New flaws in chip and pin system revealed
Most of us do not think twice about paying for something in a high street shop by keying in our pin. It is easy, fast and in most cases it works.
But scratch a little under the surface and there are persistent reports of people who say they have been the subject of fraud of one kind or another on their credit or debit card.
Now a team of computer scientists at Cambridge University has found a flaw in chip and pin so serious they think it shows that the whole system needs a re-write.
Over the past few years, the Cambridge team has uncovered a series of weaknesses in the system, which has been running since 2004.
Shockingly simple
Two years ago, we featured one on Newsnight showing that criminals could tap into the communications between a pin terminal and a customer's card, and read off sufficient information to create a cloned card.
Now, the same team has found a way round the chip and pin system that is so simple it has shocked even them:
"We think this is one of the biggest flaws that we've uncovered - that has ever been uncovered - against payment systems, and I've been in this business for 25 years," Professor Ross Anderson from the Cambridge University Computer Laboratory said.
"This is a flaw in a system that's used by hundreds of millions of people, by tens of thousands of banks by millions of merchants," he added.
In essence the Cambridge researchers have discovered a way to carry out transactions without needing to know a card's pin.
Small kit
So how does the attack work?
We obviously do not want to give out too much detail, but in simple terms, a stolen card sits in an off-the-shelf card reader, inside a backpack.
This allows it to communicate with a chip, running software written by the team and controlled from a laptop.
All of this is hooked up to a fake card, which slots into the actual shop terminal.
The kit would not have to be big - the Cambridge team is already working on miniaturising it all into a unit the size of a remote control.
It is called a "man in the middle" attack because the software is tricking the terminal into thinking the pin has been verified.
"Essentially what it does is to exploit a flaw in the chip and pin system. It makes the terminal think the correct pin has been entered, and the card think the transaction was authorised with a signature," Dr Saar Drimer, one of the Cambridge team, explained.
"At the end the receipt says 'verified by pin' so the bank is going to think the pin is entered directly, but the criminal actually did not know the pin."
Credit and debit cards attacked
We got permission from Cambridge University to try out the attack in one of their cafeterias.
The team tried out four common cards - two credit cards, issued by HSBC and John Lewis, and two debit cards, issued by Barclays and the Co-operative Bank.
There was no particular reason for choosing these cards, they just happened to be the ones in the Newsnight team's wallets.
Using the cards, Dr Drimer keyed in 0000 as the pin. Since there is no need for the criminal to know the actual pin associated with the card, any combination should work.
It did work, and the printout stated that the purchase had been "verified by pin".
Following the attack we approached the Co-Operative Bank, Barclays and HSBC - which also administers the John Lewis card - for comment.
All three stressed that this was an industry-wide issue, not specific to any particular to any provider, that their cards were no different to those offered by any other provider or bank, and each referred us to the banking trade association for further comment.
Low sophistication
The Cambridge researchers have a standard approach when they uncover this kind of flaw. They tell the authorities straight away, suggest fixes, and then publish.
In the last few weeks, they have told the relevant official bodies.
In reality, though, how easy would it be for someone without a PhD in computer science to carry out this attack?
"Even small scale criminal systems have better equipment than what we have. The amount of technical sophistication needed to carry out this attack is really quite low," Dr Steven Murdoch, one of the team, told Newsnight.
"In practice how this attack would work is that one reasonably technically skilled person would build a device that carries out the attack and then sell this equipment on the internet just like criminals already do," he added.
So is this kind of attack already happening in the real world?
According to Phil Jones of the Consumers Association, chip and pin has helped to bring down instances of card crime, but many cases remain unexplained.
"It's very difficult to quantify exactly how big this problem is," he said. "What we do know from our investigations is that say around 14% of consumers on a representative basis have said they have suffered some kind of financial loss which they believe is through fraud.
"The percentage of that which is actually from this type of potential problem with chip and pin is something that is a lot less clear. What we do know is that we do have cases that are brought forward from individuals which seem quite persuasive."
Onus on banks
So whose job is it to sort this out?
In November last year the law changed, placing the onus firmly on the banks to prove that a customer has been negligent in any dispute.
In the UK, it is the Financial Services Authority (FSA), which has responsibility for overseeing how that new law works into practice, though they say it is up to the industry itself to decide how best to comply.
Newsnight understands that behind the scenes some of the banks are already working on fixing this flaw.
But they obviously have not all fixed it yet, because the banks did not alert any of us to the purchases we made using the Cambridge attack, our cards and a PIN of 0000.
Data trail
Every time you use a card, data on the transaction is generated along the way.
The Cambridge team thinks that customers would be better protected if banks were forced to produce this entire audit trail in disputed transactions.
However, in practice, banks often ask customers to destroy their card, and therefore its chip, as soon as they report a problem.
Stephen Mason, a lawyer who has represented consumers in cases involving banks and disputed card transactions, told Newsnight that digital evidence is increasingly important:
"Just because 'verified by pin' is printed on a piece of paper that comes out of a machine, it proves nothing.
It's for the bank to prove that it was verified by pin - and that statement is actually totally irrelevant."
The chip and pin system has a 700-odd page manual, but the Cambridge team says it has so many holes in it, the whole thing should be re-written.
"The first thing that banks should do is fix this vulnerability. There are ways they could upgrade the chip and pin system that would prevent this attack working for most of all the transactions that happen in the UK, not all but most," Dr Murdoch said.
They should also look back at previous transactions where the customer said their pin had not been used and the bank record showed it has, and consider refunding these customers because it could be they are victim of this type of fraud," he added.
Watch Susan Watts' full report on Newsnight on Thursday at 10.30pm on BBC Two, then afterwards on the BBC iPlayer and Newsnight website.
Resource/Kaynak: news.bbc.co.uk
No comments:
Post a Comment