Jump to content
House Price Crash Forum

Banks' Bid To Gag Student Who Exposed Fatal Flaw In Chip-And-Pin Cards

interestrateripoff
 Share

Recommended Posts

0
HOLA441
interestrateripoff

interestrateripoff

Posted
Posted

http://www.dailymail.co.uk/news/article-1342218/Fraud-fears-banks-try-silence-student-exposed-fatal-flaw-chip-pin-cards.html

Britain's banks were accused of a cover-up today after they tried to silence a Cambridge University scientist who highlighted a fatal flaw in 'chip-and-pin' card security.

The UK Cards Association, which represents the country's biggest banks, objected to research that showed how a simple £20 hand-held device could be used by fraudsters to buy goods without entering a PIN code at the till.

Ex-Labour MP Melanie Johnson, a former Treasury minister who now works in the private sector as chair of the UKCA tried to stop the embarrassing research being published.

But in a blistering defence of academic freedom, Cambridge professor Ross Anderson warned the attempt to gag the scientists was 'a nasty piece of spin doctoring' and 'deeply offensive'.

The professor said that the university would not bow to external pressures and would continue to publish controversial research just as it had done in the past with famous Cambridge scientists such as Sir Isaac Newton and Charles Darwin.

The chip and PIN system, introduced in 2006, was intended to reduce card fraud as thieves would not be able to use stolen cards without knowing the PIN.

Scientists at Cambridge University, including Professor Anderson began to investigate whether there were flaws in the system after a number of card users said their cards' had been stolen and their PIN numbers had been used - something the banks still deny is happening.

The UKCA became incensed after Cambridge research student, Omar Choudary, described in a MPhil research project how to build a gadget that tricks chip-and-pin machines into accepting cards without a valid PIN.

Mr Choudary bought books and CDs worth £50 in Cambridge HMV using a card borrowed from a French journalist connected to the cigarette-packet sized gadget he was carrying.

Miss Johnson, on behalf of the UKCA, wrote to the university's communication department demanding that it remove all details of Mr Choudary's device from its website.

To be honest if your going to steal money your better off doing it via huge mortgage pimping and then getting the taxpayer to pick up the tab.

I'm surprised they haven't labelled the researcher a terrorist.

Link to comment
Share on other sites
1
HOLA442
2
HOLA443
RufflesTheGuineaPig

RufflesTheGuineaPig

Posted
Posted (edited)

Chip and Pin has been open to fraud since the day it was launched.

Banks heralded it as the future, saying it reduced fraud by 90%. In fact is merely reduced the banks LIABILITY to fraud by 90%.

Technically banks have NO LIABILITY to card fraud follwoing the launch of chip & PIN. If the PIN is entered, the customer is liable, is the PIN wasn't entered, the retailer is liable. The bank is NEVER liable. EVER.

The location of terminal and the way people are forced to input their PIN in locations where others can easily oversee them made chip and PIN the biggest card security treat since the invention of the portable card skimmer.

The terminals are riggable to copy card and PIN details, the cards are hackable, and once you've typed you PIN in in the supermarket where everyone can see, it takes seconds for them to pick your pocket at the crowded supermarket exit, or, as more commonly happened, mug you in the car park.

The theives simply withdraw the max amount from your card at the nearest cashpoint, try the same PIN with any other cards you have, (most people use the same PIN for several cards) then dump everything in the nearest bin and go home with between £500 and £5000.

The fraud is so simple even I'M tempted to do it. I'm a well paid computer programmer, and am not short of cash.... but chip & PIN fraud is just free money. They've made it so easy they are simply inviting you to do it.

Edited by RufflesTheGuineaPig
Link to comment
Share on other sites
3
HOLA444
spongeh

spongeh

Posted
Posted

Dunno if I'm allowed to post a link to the research paper, but it makes very interesting reading. It even gives you the parts list and diagram of how to put it all together.... very thorough research and very scary reading.

Basically your PIN isnt verified against the card and the communication between the terminal and the card is intercepted so the card thinks the PIN isnt needed and the terminal gets back the correct response code that the PIN was correct.

Link to comment
Share on other sites
4
HOLA445
Redcellar

Redcellar

Posted
Posted (edited)

Dunno if I'm allowed to post a link to the research paper, but it makes very interesting reading. It even gives you the parts list and diagram of how to put it all together.... very thorough research and very scary reading.

Basically your PIN isnt verified against the card and the communication between the terminal and the card is intercepted so the card thinks the PIN isnt needed and the terminal gets back the correct response code that the PIN was correct.

