PDA

View Full Version : So Much For Chip & PIN Security



Jim Koepke
12-08-2015, 6:07 PM
Looks like there is already a hack for these.

http://boingboing.net/2015/11/26/tiny-open-source-gadget-simula.html

jtk

Phil Stone
12-08-2015, 6:27 PM
Seems to be specifically due to poor security practices by American Express.



Looks like there is already a hack for these.

http://boingboing.net/2015/11/26/tiny-open-source-gadget-simula.html

jtk

Brian Elfert
12-08-2015, 9:18 PM
This has NOTHING to do with chip and pin. This uses the magnetic stripe. This is NOT about bypassing chip security.

Mike Henderson
12-08-2015, 9:19 PM
Seems to be specifically due to poor security practices by American Express.

Yep. And in the US, the chip cards don't use a PIN - you have to sign for the sale. I think there's a couple of reasons for this.

1. The card companies are afraid you will not remember the PIN and therefore will not use their card.

2. The processing people charge more to process a transaction with a signature than with a PIN.

However, people seem to be able to remember a PIN - for example the PIN to get into their smart phone or their bank debit card. So if the user can set the PIN on their card(s), they can certainly remember it.

Mike

Myk Rian
12-08-2015, 9:25 PM
I wonder if Amex has a response to this.
90% of the merchants we go to don't use the chip anyway. At least not yet.

John K Jordan
12-08-2015, 9:31 PM
In every place we visit in Europe, EVERYONE uses the chip cards and PIN. From boat tickets in Venice to pizza in Switzerland.

JKJ

Gerry Grzadzinski
12-08-2015, 9:33 PM
In every place we visit in Europe, EVERYONE uses the chip cards and PIN. From boat tickets in Venice to pizza in Switzerland.

JKJ

Canada as well.

The only places I've been to that use the chip are Wal Mart and Sam's Club.

Brian Elfert
12-08-2015, 9:38 PM
Target and Home Depot now accept chip cards. Many places have readers for chip cards, but they can't actually take chip cards yet.

Gerry Grzadzinski
12-08-2015, 10:32 PM
You're right. I forgot that I used the chip card to pay for my Christmas tree at HD on Saturday.

Dan Hintz
12-09-2015, 7:36 AM
This has NOTHING to do with chip and pin. This uses the magnetic stripe. This is NOT about bypassing chip security.

Yes and no. While it's a bit flip in the magnetic stripe, it's still a valid workaround to the Chip and Pin (by removing it form the equation altogether). The card is made to appear to the machine as if it's a standard non-chip card.

However, it should be noted this attack will only work for a short period of time (about a year from now). Once the requirement for ALL machines to accept chip-and-pin cards goes into effect, this trick will fail. Essentially, the machine will assume it's an old card that needs to be replaced by the issuer.

John K Jordan
12-09-2015, 8:09 AM
I don't understand what good the chip card is without the PIN. I thought the real reason for the chip cards was to tie a secret PIN to an encrypted chip that couldn't be copied easily like a magnetic strip.

A stolen card cannot be used if the PIN is required. Anyone can use anyone's card if the PIN is not required.

It seems to me that the only value of using the chip without a PIN is it eliminates the physical motion of sliding the card through the slot at the right speed. And just when I got good at that...

JKJ

Stewie Simpson
12-09-2015, 9:58 AM
I don't understand what good the chip card is without the PIN. I thought the real reason for the chip cards was to tie a secret PIN to an encrypted chip that couldn't be copied easily like a magnetic strip.

A stolen card cannot be used if the PIN is required. Anyone can use anyone's card if the PIN is not required.

It seems to me that the only value of using the chip without a PIN is it eliminates the physical motion of sliding the card through the slot at the right speed. And just when I got good at that...

JKJ

http://www.visa.com.au/personal/security/chipcards.shtml

Matt Meiser
12-09-2015, 10:00 AM
Because the chip is a lot harder to replicate than the magnetic strip. Its very easy to read the data off a magnetic strip of a real card and store it, then later write it onto the strip of another card. Stolen physical cards aren't the big issue.

Brian Elfert
12-09-2015, 10:07 AM
The chip generates a different number sequence for every transaction. If somebody hacks the system and gets that number it will do them no good. No, it doesn't help if someone actually steals your card, but the majority of the fraud has been criminals hacking into computer systems to get credit card numbers in large numbers.

Brian Elfert
12-09-2015, 10:12 AM
Yes and no. While it's a bit flip in the magnetic stripe, it's still a valid workaround to the Chip and Pin (by removing it form the equation altogether). The card is made to appear to the machine as if it's a standard non-chip card.


Sure, but the OP's post made it sound like someone had managed to hack the actual chip itself which they have not.

