UK Finance (uk.finance) Discussion about Finance issues in the UK.
#1
Chip and pin fraud danger revealed

Yesterday, 09:05 pm

A team of computer researchers say they have uncovered flaws in the Chip and Pin system which are being exploited by fraudsters to use stolen cards.

The group from the University of Cambridge's Computer Laboratory found that criminals can insert a "wedge" between the stolen card and terminal, tricking it into believing the pin has been correctly verified, when in fact any pin can be used for the transaction to go through. The card meanwhile thinks it was authorised by signature.

Dr Steven Murdoch said: "We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable."

The discovery is likely to place some question marks over the existing Chip and Pin design and its security. Victims of this type of fraud may encounter problems obtaining refunds from their banks as the receipt produced states "Verified by Pin".

Professor Ross Anderson said: "Over the past five years, thousands of cardholders have had stolen Chip and Pin cards used by criminals. The banks often tell customers that their pin was used and so it's their fault.

"Yet we've shown that it's easy to use a card without knowing the pin - and the receipt will say the transaction was 'Verified by Pin' even though it wasn't."

"This is not just a failure of bank technology. It's a failure of bank regulation. The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks."

Source: http://uk.news.yahoo.com/21/20100211...d-e1d36ba.html
#2
Paper here: http://www.cl.cam.ac.uk/research/sec...chipbroken.pdf

It's a clever attack. The card believes that the transaction was authenticated by signature while the terminal believes that the transaction was authenticated by pin. Neither side can tell that the other side believes something different. Only two messages between the terminal and the card have to be intercepted and changed.

So with a few hundred pounds of hardware a crook can get valid "Authenticated by PIN" transactions from a stolen card without ever having to know the PIN of the card.

Ironically, the attack is made easier against an honest merchant because we're now all trained NOT to give the card to the merchant. So the fact that the crook is about to plug in a fake card with wires running up his sleeve won't be easy to spot.

Tim.

-- 
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t," and there was light.
http://www.woodall.me.uk/
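The disagreement Tim describes, with the terminal and the card each holding a different view of how the cardholder was verified, is visible to the issuer when both views reach the authorisation host. The following is an added example (not code from the paper, any bank, or this thread) of the reconciliation an issuer could apply; it assumes the acquirer forwards the terminal's CVM Results (tag 9F34), and the bit it reads from the card's Issuer Application Data (tag 9F10) is a hypothetical layout chosen for the example.

```python
"""Issuer-side reconciliation of the two PIN claims.  Added example, not code
from the Cambridge paper or any bank: a wedge leaves the terminal reporting a
successful offline PIN while the card recorded no PIN check, and the issuer is
the one party that sees both claims in a single authorisation message."""
from dataclasses import dataclass

# CVM Results (tag 9F34): byte 1 = CVM code, byte 2 = condition, byte 3 = result.
# Bit 0x40 of the code only means "try the next rule on failure" and is masked off.
# Online PIN (0x02) is left out: the issuer verifies that PIN itself.
OFFLINE_PIN_CODES = {0x01, 0x03, 0x04, 0x05}  # plaintext/enciphered PIN by chip, +/- signature
CVM_RESULT_SUCCESS = 0x02

# Assumption for this example: the issuer's own Card Verification Results inside
# the Issuer Application Data (tag 9F10) set this bit in byte 0 when the chip
# itself verified an offline PIN.  Real CVR layouts are scheme- and issuer-specific.
CARD_OFFLINE_PIN_OK = 0x04

@dataclass
class AuthRequest:
    amount_pence: int
    cvm_results: bytes      # terminal's claim (9F34)
    issuer_app_data: bytes  # card's own record (9F10), returned with the cryptogram

def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    code, result = cvm_results[0] & 0x3F, cvm_results[2]
    return code in OFFLINE_PIN_CODES and result == CVM_RESULT_SUCCESS

def card_recorded_offline_pin(iad: bytes) -> bool:
    return bool(iad[0] & CARD_OFFLINE_PIN_OK)

def reconcile(req: AuthRequest) -> str:
    """Host decision.  A terminal-yes/card-no split is exactly what a wedge produces."""
    terminal = terminal_claims_offline_pin(req.cvm_results)
    card = card_recorded_offline_pin(req.issuer_app_data)
    if terminal and not card:
        return "DECLINE: terminal says PIN verified, card says it never verified a PIN"
    if card and not terminal:
        return "REVIEW: card verified a PIN the terminal does not report"
    return "APPROVE: verification claims agree"

# Constructed authorisation requests, not captured traffic.
SAMPLES = {
    "honest_pin": AuthRequest(2500, b"\x41\x03\x02", b"\x04\x00\x00\x00"),
    "honest_signature": AuthRequest(2500, b"\x1e\x03\x00", b"\x00\x00\x00\x00"),
    "wedged": AuthRequest(2500, b"\x41\x03\x02", b"\x00\x00\x00\x00"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:17} -> {reconcile(req)}")
```

The check only works if the host is actually given both fields; an authorisation message that carries the card's cryptogram data but drops 9F34 leaves the issuer with the card's view alone.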
#3
"brightside S9" wrote in message ...

> On Fri, 12 Feb 2010 09:51:39 -0000, "Dave" wrote:
>
>> Chip and pin fraud danger revealed
>>
>> Yesterday, 09:05 pm
>>
>> A team of computer researchers say they have uncovered flaws in the Chip and Pin system which are being exploited by fraudsters to use stolen cards.
>>
>> The group from the University of Cambridge's Computer Laboratory found that criminals can insert a "wedge" between the stolen card and terminal, tricking it into believing the pin has been correctly verified, when in fact any pin can be used for the transaction to go through. The card meanwhile thinks it was authorised by signature.
>>
>> Dr Steven Murdoch said: "We have tested this attack against cards issued by most major UK banks. All have been found to be vulnerable."
>>
>> The discovery is likely to place some question marks over the existing Chip and Pin design and its security. Victims of this type of fraud may encounter problems obtaining refunds from their banks as the receipt produced states "Verified by Pin".
>>
>> Professor Ross Anderson said: "Over the past five years, thousands of cardholders have had stolen Chip and Pin cards used by criminals. The banks often tell customers that their pin was used and so it's their fault.
>>
>> "Yet we've shown that it's easy to use a card without knowing the pin - and the receipt will say the transaction was 'Verified by Pin' even though it wasn't."
>>
>> "This is not just a failure of bank technology. It's a failure of bank regulation. The ombudsman supported the banks and the regulators have refused to do anything. They were just too eager to believe the banks."
>>
>> Source: http://uk.news.yahoo.com/21/20100211...d-e1d36ba.html
>
> According to the BBC report on Newsnight, see http://www.bbc.co.uk/blogs/newsnight..._pin_syst.html
>
> "In November last year the law changed, placing the onus firmly on the banks to prove that a customer has been negligent in any dispute".
>
> So it is not true to say that the regulators have done nothing, but it seems to me that the banks can easily prove you *must have been* negligent, in some way or other, if the bank says a transaction was verified by pin.

That is not proof. This is what the Banks used to say and the regulator told them that it is not enough. They have to have more than this.

tim
#4
brightside S9 wrote:

> On Fri, 12 Feb 2010 11:01:21 -0000, "tim...." wrote:
>
>> "brightside S9" wrote
>>
>>> According to the BBC report on Newsnight, see http://www.bbc.co.uk/blogs/newsnight..._pin_syst.html
>>>
>>> "In November last year the law changed, placing the onus firmly on the banks to prove that a customer has been negligent in any dispute".
>>>
>>> So it is not true to say that the regulators have done nothing, but it seems to me that the banks can easily prove you *must have been* negligent, in some way or other, if the bank says a transaction was verified by pin.
>>
>> That is not proof. This is what the Banks used to say and the regulator told them that it is not enough. They have to have more than this.
>
> That's not proof of what?

Isn't it obvious from context? Proof that you must have been negligent if the bank says a transaction was verified by PIN.
#5
In message , brightside S9 writes

> On Fri, 12 Feb 2010 09:51:39 -0000, "Dave" wrote:
>
>> Chip and pin fraud danger revealed
>>
>> Yesterday, 09:05 pm
>>
>> The card meanwhile thinks it was authorised by signature.
>
> According to the BBC report on Newsnight, see http://www.bbc.co.uk/blogs/newsnight...w_flaws_in_chip_and_pin_syst.html
>
> "In November last year the law changed, placing the onus firmly on the banks to prove that a customer has been negligent in any dispute".
>
> So it is not true to say that the regulators have done nothing, but it seems to me that the banks can easily prove you *must have been* negligent, in some way or other, if the bank says a transaction was verified by pin.

Now we know how it could be done, that is one of the banks' 'excuses' exposed.

And: "The card, meanwhile, thinks it was authorised by signature". So much for signature authorisation, which is a 95% rubber-stamp exercise anyway.

-- 
Gordon H
Remove "invalid" to reply
#6
In message , Tim Woodall writes

> Ironically, the attack is made easier against an honest merchant because we're now all trained NOT to give the card to the merchant. So the fact that the crook is about to plug in a fake card with wires running up his sleeve won't be easy to spot.
>
> Tim.

It will be rather amusing when the till operator takes the fake card out of the machine and tries to swipe it, as often happens. "Oops! Sorry Sir, have I torn your jacket"?

-- 
Gordon H
Remove "invalid" to reply
#7
On Feb 13, 10:09 am, Gordon H wrote:

> In message , Tim Woodall writes
>
>> Ironically, the attack is made easier against an honest merchant because we're now all trained NOT to give the card to the merchant. So the fact that the crook is about to plug in a fake card with wires running up his sleeve won't be easy to spot.
>>
>> Tim.
>
> It will be rather amusing when the till operator takes the fake card out of the machine and tries to swipe it, as often happens. "Oops! Sorry Sir, have I torn your jacket"?

You do it at a terminal where you have to insert the card at the bottom, so that staff cannot easily access the card anyway and your hand would cover the wires. Or there are even better places where there is a glass wall between the employee and the terminal.
#8
On Feb 13, 10:05 am, Gordon H wrote:

> In message , brightside S9 writes
>
>> On Fri, 12 Feb 2010 09:51:39 -0000, "Dave" wrote:
>>
>>> Chip and pin fraud danger revealed
>>>
>>> Yesterday, 09:05 pm
>>>
>>> The card meanwhile thinks it was authorised by signature.
>>
>> According to the BBC report on Newsnight, see http://www.bbc.co.uk/blogs/newsnight...w_flaws_in_chip_and_pin_syst.html
>>
>> "In November last year the law changed, placing the onus firmly on the banks to prove that a customer has been negligent in any dispute".
>>
>> So it is not true to say that the regulators have done nothing, but it seems to me that the banks can easily prove you *must have been* negligent, in some way or other, if the bank says a transaction was verified by pin.
>
> Now we know how it could be done, that is one of the banks' 'excuses' exposed.
>
> And: "The card, meanwhile, thinks it was authorised by signature". So much for signature authorisation, which is a 95% rubber-stamp exercise anyway.

From the consumer's point of view, the important thing is that you have a chance of proving that a fake signature is not yours. There are probably individual characteristics in entering PINs (timing, pressure put on the buttons), but these are not recorded.
#9
The chip and pin bank card system is so seriously flawed that millions of customers are dangerously exposed to criminals, it was claimed last night.

Security experts say there is a one in five chance that a terminal in a shop or garage will not spot a 'cloned' card. It means criminals who copy people's cards can go on shopping sprees and spend thousands of pounds.

The alarming gap in security is being blamed on the issuing banks, for choosing the cheapest version of the new cards. Banks in France and some other countries are already using a more secure system.

Some experts warned soon after the launch of the system in February that criminals could clone the new cards using equipment readily available over the Internet and costing only some £300 or £400.

Last month the Daily Mail revealed that criminals had stolen more than £1million after using copied cards to withdraw money from cash machines abroad. This is because repeated transactions at these terminals no longer register with banks' head offices as a suspicious pattern of withdrawals.

Now it emerges that there may be a similar absence of protection on transactions in this country.

The reason is that more than 140 million credit, debit and charge cards issued in the UK over the last few years use a technology known as SDA, which stands for 'static data authentication'. This is the cheapest option that could have been chosen by the big five banks, which made profits of £33billion last year, and other card issuers. Banks abroad, however, prefer the safer option of the DDA system, which stands for 'dynamic data authentication'.

Of the 6.2billion transactions on a credit, debit or charge card carried out every year in this country, one in five happens 'offline', meaning the chip and pin terminal does not connect to the cardholder's bank. Crucially, an offline terminal cannot detect a cloned SDA card, but could spot a copied DDA one. It is only if the transaction goes 'online' that a fraudster would be caught using an illegal SDA card. Newsagents and small shops are particularly vulnerable, say the experts.

A spokesman for the Association for Payment Clearing Services, which speaks for the banks on plastic cards, admitted yesterday: "Chip and pin security is fallible."

Industry 'doesn't want to talk about it'

One card security expert said: "It is something that the industry knows about but does not want to talk about.

"Many people think it is very easy to clone. One person did come out and say it but he was shunned by the rest of the banking industry."

A spokesman for Carte Bancaire, France's equivalent of APACS, said the extra security from an upgrade to DDA was 'the logical next step'.

The £1.1billion switch to chip and pin - the biggest change on the high street since decimalisation in 1971 - was billed as the answer to Britain's card fraud crisis. But last month, at a secret meeting, card experts showed the big banks' security experts just how easy it is to clone the new cards.

One banking insider, who was at the meeting led by the technology management consultancy Consult Hyperion, said: "A number of volunteers in the audience were asked to hand over their cards for the demonstration.

"It would only take around £300 or £400 to put together the right sort of technology to clone these chips. Large numbers of people already have the know-how."

Criminal gangs can use a number of methods to electronically obtain information from the card of an unsuspecting account-holder and copy it on to a blank card. There are also a number of scams to discover the cardholder's PIN. One of the most common is 'shoulder-surfing' - standing close behind someone at an ATM terminal and watching which keys they use.

Jan Dart, head of technology at Aconite, a consultancy specialising in card technology, confirmed that SDA cards can be cloned. He said SDA cards were 'better than nothing' but more reliable security was readily available.

The APACS spokesman insisted that there was no evidence of any cloned SDA card fraud in the UK.

He said: "DDA is kept under consideration and if it looks like cards are under attack then the decision to upgrade will be taken."
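As an added illustration of the SDA/DDA distinction in the article above (not code from the article, any card scheme, or this thread), this toy model shows why an offline terminal accepts a copied SDA card yet rejects a copied DDA card: the RSA keys, the card record and the nonce handling are simplified stand-ins for the real EMV certificate chain, and the `GENUINE`/`CLONE` records are constructed for the example.

```python
"""Toy model of SDA versus DDA at an offline terminal.  Under SDA the terminal
checks only a static issuer signature, so a copy of the card's data passes;
under DDA it also challenges the chip with a fresh nonce that only the genuine
chip's private key can answer.  Added example with constructed keys and records."""
import hashlib

def toy_keypair(p: int, q: int, e: int):
    """Textbook RSA with toy-sized primes (assumption: far too small for real use)."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

ISSUER_PUB, ISSUER_PRIV = toy_keypair(1000000007, 998244353, 65537)
CARD_PUB, CARD_PRIV = toy_keypair(1000000009, 999999937, 65537)

# Constructed card record: the issuer signs the static data, which here also
# binds the card's public key (real DDA uses a separate ICC certificate).
STATIC_DATA = b"PAN=4111111111111111;EXP=1212;CARDPUB=" + repr(CARD_PUB).encode()
GENUINE = {"static": STATIC_DATA, "static_sig": sign(ISSUER_PRIV, STATIC_DATA),
           "card_pub": CARD_PUB, "card_priv": CARD_PRIV}

# A copy holds everything the chip hands out, but the private key never leaves
# the chip; the best a copy can do is replay a response the genuine card gave
# to some earlier nonce.
CLONE = {k: v for k, v in GENUINE.items() if k != "card_priv"}
CLONE["replayed_sig"] = sign(CARD_PRIV, b"nonce-from-an-earlier-transaction")

def sda_check(card) -> bool:
    """SDA: the offline terminal verifies only the issuer's static signature."""
    return verify(ISSUER_PUB, card["static"], card["static_sig"])

def dda_check(card, nonce: bytes) -> bool:
    """DDA: the static check plus a signature over a terminal-chosen fresh nonce."""
    if not sda_check(card):
        return False
    sig = sign(card["card_priv"], nonce) if "card_priv" in card else card["replayed_sig"]
    return verify(card["card_pub"], nonce, sig)
```

Calling `sda_check` on both records returns True for each, while `dda_check` with a nonce the copy has not seen before returns True only for `GENUINE`; the copy succeeds only if the terminal reuses the exact nonce it captured, which is why nonce freshness carries the whole DDA guarantee.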