The Unsafe Chip And PIN
by Paul McGoldrick
Whenever someone says something is foolproof, totally secure, impregnable, etc., most engineers just smile politely and move on to something real. So it is with Chip and PIN, a technology that is now virtually universal in Europe.
The process is supposed to take the anxiety out of credit or debit card transactions in public places. The consumer's card carries a contact smart-card chip (an EMV chip, not an RFID tag: the card has to be pushed into the reader's slot so that the chip's contacts can be read, rather than waved past an antenna). When the time comes to pay the bill, the card goes into the reader and the purchase is confirmed by entry of the ubiquitous four-digit PIN. The two factors are meant to establish that the card is genuine (the chip, not just the magnetic stripe, is what the terminal talks to) and that the person holding it is the legitimate cardholder (only he is supposed to know the PIN). In places like restaurants your card never leaves your hands: a portable, wireless reader is brought to your table. Virtually all credit and debit cards issued in Europe in the last couple of years are chip-equipped. There has been some confusion, with retail establishments occasionally refusing cards not so equipped, although on my last trip to Europe I had no problem with my North American cards.
But the technology may not be as secure as its designers claim. I have always had concerns over the obviously vulnerable radio link used in the portable terminals, but that is not the first breaking point of the system. Two researchers at Cambridge University's Computer Laboratory, Steven Murdoch and Saar Drimer, have demonstrated a hacked Chip and PIN terminal on which they played Tetris (watch the video).
They achieved this by opening the terminal and replacing its electronics with their own. A crude approach, maybe, and a terminal modified this way no longer communicates with the merchant's bank, so it cannot complete a genuine transaction; but it leaves wide open the possibility of a tampered terminal that quietly records the card's data and the PIN the customer types while showing the customer an apparently normal payment. The cardholder would only learn something was wrong when a statement fails to show the charge he actually made and instead shows a string of fraudulent ones.
The same technique was used by Dutch researchers to show how insecure the voting machines used in several European countries are. They bought a hundred of the generic keys needed to open the machines online, studied the crude electronics inside, and reconstructed a full schematic of the circuitry and its two (redundant) flash memories. They said, half in jest, that they could probably make it play chess, to which the manufacturer replied, in effect, "Oh, sure, we'd like to see you try." So they did.
The Cambridge team have since gone a stage further with the Chip and PIN terminal by demonstrating a relay attack. The setup is simple: two transaction locations linked by two laptops and a communications channel. At the genuine location a crook operates a rigged terminal; the victim inserts his real card and types his PIN, believing a small purchase is going through. At the fake location an accomplice presents a fake card, one with no chip of its own but wired to the second laptop, and is cued to start the moment the real card goes into the rigged terminal. Every challenge the merchant's honest terminal sends to the fake card is relayed over the channel to the real card, every answer the real card gives is relayed back, and the PIN the victim just typed goes with it. The merchant's terminal and the bank see a genuine chip answering correctly and a correct PIN, so the fake transaction is authorised, while the real transaction on the rigged terminal never takes place. The customer doesn't get to pay for his CDs, or whatever, but finds out next month that he was apparently physically present when he "purchased" a $10,000 necklace for his wife.
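To make the relay concrete, here is an added toy model of the exchange described above. It is not the Cambridge team's code and does not model real EMV messages: the card proves itself by answering a random challenge with a keyed MAC over the challenge and the amount, the issuing bank recomputes that MAC, and the relay just forwards challenge and answer between the honest terminal and the victim's card sitting in the rigged terminal. The bank cannot tell the relayed transaction from an honest one, which is the whole point; a counterfeit card with the wrong key, by contrast, is rejected, which is why the crooks need the genuine chip in the loop. The round-trip time bound at the end is an assumed countermeasure chosen for the example (the relay channel adds latency the genuine chip never has), with latencies simulated as numbers rather than measured on a clock. All names, the sample PAN and the latency figures are constructed for this illustration.

```python
"""Toy model of the Chip and PIN relay attack (added example, not the
Cambridge team's code).  Messages are an HMAC challenge/response, not
real EMV; latencies are simulated integers, not wall-clock time."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _mac(key: bytes, challenge: bytes, amount_cents: int) -> bytes:
    """Keyed MAC over terminal challenge and amount: the toy 'cryptogram'."""
    return hmac.new(key, challenge + amount_cents.to_bytes(8, "big"),
                    hashlib.sha256).digest()


@dataclass
class Card:
    """Stand-in for the genuine chip: holds a key shared only with the issuer."""
    pan: str
    key: bytes

    def cryptogram(self, challenge: bytes, amount_cents: int) -> bytes:
        return _mac(self.key, challenge, amount_cents)


class Issuer:
    """The bank: issues cards and authorises by recomputing the cryptogram."""
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def issue(self, pan: str) -> Card:
        key = os.urandom(32)
        self._keys[pan] = key
        return Card(pan, key)

    def authorise(self, pan: str, challenge: bytes, amount_cents: int,
                  cryptogram: bytes) -> bool:
        key = self._keys.get(pan)
        if key is None:
            return False
        return hmac.compare_digest(_mac(key, challenge, amount_cents), cryptogram)


# Whatever sits in the terminal's slot implements respond(challenge, amount)
# and returns (pan, cryptogram, simulated round-trip time in ms).
class GenuineCard:
    """A real card in the slot: answers locally with a few ms of chip latency."""
    CHIP_LATENCY_MS = 5  # assumed figure for the example

    def __init__(self, card: Card) -> None:
        self.card = card

    def respond(self, challenge: bytes, amount_cents: int):
        return (self.card.pan, self.card.cryptogram(challenge, amount_cents),
                self.CHIP_LATENCY_MS)


class RelayedCard:
    """The crooks' fake card: forwards the challenge over a channel to the
    rigged terminal holding the victim's genuine card and relays the answer."""
    def __init__(self, victim_card: Card, channel_latency_ms: int) -> None:
        self.far_end = GenuineCard(victim_card)   # victim's card, rigged terminal
        self.channel_latency_ms = channel_latency_ms

    def respond(self, challenge: bytes, amount_cents: int):
        pan, cryptogram, local_ms = self.far_end.respond(challenge, amount_cents)
        # Challenge out and answer back each cross the channel once.
        return pan, cryptogram, local_ms + 2 * self.channel_latency_ms


@dataclass
class Outcome:
    bank_authorised: bool   # what the issuer decided
    rtt_ms: int             # simulated challenge/response round trip
    within_bound: bool      # assumed countermeasure: round trip under a bound


class Terminal:
    """Honest merchant terminal: fresh challenge per transaction, asks the bank
    to check the answer, and (assumed countermeasure) times the round trip."""
    def __init__(self, issuer: Issuer, max_rtt_ms: int) -> None:
        self.issuer = issuer
        self.max_rtt_ms = max_rtt_ms

    def transact(self, slot, amount_cents: int) -> Outcome:
        challenge = os.urandom(16)
        pan, cryptogram, rtt_ms = slot.respond(challenge, amount_cents)
        ok = self.issuer.authorise(pan, challenge, amount_cents, cryptogram)
        return Outcome(ok, rtt_ms, rtt_ms <= self.max_rtt_ms)


def run_demo() -> dict:
    """Honest purchase, relayed purchase and a counterfeit card, side by side."""
    issuer = Issuer()
    victim = issuer.issue("VICTIM-0001")           # constructed sample PAN
    jeweller = Terminal(issuer, max_rtt_ms=20)     # assumed bound
    return {
        "honest": jeweller.transact(GenuineCard(victim), 1_500),
        "relayed": jeweller.transact(RelayedCard(victim, channel_latency_ms=40),
                                     1_000_000),
        "counterfeit": jeweller.transact(
            GenuineCard(Card(victim.pan, os.urandom(32))), 1_500),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:12s} authorised={outcome.bank_authorised} "
              f"rtt={outcome.rtt_ms}ms within_bound={outcome.within_bound}")
```

The relayed purchase is authorised exactly as the honest one is, because the cryptogram really was computed by the victim's chip; the counterfeit card fails because its key is wrong. The only difference the honest terminal can observe in the relayed case is the extra round-trip delay, which is why a timing bound of the kind modelled here is the natural place to look for a defence.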
How would you start to argue that one with the card issuer? It would be a nightmare. For European transactions where a PIN was entered, liability for a disputed charge has now shifted to the customer: the financial institution's assumption is that the customer was careless with the PIN (a lot of people write it on the card with a magic marker, apparently).
This kind of fraud might be hard to put into practice unless the crooks control a terminal on the selling side of the counter at the genuine transaction, but it is clear the system is vulnerable. As engineers we already knew that. But excuse me while I see about modifying a Diebold voting machine into operating as an ATM.