Considering that I don't think even 25% of merchants have chip card readers yet I don't think this is a big deal. There are many large chains that still don't have chip card readers up and running. A local chain installed new credit card terminals along with a new POS system last summer. They still don't have the chip readers working. (Didn't have credit card terminals at all before.) I find it hard to believe that anyone would install a new POS system in 2015 and not be able to immediately accept chip cards.

Myk Rian
12-09-2015, 12:29 PM
However, it should be noted this attack will only work for a short period of time (about a year from now).
And a LOT of damage can be done in that time. We had a card jacked a few years ago. In 1 1/2 days there was $14,000 charged to it from 4 widespread Michigan cities.
How the heck can you spend $685 at CVS? How about 3 identical purchases at Meijer for $357.68?
The CC company ate the entire bill.

Mike Henderson
12-09-2015, 1:17 PM
I don't understand what good the chip card is without the PIN. I thought the real reason for the chip cards was to tie a secret PIN to an encrypted chip that couldn't be copied easily like a magnetic strip.

A stolen card cannot be used if the PIN is required. Anyone can use anyone's card if the PIN is not required.

It seems to me that the only value of using the chip without a PIN is it eliminates the physical motion of sliding the card through the slot at the right speed. And just when I got good at that...

JKJ
The issue in credit card fraud is not stolen credit cards - it's stolen credit card numbers. Very, very few fraudulent credit card transactions are due to stolen physical cards.

What the thieves do is get credit card numbers - which you, the card user, gives out to many people. A company where you actually did scan your card many store your credit card number. If they're hacked, your CC number is out there. And you give it to many companies when you do an Internet transaction. [And just a side note: the transmission of your card info is very secure as long as https is used.] But the Internet company stores your card number and then it gets hacked.

Once the hacker has your cc number, they can write that number on the magnetic strip of any card. They then take that card and swipe it at the store. While there's a number embossed on the face of that card, the number the machine read is not that number. And that's why some stores require the clerk to see your card and enter the last four digits - to check if the number embossed is the same as the number read.

The advantage of the chip card is that the hacker cannot replicate the chip and what it does. If they have your physical card they can use it, but you will probably notice the card missing and report it fairly quickly. The company will then disallow the card. So chip cards do add quite a bit of security for physical transactions, as long as the chip is used. And starting this year, if a store does not have a chip reader and the card is bogus, they eat the loss and not the cc company. Puts a big incentive on the store to upgrade. One or two fraudulent transactions can pay for a new reader.

So the hackers are now going on line. They take your cc number and use it to make online purchases. One defense against this is the CVC on the back of the card. If you don't have the physical card, you don't have the CVC.

Mike

Brian Elfert
12-09-2015, 4:39 PM
The silly thing about the CVC code is I don't believe Amazon requires it. How can the world's largest online retailer not require such a basic security item?

Brian Henderson
12-09-2015, 4:49 PM
The silly thing about the CVC code is I don't believe Amazon requires it. How can the world's largest online retailer not require such a basic security item?

Seriously, it isn't hard at all to get the CVC code, any retailer that handles your card for a transaction can get it. And the chip and pin is pointless because all anyone has to do is get your credit card number and they can make online purchases all day long.

Garth Almgren
12-09-2015, 6:46 PM
A local chain installed new credit card terminals along with a new POS system last summer. They still don't have the chip readers working. (Didn't have credit card terminals at all before.) I find it hard to believe that anyone would install a new POS system in 2015 and not be able to immediately accept chip cards.
Same deal with my local Ace - they have newer readers installed that accept both chip and swipe, but I found out a few weekends ago when I tried to use a chipped card that the chip hardware isn't enabled yet, even though the slot is there. :confused:

Garth Almgren
12-09-2015, 6:50 PM
In every place we visit in Europe, EVERYONE uses the chip cards and PIN. From boat tickets in Venice to pizza in Switzerland.
When my wife and I went to Australia in 2011, every place we went to that took cards expected Chip+PIN, but luckily still had the hardware to take our antiquated mag stripe cards. We did have to explain to several people that we didn't have a PIN and would have to sign for it instead.

Brian Elfert
12-09-2015, 9:53 PM
Seriously, it isn't hard at all to get the CVC code, any retailer that handles your card for a transaction can get it. And the chip and pin is pointless because all anyone has to do is get your credit card number and they can make online purchases all day long.

The whole point of chips is to prevent massive data breaches like what happened at Target, Home Depot, and other retailers. Yes, someone could still write down your card number and other information off your card, but the majority of the time your card never leaves your possession to make a purchase. Sit down restaurants are still an exception, but they will probably be bringing card readers to the table within a few years.

CVC may be a very basic form of security, but it is better than nothing. It stops the people who simply make up random card numbers and try to make purchases.

