When you pay a restaurant bill at your table using a point-of-sale machine, are you sure it’s legit? In the past three months, Toronto and Peel police have discovered many that aren’t.
In what is the latest financial fraud, crooks are using distraction techniques to replace merchants’ machines with their own, police say. At the end of the day, they create another distraction to pull the switch again.
Using information inputted by customers, including PIN data, the criminals are reproducing credit cards at an alarming rate.
Presumably these hacked point-of-sale terminals look and function normally, and additionally save a copy of the credit card information.
Note that this attack works despite any customer-focused security, like chip-and-pin systems.
Posted on June 19, 2012 at 1:02 PM
Research paper: “A birthday present every eleven wallets? The security of customer-chosen banking PINs,” by Joseph Bonneau, Sören Preibusch, and Ross Anderson:
Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression model to identify a small number of dominant factors influencing user choice. Using this model and a survey of over 1,100 banking customers, we estimate the distribution of banking PINs as well as the frequency of security-relevant behaviour such as sharing and reusing PINs. We find that guessing PINs based on the victims’ birthday, which nearly all users carry documentation of, will enable a competent thief to gain use of an ATM card once for every 11-18 stolen wallets, depending on whether banks prohibit weak PINs such as 1234. The lesson for cardholders is to never use one’s date of birth as a PIN. The lesson for card-issuing banks is to implement a denied PIN list, which several large banks still fail to do. However, blacklists cannot effectively mitigate guessing given a known birth date, suggesting banks should move away from customer-chosen banking PINs in the long term.
EDITED TO ADD (2/22): News article
Posted on February 21, 2012 at 7:36 AM
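The abstract's lesson for banks is a denied-PIN list, with the caveat that no list helps once a thief holds the cardholder's birth date. The following is an added example, not code from the paper or from the blog: a PIN-selection check an issuer could run at the moment a customer chooses a PIN, using the date of birth it already holds. The denied list and the set of birthday formats are constructed for this illustration; the paper's abstract names 1234 as a weak PIN but does not publish either list.

```python
from datetime import date
from typing import Optional, Set

# Constructed, illustrative denied list for this example. A real issuer would
# build one from observed PIN frequencies rather than from this handful.
DENIED_PINS = {"1234", "0000", "1111", "2222", "1212", "6969", "4321", "2580"}


def _is_run(pin: str) -> bool:
    """True for strictly ascending or descending digit runs such as 3456 or 9876."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})


def birthdate_pins(dob: date) -> Set[str]:
    """Four-digit strings obviously derived from a date of birth.

    The formats (day/month, month/day, full year, and day or month combined
    with the two-digit year) are an assumption made for this example; the
    paper's abstract does not enumerate the formats it counted.
    """
    dd, mm = f"{dob.day:02d}", f"{dob.month:02d}"
    yyyy = f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, dd + yy, yy + dd, mm + yy, yy + mm}


def check_pin(pin: str, dob: Optional[date] = None) -> Optional[str]:
    """Return the reason a customer-chosen PIN is refused, or None if accepted.

    The issuer knows the customer's birth date, so it can refuse
    birthday-derived PINs at selection time. This does nothing for a customer
    whose PIN was chosen before the rule existed, which is the abstract's
    argument for moving away from customer-chosen PINs.
    """
    if len(pin) != 4 or not pin.isdigit():
        return "must be exactly four digits"
    if pin in DENIED_PINS:
        return "on denied list"
    if len(set(pin)) == 1:
        return "single repeated digit"
    if pin[:2] == pin[2:]:
        return "repeated pair"
    if _is_run(pin):
        return "ascending or descending run"
    if dob is not None and pin in birthdate_pins(dob):
        return "derived from date of birth"
    return None


if __name__ == "__main__":
    customer_dob = date(1985, 7, 14)  # constructed sample customer
    for candidate in ["1234", "7777", "3456", "1407", "8514", "2739"]:
        print(candidate, check_pin(candidate, customer_dob) or "accepted")
```

The ordering of the checks matters only for the message returned (1234 is both on the list and an ascending run); what matters for the customer is that the birthday test runs against the issuer's own record, not against anything the customer types in.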
The author of this article notices that it’s often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits.
Then he points out that if your PIN has only three different digits — 1231, for example — the PIN can be one of 36 different possibilities.
So that’s more secure, although not by much.
Posted on January 6, 2012 at 6:30 AM
Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn’t work against metal pads but on plastic pads the success rate of detecting all the digits was 80% after 10 seconds and 60% after 45 seconds. If you think about your average ATM trip, that’s a pretty wide window and an embarrassingly high success rate for thieves to take advantage of.
Paper here. More articles.
Posted on August 24, 2011 at 7:13 AM
Ross Anderson discusses the technical and policy details.
EDITED TO ADD (7/18): Yet again, my preoccupation with my book is making it harder for me to write timely and lengthy blog posts. So I thank Ross for writing about this issue, so I don’t have to.
Posted on July 18, 2011 at 9:42 AM
There’s some great data on common iPhone passwords. I’m sure the results also apply to banking PINs.
Posted on June 27, 2011 at 6:15 AM
Nice attack against the EMV — Eurocard Mastercard Visa — the “chip and PIN” credit card payment system. The attack allows a criminal to use a stolen card without knowing the PIN.
The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a signature or not at all. This particular subprotocol is not authenticated, so you can trick the card into thinking it’s doing a chip-and-signature transaction while the terminal thinks it’s chip-and-PIN. The upshot is that you can buy stuff using a stolen card and a PIN of 0000 (or anything you want). We did so, on camera, using various journalists’ cards. The transactions went through fine and the receipts say “Verified by PIN”.
So what went wrong? In essence, there is a gaping hole in the specifications which together create the “Chip and PIN” system. These specs consist of the EMV protocol framework, the card scheme individual rules (Visa, MasterCard standards), the national payment association rules (UK Payments Association aka APACS, in the UK), and documents produced by each individual issuer describing their own customisations of the scheme. Each spec defines security criteria, tweaks options and sets rules — but none take responsibility for listing what back-end checks are needed. As a result, hundreds of issuers independently get it wrong, and gain false assurance that all bases are covered from the common specifications. The EMV specification stack is broken, and needs fixing.
Read Ross Anderson’s entire blog post for both details and context. Here’s the paper, the press release, and a FAQ. And one news article.
This is big. There are about a gazillion of these in circulation.
EDITED TO ADD (2/12): BBC video of the attack in action.
Posted on February 11, 2010 at 4:18 PM
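The quoted text puts the blame on a back-end check that no specification assigns to anyone: the card's own view of how the cardholder was verified and the terminal's claim are never compared. The following is an added example, not code from the paper, the blog, or any EMV implementation: a toy model of the negotiation described above, with an issuer-side consistency check that declines a transaction when the terminal says "PIN" but the card never verified one. Record and field names are this example's own, not EMV data-element names, and the model assumes the card's authenticated data carries the verification method it actually performed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CardEvidence:
    """What the card attests to in the data it authenticates for the issuer (modelled)."""
    pan: str
    amount_cents: int
    cvm_performed: str          # "PIN", "PIN_FAILED", "SIGNATURE" or "NONE", as the card saw it


@dataclass(frozen=True)
class TerminalClaim:
    """What the terminal asserts to the acquirer about the same transaction (modelled)."""
    pan: str
    amount_cents: int
    cvm_claimed: str
    receipt_text: str


def card_side(requested_cvm: str, pin_entered: Optional[str], card_pin: str) -> str:
    """The card verifies a PIN only when the (unauthenticated) negotiation asked it to;
    otherwise it records whatever method it was told was in use."""
    if requested_cvm == "PIN":
        return "PIN" if pin_entered == card_pin else "PIN_FAILED"
    return requested_cvm


def issuer_decision(card: CardEvidence, terminal: TerminalClaim) -> str:
    """The back-end check: the card's authenticated view and the terminal's claim must agree."""
    if card.pan != terminal.pan or card.amount_cents != terminal.amount_cents:
        return "decline: transaction data mismatch"
    if card.cvm_performed == "PIN_FAILED":
        return "decline: PIN verification failed"
    if terminal.cvm_claimed == "PIN" and card.cvm_performed != "PIN":
        return f"decline: terminal claims PIN but card performed {card.cvm_performed}"
    return "approve"


def run_transaction(negotiated_for_card: str, negotiated_for_terminal: str,
                    pin_entered: Optional[str], card_pin: str = "4831") -> str:
    """One purchase. Honest: both sides see the same negotiated method.
    The attack described above: the card and the terminal see different ones."""
    pan, amount = "TEST-PAN-0001", 2599          # constructed sample values
    performed = card_side(negotiated_for_card, pin_entered, card_pin)
    card = CardEvidence(pan, amount, performed)
    receipt = "Verified by PIN" if negotiated_for_terminal == "PIN" else "Signature"
    terminal = TerminalClaim(pan, amount, negotiated_for_terminal, receipt)
    return issuer_decision(card, terminal)


if __name__ == "__main__":
    print(run_transaction("PIN", "PIN", pin_entered="4831"))          # genuine cardholder
    print(run_transaction("PIN", "PIN", pin_entered="0000"))          # wrong PIN, honest path
    print(run_transaction("SIGNATURE", "PIN", pin_entered="0000"))    # the mismatch this check catches
```

The receipt still reads "Verified by PIN" in the third case, exactly as the blog post reports; only the issuer, holding both records, is in a position to notice. Whether a real issuer has the card-side evidence depends on what the card includes in the data it authenticates, which is the per-issuer customisation the quoted text complains about.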
Can anyone guess the entry codes for these door locks?
There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The first is most likely 1986 or 1968. The second is almost certainly 1234.
Posted on July 2, 2009 at 12:09 PM
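Both the smudge-mark post above and the worn-keypad photos come down to the same count: once the attacker knows which digits are in the code, the 10,000-code space collapses to the orderings of those digits. The following is an added example, not code from either post: it enumerates every four-digit code that uses exactly the observed digits, and cross-checks the count by inclusion-exclusion, which also generalises to the fewer-distinct-digits cases the smudge post mentions (three digits gives 36; two digits, not discussed on the page, gives 14).

```python
from itertools import product
from math import comb


def candidate_pins(digits_seen: str, length: int = 4) -> list:
    """Every code of the given length that uses each observed digit at least once
    and no digit outside the observed set (the smudge / worn-key candidate set)."""
    seen = sorted(set(digits_seen))
    return ["".join(p) for p in product(seen, repeat=length) if set(p) == set(seen)]


def candidate_count(distinct_digits: int, length: int = 4) -> int:
    """The same count in closed form: surjections from `length` positions onto
    `distinct_digits` digits, by inclusion-exclusion."""
    return sum((-1) ** j * comb(distinct_digits, j) * (distinct_digits - j) ** length
               for j in range(distinct_digits + 1))


def search_reduction(digits_seen: str, length: int = 4) -> float:
    """How many times smaller the candidate set is than the full 10**length space."""
    return 10 ** length / len(candidate_pins(digits_seen, length))


if __name__ == "__main__":
    for seen in ["1234", "123", "12", "1"]:        # constructed observations
        pins = candidate_pins(seen)
        print(f"{len(set(seen))} distinct digit(s): {len(pins)} candidates "
              f"(formula {candidate_count(len(set(seen)))}), "
              f"{search_reduction(seen):.0f}x smaller than 10,000")
```

The practical consequence for a keypad owner is the one the photos make: wiping the keys, or rotating the code so that wear spreads across all ten digits, keeps the candidate set near 10,000 instead of 24.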
Many can be opened with a default admin password:
Here’s a fun little tip: You can open most Sentex key pad-access doors by typing in the following code:
The first *** are to enter into the admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits the admin mode (make sure you press this or the access box will be left in admin mode!)
Posted on March 13, 2009 at 1:46 PM