
Device Steals Chip & Pin Data.

James
James Posts: 2,059 Forumite
Part of the Furniture 1,000 Posts Combo Breaker
From the BBC

"This was the first evidence of a breach of the chip-and-pin system, with the encryption of the chip having been broken."

Article from the BBC Click here.

Comments

  • madtay
    madtay Posts: 32 Forumite
    Like every new technology I guess, it was only a matter of time before it happened :(
  • MPH80
    MPH80 Posts: 973 Forumite
    Part of the Furniture Combo Breaker
    Fascinating - I just saw this on the BBC and came over because I *knew* James would have started a thread on it.

    The thing that's confusing me is that *if* they've cracked the encryption then they can also re-encrypt onto a blank card ... so why are they only able to produce cards which can "withdraw cash in countries where chip-and-pin has yet to be introduced."

    While I don't doubt there will always be attempts on the chip and pin encryption process and how it's working ... I'm uncertain that what we are looking at here is anything more than a standard tampered chip and pin terminal which captures the pin through keylogger/camera - as we've seen since the months *before* C&P came in.

    As I said - if you can decrypt - you can also reencrypt - you must because you must be able to use the key. Once you can do that - it's trivial to copy the chip onto a blank card.

    Don't understand the article.

    But wonder how soon we'll be seeing card upgrades or DDA introduced.

    Edit: In fact - I've been looking at the original press release and it says nothing about the encryption being broken:

    http://www.dcpcu.org.uk/HTML/pedbust.html

    That statement comes from a "security expert" and I'd be interested to know what evidence he's working off.

    M.
  • James
    James Posts: 2,059 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    ;) How did I know you'd be first to respond.

    How it's done is irrelative. The question I'd be asking, as I've said many times before, is

    If the Industry can't assure PIN integrity how can they possibly hold someone liable for PIN based fraud if they have no physical evidence? i.e. Their PIN written down?

    I'd also ask why the Card Industry isn't telling Consumers that Chip & Signature Cards are available.

    I notice the Press Release states:

    With these details, criminals are able to create fake magnetic stripe cards that can be used fraudulently in countries that have yet to roll out chip and PIN.

    I wish they'd explain how this is happening:

    Chislehurst (April 2008)
    A thief withdrew more than £10,000 from a cash machine using 49 cloned credit cards.

    Article click here.

    Scarborough (August 2008)
    Another local man, who also wanted to remain anonymous, found out that his card had been cloned and used in Scarborough.

    Article click here.

    Add Luvagoose's posting #7 (another victim)

    Hope you're well!
  • bert&ernie
    bert&ernie Posts: 1,283 Forumite
    There is no evidence to suggest that the encryption on the chip has been cracked. The "expert" claim in the BBC article is completely unsubstantiated and, in my view, quite misleading. It clearly "sexes up" an otherwise fairly dull story and it doesn't surprise me that the OP chose to quote that particular line.

    Interestingly, his comments to the Register, although equally melodramatic, are somewhat more qualified than those reported by the BBC:
    Andrew Goodwill, a director at card fraud prevention specialists The 3rd Man, said the attack made compromised PIN entry devices in stores as big a threat as the better known risk of bogus ATM machines. "Now it's not just cash machines, it's every card reader in every shop or restaurant."
    "The PIN access devices are being re-engineered. It seems like crooks have broken the encryption on the chip but this is unclear," he added.

    I'm sure it drove a bit of extra traffic to the 3rd Man website today though.

    The exploit used by these fraudsters is not new although it is further proof that it is now clearly being seen in the wild. This isn't good news, but it's hardly the disaster that some would paint it as.
    The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.
  • normanmark
    normanmark Posts: 4,156 Forumite
    James wrote: »
    I'd also ask why the Card Industry isn't telling Consumers that Chip & Signature Cards are available.

    Majority only offer those on a strict basis to disabled customers only.

    Like most have said, there will never be a completely foolproof way to prevent all fraud. Whilst some make it more difficult than others, fraudsters will always find a new way to commit the crime.
  • James
    James Posts: 2,059 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    David Prosser of the Independent has got it absolutely right:

    Following is an extract from his article on the recent Chip & PIN Breach.

    The Banking Code currently ensures customers who are cheated by fraudsters have their losses refunded in full. But the exception to this rule is that redress may not be offered in instances where consumers have been lax about the security of their PINs.

    In practice, it is currently routine for the card industry to refuse to pay up in cases where a fraudster uses a PIN to steal, because there has until now been no known way to beat the system without the cardholder's knowledge, or at least some carelessness. Card providers assume this is what has happened. The rules on compensation will need to be amended accordingly.

    luvagoose I've sent you a Private Message.
  • James
    James Posts: 2,059 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    "Police in the UK have arrested a third man, believed to be the engineering brains behind a sophisticated programme to read and transmit customer PINs as they are entered at compromised Chip and PIN terminals in retailer check-outs."

    Article click here:

    Comment: OK, they're obtaining the PINs, possibly from a Key Stroke Logger (Guess).

    The million dollar questions are:

    1. How are they obtaining the card details from the CHIP? Card details can't be obtained from the Magstrip as less than half of the Magstrip is entered into the Chip reading terminal in a shop.

    2. Are they transferring this information onto another chip (reverse engineering)?

    or.

    3. Are they dropping it onto a Magstrip? (which the card Industry would have us believe).

    Bottom line is PIN integrity cannot be assured. The jury is more than out on Chip.

    Meanwhile victims of PIN based fraud are arguing the toss with their card issuers or the Financial Ombudsman Service.
  • normanmark
    normanmark Posts: 4,156 Forumite
    I'm guessing that as soon as the key stroke logger gets the pin, the transaction contains all the relevant details, card number, expiry date etc.

    Simple duplication of the card details onto a blank one and they have the pin number logged from the pin pad.

    It's not hard to work out how it's done!
This discussion has been closed.