{"id":931,"date":"2008-02-27T11:20:48","date_gmt":"2008-02-27T19:20:48","guid":{"rendered":"\/?p=931"},"modified":"2008-02-27T11:25:22","modified_gmt":"2008-02-27T19:25:22","slug":"uk-chip-and-pin-vulnerable-to-simple-attack","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=931","title":{"rendered":"UK Chip and PIN vulnerable to simple attack"},"content":{"rendered":"<p><a href=\"http:\/\/www.lightbluetouchpaper.org\/\">LightBlueTouchpaper<\/a>, a blog by security researchers at Cambridge University,\u00a0has <a href=\"http:\/\/www.lightbluetouchpaper.org\/2008\/02\/26\/chip-pin-terminals-vulnerable-to-simple-attacks\/\">posted details of a\u00a0study<\/a> documenting <em>easy attacks<\/em> on the new generation of British bank cards.\u00a0\u00a0Saar Drimer explains,\u00a0&#8220;This attack can capture the card\u2019s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography&#8221;.\u00a0 Let&#39;s all heed the warning:\u00a0<\/p>\n<blockquote><p><a href=\"http:\/\/www.cl.cam.ac.uk\/~sjm217\">Steven J. Murdoch<\/a>, <a href=\"http:\/\/www.cl.cam.ac.uk\/~rja14\">Ross Anderson<\/a> and I looked at how well PIN entry devices (PEDs) protect cardholder data. Our paper will be published at the <a href=\"http:\/\/www.ieee-security.org\/TC\/SP2008\/oakland08.html\">IEEE Symposium on Security and Privacy<\/a> in May, though an extended version is available as a <a href=\"http:\/\/www.cl.cam.ac.uk\/techreports\/UCAM-CL-TR-711.pdf\">technical report<\/a>. A segment about this work will appear on BBC Two\u2019s <a href=\"http:\/\/news.bbc.co.uk\/1\/hi\/programmes\/newsnight\/default.stm\">Newsnight<\/a> at 22:30 tonight.<\/p>\n<p>We were able to demonstrate that two of the most popular PEDs in the UK \u2014 the Ingenico i3300 and Dione Xtreme \u2014 are vulnerable to a \u201ctapping attack\u201d using a paper clip, a needle and a small recording device. 
This allows us to record the data exchanged between the card and the PED\u2019s processor without triggering tamper proofing mechanisms, and in clear violation of their supposed security properties. This attack can capture the card\u2019s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and PED.<\/p>\n<p><a href=\"\/wp-content\/images\/2008\/02\/ingenico-tap.jpg\"><img src=\"\/wp-content\/images\/2008\/02\/ingenico-tap.jpg\" alt=\"Ingenico attack\" height=\"180\" \/><\/a>\u00a0<a href=\"\/wp-content\/images\/2008\/02\/dione-tap.jpg\"><img src=\"\/wp-content\/images\/2008\/02\/dione-tap.jpg\" alt=\"Dione attack\" height=\"180\" \/><\/a><\/p>\n<p>In addition to the PIN, as part of the transaction, the PED reads an exact replica of the magnetic strip (for backwards compatibility). Thus, if an attacker can tap the data line between the card and the PED\u2019s processor, he gets all the information needed to create a magnetic strip card and withdraw money out of an ATM that does not read the chip.<\/p>\n<p>We also found that the certification process of these PEDs is flawed. <a href=\"http:\/\/www.apacs.org.uk\/\" class=\"broken_link\">APACS<\/a> has been effectively approving PEDs for the UK market as Common Criteria (CC) <em><a href=\"http:\/\/www.apacs.org.uk\/payment_options\/PINEntryDevices.html\" class=\"broken_link\">Evaluated<\/a><\/em>, which does not equal Common Criteria <em><a href=\"http:\/\/www.commoncriteriaportal.org\/public\/expert\/index.php?menu=7\" class=\"broken_link\">Certified<\/a><\/em> (no PEDs are CC Certified). 
What APACS means by \u201cEvaluated\u201d is that an approved lab has performed the \u201cevaluation\u201d, but unlike CC Certified products, the reports are kept secret, and governmental Certification Bodies do not do quality control.<\/p>\n<p>This process causes a race to the bottom, with PED developers able to choose labs that will <em>approve<\/em> rather than <em>improve<\/em> PEDs, at the lowest price. Clearly, the certification process needs to be more open to the cardholders, who suffer from the fraud. It also needs to be fixed such that defective devices are refused certification.<\/p>\n<p>We notified APACS, Visa, and the PED manufacturers of our results in mid-November 2007 and responses arrived only in the last week or so (Visa chose to respond only a few minutes ago!) The <a href=\"http:\/\/www.cl.cam.ac.uk\/research\/security\/banking\/ped\/#responses\">responses<\/a> are the usual claims that our demonstrations can only be done in lab conditions, that criminals are not that sophisticated, the threat to cardholder data is minimal, and that their \u201clayers of security\u201d will detect fraud. There is no evidence to support these claims. APACS state that the PEDs we examined will not be de-certified or removed, and the same for the labs who certified them and would not even tell us who they are.<\/p>\n<p>The threat is very real: tampered PEDs have already been used for fraud. 
See our <a href=\"http:\/\/www.cl.cam.ac.uk\/research\/security\/banking\/ped\/press-release.html\">press release<\/a> and <a href=\"http:\/\/www.cl.cam.ac.uk\/research\/security\/banking\/ped\/\">FAQ<\/a> for basic points and the <a href=\"http:\/\/www.cl.cam.ac.uk\/techreports\/UCAM-CL-TR-711.pdf\">technical report<\/a> where we discuss the work in detail.<\/p><\/blockquote>\n<p><small>[Thanks to Richard Turner for the heads up.]<\/small><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers can capture your PIN with just a paper clip and needle.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[21,6,13,11],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/931"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=931"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/931\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=931"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}