Much of this is based on an originating conversation with Rangor, Father Of George.
Consider a criminal retailer or retail employee whose desire is to obtain people's card details and pins for fraudulent use.
The first thing to try will be to subvert or replace the existing card reader: the card readers in shops don't have any kind of identification or authentication from the point of view of the card owner - you put your card in (or you give it to the retailer and they take it away from you and insert it or swipe it or whatever - there's no standardisation there either) - and then that or another machine asks you for your pin. There's no standard interface, although admittedly even if there was it would be trivial to spoof. Unless your card can tell whether it is connected to a genuine card reader, you are more reliant on the honesty of the shopkeeper than you ever were: a spoofed card with a null signature might be used for purchases, but a spoofed card with a known pin can be used to withdraw hundreds of currency units per day from cash machines anywhere, especially ones away from cameras.
Anyway, you don't even need to do anything to the machine, you just need a couple of cameras yourself: one to scan the card numbers on the way to the reader and one to look over the customer's shoulder and record the pin. Or use the inbuilt record of card numbers and use an accomplice who stands in the queue and notes the pins. If the card reader is able to access information about the card holder from the card (date of birth and the like) then Mr Bad doesn't really need the pin: statistical analysis will have been done on the most frequently used pin numbers anyway, patterns like 1234 and the DD-MM of the card holder's date of birth will have significant usage, which makes guessing the pin trivial in an economically significant number of cases. If x% of people use a simple combination of the elements of their date of birth as their pin, then all you need is their card number: if you collect a million numbers and try them all once, enough will succeed to make it all worthwhile. The x in x% doesn't need to be very high. If at first you don't succeed, try another. If you do succeed, go crazy. No notifications of failed authentication attempts are provided to the card holder, even if they're kept: the card issuers will be canny enough to look for authentication failure patterns, but these could be masked by hiding them within enough successful transactions. What are the thresholds? Are small transactions even checked? Is that why sometimes transactions are seemingly randomly declined, because an attempt is being made to brute-force the pin? While I'm asking questions, what encryption is used anyway? What OS are these devices running? Are the keys hardcoded into the device's hardware or software? What is to stop transactions being recorded and replayed?
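The guessing argument above is exactly the reason a card issuer would want to refuse derivable pins at the point where the customer chooses one. What follows is an added example, not code from the original post: a hypothetical issuer-side policy check that rejects a pin built from the elements of the holder's date of birth (the DD-MM case from the post plus the other obvious orderings) or from a trivial keypad run like 1234, and measures what fraction of a sample of (pin, date of birth) records it would flag, which is the x in the post's x%. The blocked combinations, the thresholds and the sample records are my own assumptions.

```python
from datetime import date
from typing import List, Optional, Set, Tuple


def dob_derived_pins(dob: date) -> Set[str]:
    """Four-digit pins that can be assembled from a date of birth.

    Assumed policy: block day/month in either order, the full year, and
    day-or-month paired with the two-digit year.  Not any real issuer's rules.
    """
    dd = f"{dob.day:02d}"
    mm = f"{dob.month:02d}"
    yyyy = f"{dob.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, dd + yy, mm + yy, yy + dd, yy + mm}


def is_trivial_pattern(pin: str) -> bool:
    """Four identical digits, or a straight run up or down the keypad (1234, 9876)."""
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def pin_weakness(pin: str, dob_iso: Optional[str] = None) -> List[str]:
    """Reasons the pin fails the policy; an empty list means it is acceptable."""
    if not (len(pin) == 4 and pin.isdigit()):
        return ["not four digits"]
    reasons = []
    if is_trivial_pattern(pin):
        reasons.append("trivial pattern")
    if dob_iso is not None and pin in dob_derived_pins(date.fromisoformat(dob_iso)):
        reasons.append("derived from date of birth")
    return reasons


# Constructed sample records (pin, date of birth); not real data.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("1503", "1980-03-15"), ("1234", "1975-11-02"), ("8826", "1990-07-21"),
    ("1990", "1990-07-21"), ("4071", "1966-01-30"), ("9053", "2001-12-09"),
    ("0000", "1988-04-04"), ("5518", "1973-06-18"), ("2345", "1982-09-17"),
    ("6170", "1961-10-05"),
]


def weak_fraction(records: List[Tuple[str, str]]) -> float:
    """Share of records whose pin the policy would flag: the x in the post's x%."""
    flagged = sum(1 for pin, dob in records if pin_weakness(pin, dob))
    return flagged / len(records)


if __name__ == "__main__":
    for pin, dob in SAMPLE_RECORDS:
        print(pin, dob, pin_weakness(pin, dob) or "ok")
    print("weak fraction:", weak_fraction(SAMPLE_RECORDS))
```

Run on its own the script lists each sample record with the reasons it was flagged. The point of the fraction is the post's arithmetic: an attacker holding N card numbers who tries one guess per card expects roughly N times this fraction to succeed, so the issuer's interest is in driving the fraction down before the cards are ever issued.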
A classic man-in-the-middle technique would be the "first-fail": the keyboard (which you should remember may not even be the same device that read the card) is presented to the customer to enter their pin. But the device fails the pin and asks the customer to retry. This time it works. In this scenario, the device has been subverted by the retailer: the first pin entry is simply logged, and the second is passed on to the network for authentication: don't tell me that in a world full of people installing linux on toasters this is impossible. A much easier variant of this: a small transaction is recorded by a "device" but the device was cooked up by the retailer's evil nephew or niece: it simply reads the card details (all the smart stuff too) and the pin you enter, then it says PIN OK. You never get charged for the transaction, but why would you notice? EFTPOS transactions can take weeks to go through. The card isn't authenticating the reader, so the card holder has no way of knowing where she just put her pin. The value of card details and pin to our unscrupulous retailer is far greater than the 1.42 currency units of the transaction which the cardholder gets for free. If they ask you to reenter your pin on another machine ("sometimes we have to use the old one") then leave the shop and call the police.
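The "first-fail" trick leaves a trace on the acquirer's side: a terminal where an unusual share of transactions start with a failed pin and then succeed on the second attempt. The earlier paragraph also notes that failure patterns can be masked by burying them in enough successful transactions, so a rate alone is not enough. The following is an added example, not code from the original post: a detector that runs over constructed pin-verification log lines from three hypothetical terminals and flags a terminal on either a high first-attempt failure rate or an absolute count of distinct cards that failed their first attempt. The second signal is the one that survives dilution by genuine traffic. The log format, terminal ids and thresholds are my own assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class PinEvent(NamedTuple):
    time: str
    terminal: str
    card: str      # a token standing in for the card, never the PAN itself
    attempt: int   # attempt number within one transaction
    result: str    # "OK" or "FAIL"


# Constructed sample log (time,terminal,card token,attempt,result).
# T100 is honest traffic; T200 shows the first-fail pattern on most cards;
# T300 hides three first-fails inside enough genuine transactions to keep its rate low.
SAMPLE_LOG = """\
09:01,T100,c001,1,OK
09:03,T100,c002,1,OK
09:05,T100,c003,1,FAIL
09:05,T100,c003,2,OK
09:08,T100,c004,1,OK
09:10,T100,c005,1,OK
09:01,T200,c011,1,FAIL
09:01,T200,c011,2,OK
09:04,T200,c012,1,FAIL
09:04,T200,c012,2,OK
09:06,T200,c013,1,FAIL
09:06,T200,c013,2,OK
09:09,T200,c014,1,OK
09:10,T200,c015,1,FAIL
09:10,T200,c015,2,OK
09:02,T300,c021,1,OK
09:03,T300,c022,1,FAIL
09:03,T300,c022,2,OK
09:05,T300,c023,1,OK
09:06,T300,c024,1,OK
09:08,T300,c025,1,FAIL
09:08,T300,c025,2,OK
09:11,T300,c026,1,OK
09:12,T300,c027,1,OK
09:14,T300,c028,1,FAIL
09:14,T300,c028,2,OK
"""


def parse_log(text: str) -> List[PinEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, term, card, attempt, result = line.split(",")
        events.append(PinEvent(t, term, card, int(attempt), result))
    return events


class TerminalStats(NamedTuple):
    transactions: int   # transactions seen (one per first attempt)
    first_fails: int    # transactions whose first pin attempt failed
    failed_cards: int   # distinct cards among those first-attempt failures


def terminal_stats(events: List[PinEvent]) -> Dict[str, TerminalStats]:
    txns: Dict[str, int] = defaultdict(int)
    fails: Dict[str, int] = defaultdict(int)
    cards: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.attempt != 1:
            continue  # only the first attempt of each transaction matters here
        txns[ev.terminal] += 1
        if ev.result == "FAIL":
            fails[ev.terminal] += 1
            cards[ev.terminal].add(ev.card)
    return {t: TerminalStats(txns[t], fails[t], len(cards[t])) for t in txns}


def suspicious_terminals(events: List[PinEvent], max_first_fail_rate: float = 0.4,
                         min_transactions: int = 5, max_failed_cards: int = 3) -> Dict[str, List[str]]:
    """Terminals worth a look, with the reason(s). Thresholds are assumed, not industry figures."""
    flagged: Dict[str, List[str]] = {}
    for term, st in terminal_stats(events).items():
        if st.transactions < min_transactions:
            continue  # too little traffic to say anything
        reasons = []
        rate = st.first_fails / st.transactions
        if rate > max_first_fail_rate:
            reasons.append(f"first-attempt failure rate {rate:.2f}")
        if st.failed_cards >= max_failed_cards:
            reasons.append(f"{st.failed_cards} distinct cards failed their first attempt")
        if reasons:
            flagged[term] = reasons
    return flagged


if __name__ == "__main__":
    for term, reasons in suspicious_terminals(parse_log(SAMPLE_LOG)).items():
        print(term, "; ".join(reasons))
```

In the sample T200 trips both rules, while T300 keeps its first-attempt failure rate under the threshold and is caught only by the distinct-card count, which is the kind of second signal an issuer needs if the rate can be diluted with ordinary sales. A real deployment would compare each terminal against its own history and against similar shops rather than against fixed numbers.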
Oh, there are lots more problems with the current implementation of chip 'n' pin. Sometimes you read that cash machines are safe - where were they when all the examples of criminals installing fake cash machines or fake covers over existing machines were in the news? These have to be sunk into the wall of a bank before they appear authentic, and they still worked, and cash machines now routinely warn people to watch for spoofed interfaces. The machine in the shop into which you enter your pin is presented to you: it might be on a cord (connected to something you can't see anyway) or wireless, it might have your card in it and it might not: you know nothing about it, and have no means of knowing what it is doing with the pin you enter into it.
An unsubtle but effective approach for criminals too lazy to invest in card-spoofing technology would be to determine the customer's pin using one of the techniques above, and then pickpocket (or mug) the customer. Ouch. Or, if there's a facility to enter the card number manually when the card can't be read (and I think there is) then simply submit transactions using the card reader: open for a month, collect lots of numbers and pins, then spend a week hammering those accounts and disappear with the moolah before the complaints come in.
All the hype about 'identity fraud' ignores the fact that fraud via impersonation is much older than bank accounts, and fully punishable by existing laws. Attempts to make it seem an unchecked menace which can only be solved by chips, pins and ID cards are simply fraudulent themselves. As the shopkeepers are being compliant there must be something in it for them, a reduced charge probably, but there's nothing in it for the cardholders except increased risk: the banks and shops are happy though so nobody cares.
My advice is to always use cash at places like markets, firework shops, and the like where the retailer has only a temporary presence. This doesn't protect against corrupt employees, so if you're worried (you're extremely unlikely to suffer any personal losses from this kind of fraud) then use cash as much as possible, except in retailers you trust and where you can visually authenticate the card reader.
There are a lot of other interesting things the banks and retailers keep quiet: automatic reauthentication within a set time, retailer flow rates, and the fact that supermarkets hit the "override pay" button which authenticates the transaction whether you have the money in your account or not: for them it is very bad business to turn customers away leaving checkouts clogged up with their suddenly unwanted shopping, and since they get their money anyway they're happy. The card holder gets charged so the bank is happy. The customer is fucked off, but that's tough.
One of the other consequences of chip 'n' pin is the transference of the liability for fraudulent transactions supported by signature alone from the card issuer to the retailer: this means if the shop lets you sign instead of using your pin then they don't get reimbursed if it's a stolen card. This doesn't apply to chip 'n' signature cards, which the banks are being very quiet about: these tell the retailer to rely on signature alone and are intended for groups like blind people. If you're uncomfortable with using chip 'n' pin you might think about asking your bank for one, but banks are insisting that people applying for chip and signature prove that they are registered disabled.
Tuesday, February 14, 2006
Chip And Pin