
not IoffL or broadband material - chip card PIN possibly compromised

  • 28-02-2008 11:55pm
    #1
    Registered Users, Registered Users 2 Posts: 4,051 ✭✭✭


    http://www.cl.cam.ac.uk/research/security/banking/ped/

    PIN Entry Device (PED) vulnerabilities

    by Saar Drimer, Steven J. Murdoch and Ross Anderson
    Executive summary

    In Chip & PIN card transactions, customers insert their card and enter their PIN into a PIN Entry Device (PED). We have demonstrated that two popular PEDs, the Ingenico i3300 and Dione Xtreme, fail to adequately protect card details and PINs. Fraudsters, with basic technical skills, can record this information and create fake cards which may be used to withdraw cash from ATMs abroad, and even some in the UK. These failures are despite the terminals being certified secure under the Visa approval scheme, and in the case of the Ingenico, the Common Criteria system. Our results expose significant failings in the entire evaluation and certification process.
    Background

    The UK banking industry chose to deploy Chip & PIN cards that do not encrypt the data exchanged between the card and the PED during a transaction. By tapping these communications, fraudsters can obtain the PIN and create a magnetic strip version of the card to make ATM withdrawals in the UK and abroad. We examined two of the most popular PEDs used in the UK and found that cardholders are exposed to simple and cheap attacks.

    Our investigations of why this failure took place also discovered flaws in the certification system which is supposed to protect customers. Overall responsibility for certification lies with the banking industry itself and the process of evaluation is hidden from the public. Despite our findings, none of the PEDs we examined are to be removed from service.

    The full results of our study are to be published at the IEEE Symposium on Security and Privacy. An extended version of our paper is available online as technical report UCAM-CL-TR-711: "Thinking inside the box: system-level failures of tamper proofing". The key findings are summarised in our press release. Our work was featured on Newsnight, BBC2, 26 February 2008. A video of the segment is also available.

    Following our November 2007 notification, in February 2008, we asked APACS, GCHQ, Visa, Ingenico, and Verifone a number of questions. Ingenico did not reply. The responses we did receive are:

    * APACS
    * GCHQ (which referenced a press release)
    * Verifone (Dione)
    * Visa

    [snip]


Comments

  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    bealtine wrote: »
    Fraudsters, with basic technical skills, can record this information and create fake cards which may be used to withdraw cash from ATMs abroad, and even some in the UK. These failures are despite the terminals being certified secure under the Visa approval scheme, and in the case of the Ingenico, the Common Criteria system. Our results expose significant failings in the entire evaluation and certification process.

    This has been known for some time. As it happens, dial-up chipNpin terminals and inline MP3 recorders are the main problem.

    With BB one can run heavier crypto that is not as susceptible to listening by an inline MP3 recorder.


  • Registered Users, Registered Users 2 Posts: 3,889 ✭✭✭cgarvey


    Moved IoffL > Security


  • Closed Accounts Posts: 1,444 ✭✭✭Cantab.


    Yeah, it's time to implant a chip in everyone's right arm.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    The EMV credit card system security is totally compromised in Ireland with pea brain customers who can’t remember a PIN being allowed to sign for the transaction instead. Not to mention retailers grabbing the card to skim the magnetic stripe, making your card details a security risk on their (probably) poorly secured POS computer system. Might as well not have EMV cards in Ireland and go back to 1970s style mag stripe cards.

    In France, where we have had smart payment cards for 15 years, and one of the lowest payment card fraud rates in the world, one is obliged to report any misuse of payment cards to one’s local police station, where a copy of the written report goes to the bank who issued the card. And in France, the communications between your EMV card chip and the bank payment processing device are encrypted.

    You wouldn't let a shop assistant fiddle with your wallet or purse - why let the retailer touch your payment card or the data on it?

    .probe

    www.emvco.com


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,596 Mod ✭✭✭✭Capt'n Midnight


    probe wrote:
    In France, where we have had smart payment cards for 15 years, and one of the lowest payment card fraud rates in the world, one is obliged to report any misuse of payment cards to one’s local police station, where a copy of the written report goes to the bank who issued the card. And in France, the communications between your EMV card chip and the bank payment processing device are encrypted.
    They also trialled thumb prints with cards, and fraud dropped even lower.

    How much do they save per card by not using the more secure system?
    Is it even 50c per card?


  • Registered Users, Registered Users 2 Posts: 4,051 ✭✭✭bealtine


    probe wrote: »
    The EMV credit card system security is totally compromised in Ireland with pea brain customers who can’t remember a PIN being allowed to sign for the transaction instead. Not to mention retailers grabbing the card to skim the magnetic stripe, making your card details a security risk on their (probably) poorly secured POS computer system. Might as well not have EMV cards in Ireland and go back to 1970s style mag stripe cards.



    www.emvco.com

    Well, Carte Bleue was allegedly "cracked" 10 years ago or so by some guy who demonstrated how easy the system was to crack. The response of the French authorities was to arrest and jail the hacker and silence all mention of the hack. It was a complex enough hack, but it did show that no system is as secure as the designers think it is... complacency is the most dangerous position of all to take.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    bealtine wrote: »
    Well, Carte Bleue was allegedly "cracked" 10 years ago or so by some guy who demonstrated how easy the system was to crack. The response of the French authorities was to arrest and jail the hacker and silence all mention of the hack. It was a complex enough hack, but it did show that no system is as secure as the designers think it is... complacency is the most dangerous position of all to take.

    Even with the old French "carte à puce", used in the pre-EMV era, the firmware on the cards was updatable via POS terminals and ATMs. Just like Windows Update, when a security breach appeared, the fix was installed on people's cards the next time they used them.

    .probe


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    They also trialled thumb prints with cards, and fraud dropped even lower.

    How much do they save per card by not using the more secure system?
    Is it even 50c per card?

    It is somewhere between 50c and 1€ per card for the more secure chip version - depending on volume.

    Too much to bear for the Irish and British banks with their razor thin profit margins:-)

    .probe

    20-month-old "news" item on the DDA EMV cards used on the Continent:

    France promises to be the first major country to substantially roll out banking smart cards and terminals that comply with a more-secure version of EMV, the global payment standard for smart cards. France has already issued almost 700,000 cards that comply with the "dynamic data authentication" option within the EMV standard, a spokesperson for French card organization Groupement des Cartes Bancaires (CB) tells Card Technology. The CB spokesperson says member banks hope to issue 10 million DDA cards by the end of this year and 25 million by the middle of July 2007. That would be nearly half of the French banks' entire card base.

    The DDA cards store an encryption key that generates a unique number, or signature, for each transaction. This signature is read by the point-of-sale terminal, which has a corresponding encryption key, so a transaction from a counterfeit card is unlikely to be approved. The DDA technology allows banks to more securely approve transactions at the terminal without having to send the transactions over the network for authorization. Most EMV cards in circulation worldwide, including those in the UK, use less-secure "static" signatures, which can be copied onto cloned cards. Unless issuers send these transactions over the processing network for online authentication, terminals might not be able to detect fraudulent cards.

    Banks and credit card companies in other countries, including Germany, Sweden, Austria, and Japan, are issuing DDA cards, but none has as large a base of EMV-equipped POS terminals as France does. According to CB, 85% of the roughly 1 million POS terminals in France that accept bank-issued debit and credit cards support EMV. The card organization says its tests earlier this year show the extra time it takes for cards to create the unique signatures is "imperceptible" to cardholders. At the same time, CB says, the more-powerful smart card chips needed to generate the signatures have come down in price, so that DDA cards cost about the same as the less-secure cards in France. Two card suppliers, France-based Gemalto and Sagem Orga GmbH of Germany, both announced last week that they were supplying DDA cards to French banks. Silvio Stockmann, head of Sagem Orga's banking unit, expects eight French banks to issue DDA cards by September, up from the present five. (2006-07-05)

    http://www.cardtechnology.com/article.html?id=2006070569TSQ1WX
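Added example, not from this thread or from the Card Technology article: a toy model of the static-versus-dynamic authentication distinction the quoted article describes. It assumes a constructed placeholder card record and a deliberately small RSA key pair, and leaves out the issuer certificate chain and real EMV data formats; the point is only that an SDA terminal checks a fixed record-and-signature pair that can be copied, while a DDA terminal makes the card sign a fresh unpredictable number, which a copy without the private key cannot do.

```python
import hashlib
import secrets

# Toy RSA key pair, constructed for illustration only: two Mersenne primes give
# a ~92-bit modulus, far smaller than the keys real EMV cards and issuers use.
_P, _Q = 2**31 - 1, 2**61 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent: genuine card only

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:          # signer side, needs D
    return pow(_digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:   # terminal side, needs only (N, E)
    return pow(sig, E, N) == _digest(data)

# Constructed placeholder for the card's static data (PAN, expiry, ...).
STATIC_DATA = b"PAN=0000000000000000;EXP=0000"
SDA_SIGNATURE = sign(STATIC_DATA)      # issuer signs once, at personalisation

def sda_terminal_accepts(record: bytes, sig: int) -> bool:
    """SDA: the terminal checks a fixed (record, signature) pair, so a copy
    of both taken from a genuine card is indistinguishable from it."""
    return verify(record, sig)

def dda_terminal_accepts(card_sign, nonce=None) -> bool:
    """DDA: the terminal sends a fresh unpredictable number and the card must
    sign it together with its static data; only a card holding D can answer."""
    nonce = secrets.token_bytes(4) if nonce is None else nonce
    return verify(STATIC_DATA + nonce, card_sign(nonce))

def genuine_card_sign(nonce: bytes) -> int:
    return sign(STATIC_DATA + nonce)

class ClonedCard:
    """Has the readable card data but not D: it can only replay an old signature."""
    def __init__(self, observed_nonce: bytes):
        self.replay = genuine_card_sign(observed_nonce)
    def sign(self, nonce: bytes) -> int:
        return self.replay

def demo() -> dict:
    clone = ClonedCard(b"\x00\x00\x00\x01")
    return {
        "sda_genuine": sda_terminal_accepts(STATIC_DATA, SDA_SIGNATURE),
        "sda_clone": sda_terminal_accepts(STATIC_DATA, SDA_SIGNATURE),
        "dda_genuine": dda_terminal_accepts(genuine_card_sign),
        "dda_clone": dda_terminal_accepts(clone.sign),
    }
```

The "sda_clone" check is the same call as "sda_genuine" on purpose: an SDA terminal has nothing with which to tell the two apart, which is why the article says such transactions must go online to be caught.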

