
Thread: Chip and PIN

  1. #1

    Chip and PIN

    http://www.chipandpin.co.uk/
    I have been thinking more about why chip and PIN is useless; it also just introduces a bigger security issue to the credit card authentication process.

    The Process
    First of all, chip and PIN requires the user to insert their card into the retailer's reader. The user is required to enter their PIN into the device, then the reader calls up a database at the credit card company to confirm that the user is indeed the authorized user (cardholder). After the process is completed, the card and a receipt are given back to the user. So the only advantage of chip and PIN is that, since the retailer doesn't check the cardholder's signature 95% of the time, this can confirm that this is the real cardholder.

    The Problem
    Basic attack
    If the reader has been tampered with by the untrusted retailer, they can insert 3 modifications into the device: 1) memory storage, 2) rewiring the card-reading input to cache the result in the memory storage (simply rewire the circuit so you can do a man-in-the-middle attack), 3) another wire to the number pad, cached to the memory storage too.

    The attacker can now read the memory storage after a whole day's or month's results. Now the attacker can clone the same card, which doesn't even need to look like the original, and walk to different ATMs to get the money out, without the risk of getting caught the usual way (walking inside shops, or online purchases).

    Advanced attack
    The attacker can pose as a maintainer (reader technician) and walk inside shops or other retailers and swipe the reader. They can add a dialer module which will dial out to a different number, which holds a database that collects the results every time the reader calls the credit card company to do the authentication.

    What do you think?

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Tampered card readers have been done before. I know of a few cases here in Holland.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Originally posted here by SirDice
    Tampered card readers have been done before. I know of a few cases here in Holland.
    Is it the same Chip and PIN reader we are talking about?

  4. #4
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    These devices are called "chupa-cabras" in some countries.

    They are easy to make and easy to install (the attacker modifies the card reader entry, fitting a clone device on the front of the original reader. The client just thinks that it is a 'different' card reader).

    But for this kind of attack to be effective (effective = bring $$$$), the attacker must clone a lot of cards. So financial companies can trace all fake transactions back to the origin (where the chupa-cabra was installed) and catch the thief.

    If you clone just one card, no one will get you.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
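
The trace-back described in the post above is usually called common point-of-purchase analysis. The sketch below is an added example, not part of the thread: the card and terminal IDs, days, thresholds and function name are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (card_id, terminal_id, day) for genuine purchases.
PURCHASES = [
    ("card-A", "T-100", 1), ("card-A", "T-207", 2), ("card-A", "T-311", 5),
    ("card-B", "T-207", 2), ("card-B", "T-450", 3), ("card-B", "T-100", 4),
    ("card-C", "T-207", 4), ("card-C", "T-100", 6),
    ("card-D", "T-311", 1), ("card-D", "T-450", 2),
    ("card-E", "T-100", 3), ("card-E", "T-450", 7),
    ("card-F", "T-207", 3), ("card-F", "T-311", 6),
    ("card-G", "T-100", 2), ("card-G", "T-450", 4),
    ("card-H", "T-311", 3), ("card-I", "T-450", 5), ("card-J", "T-100", 6),
]
# Constructed fraud reports: card_id -> day of the first disputed transaction.
FRAUD_REPORTS = {"card-A": 9, "card-B": 8, "card-C": 10, "card-F": 9}


def common_points(purchases, fraud_reports, lookback_days=14,
                  min_cards=3, min_lift=2.0):
    """Rank terminals that are over-represented in the pre-fraud history of
    compromised cards, compared with their share of all cards."""
    used_by = defaultdict(set)     # terminal -> every card seen there
    hit_by = defaultdict(set)      # terminal -> compromised cards seen before fraud
    all_cards = set()
    for card, terminal, day in purchases:
        all_cards.add(card)
        used_by[terminal].add(card)
        fraud_day = fraud_reports.get(card)
        if fraud_day is not None and fraud_day - lookback_days <= day < fraud_day:
            hit_by[terminal].add(card)
    victims = set(fraud_reports) & all_cards
    if not victims:
        return []
    ranked = []
    for terminal, hits in hit_by.items():
        victim_rate = len(hits) / len(victims)
        base_rate = len(used_by[terminal]) / len(all_cards)
        lift = victim_rate / base_rate   # >1 means more victims than chance
        # A busy terminal sees many victims by chance; lift filters that out.
        if len(hits) >= min_cards and lift >= min_lift:
            ranked.append((terminal, len(hits), round(lift, 2)))
    return sorted(ranked, key=lambda r: (-r[1], -r[2]))
```

With the default thresholds only T-207 is returned; T-100 was visited by three of the four victims but is popular with everyone, so its lift stays near 1.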

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by hongkongdragon
    Is it the same Chip and PIN reader we are talking about?
    Same idea. In Holland, bank cards all have PIN numbers (to get money from ATMs and to pay in stores). The CHIP is used with small amounts of cash (no need for a PIN when paying but you need a PIN to 'upgrade' the amount of money on the card).

    Credit cards aren't used very much in Holland.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    http://news.bbc.co.uk/1/hi/business/4108433.stm

    This is so unfair. He copied my work and sent it to the BBC!!

  7. #7
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    Haven't read the article; I assume it's the bloke from the Cambridge University tamper research that was the front-page story this weekend in the Telegraph. It's all old stuff, it's just common sense; the basics of this security mechanism have been overlooked or left to trust, which is inherently bad in my mind.

    Anyway, it's bad to bring up old threads; might have been an idea to start a new one, but then who knows...

    i2c

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Your argument is only valid if the chip & pin cards worked like the old cards.

    The chip & pin cards are NOT magnetic strip cards and cannot be cloned on to cheap blanks. I'm not sure if they can be cloned at all - if so, then you need some pretty serious hardware to do so.

    Granted, if your card doesn't work, the retailer just enters the card number instead - but that will be abandoned soon.

    The only way then is to physically steal your card. This is less effective because:
    - People generally cancel stolen cards
    - You need to get the PIN for the same card you stole
    - Previously, it was easy to use a stolen card as all you had to do was simulate the faint, blurred signature on the back.

    Slarty

  9. #9
    rebmeM roineS enilnOitnA
    Join Date
    Jul 2003
    Posts
    1,021
    According to various events I've been to on Chip & PIN, one of the major security features is that it isn't possible to clone the card based on connections to the pads on the surface. A card can be programmed from the pads, but not enough can be read to programme another.

    Thus it is possible with expensive hardware to manufacture cards from scratch, but the minute an authorisation is sought (and most retailers will set their limits to 0) the card will be declined since, although it will be a correctly manufactured card, it will not validate against the correct card for the same number.

    HTH
    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
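
A simplified model of the issuer-side check described in the post above, as an added example that is not part of the thread: the chip holds a per-card key that is never returned to the reader, and the issuer recomputes a MAC over each transaction. HMAC-SHA256 stands in for the real card cryptogram algorithm, the counter check for a resent message goes beyond what the post describes, and every name, number and message field here is constructed.

```python
import hashlib
import hmac
import os

def _mac(key, pan, amount, counter, nonce):
    msg = f"{pan}|{amount}|{counter}".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class Chip:
    """Card chip model: the key is used on-chip and never handed out."""
    def __init__(self, pan, key):
        self.pan = pan        # card number, readable by any terminal
        self._key = key       # per-card secret, not readable through the pads
        self._counter = 0     # transaction counter

    def sign(self, amount, nonce):
        self._counter += 1
        return self._counter, _mac(self._key, self.pan, amount, self._counter, nonce)

class Issuer:
    def __init__(self):
        self._keys = {}       # pan -> key written into the genuine card
        self._seen = {}       # pan -> highest counter accepted so far

    def issue(self, pan):
        self._keys[pan], self._seen[pan] = os.urandom(32), 0
        return Chip(pan, self._keys[pan])

    def authorise(self, pan, amount, nonce, counter, tag):
        key = self._keys.get(pan)
        if key is None:
            return "DECLINE unknown card"
        if not hmac.compare_digest(_mac(key, pan, amount, counter, nonce), tag):
            return "DECLINE cryptogram mismatch"
        if counter <= self._seen[pan]:
            return "DECLINE replayed counter"
        self._seen[pan] = counter
        return "APPROVE"

def demo():
    issuer = Issuer()
    genuine = issuer.issue("0000111122223333")       # constructed number
    lookalike = Chip(genuine.pan, os.urandom(32))    # same number, its own key
    nonce = os.urandom(8)
    ctr, tag = genuine.sign(1999, nonce)
    first = issuer.authorise(genuine.pan, 1999, nonce, ctr, tag)
    again = issuer.authorise(genuine.pan, 1999, nonce, ctr, tag)  # same message resent
    ctr2, tag2 = lookalike.sign(1999, nonce)
    return first, again, issuer.authorise(genuine.pan, 1999, nonce, ctr2, tag2)
```

`demo()` returns the issuer's decision for the genuine card, for the same message sent a second time, and for a correctly built card that carries the right number but not the issuer's key.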

  10. #10
    Originally posted here by slarty
    Your argument is only valid if the chip & pin cards worked like the old cards.

    The chip & pin cards are NOT magnetic strip cards and cannot be cloned on to cheap blanks. I'm not sure if they can be cloned at all - if so, then you need some pretty serious hardware to do so.

    I just want to point out that a magnetic strip card can be cloned or even have its data modified, whereas a smart card can only be cloned.
