New card security problem?

July 20th, 2006 at 16:59 UTC by Ross Anderson

Yesterday my wife received through the post a pre-approved unsolicited gold mastercard with a credit limit of over a thousand pounds. The issuer was Debenhams and the rationale was that she has a store card anyway – if she doesn’t want to use the credit card she is invited to cut the credit card in half and throw it away. (Although US banks do this all the time and UK banks aren’t supposed to, I’ll leave to the lawyers whether their marketing tactics test the limits of banking regulation.)

My point is this: the average customer has no idea how to ‘cut up’ a card now that it’s got a chip in it. Bisecting the plastic using scissors leaves the chip functional, so someone who fishes it out of the trash might use a yescard to clone it, even if they don’t know the PIN. (Of course the PIN mailer might be in the same bin.)

Here at the Lab we do have access to the means to destroy chips (HNO3, HF) but you really don’t want that stuff at home. Putting 240V through it will stop it working – but as this melts the bonding wires, an able attacker might depackage and rebond the chip.

My own suggestion would be to bisect the whole chip package using a pair of tin snips. If you don’t have those in your toolbox a hacksaw should do. This isn’t foolproof as there exist labs that can retrieve data from chip fragments, but it’s probably good enough to keep out the hackers.

It does seem a bit off, though, that card issuers now put people to the trouble of devising a means of the secure disposal of electronic waste, when consumers mostly have neither the knowledge nor the tools to do so properly.

Entry filed under: Banking security, Hardware & signals, Legal issues, Security engineering

17 comments

  • 1. Sergei Skorobogatov  |  July 20th, 2006 at 17:12 UTC

    Everyone now has a microwave oven at home. Never tried, but I believe that cooking a card for 5-10 seconds will do the job.
    An alternative way would be manufacturing special card killers: something that has a smartcard connector and applies a negative 12 volts across the power supply and I/O lines. This will make the card unusable. As banks use well protected smartcards, data extraction will be too expensive for an attacker.

  • 2. Martin Kochanski  |  July 20th, 2006 at 17:37 UTC

    The chip fell out of one of my cards the other day, so I suppose I could experiment. Wonderful though microwaves are for erasing DVDs, I’m wondering whether the chip wouldn’t be too small for anything exciting to happen with microwaves.

    Putting the chip on the Aga would work (or on an electric hotplate?) but would it poison me in the process?

  • 3. Nicko van Someren  |  July 20th, 2006 at 17:40 UTC

    I recently purchased a new paper shredder from Comet (my old one died of indigestion). It’s a cheap, cross-cut shredder rated to handle half a dozen sheets of 80gm^-2 paper at a time but the packaging also stated it could handle credit cards and CDs. While I’ve not tried a CD in it, it made short work of a recently expired charge card which had a chip in it and the shred strip width is such that the chip in the card stood little chance of survival.

    Of course there is still no excuse for sending a credit card to someone who has not asked for it. It also begs a number of questions about who is liable for the charges on the card, since I expect Debenhams would be hard pressed to find anything signed by your wife accepting responsibility.

  • 4. dk  |  July 20th, 2006 at 18:29 UTC

    How about a hammer?

  • 5. quincunx  |  July 20th, 2006 at 20:55 UTC

    Hmm, did we invent fire yet?

  • 6. Ian Brown  |  July 20th, 2006 at 22:28 UTC

    Desk scissors chopped up a card chip quite reasonably for me :)

  • 7. Chris Walsh  |  July 20th, 2006 at 23:23 UTC

    Google “CD shredder”. I assure you, they work just as well on credit cards :^)

  • 8. NIk  |  July 21st, 2006 at 09:22 UTC

    The problem with most off-the-shelf cheap shredders is that the fragment size is at least 4-5mm wide, which means the chip itself may well survive intact. Sure, it’s a lot more difficult to exploit, but there is still a risk.

    Perhaps there might be a route to force the banks to handle it under the new raft of environmental disposal regulation (WEEE etc)?

  • 9. kalsius@gmail.com  |  July 21st, 2006 at 11:17 UTC

    Surely disposal isn’t the only problem… If I don’t know I am supposed to be receiving a credit card with a pre approved limit which presumably is ready to use then I can’t alert anyone if I don’t receive it in a reasonable amount of time…

    If I want something I should initiate the transaction and then be able to provide assurance from my end that the transaction completes. In this case someone who possibly managed to get hold of this mail (I know plenty of people who throw this type of mail away without even opening it) then there is no secondary measure which allows me to say “Hey I should have received my card and I haven’t, maybe I should chase this up”

    If UK banks aren’t supposed to do this, it’s for a really good reason.

  • 10. Kal  |  July 21st, 2006 at 11:19 UTC

    Can someone edit the above Name field, ctrl+v mistakes!!!

    (Done – Ross)

  • 11. Tim Kerby  |  July 21st, 2006 at 12:44 UTC

    My methods, should work individually or in combination

    1 – Microwave for 30 seconds with a glass of water in the microwave at full power. The water stops you destroying the microwave and the extra time means you don’t have the card at any of the null points in the standing waves that form in microwaves

    2 – Hammer – cut out the chip and bash to a powder

    3 – Fire – Put it on a good hot log fire, or even on an old baking tray on your barbeque. Toast slowly until done!

    4 – Separate disposal. Remove the chip and dispose of it separately from the rest of the card. Its small size should make it hard to find. I’ve heard of throwing them in the water at beaches, down drains and burying them but a normal on street dustbin should do just fine

    5 – Eat it spy style. Your stomach acid should easily destroy the chip. [joking]

  • 12. Clive Robinson  |  July 22nd, 2006 at 13:14 UTC

    Actually the problem of destroying chips is very very difficult, I used to think the microwave method was good enough but it is not. Even though it destroys the chip’s ability to work, it is still possible to view the chip remains in a scanning electron microscope (which are available at quite low cost) and some parts will survive and I have been told that in theory it is possible to work out the data in those areas….

    The only method I know that is actually certified as working involves the use of a mixture of either Red Lead (lead oxide) and Aluminium dust or aluminium oxide and iron dust (thermite, also Aluminium and Iron oxide). Thermite can burn at around +2500C and higher, however you need an oxy cutting torch to get it going, unless you add a few other chemicals to start it burning easily. In practice you add others to make it stable and help raise the temperature even more.

    A little experimentation shows that if you use aluminium powder and red lead you can start it burning easily if you use ferric chloride crystals mixed with the aluminium dust, you simply need to get the mixture wet you can set it off as I have found out by spitting or urinating on it. HEALTH WARNING wear gloves as your sweat will be enough to make the exothermic reaction start and it will give you a very very nasty burn.

    Red lead and aluminium powder can be bought from places like auto shops, and ferric chloride is available from your local friendly Maplin or Tandy as it is used as copper clad PCB etchant. If you want to buy in bulk BDH (British Drugs House) used to sell all of them in very high purity at quite low cost in 500g upwards quantities.

  • 13. Markus Kuhn  |  July 23rd, 2006 at 18:49 UTC

    When Barclays Bank sent me my last banking card, their cover letter advised me to cut up the old card and to make sure that I also cut with scissors right through the centre of the chip. I suspect that most customers will read “centre of the chip” as “centre of the contact area”, but that difference may not matter since for all smartcard chips that I ever depackaged, the two locations were the same.

    Cutting through the contact area is very likely to damage connectivity for at least some of the pads by either damaging the bonding wire or the little PCB tracks on the back of the contact pads. Such damage could be fixed with a reasonable success rate with modest means (conductive ink, probing needles, fine soldering iron, etc.). If you actually manage to break the chip into two or more parts, the effort necessary to access its EEPROM content would certainly be very formidable and impressive, and probably cost substantially more than the fraud one could commit with it. Most importantly, the substantial work needed to access memory on a fractured die is not easily repeated. Honest work at that skill level simply pays more.

    I tried and did indeed manage quite easily to cleave my die into at least three fragments with normal office scissors, but then, I may be a bit more familiar with the anatomy of a smartcard than the average Barclays customer. So this single experiment is no meaningful indicator for the success rate of the method recommended by Barclays. No doubt, a proper paper is yet to be written about an experiment in which 200 random bank customers are given a chip card, some old scissors, and asked to follow simple instructions in a cover letter for cutting up the card.

    On a related note: I was once told that in the early 1990s, German Telecom noticed that in some areas there had suddenly been surges in complaints about defect pre-paid phone cards for which customers wanted to have a refund. German Telecom started to routinely depackage returned cards and discovered that some customers had fully used the cards, then melted the bonding-wire contacts by ironing the card, and finally claimed at the post office that the defect card had never worked and asked for a full refund.

  • 14. LumpyTrumpet  |  July 24th, 2006 at 21:17 UTC

    I’ve always disposed of old/unwanted cards by cutting them up and disposing of the pieces in separate bins, emptied at different times.

    Let geography do the work….?

  • 15. Mark George  |  July 25th, 2006 at 12:09 UTC

    I’m amazed that the problem of disabling a card’s smartness is causing so much agitation.

    I do it with my bare hands. It takes about three seconds and no special tools. I should point out that a reasonable length thumb-nail is an advantage. Simply press at the centre of the contact area (invariably coincident with the centre of the chip IME) with a thumb-nail and flex the card over the nail with the two forefingers. A small crack will normally be felt and heard as the chip fractures. If your credit limit is so high that you live in mortal fear of a nerd with an electron microscope, a vast array of skills and incredible luck; the process may be repeated for the two remaining parts by rotating the card through 90° and listening to two further cracks.

    It may be that the biometrics, on any future identity card that I may be coerced into carrying, will never be readable.

  • 16. Pippin  |  July 25th, 2006 at 17:08 UTC

    In that situation, I would probably chop the card in half (or quarters) the traditional way using scissors, put the pieces back in the envelope, sellotape it shut, write “RETURN TO SENDER” in large letters on the outside and put it back in the post.

  • 17. Mike Bond  |  August 1st, 2006 at 14:40 UTC

    Maybe a good solution exists at the protocol level? Card issuers can send out scripting messages to alter various card functionality, and block and unblock applications.

    Simply continue to use your card after it has allegedly expired, and with a bit of luck a card block message will get sent to it. Problem solved.

    My modus operandi is to hoard my old cards. Stick em in a small safe if you can be bothered, or just amalgamate them in as another risk insured against if and when your house is burgled. At least that way in the absence of burglary, you can be assured no dumpster-diving, trash-sifting, ploughed-field-metal-detecting, electron-microscope-scanning fraudster is going at your old cards without you at least knowing about it.

    My 2p ;-)