Mike Henderson
12-10-2015, 12:22 AM
The silly thing about the CVC code is I don't believe Amazon requires it. How can the world's largest online retailer not require such a basic security item?
I'd have to do a test, but you enter your card data at Amazon as part of your profile. It may be that they require the CVC when you enter that data.

Of course, once you become a regular buyer, they know your card is valid. It would only be someone who opens a new account, or wants to add a card to an existing account, and they may ask for the CVC at that time.

Mike

Mike Henderson
12-10-2015, 12:30 AM
And the chip and pin is pointless because all anyone has to do is get your credit card number and they can make online purchases all day long.
Yep, so far there's not a good solution for the online purchase situation, except the CVC. And a lot of places don't ask for it.

One thing my credit card company does is have a skinny application for my smart phone. Whenever any purchase is made with my card - or my wife's card (that includes online purchases with just the card number) - I get an immediate notification of the purchase. I've had situations where I gave my card to the waiter and I got a notification before he brought me the slip to sign. If someone had my cc number and started making purchases with it, I'd know immediately and could notify the cc company through the app to turn the card off.

I really like having that level of monitoring.

Mike

Brian Henderson
12-10-2015, 3:08 AM
The whole point of chips is to prevent massive data breaches like what happened at Target, Home Depot, and other retailers. Yes, someone could still write down your card number and other information off your card, but the majority of the time your card never leaves your possession to make a purchase. Sit down restaurants are still an exception, but they will probably be bringing card readers to the table within a few years.

CVC may be a very basic form of security, but it is better than nothing. It stops the people who simply make up random card numbers and try to make purchases.

Virtually no physical retailers, at least around here, have the chip readers activated. For a lot of retailers, if you are using credit as opposed to debit, they insist on swiping the card on the register instead of on the keypad so you do have to hand them the card, at which point they can easily see the CVC. It's not that hard. And like I said, once you have that, you can get online with the credit card number and the CVC and make all the purchases you want, the chip means absolutely nothing.

Curt Harms
12-10-2015, 8:32 AM
Yep, so far there's not a good solution for the online purchase situation, except the CVC. And a lot of places don't ask for it.

One thing my credit card company does is have a skinny application for my smart phone. Whenever any purchase is made with my card - or my wife's card (that includes online purchases with just the card number) - I get an immediate notification of the purchase. I've had situations where I gave my card to the waiter and I got a notification before he brought me the slip to sign. If someone had my cc number and started making purchases with it, I'd know immediately and could notify the cc company through the app to turn the card off.

I really like having that level of monitoring.

Mike


That IS a great feature.

Lee Schierer
12-10-2015, 8:42 AM
Virtually no physical retailers, at least around here, have the chip readers activated. For a lot of retailers, if you are using credit as opposed to debit, they insist on swiping the card on the register instead of on the keypad so you do have to hand them the card, at which point they can easily see the CVC. It's not that hard. And like I said, once you have that, you can get online with the credit card number and the CVC and make all the purchases you want, the chip means absolutely nothing.

So how many people do you know that can memorize a 16 digit card number plus an expiration date and CVC number in the amount of time it takes to swipe a card through a cash register.

Mike Henderson
12-10-2015, 9:42 AM
That IS a great feature.
Just FYI, I have the card with Chase Bank but I think other cc companies offer the same thing.

BTW, what I mean by "skinny" is that the app only tells you what transactions you made. You can't do anything else with the app, such as make a payment, change your password, etc. Just look at your transactions. And I like that. I go into their web site to do anything else.

Mike

Mike Henderson
12-10-2015, 10:01 AM
Virtually no physical retailers, at least around here, have the chip readers activated. For a lot of retailers, if you are using credit as opposed to debit, they insist on swiping the card on the register instead of on the keypad so you do have to hand them the card, at which point they can easily see the CVC. It's not that hard. And like I said, once you have that, you can get online with the credit card number and the CVC and make all the purchases you want, the chip means absolutely nothing.
Perhaps the reason they want to swipe the card is that they can check to see that the number swiped is the same as the number on the card. Most systems show the last 4 digits when you swipe a card (if not the whole number).

But I agree with Lee - the last place I worry about getting my card info stolen is in a place like that. That system (memorizing the numbers) is too slow and expensive (even if someone could memorize all that information). Customers come fast and each one presents a cc. There's not much time to stop and write all that info down between customers. And if you have a memory like that, you can probably find more lucrative ways to make money from it than stealing cc data.

There have been instances of employees stealing cc numbers but they have to have a device where they scan the card and the number is stored in the device. So as long as you can see the handling of the card, you're pretty safe.

