item 10414375

X-Ray Scans Expose Chip-And-Pin Card Hack

185 points | miralabs | 10 years ago | wired.com

118 comments

ajross | 10 years ago
FTA: A fraudulent chip can listen for that query and pre-empt the real chip with its own answer: a “yes” signal regardless of whatever random PIN the fraudster has entered. “The attacker intercepts the PIN query and replies that it’s correct, whatever the code is,”

Wait, what? How is that the protocol? There's no two way validation at all? The chip just says "yes"?!

Can anyone with knowledge of details confirm? This seems isomorphic to my ears with "the PIN is just security theater".

bravo22 | 10 years ago
In this case the fault lies with the bank. The chip can authenticate the transaction and also optionally cryptographically sign it as verified. The bank should check the last step but most/some don't because a lot of the first wave of terminals that went out didn't have full/proper implementation, therefore they only relied on the chip saying "yeah it looks good", instead of "yeah it looks good, btw here is my signature on this transaction which you can pass to the bank to verify that it really is kosher".

So it is more an issue of the bank accepting partially verified transactions on large dollar amounts.

thrownaway2424 | 10 years ago
There's nothing wrong with the smart card system and the crypto protocols developed around them. The problem is that the applications that have been bodged onto the smart card since it was invented (in the 70s) have all been garbage. The banks and payment networks just aren't qualified to implement these things, and they don't have any reason to because they've managed to externalize the cost of fraud onto the individual customers and the merchants.
IshKebab | 10 years ago
Their "fix" is also similarly insane:

> According to their paper, at least some chip-and-PIN card readers now send a command to verify a PIN before the user even enters it to check if the card responds with a spoofed “verified” signal.

Trivial to detect and control, e.g. have a discrete button on the card that you press exactly when you enter your pin that enables the spoofed response. There are probably more sophisticated methods.

Hopefully they've done more than just that though. Hopefully.
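The exchange ajross and bravo22 are puzzling over, IshKebab's button bypass of the probe countermeasure, and bravo22's point that an issuer which checks the card's own cryptogram can catch the mismatch, modelled together in one added example. This is not code from the article or the Cambridge paper. The 00 20 00 80 VERIFY APDU and the plaintext PIN block layout follow EMV; the card's state machine, the malformed-VERIFY probe, and the HMAC-SHA256 stand-in for the card's cryptogram are simplifications made for illustration (real cards MAC the transaction data under a card-unique 3DES or AES key, and real issuers compare the card's CVR bits with the terminal's reported CVM results rather than recomputing a MAC for a claimed flag).

```python
"""Toy model of EMV offline PIN verification and the "yes-card" shim (added
example, not the article's or the Cambridge paper's code). The VERIFY APDU
and plaintext PIN block follow EMV; card state, the probe and the HMAC-based
"cryptogram" are simplifications of what real cards and issuers do."""
import hashlib
import hmac
from dataclasses import dataclass

VERIFY_INS = 0x20
SW_OK = 0x9000          # PIN accepted
SW_WRONG_DATA = 0x6A80  # malformed command data, no try consumed
SW_BLOCKED = 0x6983     # PIN try counter exhausted

def plaintext_pin_block(pin: str) -> bytes:
    """EMV plaintext PIN block: nibble 2, length nibble, digits, F padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(("2%x%s" % (len(pin), pin)).ljust(16, "F"))

def verify_apdu(pin_block: bytes) -> bytes:
    """CLA 00, INS 20 (VERIFY), P1 00, P2 80 (plaintext PIN), Lc, data."""
    return bytes([0x00, VERIFY_INS, 0x00, 0x80, len(pin_block)]) + pin_block

def cvm_mac(key: bytes, tx: bytes, pin_verified: bool) -> bytes:
    """Stand-in for the card's cryptogram: MAC over tx data plus PIN result."""
    return hmac.new(key, tx + bytes([pin_verified]), hashlib.sha256).digest()[:8]

@dataclass
class GenuineCard:
    pin: str
    key: bytes                  # card-unique key shared with the issuer
    tries_left: int = 3
    pin_verified: bool = False  # the card's own record of the PIN result

    def process(self, apdu: bytes) -> int:
        data = apdu[5:]
        if apdu[1] != VERIFY_INS or len(data) != 8 or data[0] >> 4 != 2:
            return SW_WRONG_DATA
        if self.tries_left == 0:
            return SW_BLOCKED
        if hmac.compare_digest(data, plaintext_pin_block(self.pin)):
            self.pin_verified = True
            return SW_OK
        self.tries_left -= 1
        return 0x63C0 | self.tries_left  # 63Cx: wrong PIN, x tries left

    def cryptogram(self, tx: bytes) -> bytes:
        return cvm_mac(self.key, tx, self.pin_verified)

class NaiveShim:
    """Shim chip glued over the real one: swallows VERIFY and answers 9000."""
    def __init__(self, card: GenuineCard):
        self.card = card

    def process(self, apdu: bytes) -> int:
        return SW_OK  # never forwarded, so the real chip records no PIN attempt

    def cryptogram(self, tx: bytes) -> bytes:
        return self.card.cryptogram(tx)  # signing is still done by the real chip

class ArmedShim(NaiveShim):
    """Lies only while armed (the button idea above), otherwise passes through."""
    armed = False

    def press(self) -> None:
        self.armed = True

    def process(self, apdu: bytes) -> int:
        return SW_OK if self.armed else self.card.process(apdu)

def offline_pin(card, pin: str) -> bool:
    """Terminal side: offline PIN verification, trusting the 9000 answer."""
    return card.process(verify_apdu(plaintext_pin_block(pin))) == SW_OK

def probe_then_pin(card, pin: str, on_prompt=lambda: None):
    """Countermeasure: a malformed VERIFY before the PIN prompt. A real card
    rejects it; a chip that says 9000 is flagged. on_prompt fires when the
    prompt appears, which is when a fraudster would press the shim's button."""
    if card.process(verify_apdu(b"")) == SW_OK:
        return "fraud"
    on_prompt()
    return offline_pin(card, pin)

def issuer_check(key: bytes, tx: bytes, pin_ok_claimed: bool, cryptogram: bytes) -> bool:
    """Issuer side: does the card's cryptogram agree with the claimed CVM result?"""
    return hmac.compare_digest(cvm_mac(key, tx, pin_ok_claimed), cryptogram)

def run_scenarios() -> dict:
    key, tx = b"card-unique-key (constructed)", b"amount=600000EUR|merchant=4711"
    real, naive = GenuineCard("1234", key), NaiveShim(GenuineCard("1234", key))
    armed = ArmedShim(GenuineCard("1234", key))
    out = {"real_wrong_pin": offline_pin(real, "0000"), "real_tries_left": real.tries_left,
           "real_right_pin": offline_pin(real, "1234"), "naive_any_pin": offline_pin(naive, "0000")}
    out["issuer_real"] = issuer_check(key, tx, True, real.cryptogram(tx))
    out["issuer_naive"] = issuer_check(key, tx, True, naive.cryptogram(tx))
    out["probe_naive"] = probe_then_pin(NaiveShim(GenuineCard("1234", key)), "0000")
    out["probe_armed"] = probe_then_pin(armed, "0000", on_prompt=armed.press)
    out["probe_real"] = probe_then_pin(GenuineCard("1234", key), "1234")
    return out
```

Calling run_scenarios() shows the three outcomes the thread argues about: the naive shim makes any PIN succeed at the terminal ("naive_any_pin"), the probe catches that naive shim but not one that only lies after the button press ("probe_naive" versus "probe_armed"), and an issuer that checks the cryptogram the real chip produced sees that the chip never recorded a PIN verification, so the terminal's claim does not match ("issuer_naive"). The PIN try counter is only decremented for a well-formed wrong PIN, so the probe does not burn one of the cardholder's three attempts.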

dlubarov | 10 years ago
On the bright side, this only affects offline PIN verification. Cards which are configured to require online PIN verification should be more secure. They will send a (triple DES encrypted) PIN block to the terminal, which sends it to the issuer, which decrypts and verifies it.
ChuckMcM | 10 years ago
I share your amazement. That said, apparently the functional security was "how could you put a system physically between the card and the reader?" which seems silly. The chip is capable of signing the response with the secret key of the card, why wouldn't it do that?
awqrre | 10 years ago
When I use my chip card, I don't need to enter a PIN when I select credit... and all debit cards usually can also be used as a credit card...
JimmaDaRustla | 10 years ago
This is technically old news - as the article states, it has since been resolved. Edit: I guess they're shedding new light on how they performed the hack.

Another thing, in context of USA, is that the authentication being done isn't much of a vulnerability as this only applies to offline chip transactions. In the USA (I believe) and here in Canada, all transactions are online, which means the pin will be rejected by your financial institute's back end systems in these scenarios.

These types of hacks have since been corrected using what is called CDA (Combined Data Authentication). Blurb on SDA/DDA/CDA here: http://www.cryptomathic.com/hubfs/docs/cryptomathic_white_pa...

Edit: Many Canadian financial institutes still use the weakest data authentication (SDA) because all transactions go online - spoofing a card PIN verification response doesn't fool the back-end system. Visa and Mastercard both have mandates to have newly issued cards be provisioned on chips with CDA (I believe, could be DDA which would still be susceptible to this attack).

Edit 2: When I say "offline", I mean at a point of sale machine - the POS does not reach out to the payment network to perform an "online" transaction where the PIN and card are validated by the back-end systems.

Edit 3: The article doesn't give EMVCo any credit for actually solving the issue before any real world hack was known to exist.

makomk | 10 years ago
I'm not sure I'd describe it as "resolved". They've deployed a couple of countermeasures that take advantage of bugs in this particular implementation of the exploit (it doesn't detect parity errors in the card-to-reader transmissions and replies yes to the PIN authentication command even if it's sent at the wrong time). Those bugs can easily be fixed, and the first trick is probably very familiar to most folks acquainted with Funcards.
kbenson | 10 years ago
Well, that explains why the implementation seems brain-dead, it's because they wanted offline transactions. I'm not sure why they thought offline transactions would be a good idea given the near impossibility to do it securely (given enough incentive someone will completely reverse-engineer the chip), but the whole situation seems fairly ridiculous.
cjhopman | 10 years ago
If you read the linked paper, this vulnerability is not limited to offline transactions.

Edit: clarification, there are sort of three types of transactions--

  offline - vulnerable to this (and a simpler attack)
  online w/ offline pin - vulnerable
  online w/ online pin - not vulnerable
kbenson | 10 years ago
That's amazing. They were able to MITM the chip-and-pin chip by taking it out and attaching it to another hobbyist chip that's capable of spoofing the response, and the whole thing when put back in the card was only a slight bulge bigger than the original.

They say nearly 600k Euros were charged, but given the sophistication of the attack, I wouldn't be surprised if we hear later that it was in use at different locations as well, and we just aren't hearing about it because they haven't caught those people yet. They only caught these ones because they kept going back to the same locations.

jessaustin | 10 years ago
Don't keep purchasing at the same merchants; that's like Carder 101!

Regardless, this whole "ask the card if the PIN was right" protocol is just dumb. Surely they could have e.g. had the card sign a challenge in a way it could only do if given the right PIN? That gets slightly more complicated when revoking old PINs or issuing new ones, but it would still be possible. For all we heard about the wonders of C'n'P, this seems to fall short. If you're going to the expense of chipping all those cards and replacing all those terminals, at least get the software right.

tejaswiy | 10 years ago
It's a clever hack, but shouldn't people have thought of this before they developed the whole protocol? How can any random chip answer a "true" response to the pin request? Shouldn't it have some sort of authorization built-in? Maybe public / private key with a bunch of implicitly trusted public keys?

As I say that, I guess this relies on having a network connection which cannot be assumed when you're developing a POS. Hmm.

TeMPOraL | 10 years ago
Makes me wonder if carder community has systems to protect from and/or punish idiots with poor OPSEC. It takes only one such idiot to ruin a perfectly good attack vector.
Sleaker | 10 years ago
I'm dealing with development on some of this right now for US based POS customers and so far everything I've been told is that the US isn't even going to attempt to utilize the PIN entry capabilities, so we're still using signature validation in case of fraud. I'm not sure how this is any better than MSRs. The whole spoofing PIN validation thing doesn't even come into play because it's not even going to be checked.
ghshephard | 10 years ago
"signature validation "

I've left the back of my credit-card unsigned for 2+ years, and in that entire time, and north of 500+ transactions with a signature, I've been asked for identification less than 10 times.

I wonder if there has been a single person challenged on a signature in the last 5+ years with a credit card if they even made the slightest attempt to sign in a fashion similar to what's on the back of the card?

bri3d | 10 years ago
It's much better than MSRs because online transactions aren't vulnerable to skimming / replay. This eliminates the ability to clone cards using an ATM skimmer or over-the-wire stolen track data, which by my understanding is one of the primary identity theft attacks against US cards.

This "yes-card" attack relied on having physically stolen the original card (not skimmed) and only worked against offline transactions using SDA, which, as far as I know, aren't supposed to happen in the US.

As long as merchants continue to accept magstripes the security benefit isn't really there, but, in the ideal world where they accept only chip-and-sig, it's still much more secure than MSR even without the added protection of a PIN.

rasz_pl | 10 years ago
Going for signature instead of pin is BRILLIANT ... for the banks, because any fraud is charged out of merchant's pocket - he didn't verify card owner identity at the time of the transaction. Good luck asking every single customer for ID at the supermarket checkout.

Whole point of PIN was to move responsibility over to VISA and banks. This is why they kept claiming every transaction with chip&pin card is 100% valid and there is no chance of fraud.

Reading this article gave me LOL. Their super fraud prevention is asking the card for multiple pin verification before client enters real PIN, so if the card validates random bad PINs reader can flag fraud. This will stop scammers for ... one week? until they start programming shims to only validate one particular PIN making the card act like the real one.

joosters | 10 years ago
Do banks in the US transmit the signature to the bank when you sign on an electronic pad? Can the signature be retrieved later on if you query a transaction?
amyjess | 10 years ago
Signature validation has nothing to do with fraud prevention.

Your signature just means you accept the terms of the cardholder's agreement.

klagermkii | 10 years ago
Watched this a couple of days ago and found it quite interesting talking about C&P flaws https://www.youtube.com/watch?v=Ks0SOn8hjG8
bardworx | 10 years ago
Great video. I just posted it in a reply to another comment.

My biggest takeaway is that all systems are safe until the bad guys really try to break them.

akavel | 10 years ago
Noteworthy: For the Cambridge researchers, the French attack is an “I-told-you-so” moment. Five years ago, EMVCo and the UK Cards Association both dismissed their attack as improbable or impossible.
bmsleight_ | 10 years ago
rasz_pl | 10 years ago
no, afaik this article talks about super thin shim glued on top of real chip on real card

but I guess you could use the cards you linked IF you drill them, cut real chip from real card, place it in drilled hole, cover hole so it's not visible, print card over with authentic looking color scheme/logo, stamp number, sounds like a lot of work

nathanb | 10 years ago
Let's not lose sight of one thing -- this doesn't make chip-and-pin less secure than swipe-and-sign, it just makes it no more secure, in the worst case.
kbenson | 10 years ago
It's not just about security though, it's also about liability. Chip-and-pin may have different liability rules than have been established for signatures. If so, then a hacked chip-and-pin system may be no less secure for the consumer, but it may be much more costly.
derekp7 | 10 years ago
I was under the impression that the card created a cryptographic signature on the transaction, and the card had to receive the correct pin before it would sign it. Which is why you have to leave the card in the reader until the total is completed. Is this really not the case? Or does the card still cryptographically sign the transaction, but doesn't process the PIN first (other than answering valid/invalid)?
coleca | 10 years ago
> "They also note that other protections have been added to the system at the network level, which they decline to detail for fear of tipping off criminals."

Security by obscurity. That's always a good plan. I'm sure that folks who went through all this trouble to design this hack wouldn't ever be able to find that information. </sarcasm>

jgalt212 | 10 years ago
pretty lame if the card can just say "yes" no matter what PIN is entered.

Away from being a proprietary tech, I'm not sure why fingerprinting the magnetic stripe never took off. It seems so much simpler, and, if you cannot rearrange iron at the molecular level, impossible to replicate.

http://www.magtek.com/V2/media/whitePapers/2012/MagTek-WP-An...

rsfern | 10 years ago
Probably it's lack of infrastructure buy-in. And personally, I find the misuse of the word biometric in the white paper off-putting, along with the lack of detail on the basis for the technique. The fingerprint is somehow related to the magnetic particle distribution--how stable is it against weak magnetic fields, or against heat?

If you really can reliably get magnetic signatures, it would be really hard to clone cards.

Edit: the particles won't really change, but their magnetic states feasibly could

ck2 | 10 years ago
So those millions spent replacing everyone's card and all the vendors' merchant machines was a waste.

Besides you can just use the chipped card online without the chip or pin?

ljk | 10 years ago
So is the safest way just to use cash?