Researchers Expose New Credit Card Fraud Risk

Posted by kdawson on Thursday February 28, @04:01PM
from the tamper-proof-isn't dept.
An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."

  • Get rid of the damn things! (Score:4, Interesting)

    by seanadams.com (463190) * on Thursday February 28, @04:02PM (#22592860) Homepage
    The reason the security is so poor is because the banks don't give a s**t. It's the _merchants_ that are liable for fraud, even though it's almost entirely the fault of the banks! The banks only have to make it just good enough that it's easier for the merchants to take credit cards than cash - even after the exorbitant ($0.25 + 2.5%) processing fees that they charge just to move the bits around.

    The powers that be LOVE us using credit cards. They can track us, and they can dupe the feeble-minded among us into spending our way into a lifetime of indentured servitude.

    The failure of our government to (re-)introduce a $1000 bill, in spite of massive inflation, is a deliberate scheme to make it impractical for us to use untraceable funds for any substantial purchase. And it has nothing to do with tracking terrorists or drug money, it's just to keep tabs on and control over the law-abiding populace.
    • Re:Get rid of the damn things! (Score:4, Interesting)

      by suso (153703) * on Thursday February 28, @04:04PM (#22592894) Homepage Journal
      I believe this is called Security Theatre.
    • Re:Get rid of the damn things! (Score:4, Insightful)

      by ShadowsHawk (916454) on Thursday February 28, @04:10PM (#22592956)
      There are plenty of merchants that will not accept a $50 let alone a $100.
      • Re:Get rid of the damn things! (Score:5, Interesting)

        by the brown guy (1235418) on Thursday February 28, @04:46PM (#22593366)
        I tried paying for my university tuition with cash (I have a cash-based job) and the woman there said that I can only pay online with a credit card. After explaining that I am too young to have a credit card, and that I only had cash, she relented. Even then, she said that they couldn't give me any change, so I had to go and get exact change. It's bullshit, not everybody can have a credit card, plus I like the anonymity that paying via cash provides.
          • Re:Get rid of the damn things! (Score:5, Informative)

            by syzler (748241) on Thursday February 28, @06:25PM (#22594686)
            In the case of university tuition, whether he can get a debit card or not is irrelevant. Legal U.S. tender must be accepted by a creditor (the University) from the debtor (the student) to pay off a debt within the U.S. If the University required payment before it allowed the student to register for classes, then the University could require payment by credit card. However since the University extended credit to the student for the classes, it is required to accept legal tender as payment for those classes.

            See http://en.wikipedia.org/wiki/Legal_tender [wikipedia.org].
        • by Dogtanian (588974) on Thursday February 28, @05:28PM (#22593930) Homepage

          While it's true they don't have to do business with you, most stores will accept a $50 rather than lose out on a $55 purchase. Ditto a $100 and lose out on a $101 purchase.
          They're evidently not that keen. Last time I tried to make a $53 purchase with large-value bills, they refused.

          The cheek of it- my $50 bills are as good as anyone else's! As was the $3 bill...
    • Re:Get rid of the damn things! (Score:5, Insightful)

      by Anonymous Coward on Thursday February 28, @04:11PM (#22592964)
      The data mining industry is so ingrained in our society that even if people started using $100 bills to pay for major purchases, the serial numbers on the bills would probably be scanned for tracking information. The only way you are going to get privacy in your monetary transactions is with a national privacy overhaul with penalties for data mining without permission. Since the government is one of the entities doing the data mining, this is probably not going to happen anytime soon.
        • Re:Get rid of the damn things! (Score:5, Informative)

          by Raistlin77 (754120) on Thursday February 28, @05:34PM (#22594000)
           The problem is not missing encryption between the merchant and the bank; the problem is missing encryption between the merchant and the card reader/PIN entry pad. The same readers/pads are still unencrypted, even though the merchant may be encrypting the data for the transaction to/from the bank.

           It's like entering your credit card information on a website for a purchase. The connection to the server may be encrypted, but the data sent from your keyboard to your PC is not, and this is the same place where the hack with the card readers/pads is occurring.
  • Is anyone here really surprised? (Score:5, Insightful)

    by suso (153703) * on Thursday February 28, @04:02PM (#22592862) Homepage Journal
    Proprietary software AND hardware companies basically cannot be trusted. I've encountered countless commercial software, hardware products and services where the company states that they are very secure, but when investigating things myself, I find that it's trivial to circumvent their security. You can read about some of the poor security I've discovered recently with web hosting providers [suso.org]. Consumers deserve better than this and it's all of our responsibility to make people aware of these problems. Ironically, this news program itself doesn't understand the value of open disclosure. I guess I can understand that, as it's human nature to want to hide things for fear of liability. But it's not like what they were doing was so obscure that someone determined enough couldn't figure it out.

    First rule of security in my book: if someone wants something badly enough, they will be able to circumvent nearly anything in order to get it. So it's a matter of how badly they want it. Since it's money in question, I'd say that a variety of organizations and people want it pretty bad.
    • Re:Is anyone here really surprised? (Score:5, Informative)

      by Pojut (1027544) on Thursday February 28, @04:26PM (#22593136) Homepage

      > First rule of security in my book: if someone wants something badly enough, they will be able to circumvent nearly anything in order to get it. So it's a matter of how badly they want it. Since it's money in question, I'd say that a variety of organizations and people want it pretty bad.


      This reminds me of a quote (the source eludes me at the moment):

      "If it can be engineered by one human, it can be reverse-engineered by another human."
    • Re:Is anyone here really surprised? (Score:4, Interesting)

      by whyloginwhysubscribe (993688) on Thursday February 28, @05:00PM (#22593590)
      My bank in the UK (Barclays) has issued me with a secure ID card, that I type my PIN into, and it then gives me a number to type into the online banking system.

      I think it is only a matter of time before this gets transferred to shop terminals - if you need to bring something and remember something, then it makes life a lot harder for hackers.
  • Damn you Clippy! (Score:5, Funny)

    by techpawn (969834) on Thursday February 28, @04:02PM (#22592876) Journal
    Damn you to hell!
      • by wsanders (114993) on Thursday February 28, @04:42PM (#22593324)
        >> "As described in some detail in our paper, the basic attack tool is a paper clip. In order to record and analyze transactions a couple hundred pounds' worth of equipment is required, in addition to some digital design experience."

        OK, a paper clip. PLUS A BUNCH OF OTHER STUFF.

        Well, shoot, I could probably build an atomic weapon with a paper clip. PLUS A BUNCH OF OTHER STUFF.
  • They're looking in the wrong place (Score:5, Insightful)

    by blhack (921171) on Thursday February 28, @04:09PM (#22592940)
    The huge security hole in the credit card system is the users. I flipped out at one of our vendors when they STORED my credit card number in their database, and just went ahead and charged it next time I was in the store.
    People will gladly give their credit card number over the phone to a shady pizza shop, just to get a 15 dollar pizza delivered to their door.
    We could build the most secure credit card system in the world, but the problem is that it has to be simple enough for idiots to use.
  • Paper clip? (Score:5, Funny)

    by evil agent (918566) on Thursday February 28, @04:17PM (#22593046)

    > Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs

    Hmm, Macgyver must have tipped them off.

  • by Anonymous Coward on Thursday February 28, @04:30PM (#22593180)
    What people are missing in this is that this pertains to certain card types mainly used in Europe: the type with RFID or embedded chips used for security. On standard US debit cards, there is no information sent to the card or from the card that ties to the PIN. The PIN is only seen by the PIN pad component and immediately encrypted using a rotating DUKPT key algorithm. Before that, the card number and a sequence number are sent to be translated by a hardware security module. The PIN pads themselves used by most US retailers are secure and do not pose a risk. If you tamper with most of those devices (for example, the Welch Allyns used by Best Buy, Lowe's and others) then the injected keys are erased and PIN translation fails. They normally don't remain out too long if they are tampered with, since the stores will consider them broken and unusable when they don't work anymore.

    This is related to the system in place and used in the UK. The US system, while old, is only being updated currently to support the new double-length key requirements and has not incorporated smart card support or RFID (except a few gas station chains). The most important thing in the US is to protect the card database, since the data on the mag stripe can be used as a credit card. As for PIN security, don't tell others your PIN, notice hidden cameras that look out of place and point at PIN pads, and you should be safe. The way PINs are stored at banks within a hardware security module is safe and those devices are very sensitive to outside attack. They even employ motion sensors to prevent tampering in HSMs.
  • Why isn't it a PIN = SecurID + PIN (Score:4, Insightful)

    by apenzott (821513) on Thursday February 28, @04:31PM (#22593196)
    The PIN needs to be a moving target and much longer than 4 digits. Note that stateside most automatic car washes are using at least 5-digit numbers to authenticate the sale as sold by the gas pump. (Example: SecurID or one-time pad.)

    (offtopic)
    My biggest pet peeve is why account numbers (on checks) are in the clear, while the same is basically true of PIN numbers (without any added "salt").

    For checks I would like to see the account number + check number translated into a 16 to 20 digit hash which only the bank knows how to decipher to the correct account and check number.
    (/offtopic)
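Added example (my own, not any bank's scheme and not from either commenter) of the "moving target" that both whyloginwhysubscribe's Barclays reader and the comment above are asking for. It uses the HOTP construction from RFC 4226: the token and the bank share a secret, each press yields a code for the next counter value, and the bank refuses anything it has already accepted, so a code captured by a skimmer or a camera is dead on arrival. The secret is the RFC 4226 test-vector key, and the Verifier type, its look-ahead window and the "bank" are assumptions made for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation, six decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Verifier is the bank-side state for one issued token: the secret that was
// provisioned into it, the next counter value the bank expects, and how many
// values ahead it will search (tokens drift when a customer generates codes
// that never reach the bank).
type Verifier struct {
	secret  []byte
	counter uint64
	window  uint64
}

// Check accepts a code only if it matches one of the next `window` counter
// values, then moves the counter past the match so the same code, or any
// earlier one that was captured, is never accepted again.
func (v *Verifier) Check(code string) bool {
	for i := uint64(0); i < v.window; i++ {
		if hmac.Equal([]byte(hotp(v.secret, v.counter+i)), []byte(code)) {
			v.counter += i + 1
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret: the RFC 4226 test-vector key, not a real one.
	secret := []byte("12345678901234567890")
	bank := &Verifier{secret: secret, window: 5}
	code := hotp(secret, 0)
	fmt.Println("reader displays:    ", code)             // 755224
	fmt.Println("first submission:   ", bank.Check(code)) // true
	fmt.Println("replayed by skimmer:", bank.Check(code)) // false
}
```

A static 4-digit PIN is a secret that is reusable forever once seen; a counter-based code is single-use by construction, and the only way to mint the next one is to hold the token's secret, which never leaves the token or the bank.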
  • Tough Interview (Score:5, Insightful)

    by Crazy Man on Fire (153457) on Thursday February 28, @04:33PM (#22593214) Homepage
    Wow. The interview at the end of that piece has me floored. Imagine if industry people and politicians in the US were subjected to this sort of probing interview and actually responded. The interviewer had the representative from the credit card companies on the ropes the entire interview. Props to the BBC for doing some serious journalism.
  • Where's the crypto? (Score:5, Interesting)

    by Junta (36770) on Thursday February 28, @04:55PM (#22593528)
    I've been wanting something much more sophisticated than a 'shared secret' that you have to give to anyone you give money to. If I let a random restaurant charge me 2 bucks for a drink, I have to give them potentially full access to my accounts.

    Where's my private/public cryptography? I want to carry around my own damned device with keypad and display. The display would show me *exactly* what my financial institution will think I'm authorizing, and the keypad would be used to enter the passphrase to decrypt my private key, which is never ever ever transferred outside of the device's local filesystem. It's generated by the device and the public portion uploaded in a secure manner to my financial institution. The secure manner is a complicated issue, but there are degrees of inconvenience that can be induced to do it right, and allow me to opt to allow nothing more convenient than that.

    I go to a damn store or online retailer. When ready to purchase, it somehow gets the data to my device (maybe encrypt with my public key, maybe direct connect to my device, maybe through the financial institution, whatever; the security risk in this transaction being the nature of what I'm buying, not in any way risking the actual money being transferred). I enter my passphrase (which could be as simplistic as a 4-digit PIN, but at my discretion, not theirs) to signify accepting the terms my display gives me (i.e. authorize Wal-Mart to take 5 dollars from my account this one time, or authorize the phone company to withdraw no more than 25 dollars on a monthly basis; the transaction may have tolerances and be periodic, but always show me the tolerances and period and *who* I'm really authorizing to get the money). With my private key decrypted, use it to sign the payload; then my financial institution *must* receive that cryptographically signed authorization to transfer payment. The retailer *never* has anything more than data to confirm that one transaction (or reuse for repeat data if I declare that trust, within definable thresholds). To commit 'identity theft' (horrible phrase), they would either need to compromise the financial institution's database with *write* access to replace my public key with their own (by the way, invalidating my real key, so I should notice it) or steal my device physically, which I should know. The device should overwrite memory contents where the key was with random bytes every time it completes an authorization, and therefore physical theft or tampering should lead to a dead end without my passphrase.
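The authorization flow in the comment above, as an added example that is neither the commenter's nor any bank's code: a customer-held device keeps an Ed25519 private key, signs exactly what its display shows (payee, amount, currency and a one-use nonce), and the bank settles only authorizations that verify under the customer's registered public key. The field names, the canonical encoding, the customer and merchant identifiers and the fixed seed are all assumptions; the seed is constant only so the run is reproducible, a real device would generate it internally and unlock it with the passphrase.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Authorization is what the device displays and signs: exactly what the bank
// will act on, including who gets paid. Field names are assumptions.
type Authorization struct {
	Payee    string // merchant id as registered with the bank
	Amount   uint64 // minor units (cents)
	Currency string
	Nonce    string // unique per authorization; a merchant cannot resubmit it
}

// canonical gives signer and verifier one unambiguous byte layout to hash.
func (a Authorization) canonical() []byte {
	return []byte(fmt.Sprintf("payee=%s\namount=%d\ncurrency=%s\nnonce=%s\n",
		a.Payee, a.Amount, a.Currency, a.Nonce))
}

// Device is the customer-held signer. The private key never leaves it.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice(seed []byte) *Device {
	return &Device{priv: ed25519.NewKeyFromSeed(seed)}
}

func (d *Device) Public() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// Sign is the step after the customer reads the display and enters the
// passphrase; the merchant receives only the authorization and signature.
func (d *Device) Sign(a Authorization) []byte {
	return ed25519.Sign(d.priv, a.canonical())
}

// Bank holds each customer's registered public key and the nonces already
// honoured. Replacing a key here is the attack the comment points at, which
// is why registration needs its own out-of-band protection.
type Bank struct {
	pubs  map[string]ed25519.PublicKey
	spent map[string]bool
}

func NewBank() *Bank {
	return &Bank{pubs: map[string]ed25519.PublicKey{}, spent: map[string]bool{}}
}

func (b *Bank) Register(customer string, pub ed25519.PublicKey) { b.pubs[customer] = pub }

// Settle is what the merchant submits. Funds move only if the signature
// verifies under the customer's key and the nonce has not been seen before.
func (b *Bank) Settle(customer string, a Authorization, sig []byte) error {
	pub, ok := b.pubs[customer]
	if !ok {
		return errors.New("unknown customer")
	}
	if !ed25519.Verify(pub, a.canonical(), sig) {
		return errors.New("signature does not cover this authorization")
	}
	if b.spent[a.Nonce] {
		return errors.New("authorization already used")
	}
	b.spent[a.Nonce] = true
	return nil
}

func main() {
	// Constructed seed so the run is reproducible; never do this for real.
	dev := NewDevice(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	bank := NewBank()
	bank.Register("cust-1", dev.Public())

	auth := Authorization{Payee: "restaurant-a", Amount: 200, Currency: "USD", Nonce: "n-0001"}
	sig := dev.Sign(auth)
	fmt.Println("honest settle:  ", bank.Settle("cust-1", auth, sig))
	inflated := auth
	inflated.Amount = 20000
	fmt.Println("inflated amount:", bank.Settle("cust-1", inflated, sig))
	fmt.Println("replay:         ", bank.Settle("cust-1", auth, sig))
}
```

What the merchant ends up holding is an authorization plus a signature that is useless for any other amount or payee and useless twice: changing the amount breaks the signature, and resubmitting the same nonce is refused. Contrast that with a card number, which is a reusable shared secret handed to every counterparty.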
  • Keypad on the card (Score:5, Interesting)

    by Alain Williams (2972) on Thursday February 28, @06:33PM (#22594762) Homepage
    What is really needed is for the cards to have an integral keypad, so that communication between the chip and the keypad cannot be intercepted. Entering your PIN would activate the card, which could then talk over an encrypted link (e.g. SSL) directly to the bank's computer.

    OK: this would make the cards somewhat bulky and since people tend to have several cards their pockets would bulge. So why not allow people to buy their own small keypads (which they trust to not have been tampered with) that they can plug their cards into and plug the whole lot into the retailer's machine.

  • banks should be liable (Score:5, Insightful)

    by nguy (1207026) on Friday February 29, @02:50AM (#22597876)
    When banks deploy inadequate security, they should be liable for the distress and costs they cause their customers.