Four years ago, about a dozen credit cards equipped with chip-and-PIN technology were stolen in France. In May 2011, a banking group noticed that those stolen cards were being used in Belgium, something that should have been impossible without the card holders inputting their PINs. That's when the police got involved. The police obtained the international mobile subscriber identity (IMSI) numbers present at the locations where the cards were used and at the times they were used, and then they correlated those IMSI numbers to SIM cards.
Using that information, the police were able to arrest a 25-year-old woman carrying a large number of cigarette packs and scratchers, which were apparently intended for resale on the black market. After her arrest, four more members of the fraud ring were identified and arrested. That number included the engineer who was able to put together the chip card hacking scheme that a group of French researchers call "the most sophisticated smart card fraud encountered to date."
25 stolen cards, specialized equipment, and €5,000 (approximately $5,660) in cash were seized. Ultimately police said about €600,000 (or $680,000) was stolen as a result of the card fraud scheme, spanning 7,000 transactions using 40 cards.
[...] The stolen cards were still considered evidence, so the researchers couldn't do a full tear-down or run any tests that would alter the data on the card, so they used X-ray scans to look at where the chip cards had been tampered with. They also analyzed the way the chips distributed electricity when in use and used read-only programs to see what information the cards sent to a Point of Sale (POS) terminal.
According to the paper, the fraudsters were able to perform a man-in-the-middle attack by programming a second hobbyist chip called a FUN card to accept any PIN entry, and soldering that chip onto the card's original chip. This increased the thickness of the chip from 0.4mm to 0.7mm, "making insertion into a PoS somewhat uneasy but perfectly feasible," the researchers write. The hackers took advantage of the fact that PIN authentication was, at least at the time, decoupled from transaction verification on EMV cards in Europe.
[...] In their paper, the researchers note that the forged chip cards looked similar to a scheme put forward in 2010 by researchers at Cambridge University. At the time, the Cambridge researchers were able to show that they could complete a transaction using a similar man-in-the-middle attack, but they weren't able to get the form factor down to credit card size. The French researchers who did the forensic analysis of the cards noted that "producing the forgery required patience, skill and craftsmanship."
(Score: 5, Insightful) by MichaelDavidCrawford on Thursday October 22 2015, @02:00AM
and routes around it.
Consider the original meaning of the Underwriter's Laboratories rating: it was how many hours an experienced safecracker would require to bust open a safe.
Yes I Have No Bananas. [gofundme.com]
(Score: 4, Insightful) by Runaway1956 on Thursday October 22 2015, @02:11AM
Something you know,
Something you have,
Something you are.
As for PINs - that is some stupid nonsense. 4-digit security numbers? Really? No alphas, no special characters, only 4 digits? WTF? The banking and credit card industries simply aren't all that interested in security, or they would start all over, and throw out their current "security" schemes. Today's "security" relies on a combination of insurance for recovery of loss, and relying on state assets to punish the odd careless bad guy who gets caught.
Build a robust, secure system, then make repairs to it as exploits are discovered. Credit card fraud should be an almost unheard of crime by this time.
We're gonna be able to vacation in Gaza, Cuba, Venezuela, Iran and maybe Minnesota soon. Incredible times.
(Score: 2, Insightful) by Anonymous Coward on Thursday October 22 2015, @02:38AM
The number one goal of credit cards is to replace cash. The more complicated they make it to use the cards, the less likely they are to achieve that goal.
That is why the merchant rules for visa, mastercard and the others all forbid merchants from requiring ID to complete a transaction except in extenuating circumstances - you don't need ID to pay with cash so you don't need ID to pay with a credit card.
(Score: 2) by Anal Pumpernickel on Thursday October 22 2015, @04:19AM
> The number one goal of credit cards is to replace cash. The more complicated they make it to use the cards, the less likely they are to achieve that goal.
I hope they fail. People should use cash, as credit cards make it too easy to track what you purchase.
(Score: 2) by mhajicek on Thursday October 22 2015, @04:30AM
Too late.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 3, Insightful) by LoRdTAW on Thursday October 22 2015, @01:05PM
What infuriates me about this is a cashless society would be solely in the hands of the banks and not the people/government like cash. This gives the few credit card companies a monopoly on the control of money. It also gives them free rein to charge merchants for transactions on EVERY monetary transaction. It's legislated infinite profits for banks. Capitalism at its finest!
