Chip & Pin Weakness Smoke Screen for Real UK Card Fraud

The Chip & Pin man-in-the-middle weakness highlighted by the Cambridge academics last week is important to raise and to have addressed, but I’m afraid to say this weakness in Chip & Pin is nothing new, this vulnerability has been known about for years, the Cambridge boffins are right in that Chip & Pin isn't as secure as it should be. However no system ever gives 100% security, the aim of the game is about reducing risk. Chip & Pin reduces card fraud risk significantly when compared to other non-cash payment methods, such as payments by just signing and payments bycheques, even with this vulnerability. The fact is Chip & Pin drastically cut cardholder present fraud in the UK when it was introduced in 2005.

The real important thing to understand here, is for the Cambridge Chip & Pin fraud to work, the fraudster needs to have possession of the original debit/credit card (which has yet to be cancelled), and seemingly a laptop.

Now I have researched card fraudsters for years, and I can tell you they always tend to go with simplest methods of committing card fraud with poses the least risk of being caught, and as any security professional knows, bad guys always tend to go for the lowest hanging fruit.

So here's my main point, why would a card fraudster who is in possession of stolen card bother with the sophisticated technique as highlighted by the Cambridge boffins, when it is far easier and less risky to just damage the chip on card, forcing a magnetic swipe and signature payment, perhaps if needed requiring a bit social engineering against the cashier. Still it would be far easier and less risky to the card fraudster to use the stolen card with online transactions or even get away with small contactless payments which also don’t require any PIN knowledge.

Secondly I find card fraudsters tend to use stolen card details where the actual cardholder has no awareness of their card details being compromised. When the physical card is stolen, it tends to be reported by cardholder, so it quickly is cancelled preventing transactions from working on it, remember the Cambridge attack is all about the physical possession of the stolen plastic card, not stolen payment card details, which is where the bulk of card fraud occurs.

Just to prove how easy it is to get around Chip and Pin without having a PHD, I performed a demonstration yesterday at a “birthday card” retailer in a UK City. I used one of my own credit cards as opposed to a stolen credit card, the credit card I used just happened to have a damaged chip.

To be crystal clear, I did nothing illegal and unethical, and I certainly didn’t perform any social engineering or anything dodgy like that. All I did was place my credit card in the card reader as instructed by cashier, the card reader displayed invalid, and the cashier said this happens now and again and took my credit card out, swiped through a magnetic reader, then asked me to sign, I followed the cashier's instructions, so completing a transacton without using a PIN number.

Here's the receipt, note "Date" and transaction type "Swiped" and "Signature Verifed"

My final point is the majority of payment card fraud committed in the UK, is card not present transactions, such as payments made over the Internet or by phone. This type of fraud does not require that the fraudster has physical possession of the plastic card. Often payment card details not the physical plastic card are stolen, often on mass from poorly secured retailer. These stolen card details are then brokered up and sold online to individual fraudsters, who go on to commit the actual fraudulent transactions againt them. Typically fraudulent transactions with UK cards are made against websites which don't have the 3D secure (online password required), typical websites at the moment tend to be online gambling websites, which are an easy way for an international card fraudster to cash out against a stolen UK card.

I personally reckon at least £1 Billion is stolen on British payment cards every year, and to my knowledge on how UK card fraudsters operate, I would say the Cambridge Chip & Pin attack could be responsible for just few percent of that fraud spend presently. I have not come across any fraudsters nor have I heard of any fraudulent incidents using this technique, however you can never rule out that the bad guys aren’t taking advantage of a known vulnerability (a golden rule in security). But I am very confident the vast majority of payment card fraud in the UK is not being made against this particular vulnerability at present, and I don’t see that changing in the future, as there are still far easier methods to commit fraud against UK payment cards.

If the payment card industry was serious about preventing payment card fraud, they should be looking into the types of things I mentioned in this blog posting.
http://blog.itsecurityexpert.co.uk/2009/10/how-payment-card-industry-could-stop.html