Chip & Pin Weakness Smoke Screen for Real UK Card Fraud

The Chip & Pin man-in-the-middle weakness highlighted by the Cambridge academics last week is important to raise and to have addressed, but I’m afraid to say this weakness in Chip & Pin is nothing new, this vulnerability has been known about for years, the Cambridge boffins are right in that Chip & Pin isn't as secure as it should be. However no system ever gives 100% security, the aim of the game is about reducing risk. Chip & Pin reduces card fraud risk significantly when compared to other non-cash payment methods, such as payments by just signing and payments bycheques, even with this vulnerability. The fact is Chip & Pin drastically cut cardholder present fraud in the UK when it was introduced in 2005.

The real important thing to understand here, is for the Cambridge Chip & Pin fraud to work, the fraudster needs to have possession of the original debit/credit card (which has yet to be cancelled), and seemingly a laptop.

Now I have researched card fraudsters for years, and I can tell you they always tend to go with simplest methods of committing card fraud with poses the least risk of being caught, and as any security professional knows, bad guys always tend to go for the lowest hanging fruit.

So here's my main point, why would a card fraudster who is in possession of stolen card bother with the sophisticated technique as highlighted by the Cambridge boffins, when it is far easier and less risky to just damage the chip on card, forcing a magnetic swipe and signature payment, perhaps if needed requiring a bit social engineering against the cashier. Still it would be far easier and less risky to the card fraudster to use the stolen card with online transactions or even get away with small contactless payments which also don’t require any PIN knowledge.

Secondly I find card fraudsters tend to use stolen card details where the actual cardholder has no awareness of their card details being compromised. When the physical card is stolen, it tends to be reported by cardholder, so it quickly is cancelled preventing transactions from working on it, remember the Cambridge attack is all about the physical possession of the stolen plastic card, not stolen payment card details, which is where the bulk of card fraud occurs.

Just to prove how easy it is to get around Chip and Pin without having a PHD, I performed a demonstration yesterday at a “birthday card” retailer in a UK City. I used one of my own credit cards as opposed to a stolen credit card, the credit card I used just happened to have a damaged chip.

To be crystal clear, I did nothing illegal and unethical, and I certainly didn’t perform any social engineering or anything dodgy like that. All I did was place my credit card in the card reader as instructed by cashier, the card reader displayed invalid, and the cashier said this happens now and again and took my credit card out, swiped through a magnetic reader, then asked me to sign, I followed the cashier's instructions, so completing a transacton without using a PIN number.

Here's the receipt, note "Date" and transaction type "Swiped" and "Signature Verifed"

My final point is the majority of payment card fraud committed in the UK, is card not present transactions, such as payments made over the Internet or by phone. This type of fraud does not require that the fraudster has physical possession of the plastic card. Often payment card details not the physical plastic card are stolen, often on mass from poorly secured retailer. These stolen card details are then brokered up and sold online to individual fraudsters, who go on to commit the actual fraudulent transactions againt them. Typically fraudulent transactions with UK cards are made against websites which don't have the 3D secure (online password required), typical websites at the moment tend to be online gambling websites, which are an easy way for an international card fraudster to cash out against a stolen UK card.

I personally reckon at least £1 Billion is stolen on British payment cards every year, and to my knowledge on how UK card fraudsters operate, I would say the Cambridge Chip & Pin attack could be responsible for just few percent of that fraud spend presently. I have not come across any fraudsters nor have I heard of any fraudulent incidents using this technique, however you can never rule out that the bad guys aren’t taking advantage of a known vulnerability (a golden rule in security). But I am very confident the vast majority of payment card fraud in the UK is not being made against this particular vulnerability at present, and I don’t see that changing in the future, as there are still far easier methods to commit fraud against UK payment cards.

If the payment card industry was serious about preventing payment card fraud, they should be looking into the types of things I mentioned in this blog posting.
http://blog.itsecurityexpert.co.uk/2009/10/how-payment-card-industry-could-stop.html

How the Payment Card Industry could stop Card Fraud

If the payment card industry, the card schemes such as Visa and MasterCard, and merchants really desired to dramatically reduce payment card fraud, it can be simply done.

Today, by far the biggest problem with payment card security (credit and debit cards), is the little black magnetic stripe on the back. This magnetic stripe holds the full card details unprotected. This information is referred to as “track 2 data” within the payment card industry. The problem is this magnetic stripe track 2 data can be easily read with a "cheap to buy" magnetic stripe reader (see picture above), allowing fraudsters to “skim” card details quickly in a variety of ways, for instance placing covert magnetic stripe readers on ATMs (see picture below).

