To our U.S. readers, paying with a credit card means swiping a magnetic strip. But for people in much of Europe and other countries, it means inserting your chip card into a reader and entering your PIN. This so-called chip and PIN solution has long been touted as far superior to the American swipe, and in most ways it is. But there are some serious issues with how the scheme has been implemented.
Ross Anderson laid out his team's history of investigating chip and PIN cards at Black Hat this year. For a system designed to be harder to cheat, Anderson had a surprising amount to say.
A Cavalcade of Flaws
A quick refresher on chip and PIN: consumers insert their cards when making purchases. They then enter their PIN, which is confirmed by the card on the device--when it works, the PIN should never leave the reader. The card then talks with the bank to authroize the transaction, and the sale is made. On paper, it all sounds great.
A quick refresher on chip and PIN: consumers insert their cards when making purchases. They then enter their PIN, which is confirmed by the card on the device--when it works, the PIN should never leave the reader. The card then talks with the bank to authroize the transaction, and the sale is made. On paper, it all sounds great.
Anderson walked through several unqiue vulnerabilities found by him and his team, and others that were first observed in the wild and then reverse engineered by security experts.
Many attacks focused on the devices that merchants used to carry out transactions, and ATMs. His team found that several devices were not, in fact, made to the security specifications they claimed to follow. With a minimum of effort, he said they could wiretap the devices and extract the PIN during a sale.
Other attacks involved installing what Anderson called "wicked electronics" onto readers to capture transaction data. In one case, scammers installed their evil wares into card readers before they were even delievered to merchants.
But there were many other attacks, like embedding electornics directly onto chip and PIN cards, connecting cards to hidden devices that allowed a thief to authorize the card with any random code, and even attacks that "replayed" transactions at different locations.
Technically Superior, Practically Problematic
I asked Anderson if, after all the flaws he's found with chip and pin, he still thought it was superior to swipe cards. He was unequivocal: chip and PIN cards are technically superior simply because it they are much more difficult to clone than swipe cards.
I asked Anderson if, after all the flaws he's found with chip and pin, he still thought it was superior to swipe cards. He was unequivocal: chip and PIN cards are technically superior simply because it they are much more difficult to clone than swipe cards.
The bigger problem is in how chip and PIN was rolled out in Europe. Anderson explained that in order to get European merchants to switch, the banks promised merchants that they would be responsible for fraudulent charges. With swipe cards, a fraudulent charge is simply reversed to the merchant. Anderson called this "shifting the liability."
Sounds like a good plan but the reality was quite cruel. Anderson said that victims of fraud were frequently blamed by the banks, who accused them of exposing their PINs somehow. In other cases, the banks simply changed their minds and reversed charges to the merchants. In extreme cases, banks and credit card companies declined to press charges against known scammers, apparently out of embarrassment.
No one, it seemed, wanted to take responsibility for chip and PIN fraud. Anderson asked, "if the bank's not paying for the fraud, why would they bust a gut to keep it secure?"
Anderson also criticized the authors of the chip and PIN documentation for not having a clear vision, and letting the documentation spiral out of control. He called it a tragedy of the commons, and noted that no one has stepped forward to author an updated version that could actually make the necessary security changes to the standard.
Coming to America
Our U.S. readers, content with their swipe cards, may be wondering why this should matter to them at all. There's one simple reason: chip and PIN cards are poised to be introduced into this country. Anderson said that banks are set to make the transition by 2015.
Our U.S. readers, content with their swipe cards, may be wondering why this should matter to them at all. There's one simple reason: chip and PIN cards are poised to be introduced into this country. Anderson said that banks are set to make the transition by 2015.
Things may not go so poorly in this country. For one thing, only some banks are opting for chip and PIN schemes, while other banks will roll out chip and signature cards. This authentication plan has been used in Singapore, and is designed to give greater consumer protection. Anderson also noted that the Federal Reserve's role in U.S. banking also offers greater consumer protection--assuming it's not drastically eroded in the near future.
There was also a role, he said, that the Black Hat audience could play. "[Chip and PIN] isn't a single protocol; it's a big, random, crafty toolkit to build payment protocols," he said. "You can either come up with something that is really secure, or something that is really bloody awful."
Link:Pcmag
Link:Pcmag
0 comments:
Post a Comment