You probably aren't ;)

Actually its under GPL so everyone in the world who wants a copy aleady has one. Hardware schematics and software all under GPL. What a guy.

Plus he is sponsored by google!!!

"My research is sponsored by Google and I am a recipient of the Google European Fellowship in Mobile Security. In the previous year I have done the MPhil in Advanced Computer Science within the Computer Laboratory."

link to research:

My linkhttp://www.cl.cam.ac.uk/~osc22/scd/

http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

Worth a read if you are interested in security, or your 'trusted' cards, ahem, lol.

Edit: and actually it wasn't this guy that discovered it. Others in the same lab published a paper earlier in the year. This chap actually provided the hardware for the rest of us to implement it.

Edited by Redcellar
Link to comment
Share on other sites
5
HOLA446
6
HOLA447
7
HOLA448
Redcellar

Redcellar

Posted
Posted (edited)

I saw a programme on the BBC a while ago about chip/pin being flawed: the reporter had her card cloned and the pin was somehow switched to 0000 and used by the 'fraudsters' at the Univ. of Cambridge iirc.

EDIT here it is:

http://www.bbc.co.uk...d_pin_syst.html

EDIT2 (summary):

o Prof: "we think this is one of the biggest flaws that has ever been uncovered against payment systems"

o Handheld terminal is tricked into thinking the correct pin was entered (pin is stored on card).

o The card thinks the transaction was authorised by signature.

The trick doesn't quite work that way. You don't get to change the PIN. If you tamper with the card it would know it and stop working.

But it does allow you to enter any four digits and the tool sends a signal pretending to be the card, saying that the 'correct' PIN was entered. It's pretty much that simple. The card does the checking so if you stick something between it and the reader you can just send the signal that the correct PIN was entered.

But the real crime is that the banks are saying, if your card transaction says pin entered, then you are liable. They aren't recognising that the system they implemented is flawed. Of course now this has gone public I think the small claims courts may think differently.

Edited by Redcellar
Link to comment
Share on other sites
8
HOLA449
Scunnered

Scunnered

Posted
Posted (edited)

Ross Anderson is mentioned in this article from February, with a bit more detail on the flaw:

http://www.telegraph...-customers.html

I think he and his collaborators have discovered a number of attacks on chip and pin, amongst other things. The thing is that they try to tell the banks about the security flaws and they don't get any response (maybe because the banks don't want to admit the possibility that there's anything wrong). So they put the information in the public domain and the banks protest furiously. In this instance they've got someone saying

We remain hopeful that the academics concerned will work with us rather than against us to help defeat the fraudsters - as unfortunately it is only the fraudsters who stand to gain from any lack of cooperation between us'.

The thing is that usually the academics have tried to tell them about the problems before publishing their results, but have been ignored.

Edited by Scunnered
Link to comment
Share on other sites
9
HOLA4410
Number79

Number79

Posted
Posted

The trick doesn't quite work that way. You don't get to change the PIN. If you tamper with the card it would know it and stop working.

But it does allow you to enter any four digits and the tool sends a signal pretending to be the card, saying that the 'correct' PIN was entered. It's pretty much that simple. The card does the checking so if you stick something between it and the reader you can just send the signal that the correct PIN was entered.

It is not unlike getting free films from sky with a 9v battery when the box thinks that it is connected to a phone line.

Link to comment
Share on other sites
10
HOLA4411
11
HOLA4412
Redcellar

Redcellar

Posted
Posted

I think he and his collaborators have discovered a number of attacks on chip and pin, amongst other things. The thing is that they try to tell the banks about the security flaws and they don't get any response (maybe because the banks don't want to admit the possibility that there's anything wrong). So they put the information in the public domain and the banks protest furiously. In this instance they've got someone saying

The thing is that usually the academics have tried to tell them about the problems before publishing their results, but have been ignored.

It would cost tens or even hundreds of millions to fix, so they hoped it would go away :rolleyes:

The academics even told them in 2009. They had a year to realise that it was completely messed up, school boy errors, and do something about it. But hey, it's the banks. They can just point the finger at the punter and hope they are ignorant enough to foot the bill.

Link to comment
Share on other sites
12
HOLA4413
13
HOLA4414
14
HOLA4415
15
HOLA4416
Redcellar

Redcellar

Posted
Posted

Is it too hard for the checkout person to ask for the card to be handed over then have them insert it?

Even the plonkers on the till would notice if it had wires hanging out of it.

Or is that too easy?

