I have to admit that I thought this thread was going to be about cookies.
Woe upon the card reader which hasn’t opened a secure SSH tunnel.
I think you’re misunderstanding me here. With the magnetic strips, the crooks can stick a skimming device on top of the card slot on a legitimate device (here in Sweden there have been several incidents with ATMs, and in the last year or so, at gas stations) and clone the cards that way. Are there devices that allow you to do this with the chip cards?
I’m well aware that it is possible to get around the PIN once you have the card, but how easy/hard is it to clone the card?
Now, I only work with smart cards (the proper name for chipped cards) in a peripheral capacity as I work in the security industry. I have no idea what standards individual credit card companies and banks choose to implement, but I will presume that they all have an ISO that they follow.
The thing is this, the difference between a smart card and a stripe is that a stripe is just pure data. You can never ask it anything, because there is no circuitry involved. A smart card, on the other hand, contains among other things a cryptoprocessor, which allows you to ask it a question. I’ll illustrate how this works through this creative dialogue:
Card: Hi there!
Reader: I see that you’re claiming to be kombatminipig’s card. If I were to say a number to you, and this number was 4711, what would you reply?
Card: Oh, if you said 4711, I would reply 1337. 1337 is of course just a result of a crypto algorithm, and is derived from the information stored within me. I derived it in a mathematically secure fashion where you can never derive my secret number by knowing the numbers 1337 and 4711.
Reader: Alright, hang on a sec.
<Reader calls up my bank via a secure SSH tunnel, which means that all communication is encrypted and impossible to snap up along the way>
Reader: Hey, Bank! I’ve got some dude here claiming to be kombatminipig. I said 4711 to him, and he replied 1337. Is that cool?
Bank: Yeah, cool.
<Reader hangs up>
Reader: You’re cool.
Card: Why, thank you.
So to summarize, no: copying a smart card is not trivial, because whatever you read from it at a certain point of time won’t necessarily be the correct answer the next time. Hence hijacking the PIN isn’t secure enough, you need the physical card as well. Now, you have two vulnerabilities left. The first is that the card isn’t secure from somebody actually picking it apart and examining all the circuitry while it’s running, back-engineering whatever algorithms and numbers are contained within. The second is that as long as magnetic stripe readers exist, you’re still fucked if somebody copies the stripe on your card.
Increasingly here, retailers no longer accept cards without the chip-and-pin (not that there can be many left now).
Not misunderstanding. SSH (various versions, to varying extents) is vulnerable to all kinds of attack. Here’s a man in the middle attack that was discussed earlier this year:
It’s also rather foolhardy to assume that merchants are universally using robust authentication (most current versions of SSH, not using ssh-agent, and/or disabling rhost, rlogin, not authenticating the client device/chip as a superuser, etc). The vast majority of PCI-DSS-subject merchants don’t receive annual Reports on Compliance (RoCs), and aren’t audited beyond answering a self-assessment. Only high-volume merchants have to do that (and no, your gas station isn’t one of them in most cases).
So you’re basically saying that any security can be foiled if employed improperly? Gotcha.
But what about those oh-so-lucrative tourism dollars (err, um, pounds)?
If I’m reading that link correctly it’s bypassing the PIN on a card that is already in your possession. I’m talking about how the crooks get their hands on the card in the first place.
I don’t think that’s true. Modern card readers can also accept swipe cards; this type of card is usually supplied to people with impaired eyesight who are unable to key in a PIN. Also the card details can be entered via a keypad on the machine. This is especially useful for “card-holder not present” transactions. I work in a bookshop and we have a few of this type of sale.
Am I correct in assuming that the strip also contains information that my card has a chip which should be used instead (if the reader can use both)?
No, **stars** and stripes. Forever. (For cite, refer to Sousa, John P.)
Pardon me for not getting it, but couldn’t this be duplicated as well? Pretend that instead of a stripe-reader-skimmer they have a chip-reader-skimmer. Then they have the physical card for the same amount of time as the authentic-chip-reader so why couldn’t they store the ask and response for later collection and misuse?
We have them here - ‘contactless technology’, they’re calling it, but it’s just RFID by another name. It’s been launched as a way to pay quickly for low-value transactions such as cups of coffee and newspapers.
We have them here too. Chase and Amex offer them, probably others. As a matter of fact, if you do a Google search for “RFID credit card” you’ll find more returns on how to hack them using RFID readers than you will for the cards themselves.
Your local McDonald’s probably has an RFID reader at the cash register “for your convenience.” (Mine does.)
This is better than the stripe, but there is at least one vulnerability in this example. The reader gets to choose the challenge. A compromised reader could record the challenge and the response, and then an attacker could execute a replay attack:
Fake Reader: Hey, Bank! I’ve got some dude here claiming to be kombatminipig. I said 4711 to him, and he replied 1337. Is that cool?
Bank: Yeah, cool.
Fake Reader: Okay, he told me to transfer his life savings into this account.
Bank: Ok, the money is all yours.
Actually, Rysto, that quote was kombatminipig but your idea of the compromised reader is basically what I’m wondering about.
Ack, sorry, I started responding to you and then started composing my response to kombatminipig and evidently messed up the quote blocks brutally.
Anyway, there are ways to ensure that nobody but the chip and the bank see the challenge and response. I’m not sure if current smart cards implement it properly.
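An added toy model of the challenge/response dialogue in this thread (example code written for this discussion, not any poster's, any bank's, or real EMV): a reader-chosen challenge can be recorded and replayed as Rysto describes, whereas a bank-chosen, single-use nonce with the amount bound in makes the recorded pair worthless. The shared key, the nonce format and the amounts are made up.

```python
import hashlib, hmac, os

# Toy model of the card/reader/bank dialogue from the thread; constructed
# example, not real EMV. The shared secret is made up.
CARD_SECRET = b"kombatminipig-card-secret"   # known only to card and bank

def card_respond(challenge: bytes) -> bytes:
    """The card's answer: a MAC over the challenge (the story's 4711 -> 1337)."""
    return hmac.new(CARD_SECRET, challenge, hashlib.sha256).digest()

class Bank:
    def __init__(self):
        self.outstanding = set()   # nonces issued but not yet redeemed

    def verify_reader_challenge(self, challenge: bytes, response: bytes) -> bool:
        """Story version: the reader chose the challenge; the bank only checks the MAC."""
        return hmac.compare_digest(card_respond(challenge), response)

    def issue_nonce(self, amount: int) -> bytes:
        """Hardened version: the bank picks a fresh nonce and binds the amount into it."""
        nonce = os.urandom(16) + amount.to_bytes(8, "big")
        self.outstanding.add(nonce)
        return nonce

    def verify_nonce_response(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:   # never issued, or already redeemed
            return False
        self.outstanding.discard(nonce)     # single use
        return hmac.compare_digest(card_respond(nonce), response)

def replay_against_reader_challenge() -> bool:
    """A compromised reader records one (challenge, response) pair and presents it again."""
    bank = Bank()
    challenge = b"4711"
    recorded = card_respond(challenge)                  # captured while the card was in the slot
    first = bank.verify_reader_challenge(challenge, recorded)
    later = bank.verify_reader_challenge(challenge, recorded)   # card long gone; still accepted
    return first and later                              # True: the replay is accepted

def bank_nonce_rejects_replay() -> bool:
    """The same recording against bank-issued, single-use, amount-bound nonces."""
    bank = Bank()
    nonce = bank.issue_nonce(amount=5)
    recorded = card_respond(nonce)
    genuine = bank.verify_nonce_response(nonce, recorded)       # the real coffee purchase
    replayed = bank.verify_nonce_response(nonce, recorded)      # nonce already redeemed
    fresh = bank.issue_nonce(amount=10**6)                      # a new transfer gets a new nonce
    forged = bank.verify_nonce_response(fresh, recorded)        # old MAC does not match it
    return genuine and not replayed and not forged              # True: both replays rejected
```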
Well, my “local” McDonald’s is 25 km (16 miles) away so I wouldn’t know what they have, but I had never even heard of credit/debit cards with RFID chips in them before this thread (the local bus company does use them in their passes) and I can find nothing that suggests that my bank offers them.
My last credit card came with one. I Googled on how to disable it and found I could request a card without one.
Here’s a link announcing they would do it, and here’s a link about getting one without it.
Lare, I believe you when you say you have them, I’m just on the other side of the pond so I don’t have much reason to keep track of what the American banks are offering their customers.