Researchers Expose New Credit Card Fraud Risk

An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."

Re:Is anyone here really surprised?

[Pojut]

First rule of security in my book: Someone who wants something bad enough, they will be able to circumvent nearly anything in order to get it. So its a matter of how badly they want it. Since its money in question, I'd say that a variety of organizations and people want it pretty bad.

This reminds me of a quote (the source eludes me at the moment):

"If it can be engineered by one human, it can be reverse-engineered by another human."

Re:They're looking in the wrong place

[zippthorne]

Which is not a problem if you use virtual account numbers (what Citibank calls it. I'm sure other banks have the same thing with different names) that are only authorized for one transaction for the amount you specify.

This is a UK/Europe card system issue...

[Anonymous Coward]

What people are missing in this is that this pertains to certain card types mainly used in Europe. The type with RFID or embedded chips used for security. On standard US debit cards, there is no information sent to the card or from the card that ties to the PIN. The PIN is only seen by the pinpad component and immediately encrypted using a rotating DKPUT key algorithm before that, the card number and a sequence number are sent to be translated by a hardware security module. The pin pads themselves used by most US retailers are secure and do not pose a risk. If you tamper with most of those devices (example, the Welch Allyns used by best buy, lowe's and others) then the injected keys are erased and PIN translation fails. They normally don't remain out too long if they are tampered with since the stores will consider them broken and unusable when they don't work anymore. This is related to the system in place and used in the UK. The US system, while old, is only being updated currently to support the new double length key requirements and have not incorporated smart card support or RFID (except a few gas station chains). The most important thing in the US is to protect the card database since the data on the mag stripe can be used as a credit card. As for PIN security, don't tell others your pin, notice hidden cameras that look out of place and point at PIN pads and you should be safe. The way PIN numbers are stored at banks within a hardware security module is safe and those devices are very sensative to outside attack. They even employ motion sensors to prevent tampering in HSMs.

Re:Another hole in the sieve?

[|Cozmo|]

That's because the banks don't eat the cost of fraud, the merchants do. If I have an online store and someon uses a stolen card to buy something from me, I'm the one that gets screwed. The credit card companies reverse the charge, AND charge the merchant a fee for it happening. Then the merchant is out the money, a fee, AND the product they shipped to a thief. The lamest part is the credit card companies don't even provide you the tools to prove that a transaction is legitimate.

Re:[Encrypted account and check numbers]

[Shadow-isoHunt]

Check numbers are incrimental and of limited permutation, again making the hash easy to brute force. If the hash changes with each check, it also becomes harder for retailers to identify bad checks based on account number. You're going to end up turning away legitimate customers money, and gain no security. By the time the check hits the bank, the fraud has been done. Also, "once extracted is verified to the name printed on the check"? Depending on your bank, this is already done. I signed a check with my right hand instead of left once(couldn't hold the pen because I messed my hand up), and I got a call a few days later about it. I'm with WaMu.

Re:Tough Interview

[BovineSpirit]

Jeremy Paxman is famous for being a tough questioner. His most notorious interview [youtube.com] was with a slimy politician who later led the Tories to defeat against Tony Blair's Labour. I'm not sure what Paxman's personal politics are, but he certainly doesn't appreciate being messed around. Michael Howard can be sure that if one of his political opponents had weaseled around like that he would have had equally short shrift.

Re:Get rid of the damn things!

[Raistlin77]

The problem is not missing encryption between the merchant and bank, the problem is with missing encryption between the merchant and the card reader/pin entering pad. The same readers/pads are still unencrypted, even though the merchant may be encrypting the data for the transaction to/from the bank.

It's like entering your credit card information on a website for a purchase. The connection to the server may be encrypted, but the data sent from your keyboard to your pc is not, and this is the same as where the hack with the card readers/pads is occurring.

Re:Tough Interview

[hairykrishna]

For all you non-brits, this is a reference to a famous interview where Paxman famously asked Michael Howard exactly the same question 12 times in an attempt to get a straight answer: http://video.google.co.uk/videoplay?docid=5983432841587892898&q=paxman+howard&total=10&start=0&num=10&so=0&type=search&plindex=0 [google.co.uk] (3 minutes or so into the video).

