Chip and PIN Vulnerable

This both is and isn't news. In the security world, we knew that replacing credit card signatures with chip and PIN created new vulnerabilities. In this paper (see also the press release and FAQ), researchers demonstrated some pretty basic attacks against the system -- one using a paper clip, a needle, and a small recording device. This BBC article is a good summary of the research.

And also, there's also this leaked chip and PIN report from APACS, the UK trade association that has been pushing chip and PIN.

Posted on March 12, 2008 at 2:12 PM • 16 Comments

Comments

kybMarch 12, 2008 3:46 PM

It's all irrelevant - nobody checks that their terminal is a genuine one anyway. Easy enough to make one that reads the magstripe and asks for a PIN, then apparently breaks, so the merchant has to use one of the many paper based back ups.

There's no need to actually communicate with the bank at all.

PalomidesMarch 13, 2008 3:34 AM

It isn't really irrelevant. The Cambridge group have shown that a (very) simple attack is possible that captures PIN and full magstripe data without disturbing the normal function of the PINpad. The point of that is that a criminal can harvest data to be used in foreign ATMs almost indefinitely. This work raises doubts about the common criteria "evaluation" required for PEDs (PIN Entry Devices) and also further highlights the rather nasty position banks take when people report unauthorised withdrawals: "Your PIN was used, our systems are secure, therefore you have been careless with your PIN and are liable". They seem only to be inclined to accept that a criminal theft of data has occurred when lots of people from the same area all report the same thing.

The main selling point of Chip and PIN is the security of the entire system. Being able to compromise that at the card-PED interface in a matter of minutes with a paperclip and less than $500-worth of electronics is a substantial problem.

Aidan A. O'BrienMarch 13, 2008 4:22 AM

The mag stripe was never a security measure, it was a data entry measure (remember credit card phone calls in the 1990's)

There is no PIN and mag stripe solution to the bogus terminal problem. One can always sell (give away) T-shirts advertising a great price and harvest cards and PIN's with a fake terminal.

The track 2 is almost never encrypted on the data communications line. Observe the PIN entry (a small wireless camera will do) and record the track 2's. Build the inductive couple for the data com line from spare parts.

Chip is another story. The chip verifies the PIN and only then generates the cryptogram required for the transaction. The PIN can still be observed but posession of the chip is required (for now).

The industry is already moving away from mag stripe. This article is about 5 to 10 years too late.

PalomidesMarch 13, 2008 7:58 AM

Aidan, what this article describes is how to read the PIN and the track 2 equivalent data (an exact copy of the magsrtipe track 2) from tapping into the data line between smartcard and reader.

These two pieces of information can then be used to make a fake card that will work in non-Chip capable ATMs (in countries where EMV has not been rolled out).

There are several possible solutions:
1. Use encrypted PIN
2. Have different "track2" data stored on the card to that encoded in the chip
3. Implement EMV everywhere

Oh and
4. get PED manufacturers to design their devices properly, and get testing labs to actually do some proper testing.

Aidan A. O'BrienMarch 13, 2008 9:15 AM

Palomides, I agree with you. However with a mag stripe it doesn't matter how secure the PIN Entry Device is. Yes manufacturers should follow standards, but the article didn't focus on compliance testing and monitoring.

As to the vulnerability of mag stripe transactions, take a look at this article from the Toronto Star from last year:
http://www.thestar.com/printArticle/188460

It states:
"Thieves install two devices on the ATM: a miniature pinhole camera and a fake front that looks exactly like the bank's own card reader and fits over the top of the real ATM."

"The reader inside the fake front records account information as the card is passed through it, and the camera allows the crooks to see the PIN as it's entered."

"Thieves can even use wireless technology to transmit your card information to a computer in a remote location."

"With that information, they can make a duplicate of the debit card and help themselves to your money."

This attack utilizes a bank's own ATM. The fake fronts are very convincing. It does not matter how secure the PED is.

lucid nonsenseMarch 13, 2008 7:25 PM

There are already methods to reduced the risk of this within the existing standard.

1. Use a different verification values in Track 2 when its dipped instead of swiped.
2. There is the ability to have two pins per card. The online PIN which is verified by the issuer for use in ATM only and the offline PIN which is verified by the chip the rest.

The first point is easily performed by the issuer and enables the detection of captured chip data in a mag strip transaction.

The second point is also reasonable easy to deploy however this has the largest customer impact and also is impacted with other issue such as customer selected pins etc.

Stopping the access to cash is critical and should be the first issue focused on.

FatBazMarch 14, 2008 10:17 AM

Would you believe that the data from the keypad of the Chip and Pin reader to the computer is not encrypted? Unbelievable! So the last fraud carried out at a certain chain of petrol stations involved inserting a hidden device to read this data. Also when you enter a petrol station look where the security camera is pointing. In one garage the camera was in a position where the customers face could not be seen but was pointing such that it could see the keypad and therefore see what PIN number was being entered. If you see the camera in this position ask at the counter what purpose the camera is for if it can't see the customers faces - the answers are quite surprising - so cover the keypad with your hand.

gregMarch 14, 2008 11:40 AM

@FatBaz

cameras take usally 1 frame per sec or less at rather low quality. The chance of getting more than 1 number is pretty small.

most cameras are there to catch low paid staff from till dipping and such.

