Chip & PIN terminals vulnerable to simple attacks

Steven J. Murdoch, Ross Anderson and I looked at how well PIN entry devices (PEDs) protect cardholder data. Our paper will be published at the IEEE Symposium on Security and Privacy in May, though an extended version is available as a technical report. A segment about this work will appear on BBC Two’s Newsnight at 22:30 tonight.

We were able to demonstrate that two of the most popular PEDs in the UK — the Ingenico i3300 and Dione Xtreme — are vulnerable to a “tapping attack” using a paper clip, a needle and a small recording device. This allows us to record the data exchanged between the card and the PED’s processor without triggering the tamper-proofing mechanisms, in clear violation of their supposed security properties. This attack can capture the card’s PIN because UK banks have opted to issue cheaper cards that do not use asymmetric cryptography to encrypt data between the card and the PED.

[Figures: Ingenico attack; Dione attack]

In addition to the PIN, as part of the transaction, the PED reads an exact replica of the magnetic strip (for backwards compatibility). Thus, if an attacker can tap the data line between the card and the PED’s processor, he gets all the information needed to create a magnetic strip card and withdraw money out of an ATM that does not read the chip.

We also found that the certification process of these PEDs is flawed. APACS has been effectively approving PEDs for the UK market as Common Criteria (CC) Evaluated, which does not equal Common Criteria Certified (no PEDs are CC Certified). What APACS means by “Evaluated” is that an approved lab has performed the “evaluation”, but unlike CC Certified products, the reports are kept secret, and governmental Certification Bodies do not do quality control.

This process causes a race to the bottom, with PED developers able to choose labs that will approve rather than improve PEDs, at the lowest price. Clearly, the certification process needs to be more open to the cardholders, who suffer from the fraud. It also needs to be fixed such that defective devices are refused certification.

We notified APACS, Visa, and the PED manufacturers of our results in mid-November 2007, and responses arrived only in the last week or so (Visa chose to respond only a few minutes ago!). The responses are the usual claims: that our demonstrations can only be done in lab conditions, that criminals are not that sophisticated, that the threat to cardholder data is minimal, and that their “layers of security” will detect fraud. There is no evidence to support these claims. APACS state that the PEDs we examined will not be de-certified or removed; the same applies to the labs that certified them, whose identity APACS would not even disclose to us.

The threat is very real: tampered PEDs have already been used for fraud. See our press release and FAQ for basic points and the technical report where we discuss the work in detail.

Update 1 (2008-03-09): The segment of Newsnight featuring our contribution has been posted to Google Video.

Update 2 (2008-03-21): If the link above doesn’t work, try YouTube: part 1 and part 2.

23 thoughts on “Chip & PIN terminals vulnerable to simple attacks”

  1. This is normal behaviour. When I was breaking security software back in the 1980s, the suppliers’ standard responses were (a) that I was cleverer than any possible hacker, so there was no threat, (b) that I had broken my own copy of the software and that all other copies were unaffected, or (c) that encryption was “only part of” the security offered by the package concerned. If it amuses you then you can read the story here.

    It is interesting to speculate what would happen if suppliers invested as much money in security as they do in public relations.

  2. I found that just popping the Chip out slightly on the card stops it being able to be read in a PED and then you can revert back to magnetic strip verification.

  3. The real fraud is why are we still using untraceable cash when billions of Euros or Dollars or whatever are going through the black economy rather than legitimate businesses that we at least have a chance of taxing even though governments often don’t. A few tens of millions nicked here and there at street level around the world is nothing compared to the hundreds of Billions in unpaid taxes from fraudsters in the city of London or NY at one end to the guy who tiles your bathroom at the other end. Let’s sort the big criminals out first before we worry about the small ones.

  4. > I found that just popping the Chip out slightly on the card stops it
    > being able to be read in a PED and then you can revert back to
    > magnetic strip verification.

    A trick used in the restaurant at my place if the customer forgets his PIN. They actually put the card in backwards, the terminal complains, then you are free to go.

  5. I watched the Newsnight report of this and the interview with Paxman and Susan Quinn Director of Communications of APACS.
    Susan was shockingly bad in her communications, in so far as she failed to correctly answer many of Paxman’s questions. She totally failed to agree that these cards are vulnerable. She kept smiling as I expect she was trying to communicate the visual message “if I look happy and smile viewers will think all is OK with the APACS card system”. “It’s not what I say but what I look like saying it”.

    Stupid woman and in my view, she is a crap communications director and should be fired.

  6. “Susan was shockingly bad in her communications, in so far as she failed to correctly answer many of Paxman’s questions. She totally failed to agree that these cards are vulnerable.”

    This makes her a bad PR does it?

  7. I think you might have muddled up Sandra Quinn with Susan Watts (the science editor of newsnight). Yes, assessing Sandra’s ability in PR could only be done with knowledge of her brief (which likely included a particular message to communicate regardless of the questioning, but is obviously not public).

    Whilst I’m sure Sandra is a very competent spokesperson (she has been speaking on behalf of APACS I think for more than five years), the more interesting question to me is whether APACS’ overall strategy for dealing with negative publicity for banks and banking security is being effective at reassuring customers or not. It’s an interesting question, which I remain undecided on. Furthermore, it’s easy to criticise, but can one invent a better strategy than what they are already pursuing?

