Security

Chip and PIN: The technology is no longer secure

Chip and PIN transaction systems were thought to be secure. The only way to bypass the technology required a stolen card and knowing the PIN. That is no longer the case.

--------------------------------------------------------------------------------------------------------------

I first learned about Chip and PIN Security when writing a piece about counterfeit credit/debit cards. The point of the article was to shed light on how cybercriminals steal financial information and ultimately our money. I presented a technology called MagnePrint as one possible solution. Several TechRepublic members mentioned another technology that they thought was better called chip and PIN.

Chip and PIN Security

Chip and PIN systems were created to prevent skimming. Replacing the magnetic strip with an embedded microchip supposedly eliminates that possibility. In fact, many consider chip and PIN security a strong two-factor authentication. Here's what a card with an embedded chip looks like (courtesy of Wikipedia):

Several members also mentioned that chip and PIN technology is prevalent in Europe and why cybercriminals are more focused on stealing credit/debit card information in the United States. This article goes far enough to say that adoption of Chip and PIN technology in the United States is inevitable for that very reason.

How it works

Customers do not see much difference when using a chipped card. It works like this:

  1. At the checkout counter, a customer places his or her card in a PIN Entry Device (PED).
  2. The PED accesses the chip on the card.
  3. The card is then verified by the financial institution providing the card.
  4. Once the card is proven authentic, the customer enters the PIN.
  5. The PED verifies that the entered PIN matches the PIN cached on the chip.
  6. If it is a match, the transaction goes through.

So, what's the problem? Quite simply, it's the cost. The article mentions that:

"The card issuers cite the enormous cost of rolling out chip and PIN technology, estimated to be around $5.5 billion, and they rest safe in the knowledge that it is the merchants in the U.S., and not the card issuers, who are responsible for the financial costs of credit card fraud."

Not quite perfect

I have been studying chip and PIN technology for a while now. It obviously makes it more difficult to obtain a person's financial information. But it's not perfect. My first inkling of this came from watching the BBC news report "Chip and PIN 'security risk'".

Basically, the PED hardware is compromised, allowing the criminal to obtain the card's financial information and PIN digitally. For whatever reason, the transaction traffic to and from the PED was not encrypted. Still, the PED has to be physically altered for this attack to work, making it a risky endeavor.

New flaw

The same University of Cambridge research team that uncovered the PED hardware flaw recently discovered a new problem with chip and PIN technology. Professor Ross Anderson, a member of the team, points out the seriousness:

"We think this is one of the biggest flaws that we've uncovered - that has ever been uncovered - against payment systems, and I've been in this business for 25 years."

Susan Watts of the BBC presented a documentary about the research called New flaws in chip and PIN systems revealed. Unbelievably, a transaction can be completed without knowing the PIN. To explain, let's step through the attack process:

  1. The attacker obtains a stolen credit/debit card.
  2. Next, the stolen card is inserted into the attacker's card reader, which is connected to a notebook.
  3. Also connected to the notebook is some hardware that interfaces with a fake card via a cable.
  4. The criminal starts the payment process by inserting the fake card into the store's PED.
  5. The PED accesses the chip to verify the card's authenticity.
  6. Next, the PED asks the attacker for the PIN via the display screen.
  7. The criminal enters any 4 digits; it doesn't matter which.
  8. The software/hardware developed by the researchers then somehow fools the PED into believing the correct PIN was entered and a signature authorized the purchase.

If you get a chance, watch the video in the documentary. It shows a simulated transaction, and the Cambridge researchers explain how they accomplished the attack. The following illustration and picture depict the equipment used to implement the attack (courtesy of the University of Cambridge research team):

If I understand correctly, the PIN exchange only involves the card's chip and the PED. That information was leveraged by the researchers to create a Man-in-the-Middle attack. The research team's paper Chip and PIN is broken (pdf) mentions:

"A man-in-the-middle device, which can intercept and modify the communications between card and terminal (PED), can trick the terminal into believing that PIN verification succeeded without actually sending the PIN to the card.

A dummy PIN must be entered, but the attack allows anyone to be accepted. The card will then believe that the terminal did not support PIN verification, and has either skipped cardholder verification or used a signature instead. Because the dummy PIN is never sent to the card, the PIN retry counter is not altered."
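To make the "How it works" steps and the quoted passage concrete, here is a small Python model I have added to this post (it is not the EMV specification and not the Cambridge team's code). It models the chip, the PED and an issuer, plus the interposer the paper describes, which answers the terminal's PIN check itself and relays everything else. The command names, the status words, the card's report field and the two issuer functions are constructed stand-ins. The second issuer function shows the kind of reconciliation the quoted passage says is missing: it compares the terminal's claim that the PIN was verified with the card's own record of whether it verified one, and declines on a mismatch.

```python
"""Simplified model of the cardholder-verification step and of an issuer-side
consistency check that catches a card/terminal disagreement.

Added illustration only: not the EMV specification, not the research team's
code. Command names (VERIFY, GENERATE_AC), status words and the record fields
are constructed stand-ins for the real protocol.
"""
from dataclasses import dataclass

OK = "9000"          # constructed stand-in: card says "PIN accepted"
PIN_WRONG = "63C2"   # constructed stand-in: card says "PIN wrong, retries left"


@dataclass
class Card:
    """The chip: checks the PIN itself and remembers whether it did so."""
    pin: str
    retry_counter: int = 3
    pin_verified: bool = False

    def handle(self, cmd: str, data: str = "") -> str:
        if cmd == "VERIFY":
            if data == self.pin:
                self.pin_verified = True
                return OK
            self.retry_counter -= 1
            return PIN_WRONG
        if cmd == "GENERATE_AC":
            # Stand-in for the cryptogram request: the card reports its own
            # view of cardholder verification to the issuer.
            return f"AC(pin_verified={int(self.pin_verified)})"
        raise ValueError(f"unknown command {cmd}")


class Interposer:
    """Models the man-in-the-middle quoted above: answers VERIFY with OK
    without forwarding the PIN, relays everything else to the real card."""

    def __init__(self, card: Card):
        self.card = card

    def handle(self, cmd: str, data: str = "") -> str:
        if cmd == "VERIFY":
            return OK
        return self.card.handle(cmd, data)


def terminal_transaction(channel, entered_pin: str) -> dict:
    """The PED's view: asks the chip to verify the PIN, then requests the
    cryptogram, and records its own CVM result in the authorisation record."""
    status = channel.handle("VERIFY", entered_pin)
    cvm = "PIN_OK" if status == OK else "PIN_FAILED"
    cryptogram = channel.handle("GENERATE_AC")
    return {"terminal_cvm": cvm, "card_report": cryptogram}


def issuer_check_naive(record: dict) -> str:
    """Issuer that trusts the terminal's CVM result alone: the gap the paper
    points at, since nothing reconciles the two views."""
    return "APPROVE" if record["terminal_cvm"] == "PIN_OK" else "DECLINE: PIN failed"


def issuer_check_consistent(record: dict) -> str:
    """Issuer that also reads the card's own report and declines when the
    terminal claims a PIN was verified but the card says it never saw one."""
    card_pin_verified = record["card_report"].endswith("pin_verified=1)")
    if record["terminal_cvm"] == "PIN_OK" and not card_pin_verified:
        return "DECLINE: CVM mismatch (terminal PIN_OK, card did not verify PIN)"
    if record["terminal_cvm"] != "PIN_OK":
        return "DECLINE: PIN failed"
    return "APPROVE"


def run(entered_pin: str, interposed: bool, checker=issuer_check_consistent):
    """One transaction against a fresh constructed card (real PIN 1234).
    Returns (issuer decision, card's PIN retry counter afterwards)."""
    card = Card(pin="1234")
    channel = Interposer(card) if interposed else card
    record = terminal_transaction(channel, entered_pin)
    return checker(record), card.retry_counter


if __name__ == "__main__":
    print("honest, right PIN:  ", run("1234", interposed=False))
    print("honest, wrong PIN:  ", run("0000", interposed=False))
    print("interposed, naive:  ", run("0000", interposed=True, checker=issuer_check_naive))
    print("interposed, checked:", run("0000", interposed=True))
```

Two things in the output match the quoted passage: with the naive issuer the interposed run is approved although the card never saw a PIN, and the card's retry counter stays at 3 because the dummy PIN was never sent to it. The consistency check turns the same record into a decline.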

What's next

One of the reasons I have been following chip and PIN technology is to see if and when it will be adopted in the United States. I asked Professor Anderson about this and his response was:

"I'll be talking about EMV (chip and PIN standard) at the Federal Reserve Bank's conference in New York on April 1st. I'll be arguing the Fed should insist that the EMV specification be fixed before they allow its introduction in the United States.

The vendors are keen enough to sell the technology in the USA, where the card payment market is worth billions. If the result is a much improved EMV 5.0, then it will presumably come here to Europe in due course."

One other area of concern that I found interesting is the transition credit/debit card. If the chip and PIN system gains traction, not every merchant will have the correct PED immediately. According to the research team's report, this opens another attack avenue.

If the chip and PIN card includes a magnetic strip as a fallback method for making purchases, the card can still be cloned, and the information may remain valid when that person obtains the official chip and PIN card.

Final thoughts

I am not sure where I read this, but it has a lot of "street cred":

"The whole purpose behind security is to make it more difficult so thieves will go somewhere else as well as eliminating amateurs. Still no matter what you develop, there's going to be someone who's going to find a way around it."

I would like to thank Professor Anderson for taking the time to make a complex subject less so.

Update: A member was kind enough to point me to where I found the above quote. Here is the link to the Claes Bell article. I also edited the post, changing PEN to the correct acronym PED, my apologies.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

174 comments
Strawk

Step 8 in your outline of the attack process is both misleading and incorrect. I am wondering if you did that on purpose out of a sense of not giving the details away to potential criminals. That would be surprising as the Cambridge paper, that you have conveniently linked to, describes it rather well. When an arbitrary PIN is entered at the PED this is not given to the authentic chip and pin card. The PIN OK code is sent to the PED by the MITM. The PED, which is now under the illusion that a correct pin was actually used sends the "GENERATE AC" command to the chip and pin card. The chip and pin card now assumes a signature was used rather than a pin and completes a response to that command. Nowhere is there a check about the inconsistency between the PED's and chip and pin card's understanding of how the transaction was done. THere was also a hint of misunderstanding in the BBC documentary right at the end. The PIN is never sent to the issuing bank. Therefore, the bank cannot check if the PIN given was valid or not.

pcousin

I think MagnePrint is a very good alternative to chip & PIN. We have deployed MagnePrint in our 1000-ATM network here in Santiago, Chile (BCI bank); we have eliminated fraud with skimmed cards.

marckee

Were they using online (immediately seeks authentication) or offline (seeks authentication later)? Some European countries tend to use more offline authentication (whereas North America uses more online) so I would figure one would just need to fool the PED to get away with a fraudulent transaction. Would this work if an online authentication is needed? I had the unfortunate experience of learning there are two PINs on a chip & PIN card (at least that's what the 2nd level support at my bank told me.) The first PIN is for online authentication while the 2nd was for offline authentication. They are supposed to be kept in sync but somehow I was able to get mine out of sync (as the bank lacked the proper procedures when I was changing PINs.) It left me in Paris with 100 Euros of chocolate in my hands and a chip & PIN card which would not pass the offline authentication.

mirry101

I live in the UK and we use the described chip and PIN technology. What I find really weird about the discussed flaw is: how exactly would the attacker explain connecting a store's PIN reader to his own computer? It still remains a safe way of payment, but it does have a weakness: it prints out the card information along with its expiry date on the merchant's copy of the card receipt. Staff working at the store can then read the last three digits on the back of the card and, if they live in a small town like I do, obtain the card owner's address, and no one can stop you in the internet shops. Fraud 101

tundraroamer

Why not embed a current image of your smiling face on the chip? Run the card, your face shows up and the cashier has to verify it's you. Additionally, you could also use a pin number. Some logistical problems with getting your image on the chip but a few ideas are very possible. The image would have to be updated with each card renewal.

marckee

"The card issuers cite the enormous cost of rolling out chip and PIN technology, estimated to be around $5.5 billion, and they rest safe in the knowledge that it is the merchants in the U.S., and not the card issuers, who are responsible for the financial costs of credit card fraud." Out of curiosity, how much money do you think the retailers in the USA spend over a 5-7 year period replacing old point-of-sale devices with new ones? This replacement is because of wear-and-tear, new features, security enhancements etc... and is part of the retailer hardware upgrade cycle and nothing new to them. The additional costs chip+PIN (EMV for Europay-MasterCard-Visa - very original naming, by the way) will add are a significant increase in the amount of certification required across the network the financial transactions flow through. It's not just the cards but the point-of-sale devices, networks, software etc... All need to be certified. On another note, how much would another technology cost to implement? $5.5 billion is an enormous amount, but how much would the next great technology cost? I'm pretty sure it will be a significant figure as well.

IDmachines

This is not a chip and PIN attack; it's a device (PED) attack. The device threat succeeds with a fish for a token.

jeff

A couple of years ago I watched an article on TV (I think it was part of a documentary about Chip and Pin) about a small group of guys who came up with a method of increasing the security of Chip and Pin systems. Their idea was to use a type of 'Challenge and Response' which could work on top of the existing systems, I cannot remember the full details but it required a simple crib sheet which had the effect of scrambling the code so you effectively typed in a different PIN each time. They did patent the idea but the banks were not interested, obviously their huge profits (at the time) were sufficient for them not to worry about the amount of loss being incurred in fraudulent transactions.

C Birchall

I live in the UK, and I have always believed that Chip & Pin was flawed from the outset. Every time I use my card in a shop (to buy fuel, groceries, etc) I no longer hand my card over to a member of staff; I am always asked to place my card in the reader and enter my PIN - the member of staff has no idea if I am using my own card or not. For example - there is nothing stopping me handing my card to my partner, she knows my PIN number and she purchases things using my card. If a member of staff actually looked at the card they would realise something was wrong as it is plainly printed Mr ... When we in the UK used to have to sign for our purchases this was not a problem. Chip & Pin has not increased security, it has decreased it.

mbnarayn

What is a PEN? I guess it's PED incorrectly typed as PEN.

SecurityMoose

Experience from the UK

We use C&P all the time here now and it is about as secure as it can be without 3 factor authentication. However, there are a number of rules to follow to be as secure as possible.

  1. Go through Worldpay or Paypal for on-line transactions - if your supplier doesn't support it, don't use them.
  2. Know where your card is at all times - the moment it disappears or you think it has been compromised, call your card company (there are agencies set up to keep track of all your cards and will do this for you upon a single notification).
  3. Use reputable retail outlets with proper card readers.
  4. Do not let your card be taken away for swiping - the card readers are always brought to you, or are on the retail counter (the seller never sees you enter the number).
  5. Use a card supplier who will text you on your mobile (cell phone) if a transaction exceeds a certain amount.
  6. Use a bank who profiles your habits - if you usually take money out of a cash machine in London, say, they would alert you if there was a transaction in another country - most UK banks do this already.

If you are following this trend in the US I would recommend it as the first step to improved security - we tend to over-sensationalise things over here, so the research should be taken with a balanced view. Don't forget, "There are lies, damn lies, and statistics" (and of course, TV shows).

emenau

.... Simply because it is safer. And don't buy expensive food or goods, then you also don't have to carry an unsafe amount of money in your pocket..

.Martin.

I know in Australia that although you may have the chip on the card (and use the chip on the card), you can still sign for the purchase. Doesn't that just remove nearly all the added security?

sura.jan

What's the problem? Is it a problem of the PIN card or a problem of the software? If it is possible not to check the PIN, it means that it is not a problem of the card and PIN but a problem of the PED software, which can be externally forced not to check the PIN = not to function! It looks like a hoax!

337

We have been utilising the SIM technologies here for a while now, but what we are seeing lately is the EFTPOS machines being targeted specially, both for skimming purposes and/or what you've mentioned, I'm guessing. In a lot of cases I believe it to be skimming mainly. Something business owners want to take note of is: do not leave your POS unit on prems after hours. We have seen break-ins occur where they come, mod the POS device and leave without a trace; the unit then does its evil deeds (skimming I gather) and reports it back to the crook in question. That, or they replace your POS terminal with an already stolen and modded one.

ct2193

The PIN and Chip flaws aren't much different from the RFID vulnerabilities. In the U.S., passports require RFID - an already vulnerable format. The passports aren't made in the U.S. and are frequently passed through risky territory during their creation, as multiple countries make different components of the completed passports. Driver's licenses ("RealID") are in the pipe that use the same RFID concepts. License plates may end up in the U.S. with RFID built in. (Something that already exists in the U.K.) Hackers exploited some of the first batches of RFID passports and soon after RFID became a mandated component for ALL U.S. passports. Technology that looks secure, knowingly is NOT secure, and is a marketing scam to profit from overpriced "security" enhancements. If we examined security features for their resilience against hackers, rather than by brand name recognition, we'd all be better off. I'd rather deal with a no-name company who can hold their own rather than some huge company who is pushing security as just another SKU.

Tony N

In Canada, the rollout of chip cards is well underway. According to an article I read, a major incentive for this is not so much to protect the card-holder, but, rather, the financial institutions: Under the old system the C Card Co. is on the hook if someone steals your card or fakes your card. I.e., when the thief uses the card, the forged signature is not yours! But, if the thief gets hold of your chip card and somehow knows your PIN, you have some 'splainin' to do to get out of paying for the fraud. How would the thief get your PIN? Besides the technique discussed above, the methods are the same as for bank debit card PINs. I was astonished to see a recent TV ad promoting and explaining the use of the chip cards: The cheerful shopper keyed in her PIN with every key-stroke plainly visible.

BugsInLondon

Maybe PIN is not quite as secure as it was, but it is still pretty good, and much better than what you have over the pond. Look at the 2 scenarios up there: 1. criminal uses a tampered device: professional criminal, probably part of an organisation, they'll be crims no matter what. And they have to persuade you to use their terminal, this was done here by gluing an add-on to ATMs. They are under 24h video surveillance, so that didn't last long. 2. crim gets your card because you lost it, or got burgled or mugged. In all three of those cases you would put a block on your card (free in Europe, don't know for ROW), which also enables tracing of the criminal using the card. I think the biggest danger right now is when using cards on the internet, not actual PIN fraud since physical access to the card is always required, and that's pretty hard to do without the owner noticing at one point. Biometrics are not great either, more expensive and don't always work, plus you can't lend your card (say to partner) unless authorised formally. Remember that $5.5 billion is nothing compared to the amount transacted, and your banks owe you after the mess they've created, so go ahead and join the XXIst century!

Michael Kassner

Sorry you feel that way, but you certainly are entitled to your opinion. I happen to disagree, though.

JCitizen

It is good to hear from folks in Chile! Hopefully the extension of the Great firewall of China didn't cause too much consternation down your way! They(PRC) come through the Satellite feeds down that way.

Michael Kassner

I was under the impression that the authentication was just between the customer entering the PIN and the PED checking to see if it matched the PIN on the chip. You bring up some interesting points; could you explain them further? Thanks.

jeff

If you watch the original BBC news article - http://news.bbc.co.uk/1/hi/sci/tech/8511710.stm - you'll see how they did it. The equipment is in the guy's rucksack, the cable travels down his sleeve and he never lets go of the dummy card. If someone wanted to perfect this hack, I'm sure they could soon streamline the hardware.

Michael Kassner

None of mine do, but don't some cards already have an ID photo on them?

Michael Kassner

Please let me know. I would like to check that out. Thanks for commenting.

BugsInLondon

I see this as an advantage, it means I can borrow/lend cards, e.g. to get cash for an elderly relative that doesn't want to go out. You still have to KNOW the PIN. I could steal your card and sign for payment, since I am Mr no one could tell there is fraud. I forged my parents' signature for detentions when I was 12 for god's sake, how is that secure???

Michael Kassner

I guess my feeble brain was combining PIN and PED for some reason. It indeed is PED.

Michael Kassner

Sounds like good advice. I am glad members like yourself are commenting about the process and how to avoid problems.

Michael Kassner

Does the card still have a magnetic strip? If so, you are vulnerable. Yet, I see no other solution, as the industry has to transition. It cannot be an immediate switch-over.

Michael Kassner

That it is not a hoax. The research team was just pointing out how easy it is to defeat the entire chip and PIN approach.

Michael Kassner

Thank you for that information. That is a whole new avenue. Law enforcement would so not be looking for that. It also agrees with what Professor Anderson is warning about. If you have any more information and the time, please keep us in the loop.

Michael Kassner

RFID is on my research radar as I recently received my new passport and it has a chip in it.

marckee

In Canada, starting in October 2010, if I shop with my chip + PIN (EMV) card and you as a merchant do not have the necessary certified equipment to use the EMV card and thus swipe the magnetic stripe on the back, the liability will belong to the merchant. If I'm outside of Canada (and in a non-EMV country like the USA) the mag stripe will be swiped, but any liability will belong to the card issuer. If as a consumer you have many EMV credit and debit / bank cards and you use the same PIN, or you write your PIN on the card, you will be responsible for any fraud should someone steal your cards and use your PIN. You will be viewed as not protecting it enough. Regardless, people typically cover their hands when entering their PIN for their bank card - I'm pretty sure most of them will do it for their credit cards.

Michael Kassner

Chip and PIN is being shoved out in Europe and the UK. Professor Anderson explained that it is an attempt to move the liability to the customer.

JundongS

Maybe something similar to RSA SecurID will work better? When you pay for something all you need to do is key in your PIN+Code. If someone got hold of your token, they won't be able to use it anyway. I know some banks' online banking systems are using tokens.

Michael Kassner

I know that some friends in the UK use chip and PIN technology for on-line shopping. Do you? I am curious if this attack may somehow morph to work on that process as well.

Michael Kassner

The second video also shows how. It might be the same BBC2 video.

JCitizen

that was even simpler, but I'm sorry I don't have the link right now. I believe another Michael Kassner story shed light on it. In that one the cracker just tapped his finger to foil the concept.

Ocie3

offers -- or they used to offer -- the option of having a photograph of the card's user on the card (not necessarily the person who is paying the bill) but, if memory serves, it cost $25. As I recall, the photo could be made from film, since the option was offered when digital cameras were affordable only by a professional photographer ([i]ca.[/i] $3,000 for 5 megapixels). I don't recall whether the photo would have been digitized before adding it to the card.

marckee

He is suggesting PED devices used for magnetic stripe technologies can also be attacked. And it's not an attack on the chip + PIN card itself, technically. I think you need to point out clearly to your readers that processing any credit card transaction requires many components. These include: EMV / mag stripe card + PED + acquirer network + etc... Attacks can occur anywhere along this transaction processing path. For example, Heartland was compromised and this wouldn't have been prevented by chip+pin but shouldn't be used as a reason against chip+pin either. It's simply an attack somewhere down the transaction pipeline. You highlighted an attack on PED in a chip + pin environment, he's merely pointing out this type of attack could occur in a mag stripe world too.

Michael Kassner

I see is the magnetic strip. I am under the impression that I would want to get a new card and PIN after it switches to just chip and PIN. If I understand correctly, the magnetic strip will allow an attacker to obtain your sensitive information and PIN. So if that does not change your card is vulnerable.

Mark Johnson

This attempt is only partially working in the UK. There have been a number of court cases where UK judges have found in favour of the consumer, even when the PIN was written down. And the fraud has moved online where PINs are not used.

Mark Johnson

banking yes, but I've never come across it for online shopping. I have a chip reader about the same size as a small calculator; when completing an online payment for example, the bank will ask for a reference number generated by the reader. The reader uses the PIN, a reference (usually the receiving account number) and the amount and information on the card to generate a reference. Essentially I have digitally signed the online request to make a payment.
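The reader Mark Johnson describes above (a device that combines the PIN, the payee reference, the amount and card data into a code the bank checks) is a transaction-signing token. Here is a small Python model I have added to illustrate why that binds the payment to its details; it is not the real reader's protocol and not the commenter's or any bank's code. The card key, PIN, payee references, amounts and the 8-digit truncation rule are all constructed for the example, and in a real card the key never leaves the chip. The model also includes a transaction counter, my own addition, so that a code cannot be replayed.

```python
"""Simplified model of a hand-held chip reader used to sign an online
payment: the card checks the PIN locally, computes a one-time code over the
payee reference and amount, and the bank recomputes and compares it.

Added illustration only: not the real reader's protocol. Key, PIN, references,
amounts and the truncation rule are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass


def one_time_code(key: bytes, reference: str, amount_cents: int, counter: int) -> str:
    """HMAC-SHA256 over the fields the comment lists, truncated to 8 digits
    so the holder can type it into a web form."""
    msg = f"{reference}|{amount_cents}|{counter}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


@dataclass
class SigningCard:
    key: bytes          # shared with the issuing bank (constructed)
    pin: str
    counter: int = 0    # transaction counter, so each code is single-use

    def sign(self, entered_pin: str, reference: str, amount_cents: int):
        """Return (counter, code), or None if the PIN entered is wrong."""
        if entered_pin != self.pin:
            return None
        self.counter += 1
        return self.counter, one_time_code(self.key, reference, amount_cents, self.counter)


class Bank:
    """Issuer side: knows the card key, recomputes the code from the payment
    it is actually being asked to execute, and rejects reuse of a counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def verify(self, reference: str, amount_cents: int, counter: int, code: str) -> bool:
        if counter <= self.last_counter:
            return False  # replayed or stale code
        expected = one_time_code(self.key, reference, amount_cents, counter)
        if not hmac.compare_digest(expected, code):
            return False  # details differ from what the cardholder signed
        self.last_counter = counter
        return True


def demo() -> list:
    """Constructed walk-through; returns the outcome of each step in order."""
    key = b"constructed-demo-key-not-real"
    card, bank = SigningCard(key, pin="4321"), Bank(key)
    results = []
    results.append(card.sign("0000", "GB00-1234", 15000) is None)  # wrong PIN: no code
    counter, code = card.sign("4321", "GB00-1234", 15000)
    results.append(bank.verify("GB00-1234", 99900, counter, code))  # amount altered in transit
    results.append(bank.verify("GB00-9999", 15000, counter, code))  # payee altered in transit
    results.append(bank.verify("GB00-1234", 15000, counter, code))  # genuine request
    results.append(bank.verify("GB00-1234", 15000, counter, code))  # replay of a used code
    return results


if __name__ == "__main__":
    print(demo())
```

The point the comment makes, that the request is effectively digitally signed, shows up in the outcomes: a code computed for one payee and amount does not verify for any other, and a wrong PIN produces no code at all. This is what separates such a reader from a plain password page, where nothing ties the secret to the payment details.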

Michael Kassner

I thought I addressed that in my first two paragraphs and the links I provided.

marckee

In Canada, from what I've heard, the key issues around card holder liability are: (1) Did you safeguard your PIN appropriately? - it's not written on the card or in your wallet? (2) Is your PIN easy to guess? - Is it your, your wife's or kid's birthday? Something someone can guess at? (3) Have you used the same PIN on your cards? - Thus if one becomes compromised, all will be compromised. The position will change from, "Your credit card has been the victim of fraud," to, "They used your PIN - you must have made it easy to figure out." Basically you're guilty and thus liable is the starting point rather than a presumption of innocence. I definitely feel stronger consumer protection components are needed.

JCitizen

card holder liability thing. I get a feeling that after the inevitable court wranglings end on such a concept; the user will still be held reasonably harmless. Now, if a reliable 2 factor or a third factor with a reliable biometric were the case; then maybe I'd go for that. If they get away with it, no one will ever hold a card again. We will be back to the pain-in-the-arse cash society.

marckee

I agree, the magnetic stripe will still be vulnerable. I live in Canada, my chip & PIN cards also have magnetic stripes on them - otherwise it would be a pain to go to the USA. If a Canadian retailer swipes my mag stripe after October 2010 - liability for fraud is the retailer's. If a US retailer swipes my mag stripe card I believe the card issuer will be responsible. If your card is compromised using a card-not-present (e.g., online or phone) transaction or the numbers skimmed and used in a non-chip & PIN country (e.g, USA), my understanding is the liability would not be with the consumer. Chip & PIN is really for hardening transactions within physical stores. Although, I have seen cases in the UK where 3rd party devices are used with a chip & PIN card to generate a one-time password for online purchases. This in effect switches one from a card-no-present to a card present transaction. Alternatively, for online purchases just use Paypal or BillMeLater or something like that. Interestingly enough, in the Kitchener-Waterloo chip & PIN trial, one of the objectives was to not make people feel the magnetic stripe was insecure.

Michael Kassner

For the useful information. I will check those devices out. I feel it is excellent that you are helping your children understand about security. Kudos.

Mark Johnson

I keep one at work and one at home, and take one with me when I go on business trips. Most banks have a web page where you can request a 'replacement' and in any case they are usually transferable between banks. Certainly the Barclays and Nationwide ones are identical in function. The web page 'Verified by Visa' is useless; my daughter managed to change my password just using the 'forgotten password' feature and public information about me. Before anyone gets hot under the collar, I did set it as a challenge to her as part of the security education programme for my children.

Michael Kassner

For clearing that up. That actually seems like a more secure method. I wonder if the Zeus malware can exploit that approach?

BugsInLondon

They are completely independent, so that I can use it at work for example. There is also a third way, implemented by Visa/Mastercard, where you are redirected to a page where you confirm the purchase with another password. Not great, mind you. Problem with the "calculator" is that you can forget it!

Michael Kassner

Is the card/chip reader independent of the computer or are they linked?