Comments on: Chip & PIN terminals vulnerable to simple attacks http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/ Security Research, Computer Laboratory, University of Cambridge Thu, 18 Mar 2010 14:52:57 +0000 http://wordpress.org/?v=2.7.1 hourly 1 By: Billy http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/comment-page-1/#comment-29372 Billy Mon, 23 Jun 2008 14:16:27 +0000 http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/#comment-29372 Another great way of exploting the week banking testing. Banks should have done extensive black box, white box and custom attacking scenario testing, however it has failed again. Keep it up lads ;) Another great way of exploting the week banking testing. Banks should have done extensive black box, white box and custom attacking scenario testing, however it has failed again.

Keep it up lads ;)

]]> By: mentioned in the Telegraph http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/comment-page-1/#comment-28833 mentioned in the Telegraph Wed, 09 Apr 2008 08:41:04 +0000 http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/#comment-28833 http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/04/08/cmfraud08.xml&CMP=ILC-mostviewedbox http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/04/08/cmfraud08.xml&CMP=ILC-mostviewedbox

]]> By: Clive Page http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/comment-page-1/#comment-28525 Clive Page Thu, 13 Mar 2008 21:39:58 +0000 http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/#comment-28525 These attacks seem to be increasing in frequency. Our local paper said that over 700 people had lost money from an attack which appeared to have taken place at a filling station near Markyate, Bedfordshire. The problem is that it takes typically a month for people to get credit card statements; by the time the banks and police detected the common element to these frauds, but the thieves had vanished. One obvious way to stop it would be to make it harder to extract cash from the world-wide credit card system. I assume that if I wanted to set up in business I would have to provide my bank with lots of references before it would allow me to take customer's orders via credit card. But overseas it seems that fraudsters can easily get such facilities. Maybe they can here too. But if money obtained from a customer's credit card transaction had to be held in a bank's escrow account for a full month after the debit, then it would allow enough time for most fraud to be detected and traced back to the receiving account. Provided banks gave a reasonable rate of interest on these amounts in escrow, the merchants could hardly object. It only needs the networks such as Visa or Mastercard to insist on such measures for all their agent banks worldwide for this, and many similar types of fraud to be suppressed. These attacks seem to be increasing in frequency. Our local paper said that over 700 people had lost money from an attack which appeared to have taken place at a filling station near Markyate, Bedfordshire. The problem is that it takes typically a month for people to get credit card statements; by the time the banks and police detected the common element to these frauds, but the thieves had vanished.

One obvious way to stop it would be to make it harder to extract cash from the world-wide credit card system. I assume that if I wanted to set up in business I would have to provide my bank with lots of references before it would allow me to take customer’s orders via credit card. But overseas it seems that fraudsters can easily get such facilities. Maybe they can here too. But if money obtained from a customer’s credit card transaction had to be held in a bank’s escrow account for a full month after the debit, then it would allow enough time for most fraud to be detected and traced back to the receiving account. Provided banks gave a reasonable rate of interest on these amounts in escrow, the merchants could hardly object. It only needs the networks such as Visa or Mastercard to insist on such measures for all their agent banks worldwide for this, and many similar types of fraud to be suppressed.

]]> By: Dave Walker http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/comment-page-1/#comment-28492 Dave Walker Wed, 12 Mar 2008 11:01:35 +0000 http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/#comment-28492 What amazes me, is that the boards inside these devices aren't even potted. I'd have thought that there would have been some kind of requirement in place, when Chip and PIN was introduced, for PEDs to conform to something akin to FIPS 140-2 Level 3... What amazes me, is that the boards inside these devices aren’t even potted. I’d have thought that there would have been some kind of requirement in place, when Chip and PIN was introduced, for PEDs to conform to something akin to FIPS 140-2 Level 3…

]]> By: Peter http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/comment-page-1/#comment-28491 Peter Wed, 12 Mar 2008 06:42:52 +0000 http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/#comment-28491 BBC news says card fraud rises; but fraud in the UK still lower than before C+P. http://news.bbc.co.uk/1/hi/business/7289856.stm BBC news says card fraud rises; but fraud in the UK still lower than before C+P.
http://news.bbc.co.uk/1/hi/business/7289856.stm

]]> By: Gary Hinson http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/comment-page-1/#comment-28483 Gary Hinson Sun, 09 Mar 2008 20:52:20 +0000 http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/#comment-28483 I'm an ex-pat Brit living in NZ so missed the program but the written hints about tapping the PED data stream seem clear enough to me. You've picked up on some fundamental design flaws. Interesting that it sounds like the flaws may affect the whole UK chip-and-pin system. I wonder if the recent news about cooling EEPROMs or DRAMs (presumably) using a freezer spray to capture volatile keys would be another way to defeat the tamper-resistance on smartcards? If I drop a card in liquid nitrogen, will I be able to get the lid off and probe it, or even slice it an pop it straight in a handy electron microscope maybe? It's just conjecture on my part since I no longer have access to liquid N2 or a handy electron microscope. Kind regards, Gary PS Removing the magstripe facility worldwide would do more for card security than the other measures suggested. I’m an ex-pat Brit living in NZ so missed the program but the written hints about tapping the PED data stream seem clear enough to me. You’ve picked up on some fundamental design flaws. Interesting that it sounds like the flaws may affect the whole UK chip-and-pin system.

