Comments on: Chip & PIN terminal playing Tetris

By: Billy

Billy — Mon, 23 Jun 2008 14:13:23 +0000

LOL Classis. Striping out the internals and replacing, the only problem it the merchant might get all the details but the transaction will not go through because its a fake.;)

The interceptor method is much better proof of concept because not only will the attacker recieve the details but also the transaction will go through aswell.

By: victor pedro

victor pedro — Sat, 31 May 2008 13:31:18 +0000

They have to insert another flea(chip)(sim) into a terminal of payment and have him(her,it) to connect it bluetooth on a portable pc and like that when a customer pay with that card, they receive all to give them of the card of credit and even the secret code!!!
Do you know the equipment which they were able to use?

By: victor pedro

victor pedro — Sat, 31 May 2008 13:20:44 +0000

Hello all, you know this technique?

http://www.zdnet.fr/actualites/internet/0,39020774,39363071,00.htm

And what material(equipment) and flea(chip) they are to use?

By: Rich

Rich — Mon, 14 Jan 2008 18:35:56 +0000

The bank ought to send a text message to my mobile whenever a transaction is made on my card.

That way, if I’m in say a restaurant I expect to get a text message shortly after paying the bill (or perhaps next day). If I don’t get the text message, I can be suspicious of the card reader.

And if I get a text message but wasn’t expecting one, I can call the bank about the transaction immediately.

By: Saar Drimer

Saar Drimer — Sun, 06 Jan 2008 14:40:24 +0000

Victor,

A POS terminal as many others, is just a small computer you can program to do anything you want with the hardware it has, Playing Tetris, for instance, so, there is nothing amazing on this.

Indeed, this technically un-amazing. It is amazing, however, that a device designed to protect our money fails in this way.

At the end, no matter the security, the cardholder should use an extra feature called “common sense”, to avoid fake terminals and suspicious sites.

Common sense should not play into this (your common sense is different than mine and anyone else’s, I am sure). In order to detect a fake terminal you need to be a trained professional and know exactly what to look for. Are you suggesting training all cardholders? Are you suggesting furthering the liability onto customers for the detection of tampering? This liability should be with the banks because only they can do something to improve the security.

I have personally seen several terminals glued with tape onto a mounting plate (one at Marks and Spencer; I’ve taken pictures), and others that are either old or have stickers and holes on them. Except me, I wonder how many people used the “common sense” you suggest and have refused to use those. But doing what I do, I notice these things though I can’t expect everyone else to.

By: Victor Barrantes

Victor Barrantes — Fri, 04 Jan 2008 17:42:44 +0000

A POS terminal as many others, is just a small computer you can program to do anything you want with the hardware it has, Playing Tetris, for instance, so, there is nothing amazing on this.
Of course, you can also make a more complex program to steal the card info and make whatever you like with the stolen data.
At the end, no matter the security, the cardholder should use an extra feature called “common sense”, to avoid fake terminals and suspicious sites.

By: Steven J. Murdoch

Steven J. Murdoch — Fri, 04 Jan 2008 17:25:58 +0000

@Phillip

Yes, I’ve also been thinking about using a phone in Chip and PIN transactions. The key idea is to allow the cardholder to see the transaction they are about to authorize, on a device controlled by them – their phone. In the current EMV system the smartcard doesn’t have a display and the terminal is potentially compromised. The open question is how to get transaction information from the bank to the phone, without harming usability.

Since I work for them, I obviously like the Cronto system. As all standard phones come with cameras, the encrypted and authenticated transaction can be encoded in a 2D-barcode. This achieves both mutual authentication and transaction authorization. So far this has been targeted at online transactions, but should work at POS too.

Another option is two-channel, such as sending the transaction in a SMS. This is also targeted at online transactions, but at POS the dependence on mobile phone signal and prompt SMS delivery could be a hindrance. Masabi have a good summary of various two-factor authentication systems, including their two-channel proposal.

Once phones eventually come with NFC capability, this could be used for POS transactions too. It is currently being trialled.

By: Philip Andreae

Philip Andreae — Fri, 04 Jan 2008 16:01:40 +0000

Interesting discussion. As a veteran of the debate I’d like to add to the discussion
On the complaince side the following are what i know everyone globally is suppose to certify their Electronic Payment devices to.

EMV level 1 and 2 should deal with making sure the device does what EMV says it should.

PCI PED defines tamper resistance and other security features designed to protect the integrity of a PIN transaction.

Then there is PCI DSS dealing with things like encryption, password, firewalls and confidentiality.

But none of these address, as so aptly described by Lindsay Johnson | May 25th, 2007 at 00:48 UTC, the real issue.

When we designed EMV we once spoke of implementing a method for terminal authentication. In the end we excluded such a concept from EMV. Others have piloted schemes that support terminal authentication but acquirers resist given the cost and complexity of deploying such a solutions.

The bottom line question is how is the consuemr to know that the machine is a fake.

Why not use the Mobile phone as the secure device and since it is the consumer that is paying let him be responsible to know that his device has not been tampered with therefore the stuff the bank put inside is still ok. From a risk perspective we will have to deal with the issue of lost and stolen phones. We could implement biometrics as a security device on the phone even voice recognition or accept PIN for now. And frankly I’d love to think much more about this if anyone is interesed please reach out. +1 416 628 513

By: Lindsay Johnson

Lindsay Johnson — Fri, 25 May 2007 00:48:13 +0000

Tamper evidence/tamper proof/tamper resistance etc are irrelevant in this experiment. Checking with PIN Pad and terminal vendors and their processes are also irrelevant. Accounting forensics to trace transactions is also irrelevant. Think about it like this - take this fake device to a market or street fair. Start selling some fad, gadget or novelty and accept card payment for it. Customer puts in card details and gets goods and leaves content. The “merchant” now has their card details including PIN. It was never sent to a bank for processing (hence no transactional trail). This merchant then disappears and sets up the same scam some where else. The flaw is that PIN only validates the cardholder - it doesn’t validate the device. We’re so used to thinking of fraud being perpetrated by cardholders we’re forgetting the fraud is increasing being perpetrated via dodgy merchants. The fake terminal doesn’t even have to look like a genuine vendors device. Cardholders cannot be expected to be aware of every model and vendor device in the market - there is an inherent trust that any device must be a genuine device. Hence why tamper resistance and evidence etc is irrelevant in this circumstance - you could mock up an iPOD with a card reader and keypad and am sure you’d get cardholders to enter the card and PIN. Device validation must be addressed.

By: TillMonkey

TillMonkey — Tue, 27 Mar 2007 16:40:18 +0000

“the merchant will not notice (until he sees his account statement)”.

Trust me; it will often not be until a good while after that :)