the money comes out of.
In a mag stripe transaction the user's PIN is encrypted inside the pinpad and turned into an offset calculated from the PIN and various other bits of data to create a standard PIN block that is encrypted under the local bank's keys and passed off into the network.
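The "standard PIN block" the comment above refers to is, in practice, ISO 9564-1 format 0, which binds the PIN to the card's PAN before the pinpad encrypts it. The following added example (not from the post or any commenter) builds and decodes the clear-text format 0 block; the PAN and PIN values are constructed test data, and the 3DES/AES encryption under the acquirer's key that a real pinpad applies afterwards is not shown.

```python
# ISO 9564-1 format 0 PIN block: the PIN field is XORed with the 12 rightmost
# PAN digits (Luhn check digit excluded), so the same PIN yields a different
# block on every card and a block cannot be replayed against another PAN.
# Added example; PAN "4111111111111111" and PIN "1234" are constructed values.

def _pan_field(pan: str) -> bytes:
    """PAN field: 0000 followed by the 12 rightmost digits, check digit excluded."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return bytes.fromhex("0000" + digits[-13:-1])


def format0_pin_block(pin: str, pan: str) -> str:
    """Return the clear format 0 PIN block as 16 uppercase hex digits."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4..12 digits")
    # PIN field: control nibble 0, PIN length (hex), PIN digits, padded with F.
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = _pan_field(pan)
    return bytes(a ^ b for a, b in zip(pin_field, pan_field)).hex().upper()


def decode_format0_pin_block(block_hex: str, pan: str) -> str:
    """Recover the PIN from a clear block; fails if the PAN does not match."""
    block = bytes.fromhex(block_hex)
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(pin_field[1], 16)
    pin, pad = pin_field[2:2 + n], pin_field[2 + n:]
    # A wrong PAN scrambles the PIN digits and the F padding, so both checks
    # must hold before the value is trusted.
    if not (4 <= n <= 12) or not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN block does not match this PAN (or was corrupted)")
    return pin


def demo() -> tuple:
    """Round-trip the constructed test PIN on the constructed test PAN."""
    pan = "4111111111111111"
    block = format0_pin_block("1234", pan)
    return block, decode_format0_pin_block(block, pan)


if __name__ == "__main__":
    print(demo())
```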
"Backwards compatibility is often incompatible with security. "
Yes, but there is also another factor at play here. As you point out the backward compatibility was not a universal vulnerability, and so the attackers actually "flew down to India where the ATMs only verify the magnetic stripe".
Makes me curious about how the threats were reviewed such that India was allowed backward compatibility, but not the UK. I find that strange since the assets in question are valuable enough to more than cover the cost of travel.
Ah, the human factor of the attack is interesting as well:
"Under the direction of a computer savvy crime boss, the thieves collected credit card numbers from an unscrupulous gas station attendant in London and uploaded the electronic information to the magnetic strips on the back of phone cards. Then they caught a flight to India."
This seems like two vulnerabilities:
1) payment system at UK gas station
2) withdrawal system in India
So the chip doesn't really fix the first since an attendant is still able to skim the cards s/he handles.
Mr W> ... ISO 7816 standard for smart cards, with a square of copper contacts on the front. The interface is basically low-voltage RS232
ISO/IEC 7816-2 "Dimensions and locations of the contacts" and -3 "Electronic signals and transmission protocols" are nothing like RS-232 "Interface Between Data Terminal Equipment and Data Circuit-Terminating Equipment Employing Serial Binary Data Interchange".
- 7816 defines 8 contacts in a square on a card; 232 defines a 25 pin connector (232-D specifies a D-shell connector).
- 7816 uses a single electrical contact for both transmit and receive, 232 uses separate pins.
- 7816 defines a block framing protocol, with error correction; 232 is limited to byte framing and defines no error correction.
- 7816 includes power and reset control for the card (as well as communications); 232 is purely communications.
Aside from extremely generic items such as unbalanced circuits and parity, I suspect you'd be hard-pushed to find anything significant that they had in common! But if you do, feel free to point out exactly which versions of the standards and which clauses therein you're talking about.
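To make the third point of the comparison above concrete, here is an added example (not from the post or any commenter) of the ISO/IEC 7816-3 T=1 block framing: a prologue of NAD, PCB and LEN, an information field, and an epilogue EDC that with the default LRC option is the XOR of every preceding byte, so a receiver can reject a block corrupted on the single bidirectional I/O contact. The APDU header used as payload is a constructed sample.

```python
# ISO/IEC 7816-3 T=1 block framing with LRC error detection.
# Added example, not code from the page. Block layout:
#   NAD (1) | PCB (1) | LEN (1) | INF (0..254) | EDC (1, LRC = XOR of the rest)
# PCB encoding: I-block b8=0, b7=N(S), b6=M (more data);
#               R-block b8=1, b7=0, b5=N(R); S-block b8=1, b7=1.

MAX_INF = 254  # LEN 0xFF is reserved


def t1_lrc(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of all bytes."""
    lrc = 0
    for b in data:
        lrc ^= b
    return lrc


def t1_i_block(inf: bytes, seq: int, more: bool = False, nad: int = 0) -> bytes:
    """Build an I-block carrying `inf` with send-sequence number `seq` (0 or 1)."""
    if len(inf) > MAX_INF:
        raise ValueError("INF too long for one T=1 block; chain with M=1")
    pcb = ((seq & 1) << 6) | (0x20 if more else 0)
    body = bytes([nad, pcb, len(inf)]) + inf
    return body + bytes([t1_lrc(body)])


def t1_parse(block: bytes) -> dict:
    """Validate a received block; reject length mismatch or EDC error."""
    if len(block) < 4:
        raise ValueError("block shorter than prologue + EDC")
    nad, pcb, length = block[0], block[1], block[2]
    if len(block) != 3 + length + 1:
        raise ValueError("LEN does not match received block size")
    if t1_lrc(block[:-1]) != block[-1]:
        raise ValueError("EDC (LRC) mismatch: block corrupted in transit")
    if pcb & 0x80 == 0:
        kind, seq = "I", (pcb >> 6) & 1
    elif pcb & 0x40 == 0:
        kind, seq = "R", (pcb >> 4) & 1
    else:
        kind, seq = "S", None
    return {"nad": nad, "kind": kind, "seq": seq,
            "more": bool(pcb & 0x20) if kind == "I" else False,
            "inf": block[3:-1]}


def corrupted_block_rejected(block: bytes) -> bool:
    """Flip one bit in the INF field and confirm the receiver rejects it."""
    damaged = bytearray(block)
    damaged[3] ^= 0x01
    try:
        t1_parse(bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample payload: the header of a SELECT command APDU.
    blk = t1_i_block(bytes.fromhex("00A4040000"), seq=0)
    print(blk.hex(), t1_parse(blk), corrupted_block_rejected(blk))
```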
The real problem is that most "security specialists" don't (can't?) think like the criminals.
Before the launch of chip-n-pin I would have asked myself:
- is it possible to extract information from the chip?
- how can I use this information?
- if I steal the "Gioconda", where can I resell it?
Criminals ask themselves these questions, and in this case they have:
- extracted the data
- used it in an unconventional way
- gone to another country
(I hope it's comprehensible. 7:00 AM here :P )
Small factual correction. In the UK, if your card does not have a chip then the mag stripe is still used and the transaction goes ahead.
This will always be a necessary feature as not all people are capable of entering a PIN (apparently) - see http://www.chipandpin.co.uk/consumer/index.html.
As an aside, AMEX have decided to not use Chip and PIN. Sure, our cards have the CHIP but no PIN, so we still get to sign. I think it's called Chip & Signature
It's really funny that this whole story talks about smart cards, when in fact, the magstripe information was stolen and duplicated.
In fact, as mentioned by Zaphod, the weak point is not the smart card, it is the PIN:
1: The article mentions an attendant. It is true that, in most cases, a cashier can watch customers type their PIN, and note the PIN while skimming the card.
2: Even without attendant, it is often difficult to hide. In France, there were scams with a concealed magstripe reader and a video camera in several automated gas stations. It is even quite easy to guess somebody's PIN just by looking at their arm movement from behind (great way to waste time in supermarket lines).
Basically, attacking the chip in a smart card remains a bad idea, because these things are well protected. But this does not mean that the "Chip&PIN" program is secure, because the PIN part of it isn't.
On the other hand, this remains in many cases better than other schemes, such as the RFID key fobs used in the US, which are "Chip without security, no PIN, no signature": just spy on RFID signal, program your copy of the card, and fill up your tank. It won't last long because of online protections, but you won't have to travel anywhere far, as long as you never use twice the same card number.
A new level of Airport security must now be added. Passengers must report/be bussed to to an initial security clearance facility located AWAY from airport terminals. All baggage must be checked in/inspected/x-rayed at that facility. Passengers should at this point go through metal detectors/x-ray equipment. Only after these procedures have been done should passengers be allowed to proceed to the airport terminal for final security clearance and flight departure. Terror Feeds on Chaos. We must restore order to our vital air travel hubs.
Is there a way to tell if a card has an RFID tag embedded in it? American Express Blue is clear so you can see the nasty thing. However, the surfaces of both sides of that card are pristine, with no ripples to indicate anything is sandwiched inside. If this was (the standard) opaque card, how would we ever know?
Also, is there an easy way to disable RFID? (i.e. putting the card in a microwave oven for a couple of seconds?)
PAPER TYGER LAUNCHES NEW RFID SHIELD
Bridgewater, MA, June 1, 2007 – Paper Tyger®, a product line of Chase Corporation, announces the addition of a unique “easily printable” new product for protecting personal information on contact-less credit cards or “Smart Cards.” This new patent-pending RFID Shield contains a new security barrier to assure that sensitive information contained on the card’s RFID chip remains protected when not in use. When fabricated into envelopes or sleeves this revolutionary new lightweight product provides water resistance, durability, and printing and converting benefits of the traditional Paper Tyger® line of products.
RFID technology, which provides exceptional convenience yet increases identity theft concerns, is experiencing explosive growth. “The Paper Tyger® RFID Shield is extremely effective at protecting consumer privacy and will assist tremendously in advancing the use of the technology by eliminating the fear of identity theft,” stated Jim Lordi, Director of Paper Laminates for Chase Corporation. Jim went on to say, “Paper Tyger® provides the durability of synthetic products, but with the significant printing and converting advantages of real paper which makes it uniquely suitable for digital, laser and conventional printers.”
Chase Corporation has manufactured shielding laminates for the Wire & Cable industry for over 30 years. Brad Gustavesen, Technical Director of Chase Corporation, commented, “The novel combination of our proven electronic shielding expertise with our paper laminate technology offers a unique product for the growing Smart Card application.”
Chase Corporation is a publicly traded company (AMEX: CCF) and is a leader in manufacturing Tapes, Laminates, Sealants, and Coatings for the protection of Electronic, Construction and Consumer applications. Details of Chase Corporation and Paper Tyger® can be found at www.chasecorp.com
Mark Weibel: firstname.lastname@example.org, Telephone: 1 262.893.0919
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.