I wonder if the recent news about cooling EEPROMs or DRAMs (presumably) using a freezer spray to capture volatile keys would be another way to defeat the tamper-resistance on smartcards? If I drop a card in liquid nitrogen, will I be able to get the lid off and probe it, or even slice it an pop it straight in a handy electron microscope maybe? It’s just conjecture on my part since I no longer have access to liquid N2 or a handy electron microscope.

Kind regards,
Gary

PS Removing the magstripe facility worldwide would do more for card security than the other measures suggested.

]]> By: Anonymous http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/comment-page-1/#comment-28397 Anonymous Mon, 03 Mar 2008 01:31:06 +0000 http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/#comment-28397 The problems with Chip and Pin has been raised many times before. Sandra Quinn waffling crap etc... has been going on for years. Read this, to get a good idea. "19 December, 2004: Remember, a bad idea isn't just for Christmas" http://www.ex-parrot.com/~chris/wwwitter/20041219-remember_a_bad_idea_isnt_just_for_christmas.html I suppose Sandra Quinn would refuse to appear in a interview situation with Ross Anderson. She would only allow herself to be interviewed either before or after him, without him also being present. The problems with Chip and Pin has been raised many times before. Sandra Quinn waffling crap etc… has been going on for years.

Read this, to get a good idea.
“19 December, 2004: Remember, a bad idea isn’t just for Christmas”

http://www.ex-parrot.com/~chris/wwwitter/20041219-remember_a_bad_idea_isnt_just_for_christmas.html

I suppose Sandra Quinn would refuse to appear in a interview situation with Ross Anderson. She would only allow herself to be interviewed either before or after him, without him also being present.

]]> By: times card story http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/comment-page-1/#comment-28266 times card story Thu, 28 Feb 2008 22:12:37 +0000 http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/#comment-28266 http://www.timesonline.co.uk/tol/news/uk/crime/article3455652.ece http://www.timesonline.co.uk/tol/news/uk/crime/article3455652.ece

]]> By: Igor Drokov http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/comment-page-1/#comment-28259 Igor Drokov Thu, 28 Feb 2008 20:59:00 +0000 http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/#comment-28259 2 Old Fart: banks are already doing a, b and c to one degree or another. - As a user I find it unacceptable even at the step of requiring me to make a call for _each_ card I am planning to use abroad. - This system does not scale well as handling these holiday notification/abroad tx auth calls for _all_ customers will be expensive. 2 Old Fart: banks are already doing a, b and c to one degree or another.

- As a user I find it unacceptable even at the step of requiring me to make a call for _each_ card I am planning to use abroad.

- This system does not scale well as handling these holiday notification/abroad tx auth calls for _all_ customers will be expensive.

]]> By: Anonymous http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/comment-page-1/#comment-28257 Anonymous Thu, 28 Feb 2008 17:16:32 +0000 http://www.lightbluetouchpaper.org/2008/02/26/chip-pin-terminals-vulnerable-to-simple-attacks/#comment-28257 Reply to Anon | February 28th, 2008 You asked "This makes her a bad PR does it?" Yes I think it does. PR directors (or otherwise) who lie in the face of the clearly presented evidence are either thick or are so caught up in their own webs of spin and deceit that they have been in the job too long. I almost feel sorry for her. She came across as so deceitful. Full on fallacious testimony. We the public are getting so tired of lies and spin. The days of spin are numbered. Spin no longer washes out sins as it once did. We haven't heard the last of these weakness of these PED machines. I stand by what I said. I think Sandra Quinn should be fired or resign. Reply to Anon | February 28th, 2008

You asked “This makes her a bad PR does it?”

Yes I think it does. PR directors (or otherwise) who lie in the face of the clearly presented evidence are either thick or are so caught up in their own webs of spin and deceit that they have been in the job too long. I almost feel sorry for her. She came across as so deceitful. Full on fallacious testimony.

We the public are getting so tired of lies and spin. The days of spin are numbered. Spin no longer washes out sins as it once did.

We haven’t heard the last of these weakness of these PED machines.

I stand by what I said. I think Sandra Quinn should be fired or resign.

]]>