Clive RobinsonMarch 16, 2008 11:39 AM

I think a number of posters have missed a point or to about this attack against Chip-n-Pin (CnP).

1, this is an attack the CnP card holder has absolutly no way to detect.

2, EVM CnP will not get fully around the globe for atleast ten years if it ever does.

3, If EVM say (without proof) that both the chip and pin was used then the card holder is stuck with the loss.

For the criminal all they have to do is find a place where EVM CnP is not installed or beter still where the default or fall back is mag stripe (both of the latter are still in CnP area).

It is now known that it is actually extreamly unlikely (read ofther stuff by Ross Anderson and co) that the bank knows how the card is read nor do they care (except when chalenged in court). They just record a CnP activity in their logs and lie in court about verification.

The banks have passed the risk/loss out to the merchant or customer so they realy do not care untill a Judge gets them by the short and curlies and tells them to prove what they are saying is actually true...

As Bruce myself and others have indicated on this blog many times in the past, as long as banks can externalise risk/loss they have no incentive to implement a secure system.

Chip-n-Pin was EVMs little master stroke to get around legislation which gave customers the right to deny they had made a transaction (and thereby stick either the bank or merchant with the loss).

KeithMarch 18, 2008 12:35 PM

Chip and PIN isn't about security. It's about externalities.
When you sign for something, it's up to the merchant/bank to confirm that it's your signature. If someone else signs, that's the bank or merchant's problem for not authenticating the signature. Therefore, the bank pays.
When a PIN is used, it's up to you to keep the PIN secret. If someone other than you uses the PIN, that's your fault for letting it be known. Therefore, you pay (or at least you will once the banks have us all used to chip & PIN for a while).

RogerMarch 20, 2008 5:24 AM

@greg:
> most cameras are there to catch low paid staff from till dipping and such.

True enough, but the previous poster was indicating that in some locations, the staff are apparently able to move the aim of the camera to their own ends. Of course management ought to detect this, but in practice most small businesses never examine the footage until a crime is detected.

> cameras take usally 1 frame per sec or less at rather low quality.
> The chance of getting more than 1 number is pretty small.

This is not necessarily true at all. Frame rates for security cameras vary greatly. A decade ago, taking 1 fps was fairly common in small business analogue systems where you wanted to make a nominal 3 hour video cassette recording last over a weekend because staff wouldn't be present to change tapes. This also gave a margin of error in case non-specialist staff occasionally missed a tape change during the week. Slightly higher end systems (that would be changed daily by security staff) often did 7 fps on a nominal 4 hour tape to give a nice-and-tidy daily tape change policy. A 7 fps camera will almost certainly be fast enough to capture a PIN entry.

Today a significant proportion of cameras are digital. Tape rotation is a thing of the past, and due to MPEG compression quiet periods occupy negligible space, whilst even busy periods get to compress away the background. Consequently a hard drive costing a few hundred bucks is sufficient to store about 1 camera-week's worth of TV-resolution MPEG compressed video at normal or near normal frame rates. In practice, the actual frame rate will often depend on the number of cameras and the performance of the multiplexing card, but 10, 15 and even 25 fps are common.

RogerMarch 20, 2008 5:29 AM

@Aidan A. O'Brien:
> Yes manufacturers should follow standards, but the article didn't focus on compliance testing and monitoring.

You must have been reading a different paper to me! The one I read devotes about half of the entire paper to the examining the defective process of standards compliance testing. They went into considerable detail about the organisational and economic aspects of the process that had caused it to be so pathological, and gave suggestions on how to fix this. To me, however, the most interesting observation concerned the bogus "certification" used by APACS.

The process currently used by APACS is borderline fraudulent, in that through use of the misleading term "Common Criteria EVALUATED" they give the impression that the equipment has been Common Criteria CERTIFIED when it has not. Common Criteria Evaluation is an internal APACS process, the nature of which has not been publicly revealed, and which bears no relationship to CCC except the deceptive name, and that they claim (non-verifiably) to use the some labs. This is almost certainly a violation of the "Common Criteria Certified" trademark, but the trademark holder has chosen not to sue unless they use the exact wording.

These are the people you trust with your money. In fact, their product *IS* trustworthiness; they don't manufacture anything else. They don't seem to be too good at it any more.

VmsJuly 22, 2008 9:48 AM

My mother spent £9 plus a £50 cash back in Morrisons supermarket. This transaction does not appear on her bank statement. However, her bank account has had over £2500 removed from it via ATM's in the early hours of the morning over a period of 7 to 10 days. Lloyds TSB advise that a cloned card was not used therefore someone known to her has used her card on each occasion and then replaced her card. No one else knows her PIN or had access to her card.
The money has been returned but the slur remains. Is it impossible to clone a chip and pin card and can the bank really identify whether a cloned card has been used?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..