Chip-and-PIN cards let nearby fraudsters steal $1M at a time



#2

Chip and PIN, that’s the future!


#3

Not chip and PIN. This is to do with contactless payments. If you have not got a contactless card, you have nothing to worry about to do with this issue.


#4

The “PIN” part should basically protect against this.

In India, we’re basically phasing out the magnetic strip, and to date, all POS devices require you to insert the card fully and then key in your PIN. This attack would only work if you had both a contactless card and the target’s PIN. Also, I get an SMS with each transaction, no matter how small, and I can call up and dispute it if necessary…

Pretty misleading article!


#6

I have tried the contactless payment option on my bank cards and I cannot for the life of me figure out how it is more secure.

With Chip and PIN, if someone had my card they would still need my PIN. Now, if someone swipes my wallet, they get a Tappy Tappy spending spree on my dime. It was so easy I was dumbstruck. I thought for sure there would be more to it.

I still am excited by Apple Pay, as I like the way they require a password, biometrics, and they anonymize the transaction with a random string.

I really want to deactivate it in my physical bank cards, though.


#7

Did someone tell you that contactless payments are more secure? Than mag-stripe, maybe. Than normal chip-and-PIN? No way.

Anyway, when looking at this and considering the relative security of chip-and-pin vs. mag stripe, remember:

  1. This is an implementation flaw, rather than a fundamental design flaw. This can be fixed, while there is no way to keep magstripe data secure.
  2. This is a flaw in a feature that deliberately bypasses the PIN part of chip-and-PIN. We should be careful about bypassing security checks for convenience.
  3. You still can’t skim the card info and reuse it later. This flaw requires the card be present at the time of the transaction. This makes fraud easier to detect and easier to catch.
  4. When we make simple devices like credit cards “smart” they can and will have software bugs. Chip-and-PIN reduces the risk of buggy POS and payment processing software, but adds complexity to the card itself.

#8

Flashlight and a nail/punch to disable/remove the chip, if you don’t mind a small hole in your card. There are YouTube vids on how to find it. Shouldn’t affect the magnetic strip or the contact chip.


#9

There’s so much confusion on this issue.

Chip and PIN, as pointed out by others, is not “paywave” or “contactless” payment. Chip and PIN refers to that little gold chip on the card and the PIN you use to authenticate yourself. Contactless, in Australia anyway, cannot be used for transactions over $100 so this whole post is moot. I’d be blown away if it’s not a similar situation in the UK because it’s the simplest workaround solution ever. Cards with chip & PIN usually have contactless functions which is the basis of most of the confusion. Chip & PIN - Contactless - they’re two different things put in the same card.

Also I believe you are able to ask your bank for cards without contactless payment features.

Chip and PIN is much better than the mag strip it’s replacing because it’s far, far harder, if not next to impossible, to forge cards with a chip. It’s not the triviality that writing others’ CC details to a blank mag strip is.


#10

From the article quote it sounds like the primary issue is that they found that in the UK, the security implementation fails to recognize non-UK foreign currencies, allowing the $100 (or whatever the setting is there) limit to be bypassed.


#11

This was exactly my understanding of the issue.

New Zealand (where I am) is mostly run by Aussie banks, and we have the $100 no-pin limit (also, cash-out with the transaction triggers a PIN request). It’s a system that works quite well, allowing the benefits of tap-and-go (which is a godsend when you have to deal with the elderly trying to pay for groceries but are frail and bewildered by the pin pad), while limiting it to a “won’t bankrupt someone” fraud risk.

This does seem like an hilarious oversight though. The cards can’t be reprogrammed once they’re issued, I hope, meaning the only option if the issuing banks are serious about addressing this is to cancel each card and reissue them. And the volume of cards they’d probably have to cancel would cause so much bad will/press I just can’t see that happening.


#12

That is what the article is about. Transactions are supposed to be capped at GBP 20, but the check for that is done in the chip, and has a bug where it doesn’t check transactions denominated in foreign currencies correctly. So yes, it is the simplest workaround ever, and they already screwed it up once.


#13

Er, no, it’s not misleading.

In the UK, contactless chip-and-PIN cards do not require you to enter a PIN when used contactlessly, as long as the transaction amount is small enough (under £20).

But, according to the researchers quoted in the article, this limit is ignored if the transaction is in a currency other than sterling.

I’m guessing this is because of the difficulty of maintaining exchange rates, even approximate ones, for an arbitrary number of currencies. Of course, in that case, the sensible thing would have been to require a PIN for all foreign-currency transactions, regardless of amount.


#14

A lot of people not reading the article today! :smile:

[quote]But EMV cards don’t have to make contact with a reader to be used. They can also be used for contactless transactions for speed. The EMV system in the UK limits the maximum value for a contactless transaction to £20, requiring a PIN for anything more than this.

But the researchers found that the system doesn’t recognize foreign currency transactions and therefore doesn’t require a PIN for these.[/quote]

These cards and the chip are universal, which is why you can pay when you travel, and most aspects are the same everywhere. They do have per-country rules and per-bank rules programmed onto the chip by the bank, though, and apparently, so far as we know, this flaw only affects the UK rules programmed onto the chip.

  1. This flaw only affects cards programmed for the UK that we know of so far.
  2. Chip-and-PIN (EMV) cards have contactless payments built into the card (tap and go), whether or not your bank has enabled it, and in the UK it has a £20 limit…BUT
  3. This flaw bypasses the PIN by using contactless payments.
  4. This flaw bypasses the £20 limit by charging in other currencies.

So basically it gets around the typical security measures…and can charge up to $1 million to your card, the max the chip allows for regardless of localized programming. (Note: this doesn’t mean that banks aren’t going to be able to track where the money is going or that this is a smart idea, just that the security of the card is bollocks.)

It’s okay, I’ve not read the article before commenting before as well… :smile:

You are correct, the tap-and-go or contactless feature never requires a PIN in any country, and is a part of the EMV standard, and EMV chips.
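
The limit check that #13 and #14 describe, modelled as an added example (not code from the thread, the Wired article or the researchers): a flawed cardholder-verification decision that only applies the £20 no-PIN ceiling to sterling, beside the corrected rule #13 suggests (any non-sterling contactless transaction needs a PIN), plus an issuer-side check that flags the pattern the flaw produces. The £20 ceiling and the 999,999.99 maximum come from the thread; the function and field names are my own.

```python
# Added example modelling the contactless PIN-bypass discussed in the thread.
# Amounts are held in minor units (pence, cents) to avoid floating point.
from dataclasses import dataclass

GBP = "GBP"
CONTACTLESS_NO_PIN_LIMIT = 20_00      # £20.00, the UK contactless ceiling
EMV_MAX_AMOUNT = 999_999_99           # 999,999.99 units, the largest value quoted in the thread

@dataclass(frozen=True)
class Transaction:
    amount_minor: int      # e.g. 1999 == 19.99
    currency: str          # ISO 4217 alphabetic code, e.g. "GBP", "EUR" (assumed field)
    contactless: bool

def pin_required_flawed(txn: Transaction) -> bool:
    """Behaviour the researchers described: the ceiling is only applied to
    sterling, so a foreign-currency tap falls through and never asks for a PIN."""
    if not txn.contactless:
        return True                                   # contact EMV always asks
    if txn.currency == GBP:
        return txn.amount_minor > CONTACTLESS_NO_PIN_LIMIT
    return False        # BUG: unrecognised currency, limit check skipped entirely

def pin_required_fixed(txn: Transaction) -> bool:
    """Corrected rule from #13: no exchange-rate guessing, any non-sterling
    contactless transaction requires a PIN; sterling keeps the £20 ceiling."""
    if not txn.contactless:
        return True
    if txn.currency != GBP:
        return True
    return txn.amount_minor > CONTACTLESS_NO_PIN_LIMIT

def suspicious(txn: Transaction, pin_entered: bool) -> bool:
    """Issuer-side detection: a contactless, non-sterling, no-PIN transaction
    above the domestic ceiling is exactly the pattern the flaw produces and
    should be declined or sent for review."""
    return (txn.contactless and not pin_entered and txn.currency != GBP
            and txn.amount_minor > CONTACTLESS_NO_PIN_LIMIT)

def demo() -> dict:
    # Constructed sample: a 999,999.99 EUR contactless tap with no PIN entered.
    tap = Transaction(EMV_MAX_AMOUNT, "EUR", contactless=True)
    return {
        "flawed_asks_pin": pin_required_flawed(tap),    # False: the bypass
        "fixed_asks_pin": pin_required_fixed(tap),      # True
        "flagged": suspicious(tap, pin_entered=False),  # True
    }
```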


#15

I suppose, instead of re-issuing cards so early, they could issue those little faraday cage wallets to every active user. They could even spin it up - “Here’s your little aluminium card condom, because we care”.

EDIT: What am I talking, “little”? I mean sturdy, of course.


#16

[quote]a lot of people not reading the article today![/quote]

I’d welcome you, Mr Grin-face, to point out where anything I said contradicted the article or demonstrated a lack of knowledge about the issue at hand, please.

[quote]You are correct, the tap-and-go or contactless feature never requires a pin in any country, and is a part of the EMV standard, and EMV chips.[/quote]

You got that you directly contradicted yourself there right? You replied to someone saying “a pin is required if the transaction is >20” with “a pin is never required”. Which is it? (a rhetorical question - several of us already provided examples of when a PIN is required). Maybe you just didn’t realise that the security measure the University researchers were talking about circumventing was the necessity to input a PIN? Because that’s exactly what the issue here is - use a foreign currency on some UK issued VISA cards, contactlessly, and it won’t require any authorisation from a terminal. That authorisation is provided by… a PIN.

For clarity, this is the direct quote from the Wired article: “But the researchers found that the system doesn’t recognize foreign currency transactions and therefore doesn’t require a PIN for these.”


#17

My security measure to keep my EMV’d cards safe is… carry two of them next to each other, so any machine I’ve tried so far to just hold my wallet over reports “Too many cards detected” and makes me remove one.
Exactly the same thing happened with Snapper cards (the New Zealand version of Oyster cards, developed by the same guy-with-a-seafood-naming-fetish) when my university started putting RFID on their student IDs. Suddenly everyone had to fish out their bus cards, whereas previously we’d been able to hold up our wallets etc. to the bus terminal. Security through Technological Limitation, I suppose.


#18

The UK has all those EXACT same things with lower no-pin limits…and it doesn’t work very well due to the flaw because the flaw circumvents those exact things. So I read your comment to mean that either a) you didn’t read the article, b) you didn’t understand that the flaw circumvents those exact things, or c) you just wanted to share that this works the same where you live as just about everywhere else.

I apologize for incorrectly assuming option A, my mistake. The Mr. Smiley was simply so that you’d know it was meant to be a light-hearted ribbing and you didn’t have to be Mr. Super Defensive…geeze…apparently you bypassed the smiley security measures and withdrew maximum offense. :smile: <= see, that means a joke/humor

Except that is a feature the machine implements…and was added to machines precisely because having more than one card together can make both get charged or the wrong one get charged by a machine. Any nefarious reader would charge both cards. Keeping more than one card together doesn’t offer any protection at all; it just triggers a failsafe recently added to the legitimate machines. It adds zero actual security or protection.


#19

Even if you did read it, that’s wrong. It’s not $1 million, it’s 999,999.99 units of any foreign currency. 999,999.99 Euros is 1.25 million dollars. 999,999 Bahraini dinars is 2.65 million dollars.


#20

Just hope they steal 999,999 Iranian Rial from you instead. It’s worth about 23 quid (37 USD, 43 AUD). :laughing:


#21

The Wired article that is the one linked to was titled:

[quote]http://www.wired.com/2014/11/chip-n-pin-foreign-currency-vulnerability/
Flaw in New ‘Secure’ Credit Cards Would Let Hackers Steal $1M Per Card[/quote]
The BB post states:

I was just going off of what I read in the linked-to material.

The article you link to states:

“Up to that amount in a foreign currency” doesn’t necessarily mean that number of units of each currency; it could be read either way, really. It seems just as likely that Wired’s and BB’s interpretation is the correct one, that this Visa system has a $1M USD hard limit, as USD is the base international currency for Visa coding, but you could be correct that it is that many units in whichever currency.

@Beanolini Do you have any additional information on this that actually clarifies one way or another? I’m curious which it is now…

@doctorow Cory, do you know if this limit is $1M USD, £1M, or 999,999.99 units of any currency? Thanks!!!