(Score: 2) by Snow on Thursday October 22 2015, @03:51PM
You know... There is an open source alternative - Bitcoin. Unfortunately, just like linux on the desktop, it's not that popular (yet?).
(Score: 2) by LoRdTAW on Thursday October 22 2015, @04:50PM
My beef isn't with the alternatives. It's the shifting of control over a nation's currency from public to private providing the benefactors with free welfare.
(Score: 0) by Anonymous Coward on Thursday October 22 2015, @08:34PM
> it's not that popular
WRT Linux, it depends on where you look.
(Robert Pogson has repeatedly found that islands in particular are fertile ground for Linux adoption.)
It also depends on what you call a "desktop".
(Most folks only use handheld thingies these days.)
...and StatCounter--by sloth or by design--has difficulty identifying Android devices as Android devices.
Pogson's latest discovery is the Caribbean island of Dominica [mrpogson.com] with some interesting numbers.
The peak at 38 percent will raise some eyebrows.
-- gewg_
(Score: 2) by HiThere on Thursday October 22 2015, @10:27PM
There are some real problems with scaling up bitcoin. The design inherently causes each succeeding bitcoin to be harder to mine...and the scale isn't merely linear.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 4, Insightful) by frojack on Thursday October 22 2015, @02:44AM
Chip and Pin (EMV) standard was initially written in 1993 and 1994. This is the first serious hack of these cards, which is why it's news.
Prior to this hack, the only way chip and pin cards have been compromised is by theft WITH the pin (usually because some users write the pin on the card). Until the advent of this additional chip soldered onto the standard chip nobody had cracked chip and pin terminals. And it seems likely that a longer pin code than 4 digits would have fallen to the same tactic.
So it hardly seems like it's all THAT deserving of your rant.
Obviously, these credit card numbers can be stolen for on-line purchases, and they are every bit as at risk for that as are old-fashioned cards, as they become non-chip cards for that purpose. However even this problem is being worked on by having more smarts in the card with a small screen to generate a number where the generated number [itpro.co.uk] replaces the code printed on the back of standard cards.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Thursday October 22 2015, @03:36AM
> This is the first serious hack of these cards, which is why it's news.
Remember that this happened in 2011, EMV had a staggered roll-out in Europe that started in 2006.
This is the first serious acknowledged hack. There are plenty of unexplained cases too.
(Score: 5, Informative) by simonInOz on Thursday October 22 2015, @03:36AM
As an ex-bank employee I might be able to offer some balance.
It's a balance of risk against convenience.
Originally, the 4 digit PIN was determined by asking someone (could it have been the developer's partner?) how many digits they thought they could remember - and thus we have 4. Not very scientific, nor very secure. But definitely convenient.
Customers don't find security convenient - the mere idea of having to remember a long sequence, especially when you have to type it into a machine, is horrible. So banks don't try. I can assure you they are all fully aware of the actual facts of security, but this is not negotiable - you can't drive your customer base away.
So it's a balance, and a war. The bad guys try stuff, and the banks fight back. It's all about risk. As long as the losses remain low, the banks will not change. And I would argue that is a sensible response.
Fortunately, people are pretty good at hanging on to stuff. So the "thing that you have" is tightly held.
And as a backup, if the bank notices "odd" stuff going on, they will react very quickly. A lot of research goes into a proper definition of "odd".
4 digits is a pretty crappy password, we all know. Especially if you allow the user to set it (then 50% of them will start with one) - so I recommend not allowing that, though most banks do, unfortunately!
But a 4 digit PIN is a decent way to stop stupid crime - if you drop your card, and someone picks it up, they know they are not going to get any money with it. Good enough.
Balance, it's all about balance ... and balances.
-- cats like plain crisps --
(Score: 3, Interesting) by FatPhil on Thursday October 22 2015, @08:55AM
Your 50% stat is scary, and as far as I can tell, true, but explainable. 19xx is very popular with xx>~50 - birth years, as are 10yy, 11yy, and 12yy with yy<=31 likewise - birth dates (and 0zyy similarly). abab is incredibly common. The best analysis I've seen of human-chosen PINs is here: http://www.datagenetics.com/blog/september32012/
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by Snow on Thursday October 22 2015, @05:33PM
Hmm... I run a system that uses pins for verification. I queried the DB for Pin numbers and sorted by number of occurrences. Surprisingly, the distribution of pins is pretty good. The most popular pin (1234 - classic) is associated with under 0.1% of cards (1 in 1000).
