Security

Researchers Expose New Credit Card Fraud Risk

An anonymous reader writes "Researchers from the University of Cambridge have discovered flaws in the card payment systems used by millions of customers worldwide. Ross Anderson, Saar Drimer, and Steven Murdoch demonstrated how a simple paper clip can be used to capture account numbers and PINs from so-called 'tamper-proof' equipment. In their paper (PDF), they warn how with a little technical skill and off-the-shelf electronics, fraudsters could empty customers' accounts. British television featured a demonstration of the attack on BBC Newsnight."

  • by suso ( 153703 ) * on Thursday February 28, 2008 @05:02PM (#22592862) Journal
    Proprietary software AND hardware companies basically cannot be trusted. I've encountered countless amounts of commercial software, hardware products and services where the company states that they are very secure, but when investigating things myself, I find that it's trivial to circumvent their security. You can read about some of the poor security I've discovered recently with web hosting providers [suso.org]. Consumers deserve better than this and it's all of our responsibilities to make all people aware of these problems. Ironically, this news program itself doesn't understand the value of open disclosure. I guess I can understand that as it's human nature to want to hide things for fear of liability. But it's not like they were doing something that's not so obvious that someone determined enough could figure out.

    First rule of security in my book: if someone wants something bad enough, they will be able to circumvent nearly anything in order to get it. So it's a matter of how badly they want it. Since it's money in question, I'd say that a variety of organizations and people want it pretty bad.
  • by blhack ( 921171 ) on Thursday February 28, 2008 @05:09PM (#22592940)
    The huge security hole in the credit card system is the users. I flipped out at one of our vendors when they STORED my credit card number in their database, and just went ahead and charged it next time I was in the store.
    People will gladly give their credit card number over the phone to a shady pizza shop, just to get a 15 dollar pizza delivered to their door.
    We could build the most secure credit card system in the world, but the problem is that it has to be simple enough for idiots to use.
  • by ShadowsHawk ( 916454 ) on Thursday February 28, 2008 @05:10PM (#22592956)
    There are plenty of merchants that will not accept a $50 let alone a $100.
  • by Anonymous Coward on Thursday February 28, 2008 @05:11PM (#22592964)
    The data mining industry is so ingrained in our society that even if people started using $100 bills to pay for major purchases, the serial numbers on the bills would probably be scanned for tracking information. The only way you are going to get privacy in your monetary transactions is with a national privacy overhaul with penalties for data mining without permission. Since the government is one of the entities doing the data mining, this is probably not going to happen anytime soon.
  • by apenzott ( 821513 ) on Thursday February 28, 2008 @05:31PM (#22593196)
    The PIN needs to be a moving target and much longer than 4 digits. Note that stateside, most automatic car washes are using at least 5-digit numbers to authenticate the sale as sold by the gas pump. (Example: SecurID or one-time pad.)

    (offtopic)
    My biggest pet peeve is why account numbers (on checks) are in the clear, while the same is basically true of PIN numbers (without any added "salt").

    For checks I would like to see the account number + check number translated into a 16- to 20-digit hash, which only the bank knows how to decipher to the correct account and check number.
    (/offtopic)
  • Tough Interview (Score:5, Insightful)

    by Crazy Man on Fire ( 153457 ) on Thursday February 28, 2008 @05:33PM (#22593214) Homepage
    Wow. The interview at the end of that piece has me floored. Imagine if industry people and politicians in the US were subjected to this sort of probing interview and actually responded. The interviewer had the representative from the credit card companies on the ropes the entire interview. Props to the BBC for doing some serious journalism.
  • by davidwr ( 791652 ) on Thursday February 28, 2008 @05:34PM (#22593242) Homepage Journal
    While it's true they don't have to do business with you, most stores will accept a $50 rather than lose out on a $55 purchase. Ditto a $100 and lose out on a $101 purchase.

    It boils down to risk:
    Most people passing funny money will want to get change rather than goods they can only resell at diminished value.

    Also, many merchants use basic anti-counterfeit measures when accepting $20s and higher. Granted these measures have a high miss rate but they do catch amateurs.
  • Jail Time? (Score:3, Insightful)

    by Frosty Piss ( 770223 ) on Thursday February 28, 2008 @05:34PM (#22593244)

    "British television featured a demonstration of the attack on BBC Newsnight."
    I'll bet that would land you in jail over here (USA) ...
  • by wsanders ( 114993 ) on Thursday February 28, 2008 @05:42PM (#22593324) Homepage
    >> "As described in some detail in our paper, the basic attack tool is a paper clip. In order to record and analyze transactions a couple hundred pounds' worth of equipment is required, in addition to some digital design experience."

    OK, a paper clip. PLUS A BUNCH OF OTHER STUFF.

    Well, shoot, I could probably build an atomic weapon with a paper clip. PLUS A BUNCH OF OTHER STUFF.
  • by syousef ( 465911 ) on Thursday February 28, 2008 @05:47PM (#22593380) Journal
    Credit cards are so incredibly insecure that the only reason people use them is that the banks so far have been willing to cover the costs of fraud (in most cases and as long as the card holder hasn't contributed to it through negligence).

    This is just one more flaw.
  • by geekoid ( 135745 ) <dadinportland&yahoo,com> on Thursday February 28, 2008 @05:58PM (#22593560) Homepage Journal
    This is a manufacturing design problem.
    These boxes can be made to make this attack nearly impossible.
    But it would cost another 5 bucks to manufacture it.

    Hell, if they designed them so the case was steel, and as thin as an iPhone, this problem goes away because:
    a) it would take serious effort even AFTER you knew what to do. Raises the risk.
    b) You couldn't attach something to it without it being noticed.

    As far as the software goes, encrypt the data.
  • by 33tango ( 994241 ) on Thursday February 28, 2008 @06:01PM (#22593602)
    US cards do not have the PIN stored on the card. That's like keeping your password in your top desk drawer. This attack will not affect US cardholders. Could you accomplish the same thing? Yes, but with much more difficulty. And that's what security really is about: making a target so difficult that thieves go elsewhere.
  • by apenzott ( 821513 ) on Thursday February 28, 2008 @06:04PM (#22593624)

    Given that a one way hash can't really be reversed, that idea doesn't make much sense in the way that you posted it. A one way hash at first makes sense, except in reality it doesn't, as currently deployed. The numbers on your check have a routing number and account number. Both are numeric values with relatively few permutations when contrasted against case sensitive alphanumeric hashing. The routing numbers of banks are also no secret. Put simply, it'd be a trivial matter to brute force the hash with the simple numeric values we use today.
    OK, I'm using the wrong terminology.

    Routing number keeps the same public self (we need to send the check to the correct bank for processing.)

    Account number xxxxxxxx Check number yyyyy becomes zzzzzzzzzzzzzzzz.

    Issuing bank has key to turn zzzzzzzzzzzzzzzz back into original component numbers and verify that z... was not some made-up number in an attempt to create a "bad check" to which no real account number is attached. Also xxxxxxxx, once extracted, is verified against the name printed on the check. After about five or more bad values of z... in a day, a human is brought into the equation to look for the underlying cause.

    If the check is good, then the issuing bank electronically clears the bank draft with the bank (or presents cash to the individual) that presented the check. This allows for a pre-verification of the check prior to verifying the signature (which most banks no longer do anyway).

    I won't go into recurring drafts (automatic payments) as that makes things a bit more complicated.

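The brute-force point made in the quoted reply above, as an added example that is not part of the thread: the routing number is public and the check number is printed, so a plain hash of "account + check number" leaves only the 8-digit account number unknown, and an attacker simply enumerates it. The same construction under an HMAC key that only the issuing bank holds cannot be searched offline, and the bank can still reject a made-up or altered value. All routing, account and check values below are constructed for the demo; `ROUTING`, `unkeyed_token`, `keyed_token`, `brute_force_unkeyed` and `bank_verify` are names chosen here, not anything from the paper or a bank system.

```python
import hashlib
import hmac
import secrets

# Constructed demo values, not real bank data.
ROUTING = "123456789"        # routing numbers are public, so the attacker knows this
CHECK_NUMBER = "00317"       # printed on the check, so the attacker knows this too
ACCOUNT_DIGITS = 8           # only the account number is unknown: 10**8 candidates


def unkeyed_token(routing, account, check):
    """The 'just hash it' idea: SHA-256 over the same fields that used to be printed in clear."""
    return hashlib.sha256(f"{routing}{account}{check}".encode()).hexdigest()


def brute_force_unkeyed(routing, check, target, limit=10**ACCOUNT_DIGITS):
    """Attacker holding a token plus the public fields: enumerate every account number.

    At roughly a million SHA-256 calls per second in Python the full 10**8 space
    takes under two minutes; GPU hash crackers finish it in well under a second.
    `limit` only keeps the demo short.
    """
    for n in range(limit):
        guess = f"{n:0{ACCOUNT_DIGITS}d}"
        if unkeyed_token(routing, guess, check) == target:
            return guess
    return None


def keyed_token(key, routing, account, check):
    """Same fields, but under an HMAC key that only the issuing bank holds."""
    return hmac.new(key, f"{routing}{account}{check}".encode(), hashlib.sha256).hexdigest()


def bank_verify(key, routing, account, check, token):
    """Bank side: recompute the token and compare in constant time."""
    return hmac.compare_digest(keyed_token(key, routing, account, check), token)


def demo():
    bank_key = secrets.token_bytes(32)
    account = "00004242"            # kept small so the search finishes quickly in the demo
    # 1. unkeyed: the attacker recovers the account number from the token alone
    recovered = brute_force_unkeyed(
        ROUTING, CHECK_NUMBER, unkeyed_token(ROUTING, account, CHECK_NUMBER), limit=100_000)
    # 2. keyed: the same search, run without the key, never matches
    token = keyed_token(bank_key, ROUTING, account, CHECK_NUMBER)
    attacker_result = brute_force_unkeyed(ROUTING, CHECK_NUMBER, token, limit=100_000)
    # 3. the bank can still tell a genuine token from a made-up or altered one
    genuine = bank_verify(bank_key, ROUTING, account, CHECK_NUMBER, token)
    forged = bank_verify(bank_key, ROUTING, "00004243", CHECK_NUMBER, token)
    return recovered, attacker_result, genuine, forged
```

An HMAC lets the bank verify z but not decode it. To get the "bank turns z back into the account and check number" behaviour the comment describes, the bank needs either a lookup table (tokenization) or encryption under its own key, not a hash; both keep the key dependence that makes the enumeration above fail.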
  • by irongroin ( 579244 ) on Thursday February 28, 2008 @06:06PM (#22593660)
    First rule of security should be: Physical access is all access.
  • Re:Tough Interview (Score:2, Insightful)

    by giorgiofr ( 887762 ) on Thursday February 28, 2008 @06:13PM (#22593778)
    Yup! Instead, they are managed by the gov't. Isn't that great!
  • by Raistlin77 ( 754120 ) on Thursday February 28, 2008 @06:27PM (#22593924)
    Not everybody can have a checking account, especially if they are unfortunate or irresponsible. And which would you rather have, cash or an electronic transaction that can be reversed or check that can bounce?
  • by Mr. Underbridge ( 666784 ) on Thursday February 28, 2008 @07:00PM (#22594364)

    The failure of our government to (re-)introduce a $1000 bill, in spite of massive inflation, is a deliberate scheme to make it impractical for us to use untraceable funds for any substantial purchase. And it has nothing to do with tracking terrorists or drug money, it's just to keep tabs on and control over the law-abiding populace.

    It might also have something to do with the fact that most people aren't crazy enough to walk around with thousands of dollars on them. In the end, it wouldn't matter, because any transaction of $10,000 or more with a bank will get reported anyway.

    Besides, a suitcase full of stacks of $100 bills has more class.

  • by the brown guy ( 1235418 ) on Thursday February 28, 2008 @08:32PM (#22595310) Journal
    That's great to know, but it doesn't really help in a practical sense, legally I could pay $4000 in pennies (only 4000 because I'm in Canada), but I doubt they would accept that. I have a debit card, but use that to fund my eBay addiction via paypal, and I think that the government would be wondering why an "unemployed" university student is depositing a few thousand dollars a month into his bank account.
  • by John3 ( 85454 ) <john3NO@SPAMcornells.com> on Thursday February 28, 2008 @08:35PM (#22595344) Homepage Journal
    I'm pretty sure the connection between the card reader and all external devices (POS stations, authorization network) is always encrypted. That's one of the basics for certification by Visa and the rest of the industry. The vulnerability demonstrated (based on my reading of TFA) occurs totally in the card reader/pad.
  • by nguy ( 1207026 ) on Friday February 29, 2008 @03:50AM (#22597876)
    When banks deploy inadequate security, they should be liable for the distress and costs they cause their customers.

  • by Anonymous Coward on Friday February 29, 2008 @06:21AM (#22598370)
    "...if you need to bring something and remember something, then it makes life a lot harder for hackers."

    But you're already bringing your card and remembering your PIN....
  • by Anonymous Coward on Friday February 29, 2008 @10:19AM (#22599436)
    You must be kidding.

    "notice hidden cameras that look out of place and point at PIN pads"
    Also don't enter your PIN on "suspicious" terminals, or in "suspicious" businesses.

    That just does not work. The system is putting on users a burden they cannot take.

    With the magnetic stripe and PIN, the only security is the PIN, as the stripe can be easily copied. A better solution is chip-only cards (smart cards), where the actual secret cannot be duplicated and the holder must hold both the card and the PIN. At least I know that if I have my card in hand, I am OK. The same cannot be said for magnetic-stripe-only cards.
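The distinction the comment above draws, as an added example that is not from the thread or the Cambridge paper: a stripe is static data, so the issuer cannot tell the original from a copy, while a chip holds a key that never leaves it and answers each terminal challenge with a cryptogram that also carries a transaction counter, so a recorded transaction cannot be replayed and a new one cannot be forged. Everything here is constructed for the demo: the card number, the `track2` layout, the class and function names, and HMAC-SHA256 standing in for the MAC a real EMV card computes.

```python
import hashlib
import hmac
import secrets

# Constructed demo value, not a real card number.
PAN = "4111111111111111"


def cryptogram_for(key, pan, atc, amount, challenge):
    """Stand-in for the EMV application cryptogram: a MAC over the account number,
    the card's transaction counter (ATC), the amount and the terminal's challenge.
    HMAC-SHA256 replaces EMV's own MAC construction for the demo."""
    msg = pan.encode() + atc.to_bytes(2, "big") + amount.to_bytes(4, "big") + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


class MagstripeCard:
    """Everything the stripe holds is static; reading it once is cloning it."""

    def __init__(self, pan, track2):
        self.pan, self.track2 = pan, track2

    def swipe(self):
        return self.track2                  # identical bytes every time


class ChipCard:
    """The key never leaves the chip; the chip only ever answers challenges."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0

    def generate_ac(self, amount, challenge):
        self.atc += 1                       # monotonic counter, one step per transaction
        return self.atc, cryptogram_for(self._key, self.pan, self.atc, amount, challenge)


class Issuer:
    """Bank side: holds the per-card chip keys and the static stripe contents."""

    def __init__(self):
        self._chip_keys = {}
        self._stripe_data = {}
        self._last_atc = {}

    def issue_stripe(self, pan):
        track2 = f"{pan}=2912101"           # expiry and service code, all static
        self._stripe_data[pan] = track2
        return MagstripeCard(pan, track2)

    def issue_chip(self, pan):
        key = secrets.token_bytes(16)
        self._chip_keys[pan] = key
        return ChipCard(pan, key)

    def authorise_stripe(self, pan, track2):
        # Static data: the issuer cannot tell the original from a copy.
        return self._stripe_data.get(pan) == track2

    def authorise_chip(self, pan, atc, amount, challenge, cryptogram):
        key = self._chip_keys.get(pan)
        if key is None or atc <= self._last_atc.get(pan, 0):
            return False                    # unknown card, or a stale counter (replay)
        if not hmac.compare_digest(cryptogram_for(key, pan, atc, amount, challenge), cryptogram):
            return False                    # wrong key: forged cryptogram
        self._last_atc[pan] = atc
        return True


def terminal_chip_transaction(issuer, card, amount):
    """One chip transaction as a terminal runs it. Returns the authorisation result
    and the transcript that someone tapping the reader would be able to record."""
    challenge = secrets.token_bytes(4)      # EMV 'unpredictable number'
    atc, ac = card.generate_ac(amount, challenge)
    ok = issuer.authorise_chip(card.pan, atc, amount, challenge, ac)
    return ok, (card.pan, atc, amount, challenge, ac)


def demo():
    issuer = Issuer()
    stripe = issuer.issue_stripe(PAN)
    chip = issuer.issue_chip(PAN)

    # Stripe: skim once, replay forever.
    stripe_clone_ok = issuer.authorise_stripe(PAN, stripe.swipe())

    # Chip: record a genuine transaction, then replay the recording verbatim.
    genuine_ok, transcript = terminal_chip_transaction(issuer, chip, 1500)
    replay_ok = issuer.authorise_chip(*transcript)

    # Without the key, a cryptogram for a new amount cannot be forged either.
    forged_ok = issuer.authorise_chip(
        PAN, chip.atc + 1, 99999, secrets.token_bytes(4), secrets.token_bytes(32))

    # The real card keeps working after the attacker's attempts.
    later_ok, _ = terminal_chip_transaction(issuer, chip, 2000)
    return stripe_clone_ok, genuine_ok, replay_ok, forged_ok, later_ok
```

The replay rejection rests on the counter and the terminal's fresh challenge, not on keeping the transcript secret, so a recorded chip transaction is worthless to the person who recorded it. That protection covers chip transactions only: account numbers and PINs captured in the clear, which is what the summary says the tap yields, are still usable wherever a counterfeit magnetic stripe with the PIN is accepted as fallback.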