    Mike.

  8. I think this segment was very well produced (even if a bit theatrical with a dark room and a projection screen 😉 managing to get the main point across that is, as I understand it, no security measures should be used to put the liability on the customer as none of them are 100%.

    You can still watch it in full on the BBC IPlayer site (for another 5 days): http://www.bbc.co.uk/iplayer/page/item/b00943gy.shtml

  9. It’s ok to put liability on the customer in an environment of imperfect security, so long as there is a healthy market of products competing for security, and switching costs remain acceptable. But even in internet banking (where the variety of security measures deployed by different banks is much wider than point-of-sale), there isn’t direct competition between banks on security.

    But I’m not the “uber-economist” on this blog, so forgive me if that analysis is being a little simplistic 😉

    Mike

  10. As I understand it, the majority of card fraud is now committed overseas using cards which have been cloned using information captured in the UK. So why don’t APACS insist that all their members follow a simple manual procedure of insisting:

    a) That any card which is to be used overseas has to be pre-authorised with the bank issuer for a set period

    b) That there is a strict limit on any overseas transaction value beyond which the retailer has to make a phone request for an authorisation code or bear the loss.

    c) There is a strict and small daily limit on any ATM withdrawals.

    These simple controls would limit the value at risk and reduce the number of cards at risk because the majority would not have a current authorisation for overseas use.

    My bank operates controls (b) and (c). My mobile phone company operates control (a).
    Implemented properly, simple controls approaches can be harder to get around than all the technology in the world. Put the two together and you can build a business process that actually works.

  11. Reply to Anon | February 28th, 2008

    You asked “This makes her a bad PR does it?”

    Yes I think it does. PR directors (or otherwise) who lie in the face of the clearly presented evidence are either thick or are so caught up in their own webs of spin and deceit that they have been in the job too long. I almost feel sorry for her. She came across as so deceitful. Full on fallacious testimony.

    We the public are getting so tired of lies and spin. The days of spin are numbered. Spin no longer washes out sins as it once did.

    We haven’t heard the last of the weaknesses of these PED machines.

    I stand by what I said. I think Sandra Quinn should be fired or resign.

  12. 2 Old Fart: banks are already doing a, b and c to one degree or another.

    – As a user I find it unacceptable even at the step of requiring me to make a call for _each_ card I am planning to use abroad.

    – This system does not scale well as handling these holiday notification/abroad tx auth calls for _all_ customers will be expensive.

  13. The problems with Chip and PIN have been raised many times before. Sandra Quinn waffling crap etc… has been going on for years.

    Read this, to get a good idea.
    “19 December, 2004: Remember, a bad idea isn’t just for Christmas”

    http://www.ex-parrot.com/~chris/wwwitter/20041219-remember_a_bad_idea_isnt_just_for_christmas.html

    I suppose Sandra Quinn would refuse to appear in an interview situation with Ross Anderson. She would only allow herself to be interviewed either before or after him, without him also being present.

  14. I’m an ex-pat Brit living in NZ so missed the program but the written hints about tapping the PED data stream seem clear enough to me. You’ve picked up on some fundamental design flaws. Interesting that it sounds like the flaws may affect the whole UK chip-and-pin system.

    I wonder if the recent news about cooling EEPROMs or DRAMs (presumably) using a freezer spray to capture volatile keys would be another way to defeat the tamper-resistance on smartcards? If I drop a card in liquid nitrogen, will I be able to get the lid off and probe it, or even slice it and pop it straight in a handy electron microscope maybe? It’s just conjecture on my part since I no longer have access to liquid N2 or a handy electron microscope.

    Kind regards,
    Gary

    PS Removing the magstripe facility worldwide would do more for card security than the other measures suggested.

  15. What amazes me, is that the boards inside these devices aren’t even potted. I’d have thought that there would have been some kind of requirement in place, when Chip and PIN was introduced, for PEDs to conform to something akin to FIPS 140-2 Level 3…

  16. These attacks seem to be increasing in frequency. Our local paper said that over 700 people had lost money from an attack which appeared to have taken place at a filling station near Markyate, Bedfordshire. The problem is that it takes typically a month for people to get credit card statements; by the time the banks and police detected the common element to these frauds, the thieves had vanished.

    One obvious way to stop it would be to make it harder to extract cash from the world-wide credit card system. I assume that if I wanted to set up in business I would have to provide my bank with lots of references before it would allow me to take customer’s orders via credit card. But overseas it seems that fraudsters can easily get such facilities. Maybe they can here too. But if money obtained from a customer’s credit card transaction had to be held in a bank’s escrow account for a full month after the debit, then it would allow enough time for most fraud to be detected and traced back to the receiving account. Provided banks gave a reasonable rate of interest on these amounts in escrow, the merchants could hardly object. It only needs the networks such as Visa or Mastercard to insist on such measures for all their agent banks worldwide for this, and many similar types of fraud to be suppressed.

  17. Another great way of exploiting the weak banking testing. Banks should have done extensive black box, white box and custom attacking scenario testing, however it has failed again.

    Keep it up lads 😉
