A recently published technical paper entitled "Chip and pin is broken" by security researchers Steven Murdoch, Saar Drimer, Mike Bond and Ross Anderson reveals how criminals can use stolen payment cards without the pin using man in the middle attacks.
It does not matter if the card is stolen outright or copied, the method works either way. The publication highlights a serious security problem as banks claimed until now that the security of payment cards is protected from such acts.
The attack is very simple at its core. It takes advantage of the fact that the authentication negotiation determining which authentication method is being used is not encrypted. All it does is switch the authentication method to "chip and signature transactions" making the terminal use chip and pin authentication. The effect is that the attacker can enter any four digit ping to authorize the payment.
What should happen normally is that the pin that is entered by the customer is checked by the terminal. The transaction is only authorized if the pin check is correct. If that is not the case, the transaction is not authorized and a new request is being sent to enter the pin.
Here are the highlights of the attack:
The following video is a report by the BBC about the issue that shows some of the research including how attacks are carried out.
According to the researchers, the expertise needed to build the system is not overly high and the equipment needed for it can be purchased easily. It appears also easy to hide it so that merchants cannot detect it.
Additional information are available in the published research paper.
Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
Chip&PIN wasn’t introduced to increase security. It was introduced to pass the security buck to the customer. You only have to listen to the excuses above to realise the banks’ priorities. They are happy to accept the losses of fraud as an operating expense tto be passed eventually to the customer.
There have been other flaws in the system for some time – it’s only a year since my card was compromised ina dodgy supermarket reader. But try telling the banks…