U.K. researchers devise smart-card hack
By Tom Espiner, ZDNet.UK, February 07, 2007
Two Cambridge researchers have created a scenario in which hackers can bypass the latest bank-card security measures.
Saar Drimer and Steven Murdoch, members of the Cambridge University Computer Laboratory, demonstrated last month how they could modify a supposedly tamper-proof chip-and-PIN payment terminal to play Tetris.
They have now extended the hack to demonstrate how they can compromise the system by relaying card information between a genuine card and a fake one.
Chip and PIN, an initiative rolled out across the U.K. last year, is a security measure in which a customer must enter a four-digit PIN when using a credit or debit card for a face-to-face transaction. It replaces the magnetic strip and signature with a chip on the card and the PIN: the card is inserted into a terminal that authenticates the chip, and the customer then enters the PIN. Chip and PIN uses the EMV standard for smart cards; similar but incompatible EMV systems are in use in other countries as well.
The Cambridge researchers argue that the system is not as secure as the banking industry claims.
"Chip and PIN currently does not defend against this attack, despite assertions from the banking community that customers must be liable for frauds in which the PIN was used," the researchers said in an as-yet-unpublished paper.
"When customers pay with a chip and PIN card, they have no choice but to trust the terminal when it displays the amount of the transaction. The terminal, however, could be replaced with a malicious one, without showing any outward traces," the researchers warned in their paper.
Details of the prototype attack were released Monday. In it, Drimer and Murdoch demonstrate how a chip and PIN system could be compromised to steal diamonds.
How the scam works. In the scenario, a customer attempts to pay a restaurant bill. He inserts his card into a terminal that looks real but has actually been tampered with: it is not connected to a bank, but to a laptop in the restaurant.
The terminal is completely under the control of a criminal, who has modified the hardware to relay the card's traffic to an accomplice's laptop, for example in a jewelry shop across town. The accomplice's laptop receives the data relayed from the legitimate card in the restaurant and is wired to a modified bank card.
In the prototype system built by Drimer and Murdoch, the chip has been removed from the modified card, and wires from the card run up the attacker's sleeve to a laptop in a backpack. Such a setup could arouse suspicion, but the researchers believe the card could be made harder to detect by using an RFID chip that communicates wirelessly with the laptop.
The accomplice's laptop is linked to the laptop back in the restaurant over a GSM connection; Wi-Fi could be used instead, the researchers said.
The victim inserts his card into the modified terminal and enters the PIN, and the criminal texts the accomplice at the jeweler's shop to start the heist. The accomplice inserts the fake card into the jeweler's terminal. Every command the jeweler's terminal sends is relayed through the fake card, the two laptops and the fake terminal to the legitimate card, and the card's responses travel back the same way.
In effect, the jeweler's terminal is talking to the victim's genuine card, and through it to the victim's bank. Because the criminal controls the terminal in the restaurant, it can display a charge of $40 while the victim is actually being charged $4,000 at the jeweler's for a diamond ring.
During this relay attack the criminal does not need to break into any system or defeat any cryptography: the card's own authentication of the transaction passes through unchanged, because the data is simply being relayed from one terminal to the other.
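The flow above, reduced to a runnable simulation (an added example, not the Cambridge researchers' code or anything from the article). Assumptions: the card proves itself to the bank with a truncated HMAC-SHA256 over the transaction fields, standing in for the EMV application cryptogram (no key derivation, certificates or APDU encoding are modelled); the key, PAN and PIN are constructed test values; class and function names are this example's own. It shows both halves of the argument: a relayed transaction is approved by the issuer, which only ever sees the jeweler's name and amount, while a counterfeit card that has to forge the cryptogram itself is rejected, which is why the attack needs no decryption.

```python
import hashlib
import hmac
import secrets
# Constructed test values; the key stands in for the per-card EMV key shared with the issuer.
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CARD_PAN = "4111111111111111"
VICTIM_PIN = "1234"

def cryptogram(key, pan, amount, merchant, un, atc):
    """Truncated HMAC over the fields the issuer checks (stand-in for the EMV ARQC)."""
    msg = f"{pan}|{amount}|{merchant}|{un}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class GenuineCard:
    """The victim's real chip: verifies the PIN offline, then signs whatever it is asked to."""
    def __init__(self, key, pan, pin):
        self._key, self.pan, self._pin = key, pan, pin
        self.atc = 0                 # application transaction counter
        self.pin_verified = False

    def verify_pin(self, pin):
        self.pin_verified = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self.pin_verified

    def generate_ac(self, amount, merchant, un):
        if not self.pin_verified:
            raise PermissionError("PIN not verified")
        self.atc += 1
        arqc = cryptogram(self._key, self.pan, amount, merchant, un, self.atc)
        return {"pan": self.pan, "amount": amount, "merchant": merchant,
                "un": un, "atc": self.atc, "arqc": arqc}

class ForgedCard(GenuineCard):
    """A counterfeit with no relay behind it: it lacks the key, so its cryptograms are wrong."""
    def __init__(self):
        super().__init__(b"wrong key", CARD_PAN, "0000")

class Issuer:
    """The bank: recomputes the cryptogram. The amount the victim saw never reaches it."""
    def __init__(self, keys):
        self._keys = keys
        self.statement = []          # (merchant, amount) of approved transactions

    def authorise(self, r):
        key = self._keys.get(r["pan"], b"")
        expected = cryptogram(key, r["pan"], r["amount"], r["merchant"], r["un"], r["atc"])
        if not hmac.compare_digest(expected, r["arqc"]):
            return False
        self.statement.append((r["merchant"], r["amount"]))
        return True

class Terminal:
    """An honest merchant terminal (the jeweler's): PIN check, cryptogram, online authorisation."""
    def __init__(self, merchant, issuer):
        self.merchant, self.issuer = merchant, issuer

    def charge(self, card, amount, pin):
        if not card.verify_pin(pin):
            return False
        un = secrets.randbits(32)    # the terminal's unpredictable number
        return self.issuer.authorise(card.generate_ac(amount, self.merchant, un))

class FakeTerminal:
    """The tampered restaurant terminal: keeps the genuine card inserted, shows a harmless
    amount, records the PIN and exposes the card to the accomplice over the GSM/Wi-Fi link."""
    def __init__(self, displayed_amount):
        self.displayed_amount, self.card, self.captured_pin = displayed_amount, None, None

    def insert_card_and_enter_pin(self, card, pin):
        self.card, self.captured_pin = card, pin
        return f"AMOUNT {self.displayed_amount:.2f}  PIN OK"   # what the victim's display shows

class FakeCard:
    """Card shell with the chip removed: every command crosses the link and is answered
    by the genuine card sitting in the fake terminal."""
    def __init__(self, link):
        self.link = link

    def verify_pin(self, pin):
        return self.link.card.verify_pin(pin)

    def generate_ac(self, amount, merchant, un):
        return self.link.card.generate_ac(amount, merchant, un)

def run_relay_attack():
    issuer = Issuer({CARD_PAN: CARD_KEY})
    restaurant = FakeTerminal(displayed_amount=40)
    victim_card = GenuineCard(CARD_KEY, CARD_PAN, VICTIM_PIN)
    victim_sees = restaurant.insert_card_and_enter_pin(victim_card, VICTIM_PIN)
    jeweler = Terminal("Jeweler", issuer)
    approved = jeweler.charge(FakeCard(restaurant), 4000, restaurant.captured_pin)
    return victim_sees, approved, issuer.statement

def run_forgery_without_relay():
    issuer = Issuer({CARD_PAN: CARD_KEY})
    return Terminal("Jeweler", issuer).charge(ForgedCard(), 4000, "0000")

if __name__ == "__main__":
    print(run_relay_attack(), run_forgery_without_relay())  # ('AMOUNT 40.00  PIN OK', True, [('Jeweler', 4000)]) False
```

Running `run_relay_attack()` returns what the victim's display showed ($40), the jeweler's approval, and the issuer's statement, which lists only the jeweler and $4,000: nothing the bank verifies covers the amount shown on the restaurant terminal, and the transaction is traceable only to the shop where the fake card was used. `run_forgery_without_relay()` returns `False`, because a counterfeit without a live genuine card behind it cannot produce a valid cryptogram.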
The researchers were unwilling to reveal too much of the technology behind the attack, as they do not want their methods falling into the wrong hands. They did say that the fake card used a field-programmable gate array (FPGA), a semiconductor device containing programmable logic components and programmable interconnects.
Drimer said the fraud would be difficult for police to trace, as the victim might only notice it on a bank statement. They would then need to remember where they were when the fraud occurred, because the transaction would appear as coming from the jewelry shop, not the restaurant.
"A criminal could have a fast turnaround from this type of attack--most likely it would not be detected," said Drimer.
Now compare this to what I wrote here in October:
http://angrysince1967.blogspot.com/search?q=chip+and+pinched
I've actually been thinking about this whole chip and pin thing. We've been told by the people who know (they must be experts as I saw one of them being interviewed by Declan Curry on BBC Breakfast) that chip and pin is more secure than the old signature system as it's more difficult to forge. Er? Picture the scene. You're at a restaurant / bar etc. and the bill comes. Without thinking they present you with one of those portable chip and pin devices. You happily pop in your number (leaving a tip as well). Do you see the problem? No? How do you know that this device is what it purports to be? Still not concerned? Okay, let me put it another way. The smart chip in credit cards is (broadly at least) the same technology used in SIM cards. Did you know you can buy SIM card copiers? And it's not as if they are hard things to get. They even sell them in the local supermarket up from my parents' house. It doesn't take a massive leap of imagination to see where this is going, does it? If SIM cards can be copied then the smart chips in credit cards can be copied as well. All it takes is for someone to disguise this as a portable chip and pin machine and Bob's your uncle, a device which copies the data from your chip and captures the pin number. If they wanted to be really smart they could also incorporate one of those pinhole cameras (like the ones we're always warned about being attached to cash machines) to take a photo of the security number on the back of the signature strip. Of course it will also copy the data on the magnetic strip as well. All it's cost the crooks is a meal, and while you're scoffing the cheap sweeties they've given you with the receipt, your bank account is being emptied.
I'd just like to take this opportunity to say "I told you so". Angry Since 1967: always at least 3 months ahead of the game....