Mike

Pat Barry
12-10-2015, 2:32 PM
There have been instances of employees stealing cc numbers but they have to have a device where they scan the card and the number is stored in the device. So as long as you can see the handling of the card, you're pretty safe.
Mike
Paying for a meal at a restaurant always make me think for a second about my CC security? Always a lot of trust involved when you send the waitress to the back room to charge your account with your CC.

Mike Henderson
12-10-2015, 2:57 PM
Paying for a meal at a restaurant always make me think for a second about my CC security? Always a lot of trust involved when you send the waitress to the back room to charge your account with your CC.
For a waiter to steal credit card numbers, s/he would have to have some device to scan the card. It could be a device that attaches to a smart phone.

But if you've ever worked in a restaurant, there's not much that's secret between the workers. A lot of people would have to be in on the theft and that's not likely to happen. It'd be very difficult to get that many people to hide an illegal act. And the boss would definitely not be a part of it.

I won't say it can't happen, but I don't think it's very common either.

Mike

[I'll pass along a credit card story: A friend of mine did a lot of entertainment and used an American Express Card. One day, while traveling in another city, his card was rejected. When he looked closely at "his" card, he discovered it was not his card, it was someone else's card. The restaurant he had entertained in a day or so earlier had given his bill to another table and he got the other person's bill. Neither really looked at the bill or the cards and just signed and put the cards in their wallet. The other guy discovered the error, called AMEX and they cancelled the cards. It did get all straightened out in time.]

Dan Hintz
12-10-2015, 6:06 PM
There have been instances of employees stealing cc numbers but they have to have a device where they scan the card and the number is stored in the device. So as long as you can see the handling of the card, you're pretty safe.

Tell that to the millions of people who have had their CC info stolen while slipping it into an ATM, gas pump, etc. that all had swipe scanners on them. It looks normal, but your card is read twice with one swipe/insertion... once by the illegal reader, and finally by the legal reader. At first glance, most wouldn't know there was anything wrong with the device.

So, I wouldn't say even watching your card get swiped means it's safe, as there's plenty of evidence it's not.

Mike Henderson
12-10-2015, 7:19 PM
Tell that to the millions of people who have had their CC info stolen while slipping it into an ATM, gas pump, etc. that all had swipe scanners on them. It looks normal, but your card is read twice with one swipe/insertion... once by the illegal reader, and finally by the legal reader. At first glance, most wouldn't know there was anything wrong with the device.

So, I wouldn't say even watching your card get swiped means it's safe, as there's plenty of evidence it's not.
That's very true, Dan. But the comment was about a clerk at a major store who would take the card and scan it on the register. It's pretty unlikely that the register would have one of those devices on it.

I'm certainly aware of those devices but didn't discuss them. Certainly, people need to be aware of those devices.

Mike

Brian Elfert
12-11-2015, 2:44 AM
I'd have to do a test, but you enter your card data at Amazon as part of your profile. It may be that they require the CVC when you enter that data.

Of course, once you become a regular buyer, they know your card is valid. It would only be someone who opens a new account, or wants to add a card to an existing account, and they may ask for the CVC at that time.


I just added a new card to my Amazon account within the past week and I am pretty sure I did not have to enter the CVC.

Gas stations locally have gone to putting security seals on both the card readers themselves and the actual door of the gas pump to help ensure a skimmer is not present. Enterprising thieves will probably just make copies of the security seals at some point. Skimmers will no longer be of any real value with chip cards, but gas stations have until 2017 to add chip card readers to pumps.

Dan Hintz
12-11-2015, 7:21 AM
That's very true, Dan. But the comment was about a clerk at a major store who would take the card and scan it on the register. It's pretty unlikely that the register would have one of those devices on it.

Don't be so sure, Mike. There was a story just a year or two ago of a bar/pub in New York that had to "release" an employee back into the wild after the police came calling. It seems he installed a skimmer on the POS terminal near the kitchen. Managed to nab every server's transaction for several weeks (a month or more?) before the CC companies saw the explosion in fraud all tied to this one spot. The guy was a moron for doing it that way, but it does point out that hiding in plain sight is often a good way to go for those types.

Dan Hintz
02-08-2016, 11:14 AM
Given the recent discussion of RFID-blocking covers, I thought this paper would be a good read for all involved in either discussion:
http://sec.cs.ucl.ac.uk/users/smurdoch/papers/oakland14chipandskim.pdf

It's well written, with a sampling of real-world examples of how the Chip and Pin solution isn't the panacea the creators thought it would be. The paper concentrates more on real-world problems/solutions rather than mathematical theory, but understanding the fine details is easier if you have a background in crypto. Still, anyone with a modicum of technical background should be able to enjoy the paper in its entirety.

This is just one of many, many, many papers I sift through on a weekly basis.