You can't trust them either. Their are common scams involving staff ringing up goods and then cancelling payment for 'friends'. A credit card rip off would work the same. Guy works in electrical store could turn a blind eye to dodgy gear being used.

The system was supposed to ensure you kept control of your card at all times and therefore all transactions. It was supposed to be impossible to cloan cards or use stolen cards. Now it's not. Back to square one.

Link to comment
Share on other sites
16
HOLA4417
RufflesTheGuineaPig

RufflesTheGuineaPig

Posted
Posted
Is it too hard for the checkout person to ask for the card to be handed over then have them insert it?

Even the plonkers on the till would notice if it had wires hanging out of it.

Or is that too easy?

The pin-pad has to be in a location that the consumer can use it, and supposedly conceal their pin when they enter it.

Often this is out of easy sight for the cashier.

In addition, you now have self-service checkouts at supermarkets slowly replacing cashiers.

Link to comment
Share on other sites
17
HOLA4418
tinker

tinker

Posted
Posted

Maybe I'm old fashioned but I thought a signature was quite a good 'PIN'.

The banks are shocking, there was a whistleblower who outed HSBOS for all the mortgage fraud who was sidelined and then dismissed for trying to make things better. Then we have to bail out the banks.

I was shocked to see the CCTV of that poor Bristol girl who was murdered; in the supermarket CCTV basically having a bird's eye view of customers at the checkout.

Link to comment
Share on other sites
18
HOLA4419
ChumpusRex

ChumpusRex

Posted
Posted

It would cost tens or even hundreds of millions to fix, so they hoped it would go away :rolleyes:

There is a trivial fix for this problem that will work in the vast majority of cases (the exception being smallish transactions which are processed offline - e.g. on-aircraft sales, where the card machine isn't able to verify the card with the bank at the time of the transaction).

This hack works by intercepting the communication between the card reader and the card. The device tells the card that the reader has no PIN pad, and that signature is required; while telling the reader that the card is a PIN card (except the device will accept any PIN).

The receipt from the reader, and the records at the bank will show 'card verified by PIN'. But the attack is trivially detectable and blockable.

When the terminal checks in with the bank it sends all the details of the transaction, but also includes an encrypted copy of the transaction details that were seen by the card. It is trivial for the bank to go through its records and see where the encrypted 'card's eye view' records don't match the main transaction record.

Barclays was very quick to act on this, and in 2009, a few weeks after they heard about this hack, modified their card authorization servers to specifically check whether the card's encrypted receipt matched the terminals transmission during the authorization process. The transaction would be immediately declined if they didn't match, and the card's details flagged for action by the bank's security team.

Link to comment
Share on other sites
19
HOLA4420
pandora's box

pandora's box

Posted
Posted

There is a trivial fix for this problem that will work in the vast majority of cases (the exception being smallish transactions which are processed offline - e.g. on-aircraft sales, where the card machine isn't able to verify the card with the bank at the time of the transaction).

This hack works by intercepting the communication between the card reader and the card. The device tells the card that the reader has no PIN pad, and that signature is required; while telling the reader that the card is a PIN card (except the device will accept any PIN).

The receipt from the reader, and the records at the bank will show 'card verified by PIN'. But the attack is trivially detectable and blockable.

When the terminal checks in with the bank it sends all the details of the transaction, but also includes an encrypted copy of the transaction details that were seen by the card. It is trivial for the bank to go through its records and see where the encrypted 'card's eye view' records don't match the main transaction record.

Barclays was very quick to act on this, and in 2009, a few weeks after they heard about this hack, modified their card authorization servers to specifically check whether the card's encrypted receipt matched the terminals transmission during the authorization process. The transaction would be immediately declined if they didn't match, and the card's details flagged for action by the bank's security team.

Most chip and pin transactions are approved instantaneously. Are you saying the banks have verified each of these transactions?

Link to comment
Share on other sites
20
HOLA4421
21
HOLA4422
22
HOLA4423
23
HOLA4424
lulu

lulu

Posted
Posted

OK. there are big ticket items for which you use the card. But for normal day-to-day shopping - what's wrong with cash?

Remember that everytime you pay with a card - you give your money to the banks and the card company!

I try to use cash for whatever purchases I can - and that is for most things. I do not trust the banks to be anything more than the whole Tescoclubcard et al scheme where they monitor everything and anything that I buy. At some point along the line the government will start to monitor each purchase (If they do not already) and I dont like the idea that they can track just exactly what I chose to spend my money on.

Link to comment
Share on other sites
24
HOLA4425

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.




×
×
  • Create New...

Important Information

  I accept