MSE News: Chip and Pin fraud danger uncovered

edited 12 February 2010 at 11:42AM in Credit Cards
30 replies 5K views
Former_MSE_NatashaFormer_MSE_Natasha Former MSE
672 Posts
edited 12 February 2010 at 11:42AM in Credit Cards
This is the discussion thread for the following MSE News Story:

"A team of computer researchers claim to have uncovered flaws that fraudsters are using on stolen plastic ..."

OfficialStamp.gif

These threads have been merged to avoid duplication. Thanks to James for the original post.
«13

Replies

  • edited 11 February 2010 at 6:42PM
    JamesJames Forumite
    2K Posts
    Part of the Furniture 1,000 Posts Combo Breaker
    ✭✭✭✭
    edited 11 February 2010 at 6:42PM
    Chip-and-PIN readers can be tricked into accepting transactions without a valid personal identification number

    Full article (click here).

    From the BBC (click here).

    (on Newsnight tonight, 11 Feb at 10.30pm)
  • davidgmmafandavidgmmafan Forumite
    1.5K Posts
    Part of the Furniture 1,000 Posts Combo Breaker
    ✭✭✭
    "It requires possession of a customer's card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal"

    Good to see they're not complacent at all and are taking this seriously. Look I used to work in a bank and cloned cards were used abroad to take more than the daily cash withdrawaw limit out. I've no idea how they did this but I sudder to think how much this costs the industry altogether.
    Mixed Martial Arts is the greatest sport known to mankind and anyone who says it is 'a bar room brawl' has never trained in it and has no idea what they are talking about.
  • edited 12 February 2010 at 4:19PM
    Premier_2Premier_2 Forumite
    15.1K Posts
    10,000 Posts Combo Breaker
    ✭✭✭✭✭
    edited 12 February 2010 at 4:19PM
    ...The UK Cards Association has dismissed the claim, saying that while the research shows it is possible in theory, this does not mean it is possible in reality.
    A spokeswoman says: "We believe this complicated method will never present a real threat.
    "It requires possession of a customer's card and unfortunately there are much simpler ways to commit fraud under these circumstances at much less risk to the criminal."
    Or a cloned card, which as the BBC article confirms is easy to produce if you know how.

    If all a fraudster needs in addition is a "wedge" ilo the PIN, I think they will prefer the "wedge" every time assuming the risk of someone spotting them using a "wedge" is small.
    "Now to trolling as a concept. .... Personally, I've always found it a little sad that people choose to spend such a large proportion of their lives in this way but they do, and we have to deal with it." - MSE Forum Manager 6th July 2010
  • Alex_LSAlex_LS Forumite
    197 Posts
    Premier wrote: »
    Or a cloned card, which as the BBC article confirms is easy to produce if you know how.

    Nope. It is not easy at all to produce a cloned card, and nobody (including the Cambridge guys) has even remotely suggested it's been done so far. In fact, Cambridge confirm a genuine card must be used to perpetrate this. That's because only the genuine card holds the key required to generate a correct cryptogram. Copied cards do not hold this key.
  • JamesJames Forumite
    2K Posts
    Part of the Furniture 1,000 Posts Combo Breaker
    ✭✭✭✭
    You can get an exact duplicate Chipped Card. I know I've had them and I forwarded them to the Cambridge Research Lab.

    It's pretty simple to deter crooks using a stolen credit card, or even using a cloned card. How you may ask?

    Well the answer is for the Chip or Mag Strip to carry information that the Cardholder on their Instruction to their Card Issuer submits their Thumbprint rather than or in addition to signing a transaction slip, when completing a face-to-face transaction.

    (This BBC Video, although there's an error pretty much demonstrates the system) (click here).

    Bet this puts the wind up the crooks.
  • I sudder to think how much this costs the industry altogether.

    The problem is that it doesn't cost the industry anything if they can just say "the receipt says it was verified by PIN so it's your fault". It costs the consumers money, not the industry, because the industry can deny a fraud has taken place and blame the consumer instead. Therefore, the banks are under no incentive to change because they don't stand to lose much under the current system.

