Researchers at the Computer Laboratory, University of Cambridge, have shown that Chip & PIN machines are vulnerable to attack. Chip & PIN is a popular security method used by almost all bank cards in the U.K.
Ross Anderson, Stephen J. Murdoch, and Saar Drimer recently released their research to the public, proving that Chip & PIN machines are not as secure as the banking industry claims. The researchers tested two common models of PIN Entry Devices (PEDs), the Ingenico i3300 and the Dione Xtreme.
Murdoch says, “We have successfully demonstrated this attack, on a real terminal borrowed from a merchant.” Using a method called "tapping," the researchers took a paperclip and needle along with a small recording device to record the data exchanged between the card and the PED's processor. The attack was successful, recording all the information without setting off any of the common Chip & PIN security or tampering features.
In addition to recording the PIN number, the attack also records all of the information from the magnetic strip on the back of the card. With this information, an attacker can clone the card and use it to make purchases or withdraw money from ATMs that do not read chips.
Criminals are already using techniques similar to these to defraud British customers, with losses in one case alone claimed to be in eight figures. The technical sophistication required to carry out this attack is low, according to the research, and criminals have already shown they have the skills to carry them out. The tap is not normally visible to customers, and in the case of the Ingenico PED, it could be totally enclosed by the device.
The researchers note that the Cambridge attacks call into question the system in which bank terminals are certified. APACS, the UK payments association that oversaw the introduction of Chip and PIN in 2006, along with Visa, certified the devices as secure, but the evaluators did not find the flaws identified by the Cambridge team.
APACS and Visa claimed the devices were evaluated under the Common Criteria, an international evaluation scheme administered in the UK by GCHQ (Government Communications Headquarters); yet GCHQ had not heard of the work and now says that the devices were never certified under the Common Criteria. Visa and APACS have refused to disclose the evaluation report. They also refuse to withdraw the vulnerable terminals from use. What you have here is a classic case of buck passing between APACS and Visa. All the while, GCHQ is claiming it knew nothing about what was going on.
While GCHQ was unaware of what was happening, Visa and APACS knew of these types of attacks, and defended themselves to the Cambridge research team. “The responses are the usual claims that our demonstrations can only be done in lab conditions, that criminals are not that sophisticated, the threat to cardholder data is minimal, and that their ‘layers of security’ will detect fraud,” the research team pointed out.
The sentiment of the canned responses sent to the researchers was mirrored on the BBC2 news show, Newsnight. Sandra Quinn, the Director of Communications for APACS, appeared on the show and tried to spin the risks as best as she could. She reported that there are over a million Chip and PIN machines in place in Britain, then immediately said there is no break in the system.
“The important thing to stress…is that we are not talking about a break in the Chip & PIN system overall,” she said, defending the Chip & PIN system from the news story on the Cambridge research. If she watched the same news report that thousands of others did, it’s clear that she failed to grasp the concept of the actual story. In the same interview, she admitted that APACS was well aware of the design flaws and potential for fraud.
She tried to pitch the benefit of Chip & PIN, reporting that crime and fraud have fallen in the U.K. since its introduction. However, her own words point out that there is vulnerability. “Let’s clarify the system is not vulnerable … there is no guarantee against fraud.”
So is there a break in the system or not? Sandra Quinn went back and forth on the issue, and never really gave a clear answer to any one of the questions thrown at her. The problem most security experts agree on is that, while Chip & PIN has lowered crime in the U.K., this type of vulnerability has increased fraud and other crimes related to it elsewhere.
In January, Visa announced that cards are being issued with new technology that would protect against this type of fraud. According to the Cambridge researchers, some banks are still producing cards without the ICVV protection.
"Our investigation has exposed a system-level problem, and customers should be putting pressure on banks to reissue cards with ICVV," Saar Drimer said to the Times. "The banks would then be in a position to spot any fraudulent transaction made by a cloned card."
“The lessons we learned are not limited to banking. Other fields, from voting machines to electronic medical record systems, suffer from the same combination of stupid mistakes, sham evaluations and obstructive authorities. Where the public are forced to rely on the security of a system, we need honest security evaluations that are published and subjected to peer review,” Ross Anderson, professor of Security Engineering at Cambridge, said.