... with careful planning, it can last for the whole of the rest of your life.
As a break from bloody ID cards, I'll draw your attention to yet more dreadful stuff in the media about Chip and PIN. Yesterday's Telegraph reported Ross Anderson's refusal to use a PIN for credit card transactions, on the familiar grounds that doing so doesn't offer the customer any protection from credit card fraud and leaves them more vulnerable to cash machine fraud. In the Telegraph piece he also notes an elegant attack which can be used by criminals to avoid having to use the (difficult-to-copy) smart chips on the cards to steal money from banks:
... He said that smart cards from Britain would end up in America, which does not use them, while stolen American cards without smart chips would appear in Britain, where readers would still be able to process old-fashioned cards.
Ross was interviewed on PM yesterday evening on this topic, and the BBC, as ever using balance as a proxy for impartiality, followed this interview with an opportunity for response by Chip and PIN, a propaganda outfit set up by the banks. The spokesperson, one Sandra Quinn, was interviewed (confusingly) by the BBC's Carolyn Quinn: (errors in transcription are mine, but I've tried faithfully to reproduce the errors of diction, grammar, logic etc. of the interviewee)
CQ: Well, let's hear now from Sandra Quinn, who's spokesperson for Chip and PIN, that's an organisation that's acting for the retail and banking industries. Um, Sandra Quinn, what about those concerns raised by Professor Anderson? People are already feeling a bit wary of having to tap in their PIN numbers in front of other people; isn't this just going to increase their concerns?
SQ: I'm very surprised that somebody of Ross Anderson's capabilities and reputation is saying such a load of tosh, to be honest. The equipment....
I thought it was nice of Sandra to get her personal attack in early in the piece. Start as you mean to go on, that's what I say.
SQ: The equipment that we're using for chip and PIN has gone through a... a very severe accreditation process. It's extremely robust. The equipment that has been used in supermarkets; the equipments [sic.] that have been made at... used at small independent retailers... all those independent retailers are getting their equipment direct from their banks....
Banks, after all, never screw up security-wise, so obviously the equipment they supply will be completely immune to any type of fraud.
CQ: Well, weren't the same things said about cashpoint machines, and, err... we hear tales now about how they can be defrauded: cameras, and pictures taken, and people slotting things in. So, the, uh, professor's point was that smaller retailers, perhaps, could... could use fake machines or could find some way of getting hold of PIN numbers.
SQ: No, we don't think they can use fake machines, because the machines themselves are engineered to read the chip, so they... must be reading the chip very carefully, and that's... makes the... transaction itself extremely secure. What you will find is that this is an additional level of security to what we already have. As you said in the report yourself earlier, this is much safer than signature, because at the moment all somebody needs to do is to find our... card, learn our signature a couple of times, and start using it. You're not going to be able to have that in the new Chip and PIN environment at all.
I am glad to see that we are protected by the sophisticated security measure of, err, reading the chip very carefully. There was I thinking that we were protected by the Magic of Cryptography.
Possibly what she was trying to say was that only certified equipment may be used with the Chip and PIN cards and that (presumably) a thief's fake machine would not be so certified. Even if true this would be irrelevant, of course, because certified equipment can always be modified; or a dishonest employee could surreptitiously swipe your card through a separate reader -- to copy the magnetic stripe -- while watching what you type into the keypad, with no fakes or modifications required.
Sandra Quinn's answer here is an illustration of a useful technique. While Carolyn Quinn asked about vulnerabilities of the PIN-entry process in general, she also made the mistake of naming a specific example against which her interviewee was able to argue in detail -- perhaps not convincingly, but more easily than arguing against the proposition that crooks might find, ``some way of getting hold of PIN numbers.''
You can see something similar at work in the second part of her statement. It is true that a thief who takes a Chip and PIN card is unlikely to know the PIN for it and therefore would not be able to use it as easily as they would a card with a signature. (As I've remarked before, this isn't what matters from the cardholder's point of view, since they are insured against loss by the issuing bank. But obviously the bank cares how much it has to pay out, and it can limit this amount either by reducing the number of frauds which occur, or by refusing to pay out the compensation.) What I don't know is how much card fraud follows this pattern. It's certainly not the only way that a crook can steal money using a stolen credit card, and I'd be surprised if it were the predominant way. Yes, Chip and PIN does stop this attack. But there are lots of others it doesn't stop, and new ones it creates. Ms. Quinn mentions this case only because it is easy to argue.
CQ: But won't criminals still be able to clone cards, send them to the United States or other countries perhaps, where they still use magnetic-strip cards?
SQ: They will still be able to do that, there's in moderation. [sic. -- I have no idea what that bit was supposed to mean, actually] But what countries who are not going to be using Chip and PIN in the first moment are saying, well, they don't have card fraud.... [ cut various like waffle ]
I'm not really sure whether Sandra Quinn is really claiming that the countries which have not yet adopted Chip and PIN do not suffer from card fraud, but obviously they do. (The rest of the piece was so feeble I couldn't face transcribing it, so you'll have to trust that I haven't quoted the above out of context.)
Actually the whole interview was extremely poor; Carolyn Quinn made a good stab at asking the right questions, but as ever the interviewee wriggled off the hook, though she was made to look rather silly. If you listen to the Today Programme you'll hear much the same thing from Cabinet ministers, and I suppose spokesperson for an industry lobby group is much the same sort of job. (As an aside, the interviewee's full glorious incoherence was only made fully obvious once her words were transcribed and written out in full; doing so is a little time-consuming, but a useful exercise. Mark often does much the same on his Spy Blog. No doubt your or my conversation would look just as ill-structured if written down and presented in this format, but hey, I'm not paid to be spokesperson for the government or for a cartel of financial institutions -- and neither, I suspect, are you.)