Track 2 data is also held in plain text on some payment devices and payment processing applications which store this information. Once track 2 data falls into the hands of card fraudsters, they simply create clone cards by replicating the magnetic stripe, and then use the cloned card in the same way as the original card holder uses the original card, of course only at those places which accept magnetic stripe swiping. Making card payment using the magnetic stripe reading is increasingly rare in Europe, however elsewhere in the world it is still used, and sometimes even without a signature.

Using a magnetic stripe to store card data on our plastic is an out dated technology, in Europe where "Chip and Pin" has now been widely adopted, using a chip to read the card data instead of the magnetic stripe increases security. The chip is difficult to clone and holds card information encrypted, so making it difficult for the bad guys to “swipe skim” the card data, and it is extremely difficult to create a clone working "chip" on a card. The issue is there are places like the United States where they haven’t adopted the securer chip technology and are intent on continuing to use the insecure magnetic stripe for the foreseeable future, meaning all payment cards around the world still need to keep the magnetic stripe on the back to be used globally accepted. As a result UK payment cards which still have their magnetic stripe track 2 data stolen, are still being cloned but used in places like the Thailand, where card magnetic stripe swiping is still the way to pay.

One of the arguments for the non-full adoption of chip technology in places like the US, is merchants don’t want to front the cost of replacing their card readers, well that doesn’t wash with me, most merchants in Europe managed to adopt chip reading technology fairly rapidly without any major hassles, and in general merchants continue to replace their card readers over a period of time anyway. So I don’t see why a “phased in” approach wouldn’t be acceptable on a world wide basis. During my recent trips to the United States I have encountered a general shift in the type of payment card readers to touch screen card devices, but they are still using magnetic stripe swiping to read the card. But this demonstrates there is always a continued evolution of card reading devices being deployed by merchants.

I don't want to even muddy the water by talking about the extra security using a PIN with the chip to provide two factor authentication at the cash register, that’s great for increasing security too, but my main point is about using a chip to read the card instead of a magnetic stripe.

I believe removing the magnetic stripe from all payment cards and card processing terminals would result in a drastic reduction in card fraud, which specifically targets “card holder present” transactions. A “card holder present” transaction is where the card holder and payment card are both physically present when making payment, for instance making a payment at the cash register.

What about card holder not present transactions? These transactions are where it is impossible to tell whether the cardholder is present and in actual possession of card when making a payment, for instance an internet transaction or a telephone payments, where it is impossible for the merchant or payment processor to know whether the buyer is typing his card details in from the actual card or it's a frauder using skimmed card information. Sure the 3 digit security code helps with this, but the bad guys have ways around this.

In the UK following the introduction of Chip and Pin in 2005, there was a dramatic shift in the types of payment card fraud, in that the card fraud dramatically swung to “card holder not present” fraud, mainly internet transactions opposed to fraud at the cash register, mainly because cloning cards and their magnetic stripe became a waste of time for the fraudsters, as merchants moved to using chip only payment transaction processing.

There is an answer to securing “card holder not present” transactions which is simple and just requires an update in the card technology used. This technology has been available for quite a while now and involves the addition of a digital authentication system to the actual payment card.

I have seen many proto-types of this technology, such as the EMUE card (featured in the pictures), which displays a uniquely generated LCD number on the card, which is then typed in by card holder when making a “card holder no present” transaction, such as an internet payment. The system checks the number is valid and if it is, this proves the card is actually present as the payment is made. In addition there is a PIN entry on the card which is used to create the generated number, proving the actual card holder is also present. This type of card effectively would turn all “card holder not present” transactions into “card holder present” transactions. This card is not more bulker than a normal card, so still works in ATMs.

If the payment card industry took these steps, not only would this dramatically reduce card fraud by vast amounts in my view, but it would remove the security burden of protecting card holder data. Payment processors and merchants must  comply with the 260 security requirements of the Payment Card Industry Data Security Standard (PCI DSS), I question whether PCI DSS would even be required to oversee the protection of card holder data if the measures I have talked about was globally adopted, because the bad guys wouldn’t be able to commit much fraud with payment card information anymore, meaning card holder data would no longer require to be protected.

I don’t believe I’m saying anything radical here, or indeed anything new, as always any thoughts and comments on this is always appreciated. I can say I have raised these points with leaders in the global payment card industry, as yet no one has given me good reason why this wouldn’t work. The excuse I tend to be given is the fraud rates aren’t at a sufficient rate to bring about these sorts of changes in security. Some might say the payment industry are happy taking the fraud hit, and passing on the fraud costs on to merchants and ultimately consumers through PCI DSS related costs and fines, while the inconvenience to customers who actually get hit with fraudulent transactions on their credit card and bank statements, mainly due to no fault of their own, is of little conscience.

Information Security is often a game of cat and mouse, with the good guys introducing security measures and bad guys finding ways around the security measures, then the good guy’s introduction new security measures and so on. The question is, has the payment card industry stopped playing the security game of cat and mouse? The answer is within the magnetic stripe on the back of your payment card.