Chip and PIN: The technology is no longer secure

Chip and PIN transaction systems were thought to be secure. The only way to bypass the technology required a stolen card and knowing the PIN. That is no longer the case.

I first learned about chip and PIN security when writing a piece about counterfeit credit/debit cards. The point of that article was to shed light on how cybercriminals steal financial information and, ultimately, our money. I presented a technology called MagnePrint as one possible solution. Several TechRepublic members mentioned another technology they thought was better: chip and PIN.

Chip and PIN Security

Chip and PIN systems were created to prevent skimming, the copying of a card's magnetic stripe. Replacing the stripe with an embedded microchip that cannot be copied the same way is supposed to eliminate that possibility, and since a purchase then needs both the card and its PIN, many consider chip and PIN a strong form of two-factor authentication. [Image of a card with an embedded chip, courtesy of Wikipedia]

Several members also mentioned that chip and PIN technology is prevalent in Europe, and that this is why cybercriminals focus more on stealing credit/debit card information in the United States. This article goes so far as to say that adoption of chip and PIN technology in the United States is inevitable for that very reason.

How it works

Customers do not see much difference when using a chipped card. A purchase works like this:

  1. At the checkout counter, the customer inserts the card into a PIN Entry Device (PED).
  2. The PED powers up the chip and reads the card's data from it.
  3. The PED checks that the card is genuine using the issuer-signed data on the chip; for an online transaction, the issuing bank also confirms a cryptogram the card produces at the end.
  4. Once the card is accepted as authentic, the customer enters the PIN on the PED keypad.
  5. The PED sends the entered PIN to the chip, and the chip, not the PED, compares it with the PIN it holds and answers whether it matched. (This is offline PIN verification, the usual method at UK point-of-sale terminals; ATMs instead send the PIN to the bank.)
  6. If the chip reports a match, the transaction goes through: the card produces a cryptogram over the transaction details, which the PED forwards to the bank for authorization.

So, what's the problem? Quite simply, it's the cost. The article mentions that:

"The card issuers cite the enormous cost of rolling out chip and PIN technology, estimated to be around $5.5 billion, and they rest safe in the knowledge that it is the merchants in the U.S., and not the card issuers, who are responsible for the financial costs of credit card fraud."

Not quite perfect

I have been studying chip and PIN technology for a while now. It obviously makes it more difficult to obtain a person's financial information. But it's not perfect. My first inkling of this came from watching the BBC news report Chip and PIN 'security risk'.

Basically, the PED hardware was tampered with, allowing the criminal to capture the card's data and the PIN digitally. The traffic between the card and the PED was not encrypted, so a tap on that interface saw everything in the clear. Still, the PED has to be physically altered for this attack to work, making it a risky endeavor for the attacker.

New flaw

The same University of Cambridge research team that uncovered the PED hardware flaw recently discovered a new problem with chip and PIN technology. Professor Ross Anderson, a member of the team, points out its seriousness:

"We think this is one of the biggest flaws that we've uncovered - that has ever been uncovered - against payment systems, and I've been in this business for 25 years."

Susan Watts of the BBC presented a report on the research called New flaws in chip and PIN systems revealed. Unbelievably, a transaction can be completed without knowing the PIN. To explain, let's step through the attack:

  1. The attacker obtains a stolen credit/debit card.
  2. The stolen card is inserted into the attacker's own card reader, which is connected to a notebook computer.
  3. Also connected to the notebook is hardware that drives a fake card through a cable.
  4. The criminal starts the payment by inserting the fake card into the store's PED.
  5. The PED accesses what it believes is the card's chip to verify the card's authenticity; the notebook relays these messages to the genuine stolen card, which answers them correctly.
  6. The PED asks for the PIN via its display screen.
  7. The criminal enters any four digits; it does not matter which.
  8. When the PED sends the entered PIN toward the card, the attacker's hardware intercepts it and answers the PED with the "PIN verified" response itself, never forwarding the PIN to the real card. The PED now believes the correct PIN was entered, while the card, which was never asked to check a PIN, assumes the terminal used a signature or no cardholder verification at all, and completes the transaction.

If you get a chance, watch the video in the documentary. It shows a simulated transaction, and the Cambridge researchers explain how they accomplished the attack. [Illustration and photograph of the equipment used to carry out the attack, courtesy of the University of Cambridge research team]

If I understand correctly, the PIN check involves only the card's chip and the PED: the PED sends the entered PIN to the chip and trusts the chip's yes-or-no answer. The researchers leveraged that trust to create a man-in-the-middle attack. The research team's paper Chip and PIN is broken (pdf) explains:

"A man-in-the-middle device, which can intercept and modify the communications between card and terminal (PED), can trick the terminal into believing that PIN verification succeeded without actually sending the PIN to the card.

A dummy PIN must be entered, but the attack allows anyone to be accepted. The card will then believe that the terminal did not support PIN verification, and has either skipped cardholder verification or used a signature instead. Because the dummy PIN is never sent to the card, the PIN retry counter is not altered."
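To make the exchange concrete, here is a small simulation of the offline PIN check from the six-step purchase described under "How it works" and of the man-in-the-middle trick the paper describes. This is an added example written for this page, not code from the Cambridge team or from any EMV implementation. The messages are simplified stand-ins for the EMV VERIFY and GENERATE AC commands, the card-to-issuer key and the sample PIN are constructed, and the issuer-side consistency check at the end (comparing what the terminal reports about PIN verification with what the card records in its cryptogram data) is included as an assumed defence in the spirit of what the paper discusses, not as a description of any bank's actual processing.

```python
"""Simulation of the offline PIN exchange and of the man-in-the-middle trick
described above.  Constructed example: the messages are simplified stand-ins
for the EMV VERIFY and GENERATE AC commands, and the issuer check at the end
is one assumed defence, not a description of any bank's actual system."""
import hashlib
import hmac

SW_OK = 0x9000          # status word a real card returns when the PIN matches
SW_PIN_WRONG = 0x63C0   # 63Cx: wrong PIN, low nibble = tries remaining


class Card:
    """The genuine (stolen) chip card.  It holds the PIN and a key shared
    with the issuer (the key-sharing arrangement is assumed here)."""

    def __init__(self, pin, issuer_key, tries=3):
        self.pin = pin
        self.key = issuer_key
        self.tries_left = tries
        self.pin_verified = False

    def send(self, command, argument):
        if command == "VERIFY":
            if self.tries_left == 0:
                return 0x6983            # PIN blocked
            if argument == self.pin:
                self.pin_verified = True
                return SW_OK
            self.tries_left -= 1         # retry counter only moves if the
            return SW_PIN_WRONG | self.tries_left   # PIN actually reaches the card
        if command == "GENERATE_AC":
            # The card records the cardholder verification it actually saw.
            # Having received no VERIFY, it assumes signature or no verification.
            cvm = "PIN" if self.pin_verified else "SIGNATURE_OR_NONE"
            msg = f"{argument}|{cvm}".encode()
            mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
            return {"amount": argument, "card_cvm": cvm, "cryptogram": mac}
        raise ValueError(command)


class Mitm:
    """Attacker's hardware between the PED and the card: it answers VERIFY
    itself and forwards everything else to the real card."""

    def __init__(self, card):
        self.card = card

    def send(self, command, argument):
        if command == "VERIFY":
            return SW_OK                 # the entered PIN is never sent to the card
        return self.card.send(command, argument)


def terminal_pay(link, amount, entered_pin):
    """What the PED does: ask the card to verify the PIN, then request the
    cryptogram that goes to the bank.  It trusts the yes-or-no answer."""
    if link.send("VERIFY", entered_pin) != SW_OK:
        return {"approved": False, "terminal_cvm": "PIN", "ac": None}
    ac = link.send("GENERATE_AC", amount)
    return {"approved": True, "terminal_cvm": "PIN", "ac": ac}


def issuer_authorise(issuer_key, terminal_cvm, ac):
    """Issuer side (assumed defence): verify the cryptogram, then check that
    the terminal's account of PIN verification agrees with the card's."""
    msg = f"{ac['amount']}|{ac['card_cvm']}".encode()
    expected = hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ac["cryptogram"]):
        return "declined: bad cryptogram"
    if terminal_cvm != ac["card_cvm"]:
        return "declined: terminal and card disagree on PIN verification"
    return "approved"


def run_transaction(entered_pin, attack=False, amount=100):
    """Run one purchase honestly or through the MITM and report what each
    party ends up believing."""
    key = b"issuer-key-for-this-card"    # constructed sample key
    card = Card(pin="1234", issuer_key=key)   # constructed sample PIN
    link = Mitm(card) if attack else card
    result = terminal_pay(link, amount, entered_pin)
    issuer = "not sent"
    if result["ac"] is not None:
        issuer = issuer_authorise(key, result["terminal_cvm"], result["ac"])
    return {
        "terminal_approved": result["approved"],
        "card_cvm": result["ac"]["card_cvm"] if result["ac"] else None,
        "pin_tries_left": card.tries_left,
        "issuer": issuer,
    }


if __name__ == "__main__":
    for label, pin, attack in [("honest, right PIN", "1234", False),
                               ("honest, wrong PIN", "0000", False),
                               ("MITM, wrong PIN", "0000", True)]:
        print(label, run_transaction(pin, attack))
```

Run it and the third case shows the paper's point: the terminal approves, the card reports that no PIN was verified, and the retry counter stays at three because the dummy PIN never reached the card. Whether the issuer catches the mismatch depends entirely on whether it compares the two accounts of the transaction.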

What's next

One of the reasons I have been following chip and PIN technology, is to see if and when it will be adopted in the United States. I asked Professor Anderson about this and his response was:

"I'll be talking about EMV (chip and PIN standard) at the Federal Reserve Bank's conference in New York on April 1st. I'll be arguing the Fed should insist that the EMV specification be fixed before they allow its introduction in the United States.

The vendors are keen enough to sell the technology in the USA, where the card payment market is worth billions. If the result is a much improved EMV 5.0, then it will presumably come here to Europe in due course."

One other area of concern I found interesting is the transition credit/debit card. If the chip and PIN system gains traction, not every merchant will have the right PED immediately. According to the research team's paper, this opens another attack avenue.

If a chip and PIN card keeps a magnetic stripe as a fallback for merchants that cannot read the chip, the stripe can still be skimmed and cloned, and the cloned data remains usable wherever swiping is accepted, even after the cardholder has moved to the official chip and PIN card.

Final thoughts

I am not sure where I read this, but it has a lot of "street cred":

"The whole purpose behind security is to make it more difficult so thieves will go somewhere else as well as eliminating amateurs. Still no matter what you develop, there's going to be someone who's going to find a way around it."

I would like to thank Professor Anderson for taking the time to make a complex subject less so.

Update: A member was kind enough to point me to where I found the above quote. Here is the link to the Claes Bell article. I also edited the post, changing PEN to the correct acronym PED, my apologies.


175 comments
johnandry

Are RFID-Enabled Credit Cards Safer Than Magstripe Cards?

Strawk

Step 8 in your outline of the attack process is both misleading and incorrect. I am wondering if you did that on purpose out of a sense of not giving the details away to potential criminals. That would be surprising as the Cambridge paper, that you have conveniently linked to, describes it rather well. When an arbitrary PIN is entered at the PED this is not given to the authentic chip and PIN card. The PIN OK code is sent to the PED by the MITM. The PED, which is now under the illusion that a correct PIN was actually used, sends the "GENERATE AC" command to the chip and PIN card. The chip and PIN card now assumes a signature was used rather than a PIN and completes a response to that command. Nowhere is there a check about the inconsistency between the PED's and chip and PIN card's understanding of how the transaction was done. There was also a hint of misunderstanding in the BBC documentary right at the end. The PIN is never sent to the issuing bank. Therefore, the bank cannot check if the PIN given was valid or not.

pcousin

I think MagnePrint is a very good alternative to chip&PIN. We have deployed MagnePrint in our 1000-ATM network here in Santiago, Chile (BCI bank); we have eliminated fraud with skimmed cards.

marckee

Were they using online (immediately seeks authentication) or offline (seeks authentication later)? Some European countries tend to use more offline authentication (whereas North America uses more online) so I would figure one would just need to fool the PED to get away with a fraudulent transaction. Would this work if an online authentication is needed? I had the unfortunate experience of learning there are two PINs on a chip & PIN card (at least that's what the 2nd level support at my bank told me.) The first PIN is for online authentication while the 2nd was for offline authentication. They are supposed to be kept in sync but somehow I was able to get mine out of sync (as the bank lacked the proper procedures when I was changing PINs.) It left me in Paris with 100 Euros of chocolate in my hands and a chip & PIN card which would not pass the offline authentication.

mirry101

I live in the UK and we use the described chip and PIN technology. What I find really weird about the discussed flaw is: how exactly would the attacker explain connecting a store's PIN reader to his own computer? It still remains a safe way of payment, but it does have a weakness. It prints out the card information along with its expiry date on the merchant's copy of the card receipt. Staff working at the store can then read the last three digits on the back of the card and, if they live in a small town like I do, obtain the card owner's address, and no one can stop you in the internet shops. Fraud 101.

tundraroamer

Why not embed a current image of your smiling face on the chip? Run the card, your face shows up and the cashier has to verify it's you. Additionally, you could also use a pin number. Some logistical problems with getting your image on the chip but a few ideas are very possible. The image would have to be updated with each card renewal.

marckee

"The card issuers cite the enormous cost of rolling out chip and PIN technology, estimated to be around $5.5 billion, and they rest safe in the knowledge that it is the merchants in the U.S., and not the card issuers, who are responsible for the financial costs of credit card fraud." Out of curiosity, how much money do you think the retailers in the USA spend over a 5-7 year period replacing old point-of-sale devices with new ones? This replacement is because of wear-and-tear, new features, security enhancements etc... and is part of the retailer hardware upgrade cycle and nothing new to them. The additional costs chip+pin (EMV for Europay-MasterCard-Visa - very original naming by-the-way) will add are a significant increase in the amount of certification required across the network the financial transactions flow. It's not just the cards but the point-of-sale devices, networks, software etc... All need to be certified. On another note, how much would another technology cost to implement? $5.5 billion is an enormous amount, but how much would the next great technology cost? I'm pretty sure it will be a significant figure as well.

IDmachines

This is not a chip and PIN attack, it's a device (PED) attack; the device threat succeeds with a fish for a token.

jeff

A couple of years ago I watched an article on TV (I think it was part of a documentary about Chip and Pin) about a small group of guys who came up with a method of increasing the security of Chip and Pin systems. Their idea was to use a type of 'Challenge and Response' which could work on top of the existing systems, I cannot remember the full details but it required a simple crib sheet which had the effect of scrambling the code so you effectively typed in a different PIN each time. They did patent the idea but the banks were not interested, obviously their huge profits (at the time) were sufficient for them not to worry about the amount of loss being incurred in fraudulent transactions.

C Birchall

I live in the UK, and I have always believed that Chip & Pin was flawed from the outset. Every time I use my card in a shop (to buy fuel, groceries, etc) I no longer hand my card over to a member of staff; I am always asked to place my card in the reader and enter my PIN - the member of staff has no idea if I am using my own card or not. For example - there is nothing stopping me handing my card to my partner, she knows my PIN number and she purchases things using my card. If a member of staff actually looked at the card they would realise something was wrong as it is plainly printed Mr ... When we in the UK used to have to sign for our purchases this was not a problem. Chip & Pin has not increased security, it has decreased it.

mbnarayn

What is a PEN? I guess its PED incorrectly typed as PEN.

SecurityMoose

Experience from the UK. We use C&P all the time here now and it is about as secure as it can be without 3-factor authentication. However, there are a number of rules to follow to be as secure as possible.

  1. Go through Worldpay or Paypal for on-line transactions - if your supplier doesn't support it, don't use them.
  2. Know where your card is at all times - the moment it disappears or you think it has been compromised, call your card company (there are agencies set up to keep track of all your cards and will do this for you upon a single notification).
  3. Use reputable retail outlets with proper card readers.
  4. Do not let your card be taken away for swiping - the card readers are always brought to you, or are on the retail counter (the seller never sees you enter the number).
  5. Use a card supplier who will text you on your mobile (cell phone) if a transaction exceeds a certain amount.
  6. Use a bank who profiles your habits - if you usually take money out of a cash machine in London, say, they would alert you if there was a transaction in another country - most UK banks do this already.

If you are following this trend in the US I would recommend it as the first step to improved security - we tend to over-sensationalise things over here, so the research should be taken with a balanced view. Don't forget, "There are lies, damn lies, and statistics" (and of course, TV shows).

emenau

.... Simply because it is safer. And don't buy expensive food or goods, then you also don't have to carry an unsafe amount of money in your pocket..

.Martin.

I know in Australia that, although you may have the chip on the card (and use the chip on the card), you can still sign for the purchase. Doesn't that just remove nearly all the added security?

sura.jan

What's the problem? Is it a problem of the PIN card or a problem of the software? If it is possible not to check the PIN, it means that it is not a problem of the card and PIN but a problem of the PED software, which can be externally forced not to check the PIN = not to function! It looks like a hoax!

337

We have been utilising the sim technologies here for a while now, but what we are seeing lately is the EFTPOS machines being targeted specially, both for skimming purposes and/or what you've mentioned, I'm guessing. In a lot of cases I believe it to be skimming mainly. Something business owners want to take note of is: do not leave your POS unit on prems after hours. We have seen break-ins occur where they come, mod the POS device and leave without a trace; the unit then does its evil deeds (skimming, I gather) and reports it back to the crook in question. That, or they replace your POS terminal with an already stolen and modded one.

ct2193

The PIN and Chip flaws aren't much different from the RFID vulnerabilities. In the U.S., passports require RFID - an already vulnerable format. The passports aren't made in the U.S. and are frequently passed through risky territory during their creation, as multiple countries make different components of the completed passports. Drivers licenses ("RealID") are in the pipe that use the same RFID concepts. License plates may end up in the U.S. with RFID built in. (Something that already exists in the U.K.) Hackers exploited some of the first batches of RFID passports and soon after RFID became a mandated component for ALL U.S. passports. Technology that looks secure, knowingly is NOT secure, and is a marketing scam to profit from overpriced "security" enhancements. If we examined security features for their resilience against hackers, rather than by brand name recognition, we'd all be better off. I'd rather deal with a non-name company who can hold their own rather than some huge company who is pushing security as just another SKU.

Tony N

In Canada, the rollout of chip cards is well underway. According to an article I read, a major incentive for this is not so much to protect the card-holder, but, rather, the financial institutions: Under the old system the C Card Co. is on the hook if someone steals your card or fakes your card. I.e., when the thief uses the card, the forged signature is not yours! But, if the thief gets hold of your chip card and somehow knows your PIN, you have some 'splainin' to do to get out of paying for the fraud. How would the thief get your PIN? Besides the technique discussed above, the methods are the same as for bank debit card PINs. I was astonished to see a recent TV ad promoting and explaining the use of the chip cards: The cheerful shopper keyed in her PIN with every key-stroke plainly visible.

BugsInLondon

Maybe PIN is not quite as secure as it was, but it is still pretty good, and much better than what you have over the pond. Look at the 2 scenarios up there: 1. criminal uses a tampered device: professional criminal, probably part of an organisation, they'll be crims no matter what. And they have to persuade you to use their terminal, this was done here by gluing an add-on to ATMs. They are under 24h video surveillance, so that didn't last long. 2. crim gets your card because you lost it, or got burgled or mugged. In all three of those cases you would put a block on your card (free in Europe, don't know for ROW), which also enables tracing of the criminal using the card. I think the biggest danger right now is when using cards on the internet, not actual PIN fraud since physical access to the card is always required, and that's pretty hard to do without the owner noticing at one point. Biometrics are not great either, more expensive and don't always work, plus you can't lend your card (say to partner) unless authorised formally. Remember that $5.5 billion is nothing compared to the amount transacted, and your banks owe you after the mess they've created, so go ahead and join the XXIst century!

gnorton100

KISS (Keep It Simple Stupid). Simply reverse steps 5 and 6, and send the PIN (encrypted) along with the verification request. If the entered PIN doesn't match the PIN stored on the card issuer's server, the request is denied.

LoBlack

My husband is a CML (Certified Master Locksmith) and I am apprenticing under him in the industry. Your final thoughts about security being only a deterrent is the first lesson all locksmiths are taught. I am in the IT industry now and have been for 13 years and this lesson seems to hold true for anything security related. As long as we don't get arrogant about the systems we develop we should all be able to keep up with the changes presented. I look at it this way when you build a better mouse trap you may catch some better mice at first, but there will always be a smarter mouse out there who finds a way to the cheese.

c.walters

We need to use all three options of the multi factor authentication: 1) What you know (pin-code or password) 2) What you have (a card with a secure chip) 3) What you are (e.g. a fingerprint + a photo of yourself printed on the card) As a customer I'm willing to pick up part of the bill! (The finger print must be digitalized and be put in the chip; a special device must verify your finger print at the cashier)

matthew.r.looman

I don't have a chip card, but the majority of places I use my magstripe card require me to sign on a digital pad. Electronic validation of written signatures is possible, so why is this not a viable alternative? Could existing hardware be upgraded with software or firmware to enable a signature verification?

newcreationxavier

my-oh-my...that is d.a.n.g.e.r.o.u.s! We are in trouble men?! Let's hope we can figure a more difficult way to hamper attacks on users of this tech.

jon_saxon

At first I was told not to use my debit/credit card as a credit card because it was insecure as it didn't require a PIN or signature. Then I was told that I shouldn't use my debit/credit card as a debit card because that was insecure and the PIN and card could be duplicated with little effort. Now you tell me the next "new thing" is insecure before it even gets deployed! Frankly, I am wondering if anybody can reasonably secure anything at this point. Are we eventually going to have to rely on a kind of "one-time-use" payment system that seemed to pop up several years ago only to quickly disappear? If it costs billions to deploy a "secure transaction" system we had better make it last more than a few weeks. Businesses can't afford to buy a new system every other year.

Mark Johnson

Given a choice of PIN or signature verification I know that I prefer to use EMV to prevent fraudulent transactions. It is also useful to note that the Cambridge researchers appear to have exploited a fall-back mechanism that exists because EMV is not mandatory, and therefore the protocol has to cope with MSR cards without embedded PIN. EMV has reduced in-store fraud by about 40% but merely shifted it outside the EMV zone. That makes it clear that the fraudsters think that EMV is the tougher nut to crack.

francois.lachance

I don't know about the USA, but in Canada, where I have owned at least one card with a chip for a few years already, adoption with the merchants is very low. The problem is that the card I use will always allow itself to being used the old traditional way, with the mag-stripe. I see merchants with the right equipment, but the kids behind the counter don't want to be bothered with the "extra" work and just swipe. This is all a numbers game. I assume that it is still cheaper to incur the losses than force all merchants to upgrade their card readers to enable the use of the chip and PIN. People will typically do what's easiest, even if that means they are less secure in long run.