    Hopefully the publication of this attack will change these problems and make the banks responsible for the safety of the money we lend to them.
    Alex_LS wrote: »
    Nope. It is not easy at all to produce a cloned card, and nobody (including the Cambridge guys) has even remotely suggested it's been done so far. In fact, Cambridge confirm a genuine card must be used to perpetrate this. That's because only the genuine card holds the key required to generate a correct cryptogram. Copied cards do not hold this key.

    Did you read the paper? If you search it for "yes card" you will see they specifically refer to earlier research which shows one way how cloned cards are produced. These "yes cards" are a clone of a genuine card but modified to accept any PIN number. This attack has been known about for years now but the cloned cards only work in a limited set of circumstances -- specifically, the PIN reader must be "offline" ie not connected to the issuing bank via internet or telephone or whatever, and the card must be a SDA (static data authentication) type, which banks have now started to phase out. All cards issued prior to 2009 are SDA, however.

    The attack presented in the paper yesterday is in some ways more dangerous than the "yes card" attack, because it works even if the terminal is "online" and connected to the issuing bank, and even if the stolen card is the newer DDA (dynamic data authentication) type rather than SDA. I see nothing in the paper which says whether the attack could or could not be adapted to use a cloned card instead of a stolen card.

    Disclosure: I am a computer scientist and Ross Anderson was in fact a lecturer of mine when I took my degree.
  • Alex_LSAlex_LS Forumite
    197 Posts
    James wrote: »
    You can get an exact duplicate Chipped Card. I know I've had them and I forwarded them to the Cambridge Research Lab.

    No, you can't and no, you haven't. The cards will have copies of the static readable data but will not have the PIN or keys and hence will not be able to create the correct dynamic data such as DDA/CDA signatures or ACs. The SDA cards necessary to facilitate the production of these copies will cease to be issued in Europe by the end of 2010.
  • Alex_LSAlex_LS Forumite
    197 Posts
    Did you read the paper?
    ...
    I see nothing in the paper which says whether the attack could or could not be adapted to use a cloned card instead of a stolen card.

    Yes, I read the paper. And a 'yes card' is a completely different fish to a 'cloned card'. A clone is an identical copy, including all secret data. Yes cards contain copies of static transaction data and will fail any online verification. They are incorrectly using the term 'clone', but at least they do only use it in conjunction with the terms "magnetic stripe" or "SDA".

    The paper does make it implicitly clear that only a genuine card can be used in this attack. Only a genuine card can be used because only a genuine card will contain the correct keys to pass authentication (offline or online).
  • Alex_LS wrote: »
    No, you can't and no, you haven't. The cards will have copies of the static readable data but will not have the PIN or keys and hence will not be able to create the correct dynamic data such as DDA/CDA signatures or ACs. The SDA cards necessary to facilitate the production of these copies will cease to be issued in Europe by the end of 2010.
    So, given that cards get issued for three years, people will have SDA cards with this vulnerability until the end of 2013? It's simply not good enough.
  • bert&erniebert&ernie Forumite
    1.3K Posts
    ✭✭✭
    Alex_LS wrote: »
    No, you can't and no, you haven't. The cards will have copies of the static readable data but will not have the PIN or keys and hence will not be able to create the correct dynamic data such as DDA/CDA signatures or ACs. The SDA cards necessary to facilitate the production of these copies will cease to be issued in Europe by the end of 2010.

    I've been through this with James before: http://forums.moneysavingexpert.com/showthread.html?p=13544753#post13544753
    The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts.
This discussion has been closed.
Latest MSE News and Guides

Stoozing, sublets & summer sips

This week's MSE Forum highlights

MSE News

Martin Lewis quizzes Rishi Sunak

Watch the cost of living support Q&A here

Join the MSE Forum discussion

48 craft beers for £50 delivered

One-off bundle for newbies. Excludes Northern Ireland

MSE Deals