ChipAndPin/RealFlaws

The current (and incoming) systems have both been demonstrated insecure - both in academic-type papers, and by active exploits in the wild.

Here are some of them, and some discussion about them.


Tampering with the keypads

See [newsgroup posting].

Check out [Markus Kuhn] and [Ross Anderson]'s pages. In particular, [this] is relevant. Reading stuff out of the current generation of smartcards is simple and cheap, basically. - MoonShadow

(thinking about them hacking the keypad at a shop is paranoid: there's no way to do it in respectable shops, and with dodgy shops there's already the danger of them reading the data, putting it on a fake card, signing it, and then using it happily).
You go to a restaurant. You eat your meal, and ask for the bill. The waiter serves you a bill on a nice silver plate. You put your card on the plate, and some random person who just happens to have been serving you all evening wanders up, sticks your card into some fancy-looking machine, claims it is one of the wireless card handling machines, and asks you to type in your PIN. --Admiral
I'll point out that these card cloning handhelds exist and are in use already.  It won't be terribly hard to add a keypad - and it's one thing to make a copy of a card which can then be used for telephone shopping, and quite another to make one that can withdraw from a cash point.  --Vitenka

Cameras

Oh, I've just thought of another one. Most shops have CCTV cameras pointing at the till. You could tap the signal, or use some form of Tempest; or you could just hang around and browse with your back to the till while the webcam and laptop in your rucksack transmit a video feed to your accomplices waiting outside. They then proceed to pickpocket customers leaving the store, and send someone down to the ATM every so often. - MoonShadow
Now you're just being mad. None of those is really plausible, now, is it? Hacking into the bank's CCTV? We're talking about real-life dangers here, not something out of 'Alias'.
Excuse me? The shoulder-surfing+pickpocketing combination is widespread in London right now. Next time you find yourself around Camden Town or Soho, check out the police warnings on the walls next to the ATMs (big posters advising you to look around and see who's watching). And there's nothing difficult about sticking a webcam in your rucksack and standing with your back to the till. Far more complicated scams are carried out successfully on a daily basis. - MoonShadow
So you follow the advice, yes? And these webcams, are they the ones that can see through my flesh and bone as I stand in front of the keyboard while typing?
The webcam can be placed so that it's not looking through your body.  Typing onto those pads without any angle being able to see is a bit tricky (though no, not impossible - the keypad design could and should be improved to make it easier though).  Check the Brazilian scam to see where they put the webcam in that one.  --Vitenka
So, facing backwards, and not looking suspicious by checking over their shoulder or looking at a palmpilot connected to the camera, they're going to find just the right angle to see the keyboard, and keep still enough to get a good picture (and not be so oblique that they can't distinguish keypresses). Uh huh.

It may sound it, but if you've seen a tempest demonstration you'd know that it's not.  It takes HighSchool? electronics knowledge, a TV and a radio, and you can build something that steals the signal.  People using wireless cameras just make it easier (just roam around with a receiver) - or install your own tiny webcam near the till - you won't steal every transaction, but enough of them.  --Vitenka
So people are going to sit with these things outside Tesco, are they? And be able to read the typing, even of people who put their hands over the keyboard? And check the faces? From individual cameras? And not look bloody suspicious?  And all this from a school electronics kit [in the back of a white van]? I remain unconvinced.
Agreed, supermarkets and other fixed emplacement are much safer than smaller shops, for this sort of thing.  But um, basically, yes.  Signal quality is generally low, but you're sure to find one or two shops with ill-placed cameras that show the typing.  The tempest was mainly a rebuttal of the 'black helicopters' view.  I'm just pointing out that this is in the realms of reality, and can be done.  And it will only get easier and more efficient over time.  --Vitenka
So, from a fuzzy picture they're going to be able to work out the number typed by someone taking care not to be overseen? It's in the realms of reality in the way the neutron bomb is: theoretically possible, but it'll never actually be used. If I started worrying about things this likely I'd never go out of the house. There's a line somewhere where you have to say 'that's unlikely enough that I'll not worry about it'. I mean you could get hit by a meteorite bearing proof of life on Mars. But you probably won't.
*shrug* People have been doing things on a similar level of complexity with ATMs for years. Why stop now, just when you can do so much more, so much less traceably, with a stolen card and pin, and there are so many more points of attack to choose from? - MoonShadow

Other Countries

Quick question - does anyone know whether there have been major problems with this sort of system elsewhere?  It has been up and running in some countries at least for years - I saw it operational in France back in '97.  Do the French have a great problem with credit card fraud as a result?  I don't know... --MJ
I had heard that it was no better with the new system than it had been with the old, and I do know that France had to switch to a second new system after the first set of chips were shown to be truly truly crap.  (As in, use JTAG? to read out the details)  Amusingly, I just googled to find some stats, and accidentally found pages detailing how to exploit the system instead.  So no hard figures from me.  Again, RossAnderson is the source of all things ranty about this ;)  --Vitenka
According to a number of news sites, PeterFairbrother? has commented that while fraud decreased in France and Belgium at first, it has subsequently risen to its previous levels as people simply cross borders with stolen cards and use them in shops with incompatible systems, causing a fallback to the old methods; moreover, the burden of paying for the losses has noticeably shifted from the bank to the customer, at least in France, due to banks' insistence that the new system is secure. However, all I can find is quotes - I can't seem to find an original post by PF to the effect. Will carry on looking. - MoonShadow
Dunno about relative fraud levels, but PINs are used in Italy (where I've been for the last few years) everywhere with "bancomat" cards (equivalent to switch/delta sort of thing). One effect is that no-one ever checks signatures, which are still normally required for credit cards. I've observed most Italians do tend to be cautious about who is watching when entering PINs at checkouts etc; aware of the shoulder-surfing problem. Fraud on credit cards in Italy is practically an epidemic (including corrupt bank employee problems - a friend had several thousand euro billed to his new card before he even picked it up at the bank!), to the extent that most Italians don't have them as they don't trust them. The banks frequently put a hold on my (UK) credit cards or refuse transactions, presumably because the patterns VISA et al use to detect fraud spread a wider net.  Fraud on bancomat cards, on the other hand, doesn't seem to be a big problem (based on experiences of Italian colleagues).  --kevquinn

For people that think shoulder-surfing is in the realms of science fiction: [1], [2], [(chapter 3)] [Brazilian ATM]
(add more here)...

Ok so it is possible to get my PIN number. How is this less secure than using my signature (which is already written on the back of the British card I have now) which nobody checks seriously anyway? It is much much simpler to nick the card (1 operation not 2) and then go into different supermarkets and get cashback for 50 pounds a time.

Ok so you have to practise forging signatures but how is that more difficult than getting yourself a wired backpack or some fancy card cloner?

Personally I can't wait until the UK catches up with the rest of the continent and stops living in the 19th-century world of signatures and references. -- King DJ

The point isn't that signatures are hard to forge - they certainly are not.  It is that it is possible to tell, after the event, whether or not this has been done.  Bits in a memory register have effectively no traces of how they got there.  --Vitenka

I think it would be extremely difficult to tell that I had not in fact signed the piece of paper that is kept for records if it has been forged just by looking at it. However there are always other ways of finding out. CCTV of tills etc. to prove I wasn't there to sign for it. The situation is the same in both cases: someone has fraudulently identified themselves as me and in either case it is difficult to trace looking at the data that was fraudulently provided. I see no difference between the systems on this score.

I think the point made earlier is that when someone signs a till-receipt, they have to touch the receipt. The shop then retains this, thereby providing fingerprint evidence. I'm not completely convinced on this score myself, but thought I'd clarify the argument. --CH
Gloves perhaps? My point is one does not have to be a computer whizz to be a criminal. Crime did exist before IT. -- King DJ
Yes, but there's no reason to make it easier with IT.  --Vitenka
This doesn't make it easier, as the huge list of intricate and complex schemes for obtaining PIN numbers listed above only goes to prove. -- King DJ
Ok, in what way is: 1. purchase dodgy card reader.  2. Use it instead.  3. Go to ATM with the cloned card a convoluted scheme?  --Vitenka (We must be having some axiomatic clash here)
Actually, to be fair, cloning smart cards isn't going to be as simple as purchasing a dodgy reader. The point of a smart card is that it doesn't release its information to the reader - it just proves it has it. So on the face of it, you can't just read off the info necessary to make another card. Except that current implementations fall far short of the theory - MarkusKuhn? and RossAnderson, for instance, have published a wide range of papers demonstrating vulnerabilities in smartcards. To find the initial vulnerability does require a lab, but not a "multimillion pound" one - a couple of k and the ability to read existing literature on the subject is plenty 'nuff. Once found, it is typically a class break that can be automated - resulting in, yes, "off the shelf" dodgy readers. See experience with the smart cards used for pay TV for examples of people doing precisely this for much less gain than one could get from credit card cloning. Bear in mind that existing experience with credit card fraud demonstrates the presence of separate markets - one set of people typically break security and sell the results to another set of people who perform the actual criminal acts. In internet transaction fraud, for instance, this takes the form of groups of hackers obtaining credit card databases and selling the contents on to people who want to make use of them. This business model makes it worthwhile for someone to set up a lab - it becomes a relatively low risk enterprise for them. Experience in the US with dodgy individuals actually renting ATMs from companies like Diebold for a few grand a shot demonstrates how much people are willing to pay for this sort of [reward/risk combination]. - MoonShadow
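To illustrate the challenge-response point in the post above (a chip card proves it holds a key rather than handing it to the reader, so a transcript alone does not yield a working clone), here is an added Python sketch; it is not code from this page or from any real card scheme, and the symmetric HMAC key, the Issuer that shares it, the constructed sample PAN and the transcript-replaying ClonedCard are all assumed simplifications.

```python
import hmac, hashlib, os

class Card:
    """Simulated chip card: holds a key it never hands to the reader."""
    def __init__(self, pan, key):
        self.pan = pan      # account number, readable by any terminal
        self._key = key     # assumed symmetric key; real schemes differ
    def respond(self, challenge):
        # Prove possession of the key by MACing the terminal's challenge.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Issuer:
    """Simulated issuer: knows each card's key, checks responses."""
    def __init__(self):
        self._keys = {}
    def enrol(self, pan):
        key = os.urandom(32)
        self._keys[pan] = key
        return Card(pan, key)
    def verify(self, pan, challenge, response):
        expected = hmac.new(self._keys[pan], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class EavesdroppingReader:
    """A dodgy reader that records every exchange it relays."""
    def __init__(self):
        self.transcripts = []
    def run_transaction(self, issuer, card):
        challenge = os.urandom(16)          # fresh per transaction
        response = card.respond(challenge)
        self.transcripts.append((card.pan, challenge, response))
        return issuer.verify(card.pan, challenge, response)

class ClonedCard:
    """A clone built only from recorded transcripts: it has no key."""
    def __init__(self, pan, transcripts):
        self.pan = pan
        self._seen = {c: r for p, c, r in transcripts if p == pan}
    def respond(self, challenge):
        # Replay is all it can do; a fresh challenge gets a dummy answer.
        return self._seen.get(challenge, b"\x00" * 32)

def clone_passes_verification(recorded=5):
    """Record several genuine transactions, then try the clone once."""
    issuer = Issuer()
    real = issuer.enrol("4000000000000002")   # constructed sample PAN
    reader = EavesdroppingReader()
    genuine_ok = all(reader.run_transaction(issuer, real) for _ in range(recorded))
    clone = ClonedCard(real.pan, reader.transcripts)
    return genuine_ok, reader.run_transaction(issuer, clone)
```

The genuine card passes every time while the clone fails on a fresh challenge; the page's point is that real implementations have fallen short of this model, and that is the gap the papers it cites describe.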

Seeing as I trust that it is harder to get both my PIN number and card than to get my card alone (with signature handily provided on the back) I would rather have a Dutch PIN pass than a UK card.

Italy has organised crime, shock new revelation!

The question of people crossing borders to other countries to use cards from Belgium and France to other countries. Surely they aren't going to go far to use the card because that a) cuts into their profits and b) increases the time during which the card can be reported stolen.

Therefore if the UK adopts the system this will help out those countries that have already adopted the system. Yet another reason to press on post-haste! -- King DJ
Heh.  Most of the national press here would say that's a positive reason not to switch ;)  --Vitenka
True. I hate British newspapers. I get all my news from the BBC online. -- King DJ

Flimsy Chips

On a slightly different note, here's one big real flaw with them.  The damn chip contacts are too fragile.  The magnetic strip can survive almost anything (except a magnet, of course) but the chip pops out at the slightest provocation.  --Vitenka
Last edited March 30, 2004 4:38 pm (revision 18)