It is one of the finest pieces of political TV ever.

Re:Get rid of the damn things!

[syzler]

In the case of university tuition, whether he can get a debit card or not is irrelevant. Legal U.S. tender must be accepted by a creditor (the University) from the debtor (the student) to pay off a debt within the U.S. If the University required payment before it allowed the student to register for classes, then the University could require payment by credit card. However since the University extended credit to the student for the classes, it is required to accept legal tender as payment for those classes.

See http://en.wikipedia.org/wiki/Legal_tender [wikipedia.org].

Re:Get rid of the damn things!

[X0563511]

It's the same in Petro (gas stations, etc) except they use something funny called DUKPT (derived unique key per transaction) - 3DES wasn't enough.

These damn pinpads have more tamper-detect on them than a chastity belt. You sneeze and it dumps it's keys.

Re:Where's the crypto?

[fullgandoo]

Actually, chip cards (EMV) do work in a manner similar to what you describe (public/private key encryption). The problem highlighted by the report is that it is possible to capture the PIN as it passes from the PIN pad before being transmitted. This part of the equation is unencrypted atleast in one model of terminals from one manufacturer. As far as I know, just about every other POS terminal as well as the keyboards on the ATMs only pass on encrypted PINs (except for older models!).

So, what do you loose if your PIN is compromised? Actually, nothing in a perfect world. That is, a world with only chip cards. The problem is that an overwhelming majority of transactions are being performed on plain old magnetic stripe cards. The amount of infrasturcture already out there prevents an overnight shifting to chip cards, and that is why every card with a chip also has a magnetic stripe.

So if you have a clear PIN and you have the data on the magentic stripe of a card, then it is trivial to reproduce the card and then use it on an ATM with the PIN to withdraw cash.

If you have a secure chip only card, then more than 90% of the world's terminals will not work for you, including just about every terminal in north America.

Re:Tough Interview

[smurfsurf]

The BBC is not managed by the government.

Banks and Security

[Accersitus]

Banks seem to think a system is secure enough as long as the number of cases where customers are exploited, are few enough. This way the bank can repay the customers with little arguing, and prevent these stories from reaching the media. In Norway there is a story that has been running in the media where a Professor at the University of Bergen and a group of students have shown that the system used by Norwegian banks to offer Banking services on the internet have flaws that can be exploited. The banks take the same route and try to claim that the system is secure and have their PR people find technical terms like calling it a theoretical attack. (Actually the attack is far from theoretical). The interesting part is how the banks just keep trying to convince the media and people in general instead of sitting down with the researchers at the University and try to find a solution. After the first case in the media, the banks worked to fix the security holes, but the researchers didn't even need a day to find a way around the new protections. Since this system is considered for a national authentication standard the appropriate minister in the Norwegian government is involved, and is siding with the professor and not the banks.

Re:Get rid of the damn things!

[Xiaotou]

I think you should re-read your own link.

From the article:
There is, however, no Federal statute mandating that a private business, a person or an organization must accept currency or coins as for payment for goods and/or services. Private businesses are free to develop their own policies on whether or not to accept cash unless there is a State law which says otherwise.

Oops.

Re:Tough Interview

[ayjay29]

>>Imagine if industry people and politicians in the US were subjected to this sort of probing interview... It's worth wathing NewsNight in the US when they cover US items (the BBC makes every program available on the web after broadcast). Sometimes Jeramy Paxman will get his teath into American politician or representative who is completly un prepared for this type of interview. It happened to someone high up in the US (can't remember who) administration in the lat Iraq conflict and he was really knocked back by the interview. Also Jeramy Paxman has been starting to get really sarcastic about some things lately, it's funny to watch. The link is here [bbc.co.uk]. Much better than the CBS news "And now some puppies will lick your face [google.com]" and the BBC news "Post apocalyptic rave".