CHIP & SIGNATURE vice CHIP & PIN
chattychappy wrote: »Yes, agreed. But right now, I think this presumption thing is still a problem - I don't know how often cardholders actually win the day.
It was only back in February, and I've not heard of it being tested in court yet, but to me the paper written by Cambridge academics describing the attack in detail here:
http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/oakland10chipbroken.pdf
...is a pretty damning piece of evidence that blows apart any presumption of Chip n Pin security, and should win the day in court. I strongly suspect that citing this in correspondence would result in the card provider backing down before it reached court.
chattychappy wrote: »So a court only has to decide which is most likely: a scam such as you describe, or the customer fibbing/being negligent/being in cahoots.
chattychappy wrote: »So my argument is that although the PIN system is probably more secure (a typical card pickpocketed, dropped, or taken as part of a burglary can't be used whereas in the past it could be)
Point taken, but I stand by my claim that it will still be easier for a bank to claim to a court that on a balance of probabilities a chip'n'pin transaction showing "PIN verified" is genuine when it wasn't, than when a signature card is used with a signature when it wasn't (ie forged). But it would depend on the circumstances of the case.
You can't simply cite an academic paper. In the case of expert witnesses, the court would likely have to grant permission to admit the Cambridge paper as expert evidence and unless both sides agreed on the evidence, then the bank would be entitled to bring in their own expert witnesses.
Degenerate wrote: »It has now been demonstrated that chip & pin security can be broken by a "man in the middle" attack carried out using relatively inexpensive card reader kit concealed in a rucksack and wired to a dummy card inserted into the retail terminal. The researchers demonstrated how this enabled them to place a supposedly "PIN verified" transaction on the card they had concealed in the rucksack, whilst typing any random 4 digits into the retail terminal and not needing to know the real PIN.
Now this cat is out of the bag, any bank that tries to use the PIN verification to place liability back onto the victim doesn't have a leg to stand on. Indeed, as they know it's been broken, they will be opening themselves to further potential liability if they try to stitch up their customers in this way.
And all that proves is that a 'cloned' card can be used which we all knew anyway.
The bank can tell if the 'real' card was used together with the 'real' pin therefore security overall has improved significantly and should be applauded.
As previously stated the only difference now is that banks will not pay out when they identify that the 'real' card and pin were used whereas previously they may have had to through a lack of contrary evidence ergo fraud has been reduced for this type of crime. Individuals now have to take more responsibility for what they do with their cards and Pin number.
You would be amazed at how many people believe their card to have been cloned and used fraudulently when in fact it is a family member using the real card with the real pin.
Hanky_Panky wrote: »And all that proves is that a 'cloned' card can be used which we all knew anyway.
The bank can tell if the 'real' card was used together with the 'real' pin therefore security overall has improved significantly and should be applauded.
Nothing of the sort. The hack does not involve a cloned card. It uses the original card, but kit in the middle that tricks the system into thinking it has verified by PIN, whilst the chip on the card generates an authorization code thinking it is a signature transaction.
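The disagreement Degenerate describes (terminal believes PIN was verified, card believes it was a signature transaction) is something an issuer can look for if both sides' records reach it. The check below is an added example, not code from the thread or the Cambridge paper; it assumes the terminal forwards its CVM Results (EMV tag 9F34) and that the card's own record of which CVM it performed is available to the issuer, modelled here as a constructed `card_cvm` field because the real layout of that card-side data is issuer-specific.

```python
from dataclasses import dataclass

# Added example, not from the thread or the Cambridge paper.
# CVM codes from EMV Book 3 (low six bits of the first byte of tag 9F34).
CVM_PLAINTEXT_PIN_ICC = 0x01
CVM_ENCIPHERED_PIN_ICC = 0x04
CVM_SIGNATURE = 0x1E
PIN_BY_CARD = {CVM_PLAINTEXT_PIN_ICC, CVM_ENCIPHERED_PIN_ICC}
RESULT_SUCCESSFUL = 0x02  # third byte of 9F34: the CVM succeeded

@dataclass
class AuthRequest:
    txn_id: str
    cvm_results: bytes  # terminal's tag 9F34 as received; b"" if absent
    card_cvm: str       # constructed field: which CVM the card itself recorded

def terminal_claims_pin(cvm_results: bytes) -> bool:
    """True if the terminal asserts a successful PIN verification by the card."""
    if len(cvm_results) != 3:
        return False
    method = cvm_results[0] & 0x3F  # bit 7 is the "apply succeeding rule" flag
    return method in PIN_BY_CARD and cvm_results[2] == RESULT_SUCCESSFUL

def disposition(req: AuthRequest) -> str:
    """Compare the terminal's account of the CVM with the card's account."""
    if len(req.cvm_results) != 3:
        return "no-terminal-cvm"  # nothing to compare; rely on other checks
    if terminal_claims_pin(req.cvm_results) and req.card_cvm != "pin":
        return "cvm-mismatch"     # terminal says PIN, card says otherwise
    return "consistent"

def flagged(reqs):
    """IDs of requests showing the PIN/signature disagreement."""
    return [r.txn_id for r in reqs if disposition(r) == "cvm-mismatch"]

SAMPLE = [  # constructed records, not real transactions
    AuthRequest("t1", bytes([0x41, 0x03, 0x02]), "pin"),        # genuine PIN
    AuthRequest("t2", bytes([0x5E, 0x03, 0x00]), "signature"),  # genuine signature
    AuthRequest("t3", bytes([0x41, 0x03, 0x02]), "signature"),  # the mismatch
    AuthRequest("t4", b"", "signature"),                        # 9F34 not forwarded
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.txn_id, disposition(r))
```

Only `t3` is flagged; `t4` shows the limitation that the check needs the terminal's CVM Results to be forwarded at all.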
chattychappy wrote: »Point taken, but I stand by my claim that it will still be easier for a bank to claim to a court that on a balance of probabilities a chip'n'pin transaction showing "PIN verified" is genuine when it wasn't, than when a signature card is used with a signature when it wasn't (ie forged). But it would depend on the circumstances of the case.
It's easier to forge a signature than carry out this hack, but still the hack is within the realms of what an organized criminal gang could easily accomplish. There have already been enough similar card fraud conspiracies uncovered that no court could reasonably rule it out, "on balance of probabilities" or not.
chattychappy wrote: »You can't simply cite an academic paper. In the case of expert witnesses, the court would likely have to grant permission to admit the Cambridge paper as expert evidence and unless both sides agreed on the evidence, then the bank would be entitled to bring in their own expert witnesses.
Degenerate wrote: »Nothing of the sort. The hack does not involve a cloned card. It uses the original card, but kit in the middle that tricks the system into thinking it has verified by PIN, whilst the chip on the card generates an authorization code thinking it is a signature transaction.
To quote the paper - 'The attack we present in this paper only applies to offline PIN cardholder verification' and 'However, the vast majority of UK point-of-sale terminals maintain a permanent online connection, so yes cards could normally be detected.'
So there we have it - chip and pin is more secure than chip and signature - later in the paper it even confirms that chip and sig can easily be forged.
To my knowledge (which may be out of date so happy to be informed correctly) there have been zero instances of anyone creating a 'cloned' chip card. All current clones rely on mag strip cloning.
Degenerate wrote: »You can submit any evidence you want, it's up to the other party to tear it to shreds, not for the court to pre-judge it. If they contest it with experts, the banks only rack up the court costs, which will be paid by them when they lose because the evidence is irrefutable. This isn't just a theoretical hack, it has been demonstrated in real life.
Sorry, evidence must be admissible, that is not the same as pre-judging it. In my day job (lawyer) I've dealt with expert witnesses - including scientists and submission of published work. My background is in IT. There is a protocol behind introducing expert reports. Even if you win a case, it is RARE to get ALL your costs back. You may get none of your costs back if you rejected a reasonable offer to settle.
I accept completely the technology can be hacked. No problems there. BUT, it's not enough to prove that the technology can be compromised because the case wouldn't be fought over that. The court would have to decide that in the circumstances of the case that compromised technology was the most likely explanation for the disputed transaction. The court might well accept that the transaction MIGHT have been as the result of a hack, but could still find in favour of the bank if they thought this was unlikely in the case in front of them. Again, I mean "unlikely" in this case, not "unlikely" in principle.
This is where our disagreement is. You think that you can bring the Cambridge report to court and the bank wouldn't have a leg to stand on. But the case wouldn't be fought over that.
My guess is that if the bank suspect the technology was compromised in a particular case or the amount is small, they would always settle.
Hanky_Panky wrote: »To quote the paper - 'The attack we present in this paper only applies to offline PIN cardholder verification' and 'However, the vast majority of UK point-of-sale terminals maintain a permanent online connection, so yes cards could normally be detected.'
You took that out of the context where it was discussing the limitations of previous methods of attack. Later in the same paragraph:
'However the attack presented in this paper does not rely on the yes card attack; it is entirely independent of card authentication, whether by SDA or DDA.'
They've completely defeated it.
Hanky_Panky wrote: »To my knowledge (which may be out of date so happy to be informed correctly) there have been zero instances of anyone creating a 'cloned' chip card. All current clones rely on mag strip cloning.
How many times do I have to repeat the fact that this attack does not involve a cloned card?
chattychappy wrote: »Sorry, evidence must be admissible, that is not the same as pre-judging it. In my day job (lawyer) I've dealt with expert witnesses - including scientists and submission of published work. My background is in IT. There is a protocol behind introducing expert reports.
Ok, clearly you have some knowledge here. Would you care to explain the circumstances where a peer-reviewed research paper written by world experts in their field at Cambridge University might be ruled inadmissible?
chattychappy wrote: »Even if you win a case, it is RARE to get ALL your costs back. You may get none of your costs back if you rejected a reasonable offer to settle.
chattychappy wrote: »I accept completely the technology can be hacked. No problems there. BUT, it's not enough to prove that the technology can be compromised because the case wouldn't be fought over that. The court would have to decide that in the circumstances of the case that compromised technology was the most likely explanation for the disputed transaction. The court might well accept that the transaction MIGHT have been as the result of a hack, but could still find in favour of the bank if they thought this was unlikely in the case in front of them. Again, I mean "unlikely" in this case, not "unlikely" in principle.
chattychappy wrote: »This is where our disagreement is. You think that you can bring the Cambridge report to court and the bank wouldn't have a leg to stand on. But the case wouldn't be fought over that.
chattychappy wrote: »My guess is that if the bank suspect the technology was compromised in a particular case or the amount is small, they would always settle.