
Flaws in chip and pin system revealed


Post by GD Thu 11 Feb 2010, 8:42 pm

Most of us do not think twice about paying for something in a high street shop by keying in our pin. It is easy, fast and in most cases it works.
But scratch a little under the surface and there are persistent reports of people who say they have been the subject of fraud of one kind or another on their credit or debit card.
Now a team of computer scientists at Cambridge University has found a flaw in chip and pin so serious they think it shows that the whole system needs a re-write.
Over the past few years, the Cambridge team has uncovered a series of weaknesses in the system, which has been running since 2004.
Shockingly simple
Two years ago, we featured one on Newsnight showing that criminals could tap into the communications between a pin terminal and a customer's card, and read off sufficient information to create a cloned card.
Now, the same team has found a way round the chip and pin system that is so simple it has shocked even them:
"We think this is one of the biggest flaws that we've uncovered - that has ever been uncovered - against payment systems, and I've been in this business for 25 years," Professor Ross Anderson from the Cambridge University Computer Laboratory said.
"This is a flaw in a system that's used by hundreds of millions of people, by tens of thousands of banks, by millions of merchants," he added.
In essence the Cambridge researchers have discovered a way to carry out transactions without needing to know a card's pin.
Small kit
So how does the attack work?
We obviously do not want to give out too much detail, but in simple terms, a stolen card sits in an off-the-shelf card reader, inside a backpack.
This allows it to communicate with a chip, running software written by the team and controlled from a laptop.
All of this is hooked up to a fake card, which slots into the actual shop terminal.
The kit would not have to be big - the Cambridge team is already working on miniaturising it all into a unit the size of a remote control.
It is called a "man in the middle" attack because the software is tricking the terminal into thinking the pin has been verified.
"Essentially what it does is to exploit a flaw in the chip and pin system. It makes the terminal think the correct pin has been entered, and the card think the transaction was authorised with a signature," Dr Saar Drimer, one of the Cambridge team, explained.
"At the end the receipt says 'verified by pin' so the bank is going to think the pin is entered directly, but the criminal actually did not know the pin."
Credit and debit cards attacked
We got permission from Cambridge University to try out the attack in one of their cafeterias.
The team tried out four common cards - two credit cards, issued by HSBC and John Lewis, and two debit cards, issued by Barclays and the Co-operative Bank.
There was no particular reason for choosing these cards, they just happened to be the ones in the Newsnight team's wallets.
Using the cards, Dr Drimer keyed in 0000 as the pin. Since there is no need for the criminal to know the actual pin associated with the card, any combination should work.
It did work, and the printout stated that the purchase had been "verified by pin".
Following the attack we approached the Co-Operative Bank, Barclays and HSBC - which also administers the John Lewis card - for comment.
All three stressed that this was an industry-wide issue, not specific to any particular provider, that their cards were no different to those offered by any other provider or bank, and each referred us to the banking trade association for further comment.
Low sophistication
The Cambridge researchers have a standard approach when they uncover this kind of flaw. They tell the authorities straight away, suggest fixes, and then publish.
In the last few weeks, they have told the relevant official bodies.
In reality, though, how easy would it be for someone without a PhD in computer science to carry out this attack?
"Even small scale criminal systems have better equipment than what we have. The amount of technical sophistication needed to carry out this attack is really quite low," Dr Steven Murdoch, one of the team, told Newsnight.
"In practice how this attack would work is that one reasonably technically skilled person would build a device that carries out the attack and then sell this equipment on the internet just like criminals already do," he added.
So is this kind of attack already happening in the real world?
According to Phil Jones of the Consumers Association, chip and pin has helped to bring down instances of card crime, but many cases remain unexplained.
"It's very difficult to quantify exactly how big this problem is," he said. "What we do know from our investigations is that say around 14% of consumers on a representative basis have said they have suffered some kind of financial loss which they believe is through fraud.
"The percentage of that which is actually from this type of potential problem with chip and pin is something that is a lot less clear. What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."
Onus on banks
So whose job is it to sort this out?
In November last year the law changed, placing the onus firmly on the banks to prove that a customer has been negligent in any dispute.
In the UK, it is the Financial Services Authority (FSA) which has responsibility for overseeing how that new law works in practice, though they say it is up to the industry itself to decide how best to comply.
Newsnight understands that behind the scenes some of the banks are already working on fixing this flaw.
But they obviously have not all fixed it yet, because the banks did not alert any of us to the purchases we made using the Cambridge attack, our cards and a PIN of 0000.
Data trail
Every time you use a card, data on the transaction is generated along the way.
The Cambridge team thinks that customers would be better protected if banks were forced to produce this entire audit trail in disputed transactions.
However, in practice, banks often ask customers to destroy their card, and therefore its chip, as soon as they report a problem.
Stephen Mason, a lawyer who has represented consumers in cases involving banks and disputed card transactions, told Newsnight that digital evidence is increasingly important:
"Just because 'verified by pin' is printed on a piece of paper that comes out of a machine, it proves nothing.
It's for the bank to prove that it was verified by pin - and that statement is actually totally irrelevant."
The chip and pin system has a 700-odd page manual, but the Cambridge team says it has so many holes in it, the whole thing should be re-written.
"The first thing that banks should do is fix this vulnerability. There are ways they could upgrade the chip and pin system that would prevent this attack working for most of all the transactions that happen in the UK, not all but most," Dr Murdoch said.
"They should also look back at previous transactions where the customer said their pin had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud," he added.
Watch Susan Watts' full report on Newsnight on Thursday at 10.30pm on BBC Two, then afterwards on the BBC iPlayer and Newsnight website.

Post by kat Fri 12 Feb 2010, 10:23 am

bring back good old cash!

Post by kingcolemk Fri 12 Feb 2010, 10:31 am

Only works with a stolen card. So look after your cards!


Post by zaina Fri 12 Feb 2010, 2:14 pm

See, they're moving on to the microchip.

Post by cockney Fri 12 Feb 2010, 9:32 pm

The banks love us to use cards, which are a form of control, Big Brother if you like, and it's only going to get worse. When cash is eventually scrapped we will be at the mercy of banks and their immoral charges. We should fight to stop cash being scrapped.


Post by zaina Fri 12 Feb 2010, 10:44 pm

You're right, cockney.
I don't know the laws in Guernsey, but I think it's not part of the EEC; possibly you could fight to keep it.
Just watch who comes in to power in Gsy in the next few years
and stand your ground as far as changes go.

Post by plimmerton811 Sat 13 Feb 2010, 2:18 am

kingcolemk wrote: Only works with a stolen card. So look after your cards!

Can work with a cloned card. A crim' does not need to steal your card, just copy the data at point of sale by swiping across a very small gadget.


Post by kingcolemk Sat 13 Feb 2010, 9:51 am

Cloning devices usually steal the pin as well when you enter it on the rigged terminal.
