Optimised to fail: Card readers for online banking

A number of UK banks are distributing hand-held card readers for authenticating customers, in the hope of stemming the soaring levels of online banking fraud. As the underlying protocol — CAP — is secret, we reverse-engineered the system and discovered a number of security vulnerabilities. Our results have been published as “Optimised to fail: Card readers for online banking”, by Saar Drimer, Steven J. Murdoch, and Ross Anderson.

In the paper, presented today at Financial Cryptography 2009, we discuss the consequences of CAP having been optimised to reduce both the costs to the bank and the amount of typing done by customers. While the principle of CAP — two factor transaction authentication — is sound, the flawed implementation in the UK puts customers at risk of fraud, or worse.

When Chip & PIN was introduced for point-of-sale, the effective liability for fraud was shifted to customers. While the banking code says that customers are not liable unless they were negligent, it is up to the bank to define negligence. In practice, the mere fact that Chip & PIN was used is considered enough. Now that Chip & PIN is used for online banking, we may see a similar reduction of consumer protection.

Further information can be found in the paper and the talk slides.

25 thoughts on “Optimised to fail: Card readers for online banking”

  1. I think the most worrying point raised in your paper (to me anyway) is the personal safety aspect of allowing muggers to quietly check whether their tortured captives are telling the truth about their PIN numbers.

    Whatever happened to the idea of a “panic PIN”?

  2. Francis is right to worry about that risk. And with the rapid collapse of the UK banking industry the banks will shortly all be nationalised, so we shall shortly hopefully have a civil servant from the Ministry of Banks mandating a new universal UK banking 2FA system, which will cost the taxpayer £4bn or so and not work, but will allow the everyday thief in the street to reduce his or her current rucksack full of competing card readers down to one single government endorsed version, greatly increasing their potential swag : tool carrying ratio.

    Of course they’ll probably endorse some sort of outdated security which would be compromised the minute they leave the security keys on a train, as part of the current “government data loss” community outreach plan. That would only matter if the system worked though, which of course it wouldn’t.

    The future is bright!

  3. The paper suggests that “UK banks have also recently changed the voluntary code of practice – the Banking Code – to make customers liable for fraud if they do not have up-to-date anti-virus and firewall software.” I have checked the Banking Code:

    http://www.bankingcode.org.uk/pdfdocs/PERSONAL_CODE_2008.PDF

    and the only reference to anti-virus and firewall software is the suggestion that users should keep software up-to-date. It does not say that customers are liable for fraud if they do not take such precautions. Where was this claim derived?

    The definition of what constitutes security software is of course open to interpretation. I use Linux — does that make me secure? Moreover, the banks cannot mandate which software I should run and therefore cannot enforce such ruling.

  4. Very interesting! I deliberately don’t know my credit card PIN, because I only use it online, so I guess I’d better stop carrying it about, because of the slight risk of being murdered.

    The report seems somewhat OTT about the Banking code, for example saying “UK banks have also recently changed the voluntary code of practice – the Banking Code – to make customers liable for fraud if they do not have up-to-date anti-virus and firewall software”

    The code actually only says “Please make sure you follow the advice given below. • Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall.” Note: “advice”, not “requirement”.

    The Banking Code also recommends other things that people don’t generally do, eg: “If you don’t receive a bank statement … or any other expected financial information, contact us.” How many people tick off the arrival of their bank statements and phone the bank if one is late, and how would the bank react? So the code seems more like wishful thinking than a legal requirement.
    http://www.bankingcode.org.uk/pdfdocs/PERSONAL_CODE_2008.PDF

  5. @Pete Austin/Banking Code

    The relevant section of the Banking Code is 12.11:

    … If you act without reasonable care, and this causes losses, you may be responsible for them. (This may apply, for example, if you do not follow section 12.5 or 12.9 or you do not keep to your account’s terms and conditions.) …

    Where section 12.9 includes the advice about AV and firewalls that you quoted. This sounds to me very much like the banks are reserving the right not to refund disputed transactions in those cases.

    I agree that the Banking Code contains much advice that people don’t follow. The part about ticking off the arrival of statements certainly falls into this category in my opinion, but despite this fact, the code permits the bank to pass liability onto customers (it is in section 12.5, referenced from 12.11).

  6. @Steven, Thank you for the clarification.

    If anyone has the spare time it would be interesting to write to high street banks requesting clarification on this issue and requesting details of the software they deem appropriate for purpose.

    Specifically I would be interested in software deemed suitable for the Linux operating system.

  7. Pushing the responsibility onto users who are quite frankly unable to perform such actions with due diligence is an appalling code of practice. The banks should be exploring technologies which allow server-side verification that the client is indeed secure. To a limited extent trusted computing could be used to solve this problem, although such technology is clearly too immature at this moment in time.

  8. Interesting paper, but I think it draws certain conclusions that can be questioned.

    1) Example 1: the paper argues that individuals are more likely to become victims of mugging due to the existence of CAP readers, and tries to motivate this with two cases. However I feel these cases don’t really prove this statement.

    In the first case (about the two French students) the paper writes “Days after the murders the police revealed that the attackers were after the students’ card PINs”. This is not what the article of the Guardian says. This article only says that the police *thinks* they were after the PINs. Taking into account that the criminals already stole a laptop and game consoles, it can be questioned whether the two students were killed because of their PINs only.

    In the second case (about the 62-year old man) the paper writes “two Manchester men murdered a 62 year old security guard after he refused to reveal his card’s PIN”. The article about this case says that not only the card’s PIN was stolen, but also cash, wallets and mobile phones. So was the man really killed for not revealing his PIN? I’m not sure.

    2) Example 2: the paper argues that buttons of a CAP reader wear down after a while and therefore CAP readers will make it easier for a criminal to guess the PIN of a certain user. This statement can be questioned as well. Much will depend on the material of the buttons (typically rubber). Additionally the PIN-buttons are not the only buttons used. In order to enter the challenge and data fields onto the CAP reader, the other buttons will be used as well. So it can certainly be questioned whether the buttons of the reader will wear down in such a way that the PIN-buttons are revealed.

    So my point is that the paper raises interesting facts, but that its conclusions based on these facts can be questioned.

  9. That’s an impressive reverse-engineering of the CAP protocol, and the point about arming muggers with these things is valid and has been brought up before in the industry (although some say it could be a good thing: in certain parts of the world they will hold you hostage until your PIN is verified, this could make the experience far less traumatic).

    And I wonder which will happen first: someone actually getting mugged by a mugger carrying a PCR, or someone attempting to defraud a bank by SAYING they were forced to hand over their PIN to a mugger carrying one of these things. That’s a much easier way to make money.

    However there does seem to be a mistake in one of the main arguments of the article. You assert that the respond and sign functions could be mixed up in a social engineering attack, and more precisely that a zero balance sign is the same thing as a respond with the same UN. This is not actually true, as far as I know. I’ve worked a couple of times with the specification and since it’s confidential I can’t really say any more: but do re-check the contents of those messages to see if you can see another difference between a respond and sign.

  10. @Nick

    Thanks for your comments. We did check the scenario described in the paper: using the output of a “Sign” operation with a zero balance, when the bank website requests a “Respond” operation. It was accepted by the site.

    I also just double-checked our data, and the protocol dumps of the two operations are identical (except for the different ATC and consequently the ARQC).

    Here’s the first GENERATE_AC operation, on using “Respond” with challenge “12345678”:

    80 ae 80 00 1d
    ae
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 01 01 01 00 12 34 56 78
    61 14

    00 c0 00 00 14
    c0
    80 12 80 00 4c ac 2d d5 2f bf 7d 4d b2 06 01 0a 03 a4 a0 00
    90 00

    And here’s the first GENERATE_AC operation, on using “Sign” with reference “12345678” and amount “0.00”:

    80 ae 80 00 1d
    ae
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 01 01 01 00 12 34 56 78
    61 14

    00 c0 00 00 14
    c0
    80 12 80 00 4d 7d 9f 1b 59 f5 35 c2 74 06 01 0a 03 a4 a0 00
    90 00

    These are both from the Barclays CAP reader (because the Natwest ones do not accept a 0.00 as a valid transaction amount).

    I can only assume that the UK implementation (which I think was standardized by APACS) differs in some way from the global specification.
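    An added example, not part of the paper or of this comment, that splits the two transcripts above into their EMV fields so the difference can be read off directly: the CDOL1 field layout it assumes is the usual one for CAP readers and is not stated on the page. It shows that the command data is byte-for-byte identical and that only the ATC and the cryptogram differ in the responses, which is why the bank site has nothing to distinguish a zero-amount Sign from a Respond.

```python
# Added example: parse the GENERATE AC exchanges quoted in the comment above.
# The CDOL1 layout below is an assumption (the page shows only raw bytes);
# the lengths sum to 29, matching Lc = 0x1d in both commands.
CDOL1 = [("amount_authorised", 6), ("amount_other", 6), ("country_code", 2),
         ("tvr", 5), ("currency_code", 2), ("date", 3), ("txn_type", 1),
         ("unpredictable_number", 4)]

def unhex(s):
    return bytes.fromhex(s.replace(" ", ""))

def parse_generate_ac(cmd_hex):
    """Split a GENERATE AC command (CLA INS P1 P2 Lc data) into CDOL1 fields."""
    apdu = unhex(cmd_hex)
    cla, ins, _p1, _p2, lc = apdu[:5]
    data = apdu[5:]
    assert (cla, ins) == (0x80, 0xAE) and lc == len(data) == sum(n for _, n in CDOL1)
    fields, pos = {}, 0
    for name, n in CDOL1:
        fields[name] = data[pos:pos + n].hex()
        pos += n
    return fields

def parse_ac_response(rsp_hex):
    """Parse the format-1 response template: tag 80, length, CID, ATC, AC, IAD, SW."""
    rsp = unhex(rsp_hex)
    assert rsp[0] == 0x80 and rsp[-2:] == b"\x90\x00"
    body = rsp[2:2 + rsp[1]]
    return {"cid": body[0:1].hex(), "atc": body[1:3].hex(),
            "ac": body[3:11].hex(), "iad": body[11:].hex()}

def diff(a, b):
    """Names of fields whose values differ between two parsed messages."""
    return sorted(k for k in a if a[k] != b[k])

# Transcripts copied from the comment (command APDU, then the GET RESPONSE data):
# "Respond" with challenge 12345678, and "Sign" with reference 12345678, amount 0.00.
RESPOND_CMD = "80 ae 80 00 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 01 01 01 00 12 34 56 78"
RESPOND_RSP = "80 12 80 00 4c ac 2d d5 2f bf 7d 4d b2 06 01 0a 03 a4 a0 00 90 00"
SIGN_CMD = "80 ae 80 00 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 00 00 00 01 01 01 00 12 34 56 78"
SIGN_RSP = "80 12 80 00 4d 7d 9f 1b 59 f5 35 c2 74 06 01 0a 03 a4 a0 00 90 00"

def compare():
    """Return (differing command fields, differing response fields)."""
    cmd_diff = diff(parse_generate_ac(RESPOND_CMD), parse_generate_ac(SIGN_CMD))
    rsp_diff = diff(parse_ac_response(RESPOND_RSP), parse_ac_response(SIGN_RSP))
    return cmd_diff, rsp_diff

if __name__ == "__main__":
    cmd_diff, rsp_diff = compare()
    print("command fields that differ:", cmd_diff or "none")  # none
    print("response fields that differ:", rsp_diff)            # ['ac', 'atc']
```

    The zero amount is the only place a Sign could have differed from a Respond, and with amount 0.00 it collapses to the same 29 bytes, so the issuer's MAC input is the same in both modes.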

  11. No you are right, I just looked into this a bit deeper and there has been an update to the spec to deliberately remove the setting of the field that would have made the two modes of operation different. It’s always easy to be wise after the event: but it would have seemed sensible to have at least one field different between the two modes of operation, even if it were hard coded to different values. I stand corrected, good spot!

  12. This is all quite horrifying. I was worried enough about Chip & Pin but this takes it to a whole new level.

    I assume that complaining to the banks is likely to be met with a form response about how they care for our security etc etc. Any suggestions as to who better to raise this with? Banking Ombudsman?

  13. @Vicky

    APACS, who are the official spokesman for the banks, said that they were already aware of the vulnerabilities. Barclays claimed their system was infallible! You still might get something different from the customer care representatives, rather than their PR side.

    The BBA, like APACS, represent the bank and not the customer, so are unlikely to help. The Financial Ombudsman Service have a narrow remit in settling disputes, so don’t seem appropriate. They also have been the subject of substantial criticism.

    Probably your best approach is the Financial Services Authority, who are at least accountable to parliament. They are having their own problems at the moment though. Your MP is also in a good position to apply pressure to the right people.

  14. @Steven: Thanks very much for the pointers. I’m sure that having more voices adding to the pile of complaints can’t hurt.

  15. Indeed, best read in ages! I think I am just losing faith in our online banking security! This is all scary and something must be done about it SOONER rather than later!
    Our great authors, in Page 2, where you talked about the real-time MITM attack and where you wrote this: “This class of attack can be resisted by cryptographically binding the one-time code to the data of the transaction being attempted – transaction authentication. A robust way to do this is to provide the customer with an electronic signature device with a trustworthy display on which she could verify the transaction data, a trusted path to authorise a digital signature, and a tamper-resistant store for the signing key.”,
    Is there any chance that you could possibly forward me to where I can find some more details on how to encounter the real-time MITM attack, please?
    Thanks in advance!

  16. I’ve read the paper with the title of “The Man-in-the-Middle Defence” by Ross Anderson and Mike Bond and it seems very helpful and very rich in content!
    Still any help on how to encounter the real-time MITM attack would be much appreciated!

  17. Guys, look around you. UK is not the only country to use CAP, and it’s not even new!
    In France, we use CHIP&PIN for more than 20 years…
    As a result there is less fraud, and there is no case of assault for PIN, yet.

  18. While on the subject of online banking, has anyone in the group looked at the Rapport software that RBS is advising their customers to install? Several other banks are doing the same.

    http://www.rbs.co.uk/global/f/security/security-advice/protect-yourself/computer/rapport.ashx?DCMP=OTC-rapportFURL

    Can the security claims for Rapport be demonstrated?
    Does this product introduce more security risks than it claims to solve?

    Here’s the supplier’s web page about the product.
    http://www.trusteer.com/the-problem

    David

  19. Jad’ | April 21st, 2009 at 13:20 UTC said ” In France, we use CHIP&PIN for more than 20 years… As a result there is less fraud, and there is no case of assault for PIN, yet.”

    Hi Jad, April 12, 2002, 4 men broke into my house while I was sleeping. They stayed for about an hour, asking me for my pin-codes and choosing what they wanted to take from me.

    Let me tell you something you might not have heard of. I told them that they can take all my cards but I can’t give them the pincodes since they (my American cards) didn’t have pin-codes. They took many things with them (cash, laptops, mobile phones, jewellery) but they left all my American cards. This incident was reported with the gendarme in my area.

    The gendarme and police told me that thieves often assault cardholders for the cards and the pin-codes.

  20. Hi everyone – Thanks for the revealing paper and great comments. Does anyone know if the CHIP and PIN are being used here in the US?

  21. To avoid the frauds in banking and to make online banking more and more secure, this has to happen. There should not be any trouble having Chip & PIN. It will certainly raise confidence in the mind of the user about the security of his banking.
