Many people will have seen the big publicity campaign for `chip and PIN' authorisation for credit and debit card transactions. This is advertised through a website for the whole scheme, numerous lesser websites from individual banks, adverts in the windows of shops which have installed the new equipment, and occasional breathless articles in the press about how `chip and PIN' will stop fraud using the POWER OF TECHNOLOGY!
(John Band has already covered some of this stuff.)
For those who haven't encountered this spectacular innovation yet, the idea is that, rather than signing a slip when you make a transaction, you type in the same four-digit code you use to withdraw money from a cash machine. (You might imagine this change being motivated by the observation that even trained staff get comparisons of signatures wrong in about 40% of cases, and anyway staff at shops usually don't bother to check the signature on a credit card counterfoil.)
The `chip' part refers to the fact that the scheme can only be used with new `smart' credit cards, which have both a magnetic strip bearing your account number and various other details, and a silicon chip with the same data and some other stuff. The `other stuff' includes the ability to check whether a PIN entered by a user is correct, and to shut down the card if an incorrect PIN is entered three times. It is supposed to be impossible to copy the data off the card's chip, and anyway it is protected by the magic of cryptography. Of course, none of this matters a bit, because the magnetic strip is easy to copy and is the only thing that most cash machines read. So if you want to embark on a lucrative career in cash-card fraud, all you need to do is to get a job in a shop, install a little bit of electronics to record the PINs which customers enter into the `chip and PIN' terminal, and surreptitiously swipe their cards through a magnetic stripe reader. Copy the cards, find a cash machine, and plunder their accounts. (Note how this is much more efficient than traditional credit card fraud, which requires the crook to buy goods or services; with `chip and PIN' the dishonest shop assistant can nick actual cash.) Now, criminals are already doing this with auto-tellers, but it'll be even easier with `chip and PIN', since (as the `chip and PIN' people helpfully point out)
Point-of-sale PIN terminals will be of various shapes and sizes like tills are now.
and so there'll be no way to tell whether the contraption into which you're asked to enter a PIN is a real `chip and PIN' terminal or something cobbled together by a criminal.
Oddly enough, the consumer-oriented propaganda from the `chip and PIN' people doesn't mention any of this. Instead it claims that,
Chip and PIN is the new, more secure way to pay with credit or debit cards in the UK.
Instead of using your signature to verify payments, you will be asked to enter a four-digit Personal Identification Number (PIN) known only to you.
You might be wondering how this scheme will make you `more secure', as the above quotation suggests. If so, you need to read it more closely. It's not claiming that `chip and PIN' will make you more secure, as that's not the point of the system. The intention is to reduce losses from banks and merchants resulting from fraud. (It is frequently said that the implementation of `chip and PIN' in France reduced losses resulting from card fraud by 80%.) There are two ways that losses to fraud can be reduced:
- by reducing the amount of fraud which takes place; and,
- by not paying compensation to people who are defrauded.
I haven't seen any discussion of the French figures in this light (and, of course, the second sort of reduction is pretty hard to measure).
From the point of view of a cardholder, the reason that it's safe to pay for things using credit or debit cards is nothing to do with PINs or chips or cryptography; the reason is that you're insured by your bank against losses. `Chip and PIN' ostensibly doesn't change this; if a criminal obtains your PIN and card number and robs you via an ATM (or obtains your PIN and nicks your card, then uses it to pay for items in a credit card transaction), then you should be insured against the loss. On this theory, `chip and PIN' is a nuisance, but not a financial risk.
Unfortunately, this theory is wrong, not for any technical reason but because banks in the UK have historically been very effective at pretending that their computer systems are secure when they aren't. There are several examples mentioned in Ross Anderson's paper, Why Cryptosystems Fail, (and numerous others in his book, which is well worth reading); sometimes victims are refunded, but often the pattern followed looks like this:
- Customer looks at bank statement, finds suspicious withdrawals from ATMs, complains to bank.
- Bank explains to customer that they are mistaken, that the bank's computer systems are secure and make fraud impossible, and that customer should fuck off.
- Either customer fucks off as advised, or customer continues with complaint. In the second case:
- Bank has customer prosecuted for trying to obtain money through fraudulent complaint; customer goes to jail or bank sues customer over losses (or, very occasionally, bank pays up).
- Sometimes, customer appeals against conviction/unfavourable judgment, bank's story is shown to be a pack of lies, and customer is released/compensated after having their life turned upside-down by judicial system.
(There's a list of some of these cases on Mike Bond's web pages about `Phantom Withdrawals', including references to the shocking Munden case and various other miscarriages of justice. It's worth noting that in Bond's list, a case is marked as `resolved' if the courts have reached a decision either way, so `resolved' cases include ones where banks have screwed over customers for thousands of pounds lost because of crap security, and the courts have stood by and done nothing about it.)
In one case Anderson mentions, the bank's defence rested in part on the laughable claim that their computer system could not suffer from bugs because its software ``was all written in assembly language''. With friends like these, who needs enemies? The only mystery is how they've kept card fraud down to only £400 million per year.
And, despite twenty years of ATM fraud, banks are still trying to pull off the `PINs can't be forged' stunt to avoid (a) compensating customers for fraud, and (b) being exposed as completely hopeless. (This doesn't work in the United States, where the courts decided that banks were liable for such losses unless there was actual evidence that the complaining customer was trying to defraud them; see this paper for more on the situation there and here.)
Of course, nobody would try to claim that forging someone's signature is impossible, and if the bank tried to use that as an argument against compensating you for losses from fraud, they'd be laughed out of court. So one consequence of `chip and PIN' is that it will be easier for banks to avoid paying out for losses from fraud, thereby cutting their losses. (I was astonished to hear from a friend that their signature was frequently questioned when they paid for items with a card. Often cashiers draw attention to the fact that my signature written in the large space available on a credit card slip looks completely different to my signature written in the tiny little box on the back of a credit card, but none of them have ever suggested that I'm forging someone else's scribble....)
You'd expect that retailers wouldn't be very happy with a system designed to let banks screw over their customers (who are, as you will recall, `always right'), so the banks have decided to shift liability for fraud onto retailers, in cases where `PIN [sic.] could have prevented fraud' to encourage them to sign up to the new scheme. Since most businesses have lots of customers but only one bank, it's probably rational for them to let a few of their customers get shafted by the banks just to avoid making any trouble.
There is a solution to this problem, in fact: you can ask to be issued a `PIN-suppressed' or `chip and signature' card by your bank; when you use the card in a `chip and PIN' terminal, the terminal will prompt you to sign the slip as usual rather than entering a PIN. When I rang my bank to ask about this, they explained that it was only available to disabled people. While it's nice to see a company offering, in one small way, better service to disadvantaged members of society than to others, this is scant reassurance for those of us who want a good chance of recovering our losses when we become victims of fraud. (Current figures suggest that about one in four bank customers will be victims of ATM fraud at some point in their lives.) So, I've written to my bank (Barclays) to ask for a `PIN-suppressed' card. I'll report on the response, but so far I am not hopeful.
Comments
Posted by Paul Warren, Sunday, 11 July 2004 19:39 (link):
The advent of cash-back has meant that anyone who has your debit card can get Real Cash, not just goods, and I understand that this is now a popular form of fraud. I would guess that physical theft of cards is a bigger problem than PIN-theft through devices left at cash machines and chip-and-PIN terminals, and chip-and-PIN does address this. Or rather, it will address it once signing is not an option. I have a card with a chip on it, but the PIN was never activated for use in chip-and-PIN terminals, and the terminals report "PIN blocked". This surprises some cashiers, but never so much that they won't let me sign for it instead.
Another suggested side-effect of chip-and-PIN cards is that muggers may now attempt to extract a PIN number from you, as well as stealing your card, leading to more violent and distressing incidents. I don't know of any evidence to support this theory, so on balance I'd still prefer to have a chip-and-PIN card.
A more interesting question is why a 4 digit PIN is sufficient to extract untraceable hard cash from an ATM, yet to access my on-line bank account I was required to remember an 8 digit, alpha-numeric account number (different from my real account number, and allocated by the bank), a password of reasonable strength and a separate pass-phrase, also of reasonable strength. This was with Lloyds, and I suspect it is because they are shit. This is one of the many reasons why I no longer trouble them with my banking needs.
In my experience, banks are pretty quick to pay up on fraudulent use, including cases where the customer may be considered at least partially to blame. For example, forwarding a new, unsigned debit card to a country where about 50% of incoming international mail goes AWOL.
Posted by Chris Lightfoot, Sunday, 11 July 2004 20:01 (link):
It's true that the above mentions mostly worst cases of bank behaviour. But then, those are the ones that worry me most....
Posted by Pete Stevens, Monday, 12 July 2004 11:41 (link):
I've never had a problem with fraud. I'm just attempting to get my bank to count.
Unintelligent Finance
Posted by Paul Warren, Monday, 12 July 2004 12:30 (link):
I spent some time doing this with Lloyds to correct a bank-error-in-their-favour problem. The net result was a double correction and a bank-error-in-my-favour. Whilst I was disturbed that their system is apparently capable of violating the fundamental principle of conservation of money, I did not feel the need to chase them on this.
Posted by Alex Hayward, Saturday, 17 July 2004 22:00 (link):
Oh, banks create money all the time (assuming you're happy to call bank deposits 'money'). Think what happens when you put 100 pounds in cash in your account and the bank lends 95 of them to someone else. Your balance: 100. The borrower's balance: 95. That's 95 more in total than we started with.
Of course, if the borrower goes on to spend it some of it ends up in bank accounts and is lent out again. The creation of a little bit of new cash can result in the creation of several times that amount in bank deposits. In fact, IIRC, the vast majority of money has been created this way rather than being printed as cash by the Bank of England.
Posted by alex, Monday, 12 July 2004 17:45 (link):
I had an experience in which my card was 'cloned' and used to withdraw 3000 pounds (in Spain, while I continued to reside in Clapham) (1000 pounds of mortgage and 2000 pounds of not-agreed overdraft - something I shouldn't have been able to do myself!) - all in the space of 48 hours.
Needless to say this came to my attention very quickly - but on a Saturday. There is one branch of Barclays in all of London that is open after 1pm on a Saturday - and only then until 4, in some godforsaken bit of town to which I travelled using borrowed bus-fare change. (The branch said they couldn't help.)
After a nasty weekend of panic, and borrowing cash from friends, I suffered some absolutely terrible service from the banks: 'you must have stolen the money, credit card fraud as you describe it is impossible' (despite the fact that I've never been to Spain and there were transactions concurrently running in the UK and Spain), 'you must have given your pin number away', 'but you didn't lose your card so what card are they using in Spain then?' then when all of that didn't work 'why didn't you notice sooner?' IT WAS A SODDING WEEKEND YOU *&*(!"@@@ (I now get weekly statements, and hear it's sometimes possible to arrange a daily text, but even that wouldn't have been fast enough to prevent the majority of the damage) and then 'we will only refund you with a valid police crime number thingamy' and then from the police 'it isn't our problem, you have to phone the Spanish police' to which the answer is clearly F**K THAT. All the legwork had to be done by me; repeatedly the attitude was one of 'guilty until you prove yourself innocent'.
I eventually found a suitably sympathetic employee of Barclays who 'pushed it through' without all the required boxes filled in; I was eventually refunded (without interest) and was so relieved to have got my money back (and pay my mortgage, one 'bounce' late) that I didn't have the energy to send nasty letters to all involved. It was just frightening that the only reason I got my money back was a combination of ulcer-inducing stress and a good dash of luck. To get vaguely back on topic, if what Chris says is right, then the already appalling attitude of the banks is just set to get worse. I can't wait.
Posted by Pete Stevens, Monday, 12 July 2004 20:10 (link):
I closed a savings account with Britannia by walking into the branch with the passbook and asking them to close it. They asked for some ID - my Passport and Driving Licence were both with the DVLA so I used my barclaycard. They then asked me some 'security' questions - my address [printed in the front of the passbook], my date of birth [probably not hard to find out] and then gave me a cheque payable to me for roughly £3.5k.
I was relieved at the time because I needed the money quickly but it didn't fill me with confidence.
Posted by Martin Keegan, Monday, 12 July 2004 21:13 (link):
I didn't like the Chip'n'PIN scheme when I heard about it, as it seemed to make it easier for the retailer to defraud me. When I dispute a transaction, the card issuer contacts the retailer and asks for the till receipt. If it doesn't have my signature on it, the retailer doesn't have a leg to stand on, and the people at the card issuer make life unpleasant for them on my behalf, whilst suspending my liability to them until the matter is resolved.
The PIN system seems to remove this basic protection. If I dispute the transaction, then it boils down to some tedious technological issue, not "is the chit even signed, let alone by me?".
I have two VISA cards, credit and debit, and essentially never use the latter for purchases. I ignored the missive informing me of the PIN for the former. This turned out to be a mistake when I got to Holland, whose train system's ticket machines constitute the second greatest restriction on the free movement of workers about the European Community I have ever seen: these automatic ticket machines do not accept Euro notes or VISA card! If you want to buy a train ticket, you'll need a Maestro card, a Mastercard or the Euro coins you left on the dresser back in the UK. So I stuck in my credit card, which happens to double as a Mastercard, and of course it asked for the sodding PIN. The issuer would only send a new one to my home address, in five working days, by which time the train would probably have left.
Posted by Chris Lightfoot, Monday, 12 July 2004 21:16 (link):
See, if you'd been back in good old Britain, the same problem wouldn't have arisen. Another reason to be grateful for the sorry state of our public services....
Posted by Geoff, Monday, 12 July 2004 22:16 (link):
My understanding is that the security comes about because the cards are much harder to copy due to the integrated circuit on the card. Whereas the simple magnetic strip is easy to replicate.
Personally I'm in favour if only for the reason that restaurants can't now get you to add a random tip amount onto the bill. In France no mega tip is now expected you just punch in your 4 digit code.
Posted by Chris Lightfoot, Monday, 12 July 2004 23:58 (link):
You're correct that the chip is (at the moment, anyway) difficult to copy. But it doesn't matter, because the PIN you use for a credit card transaction is the same as the PIN used for an ATM transaction, and most ATMs only read the easily-copied magnetic strip. So there really is no extra security.
(The banks could have required customers to have two PINs. But they've judged that the convenience of having only one PIN outweighs this. Because they're pretty talentless, they don't even allow the option of having two PINs, so customers who actually care about whether their money is stolen don't get the extra security which otherwise would be on offer.)
Posted by Pete Stevens, Tuesday, 13 July 2004 00:15 (link):
Maybe we should form a new company?
Dear Chip and Pin Consortium,
I represent a leading supplier of fraudulent point of sale equipment. Our patented technology 'FraudoTerm' has previously incorporated elaborate scanning and printing technology in order to allow our customers to forge receipts accepted by the banking establishment and thereby add several hundreds of millions of pounds to the British economy that would otherwise have languished in your customers' bank accounts, preventing them from paying you unauthorised overdraft charges.
Having previewed your new Chip 'n' Pin technology we believe we may be able to drastically reduce the cost of our FraudoTerm system, now that your banking system will trust our devices to withdraw as much money as we feel like in the form of secure additional authorised transactions. Your new terms and conditions guarantee our customers will never again be hit by a chargeback.
We see a win-win-win situation here and would like to discuss this further. We can offer:
- Vastly more overdrawn bank customers, netting your clients further income.
- Increased income and security for our customers who buy FraudoTerm products.
- Increased sales and lower costs for us.
We would like to discuss options for further enhancement of this system. With a bi-directional link up we could allow the banks to directly pick customers who they would like to be overdrawn. Concerned you have to give good loan rates to customers? No more, we can offer instant credit rating destruction services by making the clients more overdrawn than they thought possible.
Yours Sincerely,
Joe Bloggs
FraudoTerm inc.
Posted by Martin Keegan, Wednesday, 14 July 2004 17:40 (link):
Is the PIN for my chip compromised by its being somehow recorded on the magnetic strip, even if I never use the magnetic strip?
Posted by Chris Lightfoot, Wednesday, 14 July 2004 19:11 (link):
There's a discussion of how the PIN stuff works in the Ross Anderson paper I link to above.
Basically, validation of the PIN from the magnetic strip is done by secret-key cryptography. (Some of) the information on the magnetic strip is ciphered (using DES) with a key known only to the bank (the `PIN key') to produce a 4-digit number, which is called the `natural PIN'. The card also stores a (plaintext) offset which is added to the natural PIN modulo 10,000, so that customers are able to choose their own PINs.
This is all fine, so long as nobody gets hold of the PIN key, or access to any device which lets you test a PIN without it being able to record multiple failures to supply the correct PIN. Banks haven't always been good at meeting those two requirements, but there's nothing to stop them from doing so.
I don't know the exact design of the `chip and PIN' system (i.e. I'm too lazy to look it up) but the idea is that the chip on the card is itself responsible for verification of the PIN. That is, the keypad into which you type your PIN is connected to the chip on the card, and when presented with a valid PIN the chip authorises the transaction (presumably by signing some statement fed into the chip from the terminal using a key which is itself signed by the card issuer). The nice thing about this approach is that it is almost as secure in offline operation as in online operation, unlike the magnetic strip scheme where only devices with the secret PIN key are able to verify that a PIN is correctly given. The chip on the card is supposed to (a) be impossible to copy, and (b) able to shut itself down if it's given an incorrect PIN too many times.
Observe that these two mechanisms are completely different, and there's no technical reason for the PINs for the two to be the same. (This is a nice example of the security/convenience trade-off.)
So, to Martin's question:
One way to interpret this is, `can I get the PIN out of the magnetic strip more easily than I could from the chip?'
From the point of view of the attacker, the magnetic strip is quite an attractive target because its contents can be copied and investigated without access to the card. Can the PIN be obtained from a copy of this data? Well, to do that you'd need to get the bank's PIN key. Suppose that you have another card whose PIN is known and which is associated with the same key, and can test all possible 56-bit DES keys in an attempt to discover the PIN (the EFF built a DES-cracking machine for $250,000 in 1998; it would be cheaper now). DES operates on 64-bit blocks, and the PIN is derived (by `decimalisation') from 16 of those bits. If the ciphertexts are uniformly distributed over the 64-bit space of output blocks, then there are 2**48 or approximately 300 trillion possible keys which will match the known PIN. Your odds of getting the right one in the three attempts you get to enter the guessed PIN at the auto-teller are remote, to say the least.
Another way of putting this is that there is a one in 65,536 chance that any given key you test will give you a PIN that matches your own. But (assuming i.i.d. output bits), if you add a second card, the probability of a key being compatible with both becomes one in 65,536², or one in four billion. With three cards, one in 65,536³, and so forth. With four cards you'd expect to be able to recover the PIN key, presumably.
(That all relies on the assumption that the banks still use 56-bit DES in this application. If my above speculation is right, let's hope they don't! But upgrading all those old ATMs isn't a trivial task....)
So, is this easier than recovering the PIN from the chip on the card? It depends on how easy it is to get the PIN out of the card, obviously. This is supposed to be difficult, especially since all practical attacks have to be done with the card (and therefore the cardholder) present. One you might think of is trying all 10,000 possible PINs in turn (perhaps trying common ones like 1234, the current calendar year, and so forth first). The chip is supposed to count the number of failed attempts and stop testing them after three failed tries or whatever. People have tried to attack similar smartcard devices by testing the PIN, and then very quickly switching off the power to stop the chip from recording the attempt, but presumably the people designing these things have learned the rather simple countermeasure (increment counter, test PIN, decrement counter only if PIN matched) for this attack by now.
On the face of it, it should be pretty hard to get the PIN out of the card (and therefore sticking the same PIN on the magnetic strip is a practical loss of security), but that -- dangerously -- supposes that the crooks won't apply their considerable ingenuity to the problem. Expect an arms race between smartcard manufacturers and credit-card fraudsters.
Since in a little while all these devices will be connected to the Internet (or a GSM network) anyway, I'm not sure why it's worth spending all this effort on off-line authentication anyway. But banks will be banks, I suppose.
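The magnetic-stripe PIN scheme sketched in the comment above, as an added example in Go (this is not code from the page, nor any bank's actual implementation): a validation block built from the account number is enciphered under the issuer's PIN key with single DES, the first four hex digits of the ciphertext are decimalised through a table to give the `natural PIN', and a clear-text offset stored on the stripe is added to it. The offset is applied digit by digit modulo 10, which is how the IBM 3624 scheme is usually described (the `modulo 10,000' wording above is the same idea). The key, the PAN, the decimalisation table and the way the validation block is laid out are all constructed for this example.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Added example, not code from the page: the stripe PIN scheme sketched in the
// comment above. Key, PAN, table and validation-block layout are constructed.

// pinKey stands in for the issuer's secret PIN key (single DES, 8 bytes).
var pinKey = []byte{0x0E, 0x32, 0x92, 0x32, 0xEA, 0x6D, 0x0D, 0x73}

// decTable maps each hex digit of the DES output to a decimal digit.
const decTable = "0123456789012345"

// validationBlock builds the 8-byte block enciphered under the PIN key:
// assumed here to be the rightmost 16 PAN digits, right-padded with 'F'.
func validationBlock(pan string) ([]byte, error) {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop spaces and other separators
	}, pan)
	if len(digits) > 16 {
		digits = digits[len(digits)-16:]
	}
	return hex.DecodeString(digits + strings.Repeat("F", 16-len(digits)))
}

// naturalPIN enciphers the validation block and decimalises the first four
// hex digits of the ciphertext (16 of its 64 bits).
func naturalPIN(key []byte, pan string) (string, error) {
	block, err := validationBlock(pan)
	if err != nil {
		return "", err
	}
	c, err := des.NewCipher(key) // rejects anything but an 8-byte key
	if err != nil {
		return "", err
	}
	var out [8]byte
	c.Encrypt(out[:], block)
	n := uint16(out[0])<<8 | uint16(out[1]) // first 16 bits of the ciphertext
	pin := make([]byte, 4)
	for i := range pin {
		pin[i] = decTable[(n>>(12-4*i))&0xF] // one hex digit -> one decimal digit
	}
	return string(pin), nil
}

// digitwise combines two 4-digit strings digit by digit, modulo 10.
func digitwise(a, b string, f func(x, y int) int) string {
	out := make([]byte, 4)
	for i := range out {
		d := f(int(a[i]-'0'), int(b[i]-'0'))
		out[i] = byte('0' + (d%10+10)%10)
	}
	return string(out)
}

// offsetFor is what the issuer stores in clear on the stripe when the
// customer chooses a PIN: the digit-wise difference from the natural PIN.
func offsetFor(natural, chosen string) string {
	return digitwise(chosen, natural, func(x, y int) int { return x - y })
}

// pinFromStripe is all that anyone holding the PIN key needs to do with a
// copied stripe: recompute the natural PIN and add the offset.
func pinFromStripe(key []byte, pan, offset string) (string, error) {
	nat, err := naturalPIN(key, pan)
	if err != nil {
		return "", err
	}
	return digitwise(nat, offset, func(x, y int) int { return x + y }), nil
}

// verifyPIN is the host-side check; without the PIN key an offline device
// cannot perform it, which is the point made in the comment above.
func verifyPIN(key []byte, pan, offset, entered string) (bool, error) {
	expected, err := pinFromStripe(key, pan, offset)
	if err != nil {
		return false, err
	}
	return len(entered) == 4 && expected == entered, nil
}

func main() {
	pan := "4929 1234 5678 9012" // constructed, not a real account number
	nat, _ := naturalPIN(pinKey, pan)
	off := offsetFor(nat, "1234") // the customer chooses 1234
	ok, _ := verifyPIN(pinKey, pan, off, "1234")
	bad, _ := verifyPIN(pinKey, pan, off, "4321")
	fmt.Printf("natural %s offset %s; 1234 -> %v, 4321 -> %v\n", nat, off, ok, bad)
}
```

Running it prints the natural PIN for the constructed PAN, the offset that makes 1234 verify, and the two verification results. The thing to notice is that the offset sitting in clear on the stripe is harmless on its own, while the PIN key is everything: whoever holds it (the issuer, an insider, or someone who has recovered it the way the comment speculates) turns a stripe copy into the PIN with one DES operation.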
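The PIN-try counter on the chip, as an added example (not from the page, and not any real card's firmware): a simulated card in Go that records failed attempts in what stands for non-volatile memory, once with the naive ordering (compare, then record the failure) and once with the countermeasure described above (record the failure first, and clear it only on success). The power-cut attacker is modelled as dropping power the moment the comparison result is observable, so that no write after the compare ever lands. The three-try limit, the PIN value and the attacker model are assumptions of the example.

```go
package main

import "fmt"

// Added example, not code from the page: a model of a chip's PIN-try counter,
// showing why the counter must be written before the comparison, not after.

const maxTries = 3 // assumption: three failed attempts lock the card

// card models the chip's state. Fields are treated as non-volatile memory:
// every assignment is a committed write.
type card struct {
	pin   string
	tries uint8 // failed attempts recorded so far
}

// verifyNaive compares first and records the failure afterwards. If power is
// dropped once the result is observable but before the write, the failure is
// never recorded and the attacker gets unlimited guesses.
func (c *card) verifyNaive(entered string, cutPower bool) (ok, locked bool) {
	if c.tries >= maxTries {
		return false, true
	}
	ok = entered == c.pin
	if cutPower { // attacker pulls power here
		return ok, false
	}
	if !ok {
		c.tries++
	}
	return ok, c.tries >= maxTries
}

// verifySafe commits the failure before comparing and undoes it only when the
// PIN matches, so a power cut after the compare still leaves the attempt counted.
func (c *card) verifySafe(entered string, cutPower bool) (ok, locked bool) {
	if c.tries >= maxTries {
		return false, true
	}
	c.tries++ // written before anything else happens
	ok = entered == c.pin
	if cutPower { // power cut: the increment is already committed
		return ok, false
	}
	if ok {
		c.tries = 0
	}
	return ok, c.tries >= maxTries
}

// bruteForce tries every four-digit PIN in order, cutting power after each
// compare. It returns the recovered PIN ("" if the card locked first) and the
// number of attempts made.
func bruteForce(verify func(entered string, cutPower bool) (bool, bool)) (string, int) {
	for n := 0; n < 10000; n++ {
		guess := fmt.Sprintf("%04d", n)
		ok, locked := verify(guess, true)
		if ok {
			return guess, n + 1
		}
		if locked {
			return "", n + 1
		}
	}
	return "", 10000
}

func main() {
	naive := &card{pin: "7391"} // constructed PIN
	safe := &card{pin: "7391"}
	pin, n := bruteForce(naive.verifyNaive)
	fmt.Printf("naive ordering: recovered %q after %d attempts, counter=%d\n", pin, n, naive.tries)
	pin, n = bruteForce(safe.verifySafe)
	fmt.Printf("safe ordering:  recovered %q after %d attempts, counter=%d\n", pin, n, safe.tries)
}
```

Against the naive card the attacker walks through the whole PIN space with the counter still at zero; against the safe card the fourth attempt finds it already locked. The only difference between the two functions is the order of one write and one compare, which is why this is a design rule rather than a feature: any path on which the card can learn that a guess was wrong must already have been paid for in non-volatile memory.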
Posted by Morse, Wednesday, 27 October 2004 19:06 (link):
Having had my credit and debit cards stolen and used at ATMs, can anyone tell me how they managed it, as the PIN numbers were NOT recorded anywhere? Original PINs from issuing companies not changed. Should they have been? Would that have made any difference? Both bank and credit card company are refusing to repay. Letters meet the same blanket response: 'your fault, you must have given them the number'. How many times can you say 'no I didn't'?
Posted by Chris Lightfoot, Wednesday, 27 October 2004 22:33 (link):
Could the thieves have observed you typing in your PIN? Is it possible that somebody separately obtained your card details and PIN (for instance, using a `skimmer' or a fake auto-teller)? (I.e., in the latter case, the fact that the card was stolen at the same time that money was withdrawn from your account was coincidental.)
Otherwise... getting the PIN from the card requires either a lot of technical effort (presumably not likely to be put in by an average burglar or mugger -- see my previous comment) and may not be practical at all; or collusion by an insider in the bank, using an attack such as this one:
I have no idea how probable the last of these possibilities is.
Posted by Pete Stevens, Tuesday, 12 July 2005 11:58 (link):
It turns out to be very simple to get a PIN-blocked Barclaycard.
Upon receipt of my new shiny card this morning I telephoned them to register receipt of the card, and to ask for a new PIN number so I can actually use it. Upon pointing out that I was about to go away for a week and would not receive my new PIN before I left, they helpfully changed my card from Chip & PIN to a PIN Blocked card, in order that I could spend money and pay them interest.
They've asked if I will telephone them on receipt of my PIN number to get my card re-enabled; this is something I may not bother with.
Comments copyright (c) contributors and available under a Creative Commons License. See also the comments policy.