Chip and PIN system proven to be flawed

Cees Binkhorst ceesbink at XS4ALL.NL
Wed Feb 24 23:41:13 CET 2010


REPLY TO: D66 at nic.surfnet.nl

Withdrawing money with a PIN is safe only at an ATM, with either a
debit or a credit card.

Use at any point of sale is unsafe, because there the normal PIN
transaction can be changed by software, unnoticed by the user, into a
card+signature transaction in the data traffic between the PIN terminal
and the bank computer.

Regards / Cees

EDRi-gram newsletter - Number 8.4, 24 February 2010
============================================================
8. Chip and PIN system proven to be flawed
============================================================

According to research performed by a group of experts from the
Computer Laboratory of Cambridge University, the Chip and PIN system is
flawed, allowing criminals to use stolen credit and debit cards without
knowing the correct PIN.

The thieves can easily create a device to intercept and modify
communications between a card and a point-of-sale terminal, making
the terminal believe the PIN was correctly verified when actually any
PIN could be entered and the transaction would be accepted.

"The flaw is that when you put a card into a terminal, a negotiation
takes place about how the cardholder should be authenticated: using a
PIN, using a signature or not at all. This particular subprotocol is not
authenticated, so you can trick the card into thinking it's doing a
chip-and-signature transaction while the terminal thinks it's
chip-and-PIN. The upshot is that you can buy stuff using a stolen card
and a PIN of 0000 (or anything you want). We did so, on camera, using
various journalists' cards. The transactions went through fine and the
receipts say 'Verified by PIN'," said Professor Ross Anderson, one of the
researchers.

The attacks can succeed against cards used online (a merchant POS
contacting the bank) and offline, for any amount of money, and apply to
bank schemes based on EMV (Europay, MasterCard, Visa). They would not
work at ATMs or with cards that have already been cancelled by the bank.

The research conclusion is that the attacks are possible due to "a lack
of authentication on the PIN verification response, coupled with an
ambiguity in the encoding of the result of cardholder verification as
included in the TVR (Terminal Verification Results)".

The main problem is that banks refuse to refund victims of this type of
attack because they state that a card cannot be used without the
correct PIN, which, as the paper shows, is not true.

"This is not just a failure of bank technology. It's a failure of bank
regulation. The ombudsman supported the banks and the regulators have
refused to do anything. They were just too eager to believe the banks,"
stated Anderson.

Chip and PIN is broken (11.02.2010)
http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

Chip and PIN is Broken (draft for the 2010 IEEE Symposium on Security
and Privacy)
http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

Cambridge researchers show that the Chip and PIN system is vulnerable to
fraud (11.02.2010)
http://www.cl.cam.ac.uk/research/security/banking/nopin/press-release.html

Chip and pin card readers fundamentally flawed (11.02.2010)
http://www.telegraph.co.uk/science/science-news/7215920/Chip-and-pin-card-readers-fundamentally-flawed.html

Chip and PIN is broken, say researchers (11.02.2010)
http://news.zdnet.co.uk/security/0,1000000189,40022674,00.htm

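Added example, not part of the original message or the EDRi-gram article: a simplified issuer-side check that compares what the terminal reports about cardholder verification with what the card itself recorded, which is the disagreement the unauthenticated negotiation described above allows. The CVM Results layout (tag 9F34) follows the EMV specification rather than this page; `AuthRequest`, `card_saw_pin_verified` and `issuer_decision` are hypothetical names, and the card's view is assumed to be already decoded from card-authenticated data, whose real encoding is issuer-specific.

```python
from dataclasses import dataclass

# CVM Results (EMV tag 9F34), 3 bytes reported by the terminal:
#   byte 1 = method performed (low 6 bits), byte 3 = result.
OFFLINE_PIN_METHODS = {0x01, 0x03, 0x04, 0x05}  # PIN checked by the card itself
RESULT_SUCCESSFUL = 0x02


@dataclass
class AuthRequest:
    cvm_results: bytes           # terminal's view, as received by the issuer
    card_saw_pin_verified: bool  # card's view (hypothetical, pre-decoded field)


def terminal_claims_offline_pin(cvm_results: bytes) -> bool:
    if len(cvm_results) != 3:
        raise ValueError("CVM Results must be exactly 3 bytes")
    method = cvm_results[0] & 0x3F  # drop the two flag bits
    return method in OFFLINE_PIN_METHODS and cvm_results[2] == RESULT_SUCCESSFUL


def issuer_decision(req: AuthRequest) -> str:
    claims_pin = terminal_claims_offline_pin(req.cvm_results)
    if claims_pin and not req.card_saw_pin_verified:
        return "decline: terminal reports PIN verified, card does not"
    if req.card_saw_pin_verified and not claims_pin:
        return "review: card reports PIN verified, terminal does not"
    return "consistent"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "genuine chip-and-PIN": AuthRequest(bytes.fromhex("410302"), True),
    "views disagree": AuthRequest(bytes.fromhex("410302"), False),
    "chip-and-signature": AuthRequest(bytes.fromhex("1e0300"), False),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name}: {issuer_decision(req)}")
```

The check only helps if the card's view reaches the issuer inside data the card has authenticated; a terminal-supplied field alone cannot be trusted for this comparison.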