posted by takyon on Thursday October 22 2015, @01:44AM
from the slim-pickings dept.

Four years ago, about a dozen credit cards equipped with chip-and-PIN technology were stolen in France. In May 2011, a banking group noticed that those stolen cards were being used in Belgium, something that should have been impossible without the card holders inputting their PINs. That's when the police got involved. The police obtained the international mobile subscriber identity (IMSI) numbers present at the locations where the cards were used and at the times they were used, and then they correlated those IMSI numbers to SIM cards.

Using that information, the police were able to arrest a 25-year-old woman carrying a large number of cigarette packs and scratchers, which were apparently intended for resale on the black market. After her arrest, four more members of the fraud ring were identified and arrested. That number included the engineer who was able to put together the chip card hacking scheme that a group of French researchers call "the most sophisticated smart card fraud encountered to date."

25 stolen cards, specialized equipment, and €5,000 (approximately $5,660) in cash were seized. Ultimately, police said about €600,000 (or $680,000) was stolen as a result of the card fraud scheme, spanning 7,000 transactions using 40 cards.

[...] The stolen cards were still considered evidence, so the researchers couldn't do a full tear-down or run any tests that would alter the data on the card; instead, they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal.

According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card's original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible," the researchers write. The hackers took advantage of the fact that PIN authentication was, at least at the time, decoupled from transaction verification on EMV cards in Europe.

[...] In their paper, the researchers note that the forged chip cards looked similar to a scheme put forward in 2010 by researchers at Cambridge University. At the time, the Cambridge researchers were able to show that they could complete a transaction using a similar man-in-the-middle attack, but they weren't able to get the form factor down to credit card size. The French researchers who did the forensic analysis of the cards noted that "producing the forgery required patience, skill and craftsmanship."
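To make that decoupling concrete, here is an added toy model (not code from the article or from the researchers' paper) of a genuine chip, a terminal and an issuer host: the interposed chip can answer the PIN check, but only the genuine chip can MAC its own verification result, so an issuer that compares the terminal's reported CVM result with the card's cryptogram-protected one catches the mismatch. The CVR/9F34 mapping, the HMAC construction and every key, PAN and PIN are simplifications and constructed values.

```python
import hmac, hashlib

ISSUER_KEY = b"demo-issuer-master-key"  # constructed; real issuers keep per-card keys in an HSM
TEST_PAN = "4000000000000002"           # constructed test card number

def card_key(pan):
    return hmac.new(ISSUER_KEY, pan.encode(), hashlib.sha256).digest()

def cryptogram(pan, amount, cvr):
    # Card-side MAC over the amount and the card's OWN PIN result (modelled on the CVR in EMV IAD).
    return hmac.new(card_key(pan), f"{amount}|{cvr}".encode(), hashlib.sha256).hexdigest()

class Card:
    # Genuine chip: checks the PIN itself and MACs what it actually saw.
    def __init__(self, pan, pin):
        self.pan, self._pin, self.pin_verified = pan, pin, False
    def verify_pin(self, pin):
        self.pin_verified = (pin == self._pin)
        return self.pin_verified
    def generate_arqc(self, amount):
        cvr = "PIN_VERIFIED" if self.pin_verified else "PIN_NOT_VERIFIED"
        return {"pan": self.pan, "amount": amount, "card_cvr": cvr,
                "arqc": cryptogram(self.pan, amount, cvr)}

class WedgedCard(Card):
    # Toy model of genuine chip + interposed chip: the wedge answers the PIN check
    # itself, so the genuine chip never verifies a PIN and MACs PIN_NOT_VERIFIED.
    def verify_pin(self, pin):
        return True

def terminal(card, pin_entered, amount):
    # Offline PIN, then an online request carrying the terminal's own CVM result (cf. EMV 9F34).
    if not card.verify_pin(pin_entered):
        return {"declined_offline": True}
    return dict(card.generate_arqc(amount), terminal_cvm="OFFLINE_PIN_OK")

def issuer_authorize(msg, check_cvm_consistency=True):
    if msg.get("declined_offline"):
        return "DECLINED_BY_TERMINAL"
    if not hmac.compare_digest(cryptogram(msg["pan"], msg["amount"], msg["card_cvr"]), msg["arqc"]):
        return "DECLINED_BAD_CRYPTOGRAM"
    # The fix: the terminal's "PIN OK" must agree with what the card itself MACed.
    if check_cvm_consistency and msg["terminal_cvm"] == "OFFLINE_PIN_OK" \
            and msg["card_cvr"] != "PIN_VERIFIED":
        return "DECLINED_CVM_MISMATCH"
    return "APPROVED"

def run(pin_entered, wedged=False, check_cvm_consistency=True):
    card = (WedgedCard if wedged else Card)(TEST_PAN, "4821")  # constructed PIN
    return issuer_authorize(terminal(card, pin_entered, 25.0), check_cvm_consistency)
```

With the consistency check switched off, the wedged card is approved on any PIN, which is the situation the article describes; with it on, the same transaction is declined.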


  • (Score: 5, Informative) by simonInOz on Thursday October 22 2015, @03:36AM

    by simonInOz (2173) on Thursday October 22 2015, @03:36AM (#253078)

    As an ex-bank employee I might be able to offer some balance.

    It's a balance of risk against convenience.
    Originally, the 4 digit PIN was determined by asking someone (could it have been the developer's partner?) how many digits they thought they could remember - and thus we have 4. Not very scientific, nor very secure. But definitely convenient.

    Customers don't find security convenient - the mere idea of having to remember a long sequence, especially when you have to type it into a machine, is horrible. So banks don't try. I can assure you they are all fully aware of the actual facts of security, but this is not negotiable - you can't drive your customer base away.

    So it's a balance, and a war. The bad guys try stuff, and the banks fight back. It's all about risk. As long as the losses remain low, the banks will not change. And I would argue that is a sensible response.

    Fortunately, people are pretty good at hanging on to stuff. So the "thing that you have" is tightly held.
    And as a backup, if the bank notices "odd" stuff going on, they will react very quickly. A lot of research goes into a proper definition of "odd".

    4 digits is a pretty crappy password, we all know. Especially if you allow the user to set it (then 50% of them will start with one) - so I recommend not allowing that, though most banks do, unfortunately!

    But a 4 digit PIN is a decent way to stop stupid crime - if you drop your card, and someone picks it up, they know they are not going to get any money with it. Good enough.

    Balance, it's all about balance ... and balances.

    --
    -- cats like plain crisps --
  • (Score: 3, Interesting) by FatPhil on Thursday October 22 2015, @08:55AM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday October 22 2015, @08:55AM (#253130) Homepage
    If I understand things correctly, there's absolutely no reason why these cards can't be given up to 8 digit PINs. They're the same javacards used for everything.

    Your 50% stat is scary, and as far as I can tell, true, but explainable. 19xx is very popular with xx>~50 - birth years, as are 10yy, 11yy, and 12yy with yy<=31 likewise - birth dates (and 0zyy similarly). abab is incredibly common. The best analysis I've seen of human-chosen PINs is here: http://www.datagenetics.com/blog/september32012/
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by Snow on Thursday October 22 2015, @05:33PM

      by Snow (1601) on Thursday October 22 2015, @05:33PM (#253304) Journal

      Hmm... I run a system that uses PINs for verification. I queried the DB for PIN numbers and sorted by number of occurrences. Surprisingly, the distribution of PINs is pretty good. The most popular PIN (1234 - classic) is associated with under 0.1% of cards (1 in 1000).

      Of the top 10 PIN numbers, 6 of them start with a 1, and 12 of the top 20 start with a 1.

      • (Score: 2) by cafebabe on Tuesday October 27 2015, @01:59PM

        by cafebabe (894) on Tuesday October 27 2015, @01:59PM (#255088) Journal

        The most popular PIN (1234 - classic) is associated with under 0.1% of cards (1 in 1000).

        Unless you allow PINs with more than four digits, I call shenanigans.

        --
        1702845791×2
        • (Score: 2) by Snow on Tuesday October 27 2015, @03:13PM

          by Snow (1601) on Tuesday October 27 2015, @03:13PM (#255124) Journal

          Nope, just 4 digits. One thing that might make a difference is that these are private fleet cards, so most of them are managed by a fleet manager that might be smart enough to know that 1234 is a bad PIN number.
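As an added example (not posted by anyone in the thread), the weak-PIN patterns FatPhil lists and the frequency checks Snow ran, written as a small policy and reporting script over a constructed sample; the ">~50" cut-off is taken as ">= 50", and the sample PINs are made up, not card data.

```python
from collections import Counter

def pin_pattern(pin):
    # Classify a 4-digit PIN by the human-choice patterns named in the thread.
    # Returns the first matching label, or None if no obvious pattern matches.
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected exactly four digits")
    a, b, c, d = pin
    mm, dd = int(pin[:2]), int(pin[2:])
    if pin == "1234":
        return "sequence"
    if a == c and b == d:
        return "abab"                 # also catches aaaa
    if pin.startswith("19") and dd >= 50:
        return "birth_year"           # "19xx with xx>~50", taken here as xx >= 50
    if 1 <= mm <= 12 and 1 <= dd <= 31:
        return "date_mmdd"            # 01yy..12yy with yy<=31 (0zyy, 10yy, 11yy, 12yy)
    return None

def is_allowed(pin):
    # Policy hook for the "don't let users pick them" recommendation.
    return pin_pattern(pin) is None

def pin_stats(pins, top_n=10):
    # The checks Snow describes, run over a list of PINs: share of the most common
    # PIN, how many of the top-N begin with 1, plus the share matching a weak pattern.
    counts = Counter(pins)
    top = counts.most_common(top_n)
    total = len(pins)
    return {
        "most_common": top[0][0],
        "most_common_share": top[0][1] / total,
        "top_starting_with_1": sum(1 for p, _ in top if p.startswith("1")),
        "weak_share": sum(1 for p in pins if pin_pattern(p)) / total,
    }

# Constructed sample (not real card data): 1234 over-represented, then a spread of others.
SAMPLE_PINS = ["1234"] * 20 + ["1985", "1212", "0704", "1111", "7392",
                                "5068", "8173", "2946", "6431", "9057"] * 8
```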