Of course, media idiocy on this subject isn't confined to interviews. Consider this absurd press release reprinted by Silicon.com, in which we are reassured that there is no risk of robbers `shoulder-surfing' (that is, watching customers typing in their PINs and memorising them) and then mugging those same customers to obtain their cards:
``Someone who sits in their bedroom counterfeiting cards is not going to go out into the streets mugging old ladies,'' [Gary Hocking, `director of chip and PIN implementation at APACS'] said.
I think all I can do here is to express surprise that the credit-card-fraudster demographic has been so exactly characterised. Probably next week they'll be hailed as the new hope for a Tory revival.
Comments
Posted by Roy Badami, Sunday, 19 December 2004 20:48:
Hmm, it really seems that Ross Anderson is addressing the wrong issue here...
Replacing the current authentication which is effectively single-factor (possession of the card) with a two-factor authentication system (possession of the card plus knowledge of the PIN) is clearly an improvement.
There is a security problem during the transition, which could have been solved by issuing two PINs: one for use in old ATMs and one for chip-and-PIN. But that clearly wouldn't fly with the public: we all have too many PINs to remember as it is.
This seems a perfectly valid security trade-off for the banks to make: put up with an increased level of fraud during the transition, in order to achieve a reduced level of fraud in the long term, once ATMs have been upgraded to chip-and-PIN.
The real problem here is the banks' attempts to avoid compensating customers for fraud, despite the fact that they are legally obliged to do so. Surely this is where the effort needs to be made to fix things...?
-roy
Posted by Chris Lightfoot, Monday, 20 December 2004 00:41:
Yeah. Most of the security issues arise, as you say, from the coexistence of the chip and magnetic stripe (though this will persist for a good long time, especially if the Americans don't adopt, or adopt a different smart card technology). But telling people about the security issues -- especially by drawing attention to ATM `phantom withdrawals' -- is definitely worthwhile, even though it's actually the banks and the law not the security that's the big problem here. Who knows -- if more people are aware of the security problems, perhaps there will be fewer miscarriages of justice.
I seem to be feeling more optimistic than usual. Perhaps it's the festive season?
Posted by Stephen White, Monday, 20 December 2004 13:41:
It would be nice to see informed comments on Chip and Pin sometimes. The idea is a good way to make it harder to commit card fraud, although shifting the blame for fraud onto the consumer is definitely bad and the presence of the old-style magnetic strip opens up so many interesting ways to subvert the system it's untrue.
What amazes me is the total inability of the C&P supporters to answer questions such as: How do I spot a real vs. fake C&P machine? I don't care if it can or cannot read the chip: it can record the pin number I type in while believing it to be the real thing. Attaching a fake C&P machine to a real one such that all the signals from the card are passed to the real one while the fake one merrily misrepresents the amount I'm agreeing to have deducted from my card also seems plausible. These things don't concern me as much as the C&P supporters' insistence that such things can't happen, and the concern that if (when?) they do the lack of understanding will result in wrongly apportioned blame.
As an aside: does anyone know why it is so often stated that blind people should use signatures? Even the RNIB "strongly advises any blind or partially sighted people who think that they will find using the keypad or PIN number difficult to contact their bank or credit card company as soon as possible. Let them know that you will need a Chip & Signature card". Is it only me that wonders how signing a bit of paper they can't read with a signature they can't see (or ever personally verify) is so much better than them typing a pin number into a machine which should have helpful raised areas on some of the keys to help them locate them correctly?
Posted by Tom Lynn, Tuesday, 21 December 2004 18:52:
No fake machine is needed -- people can just use cameras or dust/grease the keypad if they want your PIN. Grease or oil-based spray is probably best, since that also affords good "plausible deniability" in a restaurant.
Posted by Pete Stevens, Thursday, 23 December 2004 13:12:
A conversation in the pub last night paying a tab :-
"Take my card over and bring the slip back for me to sign" (boyfriend dutifully wanders over to the bar, shoves card in)
"IT'S CHIP AND PIN, YOU'LL HAVE TO WALK OVER"
"MY PIN IS **** - TYPE IT IN FOR ME"
"OK"
I suspect that your average criminal might not bother going so far as to trojan the device.
Posted by Lorna Coupland, Saturday, 8 January 2005 22:51:
Consider this absurd press release reprinted by Silicon.com, in which we are reassured that there is no risk of robbers `shoulder-surfing' (that is, watching customers typing in their PINs and memorising them) and then mugging those same customers to obtain their cards
Unless my experience in Holland and Barrett today was an isolated case, you don't have to be 'shoulder-surfing' with malicious intent for those things to be very easy to read. I could see the keypad of the woman in front of me in the queue from a good four feet away, and since I wasn't actually planning to mug her for her card, I wasn't particularly looking. Okay, the keypad had those little guards at the sides that are meant to stop you seeing it, but since I'm slightly more than two feet tall, they didn't actually do anything. Stupid design...
Posted by Steve, Tuesday, 11 January 2005 18:25:
It is indeed so easy it seems rude not to steal a few cards and cash in.
Comments copyright (c) contributors and available under a Creative Commons License. See also the comments policy.