Chip and PIN
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Chip and PIN

  1. #1
    Banned
    Join Date
    Feb 2004
    Posts
    29

    Chip and PIN

    http://www.chipandpin.co.uk/
    I have been thinking more why chip and pin is useless, also it just introduce a bigger security issue to the credit card authentication process.

    The Process
    First of all, chip and pin require the user to insert their card into the retailer's reader. The user will require to press their pin number into the device, then the reader will call up a database of credit card company to get confirm that the user is indeed the authorized user (card holder). After the process is completed the card and a receipt is given back to the user. So only advantage of chip and Pin is that, since retailer doesn't check the cardholder's signature 95% of the time. This can confirm that this is the real cardholder.

    The Problem
    Basic attack
    If the reader have been tampered by either the untrusted retailer. They can insert 3 modification into the device. Such as 1) memory storage 2) rewired the Card reading input and cache the result into the memory storage (simply rewired the circuit so you can do Man in Middle Attack), 3) Another wire to the Number pad and cache the memory storage, too.

    The attacker can now read the memory storage after a whole day more month's result. Now the attacker can clone the same card, which doesn't even need to look like the original and walk to different ATM to get the money out, without the risk of the usual way of getting caught (Walk inside shops, or online purchase)

    Advance Attack
    The attacker can post as a maintainer (reader technician) and walk inside shops or other retails and swipe the reader. They can add a dialer module which will dial out to a different number, which holds a database that collect the results every time the reader calls credit card company to do the authentication.

    What do you think?

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Tampered cardreaders have been done before. I know of a few cases here in Holland.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Banned
    Join Date
    Feb 2004
    Posts
    29
    Originally posted here by SirDice
    Tampered cardreaders have been done before. I know of a few cases here in Holland.
    Is it the same Chip and PIN reader we are talking about?

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    this devices are called on some countries as "chupa-cabras".

    they are easy to do and easy to install (attacker use to modify card reader entry, adapting clone device in the front of original reader. Client just think that is a 'diferent card reader)

    But for this kind of attack, to be effective (effective = bring $$$$), attacker must clone a lot of cards. So, financial companies can trace back all fake transactions back to origin (where the chupa-cabra was installed) and catch the thief.

    if you clone just one card, no one will get you.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by hongkongdragon
    Is it the same Chip and PIN reader we are talking about?
    Same idea. In Holland, bankcards all have PIN numbers (to get money from ATMs and to pay in stores). The CHIP is used with small amounts of cash (no need for a PIN when paying but you need a PIN to 'upgrade' the amount of money on the card).

    Creditcards aren't used very much in Holland.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Banned
    Join Date
    Feb 2004
    Posts
    29
    http://news.bbc.co.uk/1/hi/business/4108433.stm

    This is so unfair. He copied my work and send it to the BBC!!

  7. #7
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    havent read the article assume its the bloke from the cambridge university tamper reasearch that was the front page story this weekend on the Telegraph, its all old stuff its just common sense the basics of this security mechanism have been overlooked or left to trust which is inheritly bad in my mind.

    anyway its bad to bring up old threads, might have been an idea to start a new one,. but then know whos...

    i2c

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Your argument is only valid if the chip & pin cards worked like the old cards.

    The chip & pin cards are NOT magnetic strip cards and cannot be cloned on to cheap blanks. I'm not sure if they can be cloned at all - if so, then you need some pretty serious hardware to do so.

    Granted, if your card doesn't work, the retailer just enters the card number instead - but that will be abandoned soon.

    The only way then is to physically steal your card. This is less effective because:
    - People generally cancel stolen cards
    - You need to get the PIN for the same card you stole
    - Previously, it was easy to use a stolen card as all you had to do was simulate the faint, blurred signature on the back.

    Slarty

  9. #9
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    According to various events I've been to on Chip & Pin one of the major security features is that is isn't possible to clone the card based on a connections to the pads on the surface. A card can be programmed from the pad, but not enough can be read to programme another.

    Thus it is possible with expensive hardware to manufacture cards from scratch but the minute an authoriastion is sought (and most retailers will set their limits to 0) the card will be declined since although it will be a correctly manufactured card, it will not vailidate against the correct card for the same number.

    HTH
    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  10. #10
    Banned
    Join Date
    Feb 2004
    Posts
    29
    Originally posted here by slarty
    Your argument is only valid if the chip & pin cards worked like the old cards.

    The chip & pin cards are NOT magnetic strip cards and cannot be cloned on to cheap blanks. I'm not sure if they can be cloned at all - if so, then you need some pretty serious hardware to do so.

    I just want to point out, Magnetic strip card can be clone or even modified it's data, whereas Smart Card can only be clone.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •