Saturday 20 February 2010

Chip & Pin Weakness Smoke Screen for Real UK Card Fraud

The Chip & Pin man-in-the-middle weakness highlighted by the Cambridge academics last week is important to raise and to have addressed, but I’m afraid to say this weakness in Chip & Pin is nothing new, this vulnerability has been known about for years, the Cambridge boffins are right in that Chip & Pin isn't as secure as it should be. However no system ever gives 100% security, the aim of the game is about reducing risk. Chip & Pin reduces card fraud risk significantly when compared to other non-cash payment methods, such as payments by just signing and payments bycheques, even with this vulnerability. The fact is Chip & Pin drastically cut cardholder present fraud in the UK when it was introduced in 2005.
The real important thing to understand here, is for the Cambridge Chip & Pin fraud to work, the fraudster needs to have possession of the original debit/credit card (which has yet to be cancelled), and seemingly a laptop.

Now I have researched card fraudsters for years, and I can tell you they always tend to go with simplest methods of committing card fraud with poses the least risk of being caught, and as any security professional knows, bad guys always tend to go for the lowest hanging fruit.

So here's my main point, why would a card fraudster who is in possession of stolen card bother with the sophisticated technique as highlighted by the Cambridge boffins, when it is far easier and less risky to just damage the chip on card, forcing a magnetic swipe and signature payment, perhaps if needed requiring a bit social engineering against the cashier. Still it would be far easier and less risky to the card fraudster to use the stolen card with online transactions or even get away with small contactless payments which also don’t require any PIN knowledge.

Secondly I find card fraudsters tend to use stolen card details where the actual cardholder has no awareness of their card details being compromised. When the physical card is stolen, it tends to be reported by cardholder, so it quickly is cancelled preventing transactions from working on it, remember the Cambridge attack is all about the physical possession of the stolen plastic card, not stolen payment card details, which is where the bulk of card fraud occurs.

Just to prove how easy it is to get around Chip and Pin without having a PHD, I performed a demonstration yesterday at a “birthday card” retailer in a UK City. I used one of my own credit cards as opposed to a stolen credit card, the credit card I used just happened to have a damaged chip.

To be crystal clear, I did nothing illegal and unethical, and I certainly didn’t perform any social engineering or anything dodgy like that. All I did was place my credit card in the card reader as instructed by cashier, the card reader displayed invalid, and the cashier said this happens now and again and took my credit card out, swiped through a magnetic reader, then asked me to sign, I followed the cashier's instructions, so completing a transacton without using a PIN number.

Here's the receipt, note "Date" and transaction type "Swiped" and "Signature Verifed"

My final point is the majority of payment card fraud committed in the UK, is card not present transactions, such as payments made over the Internet or by phone. This type of fraud does not require that the fraudster has physical possession of the plastic card. Often payment card details not the physical plastic card are stolen, often on mass from poorly secured retailer. These stolen card details are then brokered up and sold online to individual fraudsters, who go on to commit the actual fraudulent transactions againt them. Typically fraudulent transactions with UK cards are made against websites which don't have the 3D secure (online password required), typical websites at the moment tend to be online gambling websites, which are an easy way for an international card fraudster to cash out against a stolen UK card.

I personally reckon at least £1 Billion is stolen on British payment cards every year, and to my knowledge on how UK card fraudsters operate, I would say the Cambridge Chip & Pin attack could be responsible for just few percent of that fraud spend presently. I have not come across any fraudsters nor have I heard of any fraudulent incidents using this technique, however you can never rule out that the bad guys aren’t taking advantage of a known vulnerability (a golden rule in security). But I am very confident the vast majority of payment card fraud in the UK is not being made against this particular vulnerability at present, and I don’t see that changing in the future, as there are still far easier methods to commit fraud against UK payment cards.

If the payment card industry was serious about preventing payment card fraud, they should be looking into the types of things I mentioned in this blog posting.
http://blog.itsecurityexpert.co.uk/2009/10/how-payment-card-industry-could-stop.html

12 comments:

John Hardie said...

Can't help but think that quick propagation of detailed data re: how to exploit vulnerabilities is making prompt action to plug issues more important. The "low hanging fruit" principle is a particularly poignant one. Lag behind the latest vulnerabilities at your peril!

research help said...

Many institutions limit access to their online information. Making this information available will be an asset to all.

Home Mortgage said...

The blog was absolutely fantastic! Lots of great information and inspiration, both of which we all need!

Masters Dissertation Writers said...

Chip & Pin Weakness Smoke Screen for Real UK Card Fraud <-- that's what i was looking for
Uk Dissertation Writers

website maintenance said...

This is really a good blog.I would like to recommended to my friend.

Dissertation said...

hi, nice post.I have been pondering this topic,so thanks for sharing
probably be coming back to your blog.

Dissertation Proposal said...

I am very thankful to you for posting such stuff.This really help me lot.

dissertation proposal said...

I am just catching up but holy crapoly, that sounds like an awesome tailgate! I have to say - they aren't all that amazing. Deep fried Prime Rib? My god. Thank you for providing this information.

Online Clothes Shopping in Australia said...

Well, best of lot of money to that guy. I'm sure that most of those people in colleges are so out of get in touch with that they don't have any sign as to what this guy is up in arms. Remember: The earnings tell us that there is a lack of attorneys.

Unknown said...

Yes its all over for your money safety that there are too many fraud cases are registered in police station so you are eligible to change the mode of payment. write my dissertation proposal || finish my dissertation proposal || quality nursing dissertation || get law dissertation || quality dissertation methodology || write my computer science dissertation

cara membuat blog baru said...

its good to have..it seems nice share i want to have it cara membuat blog praktis

Fury Brad Pitt Jacket said...

In the world of crime, the robberies are increasing day by day so we always choose the safest place, safest decision, safest things, this security mechanism is really working at all & although it is very safe.