Growing epidemic of card cloning

July 26th, 2006 at 13:56 UTC by Ross Anderson

Markus points us to a story on card fraud by German TV reporter Sabine Wolf, who reported some of our recent work on how cards get cloned. She reports a number of cases in which German holidaymakers had cards cloned in Italy. In one case, a sniffer in a chip and PIN terminal at a skilift in Livigno sent holidaymakers’ card and PIN details by SMS to Romania. These devices, which apparently first appeared in Hungary in 2003, are now becoming widespread in Europe; one model sits between a card reader and the retail terminal. (I have always refused to use my chip card at stores such as Tesco and B&Q where they want to swipe your card at the checkout terminal and have you enter your PIN at a separate PIN pad - this is particularly vulnerable to such sniffing attacks.)

According to Hungarian police, the crooks bribe the terminal maintenance technicians, or send people round stores pretending to be technicians; the Bavarian police currently have a case in which 150 German cardholders lost 600,000 Euro; the Guardia di Finanza in Genoa have a case in which they’ve recovered thousands of SMSs from phone company computers containing card data; a prosecutor in Bolzano believes that crooks hide in supermarkets overnight and wire up the terminals; and there are also cases from Sweden, France, and Britain. Customers tend to get blamed unless there’s such a large batch of similar frauds that the bank can’t fail to observe the pattern. (This liability algorithm gives the bankers every incentive not to look too hard.)

In Hungary, banks now routinely confirm all card transactions to their customers by SMS. Maybe that’s what banks here will be doing in a year or two (Barclays will already SMS you if you make an online payment to a new payee). It’s not ideal though as it keeps pushing liability to the customer. I suspect it might take an EU directive to push the liability firmly back on the banks, along the lines of the US Federal Reserve’s Regulation E.

Entry filed under: Banking security, Legal issues, News coverage

5 comments

  • 1. Clive Robinson  |  July 27th, 2006 at 13:43 UTC

    @Ross

    “In Hungary, banks now routinely confirm all card transactions to their customers by SMS.”

    There is a problem with SMS, which is why you have to be careful how you use it for Two Factor or any other security system.

    Basically, as far as the Mobile Phone Operators (MPOs) are concerned, it is a secondary service (at best). They most certainly do not offer any guarantee of delivery, let alone timeliness of delivery.

    There are two main reasons for this,

    1, The MPO network does not know (or care) where your phone is at any one time (only that it is on or off).

    2, The MPO network is very very expensive to implement, therefore they are as economical as possible with its usage.

    When you send an SMS it only gets delivered there and then if,

    A, your phone is where it was last registered on the network (ie you turned it on, made a phone call or took some other primary service action).

    B, The network is not congested with other (primary) traffic.

    So if you send an SMS from Waterloo station (London) at rush hour to say you are “on your way home” there is quite a good chance you will get home before the message does on some MPO networks if you live within the Greater London Area.

    Back in 2000 I ran up against this problem when designing a Two Factor Authentication scheme. After some cursing and subsequent investigation I had sufficiently quantified the problem to work out a couple of solutions.

    The first: ignore the problem and send the next OTP to the phone when the user logs in with the previous OTP. Therefore, as they are unlikely to log on / log off / log on again in a short period of time, the chances are it will work most of the time.

    Unfortunately this system failed due to “lost” SMSs and the fact that users (management types) did have a habit of logon / logoff / logon. Investigation showed that they often logged on to get one bit of info, logged off and then logged on again to get a second piece of info (it was likened to the Boss-Secretary Intercom issue which is well known to P.A.s etc).

    The first scheme also had the very major disadvantage that the OTP sat on the user’s phone without any kind of security, therefore it was not too difficult to steal / delete without getting caught if you had access to the user’s phone.

    The second solution proved to be a good deal more reliable, as it also provided feedback to the system of the state of the user’s phone (not the MPO’s network). Basically you sent the SMS, waited a short period of time, then phoned the mobile. If the phone rang after a short period the system knew that the phone was on. If you got voicemail or unobtainable then you were fairly confident the phone was not likely to get the SMS.

    This had the advantage that the system could send the SMS when the user tried to log on and could give a status message after a few moments if the SMS was unlikely to have been delivered.

    The reason for phoning after the SMS is to get around the issue of busy MPO networks: for some reason, due to their design, if your mobile is in primary use (ie a call is in progress) the network will deliver any backed-up secondary traffic (which is why you often hear SMSs coming in in the background when you take a call in your car).

    It also gave rise to an idea for a third method of doing Two Factor that did not use SMS. Assume you have access to a local area exchange code (all to yourself), so you have +4420 7123 XXXX as your phone number range. When a user logs in you ring the user’s mobile phone randomly from one of the XXXX lines; the user then types the last four digits of the displayed number in as the OTP at the prompt.

    This might work well for a large organisation such as a bank but would be prohibitively costly for small organisations.
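The lost-SMS failure mode of the first scheme described in the comment above, modelled as an added Python example (it is not the commenter’s code); the six-digit OTP, the user name and the deterministic pattern of dropped messages are assumptions made for the simulation:

```python
import secrets

class OtpChainServer:
    """Scheme 1 from the comment above: a successful login with the current
    one-time password (OTP) immediately sends the next one (hypothetical model)."""
    def __init__(self, send_sms):
        self.send_sms = send_sms  # callback (user, otp); the network may lose it
        self.expected = {}        # user -> the only OTP accepted at the next login

    def issue(self, user):
        otp = f"{secrets.randbelow(10**6):06d}"  # assumed six-digit OTP
        self.expected[user] = otp
        self.send_sms(user, otp)

    def login(self, user, otp):
        if not secrets.compare_digest(self.expected.get(user, ""), otp):
            return False
        self.issue(user)  # next OTP goes out as soon as this one is used
        return True

def lossy_sms(inbox, drop_indices):
    """Deterministic stand-in for the operator network: messages whose sequence
    number is in drop_indices never reach the phone (constructed scenario).
    Everything that does arrive stays readable in `inbox`, which is the exposure
    the comment notes for anyone who gets hold of the phone."""
    sent = 0
    def send(user, otp):
        nonlocal sent
        if sent not in drop_indices:
            inbox.append(otp)
        sent += 1
    return send

def simulate(sessions, drop_indices=frozenset()):
    """User logs on, off and on again `sessions` times, typing the newest OTP on
    the phone. Returns (successful logins, stranded): after one lost SMS the phone
    holds only an already-used OTP, which the server rejects."""
    inbox = []
    server = OtpChainServer(lossy_sms(inbox, drop_indices))
    server.issue("alice")  # enrolment: first OTP sent
    ok = 0
    for _ in range(sessions):
        otp = inbox[-1] if inbox else None
        if otp is None or not server.login("alice", otp):
            return ok, True
        ok += 1
    return ok, False
```

With no losses every session succeeds; dropping the third message leaves the user stranded from the third session on, with nothing the phone holds being accepted until some out-of-band reset.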

  • 2. .$author.  |  July 28th, 2006 at 09:07 UTC

    [...] Card Cloning & PIN Theft Epidemic Remember Shell - Chip & PIN cards compromised? Here’s the latests: In one case, a sniffer in a chip and PIN terminal at a skilift in Livigno sent holidaymakers’ card and PIN details by SMS to Romania. Full story - click here. And why you should be concerned: It is now extremely difficult for customers to prove their innocence unless their case corresponds with patterns already recognised by the banks. Full story- click here. PIN = Access to cash. PIN = Liability Shift. Signing = No access to cash & NO liability shift. Chip & Signature - you know it makes sense! [...]

  • 3. Nick Towner  |  July 28th, 2006 at 09:38 UTC

    Interesting that both the banks and the thieves use SMS.

    Because SMS messages use telephone numbers for addressing, people tend to assume these addresses are as reliable as calling line ID for phone calls. This is not so: faking the sender is quite easy.

    If you discover a sniffer using SMS, the destination phone number will probably be insufficient to catch them - it will be an anonymous prepaid (or stolen). But you could copy the originating phone number and send fake data which will set the alarm off when they try to pick up the money.

    The thieves can also exploit this by faking the messages from banks to their customers. At the very least, this would lead to call centre overload.

    Note on the previous comment: after the 7 July bombs in London, network overload made mobile phone calls almost impossible, but SMS text messages were still getting through. So in practice it can be a very good service too!

  • 4. Richard Clayton  |  July 28th, 2006 at 19:04 UTC

    After the tube bombings, the situation with the mobile networks was complex. This Mayor of London blog entry gives the details.

    The bottom line is that there was a distinct increase in calls (250% on Vodafone) and also in texts (doubled) and a lot more mobile-to-mobile calls than usual. However, very significant was that the City of London police (without consultation) got O2 to implement an emergency blocking system (ACCOLC) which may have caused over a million call attempts by the public to fail.

    Hence I don’t think the conclusions about SMSs and calls are valid. In particular at overload times (New Year) SMSs can be delayed for several hours. This was widely reported (eg here in the Sally Geeson murder case, where a Cambridge student was abducted and killed on 31 Dec 2004).

  • 5. .$author.  |  July 29th, 2006 at 10:14 UTC

    [...] Re: Chip & PIN again "a sniffer in a chip and PIN terminal at a skilift in Livigno sent holidaymakers’ card and PIN details by SMS to Romania." Click here for story [...]