Of the top 10 pin numbers, 6 of them start with a 1, and 12 of the top 20 start with a 1.
(Score: 2) by cafebabe on Tuesday October 27 2015, @01:59PM
Unless you allow PINs with more than four digits, I call shenanigans.
1702845791×2
(Score: 2) by Snow on Tuesday October 27 2015, @03:13PM
Nope, just 4 digits. One thing that might make a difference is that these are private fleet cards, so most of them are managed by a fleet manager that might be smart enough to know that 1234 is a bad pin number.
(Score: 2) by FatPhil on Thursday October 22 2015, @08:25AM
This particular fraud, which was the most sophisticated of its type known, could have been avoided if staff at the PoS handled and inspected the card before they inserted it into the terminal. They got away with it because the perpetrators never showed the card to a human, only a machine. Of course, that simply pushes up the mechanical hurdle that needs to be overcome.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Funny) by inertnet on Thursday October 22 2015, @09:50AM
Even worse, this site has your PIN code too: http://www.positiveatheism.org/crt/pin.htm [positiveatheism.org]
(Score: 1) by Noldir on Thursday October 22 2015, @10:13AM
In the Netherlands at least the 4 digit pin is plenty secure: after three failed tries your card gets blocked and you have to go to the bank with an ID to get it unblocked again.
I don't know what the chances are on correctly guessing the PIN but they're low enough to be secure enough.
(Score: 0) by Anonymous Coward on Thursday October 22 2015, @09:20PM
That's what gets me about all these "cracking" episodes.
I keep hearing that there is no penalty for entering incorrect information.
An escalating (wait) time interval should be a minimum penalty for entering a password wrong.
> your card [gets] blocked
Yeah. Who are these nitwits that think it's a good idea to allow an obvious bad guy to keep hammering on the door after X number of tries?
-- gewg_
(Score: 2) by ledow on Thursday October 22 2015, @11:30AM
4 is not the limit.
My girlfriend has ordinary Italian credit and debit cards. They have 6 or sometimes 8 digit PINs and work in other European and UK ATM's and chip-and-PIN machines too.
Nobody ever said "You can only use four with this technology". They've stuck with four because it's what you know, expect and (presumably) can remember. It's not a technical limit, it's an option.
(Score: 1) by Webweasel on Thursday October 22 2015, @02:53PM
I was in Rome a few weeks back.
Grandfather took the family to McDonalds to get some icecream.
The automated order machines confused us a lot, as when you got to payment there was no language option.
To authorise the card? Use your finger to sign on the pad (it was a chip and pin pad with touch screen)
Of course we couldn't read the Italian, so entered the pin number.
So, chip and pin... what's the point when vendors don't use it? I could have stolen anyone's card, bought goods and "signed" with a finger swipe.
Priyom.org Number stations, Russian Military radio. "You are a bad, bad man. Do you have any other virtues?"-Runaway1956
(Score: 1) by pipedwho on Thursday October 22 2015, @11:14PM
In Australia, my cards have all had 12 digit PINs for as long as they've had EFTPOS (well before the current EMV Chip & PIN thing). You have to ask the bank specifically to let you put in the longer PIN, and the maximum was 12 digits as specified by the EFTPOS (and now EMV) standards.
[RANT]
The only annoying thing is that the keypad debounce logic in most of the recent ATMs made over the last 10 years seem to have been programmed by incompetent idiots. I used to be able to put my 12 digits in faster than most people could type in their first digit. But, these days, the audible feedback comes in so late that you can't tell if you've hit the button. And, worse, the debounce lockout is on the order of >500ms. So if you go a little too quick, it drops a digit somewhere in the middle and you get a PIN error at the end of the transaction and have to start all over again. This is painful, and the people that signed off on this being OK (and the imbeciles that programmed it) need to be flogged old school style for the pain they've inflicted on billions of users around the world.
Doubly annoying is all the recent ATMs take forever before the UI becomes active. You have to wait an eternity before it even lets you put your card in after the previous person. If you try to put it in too early, it just rejects it. Then you have to wait way too long before you can start putting in your PIN. If you're lucky enough to get this far, they hit you with a painfully slow PIN entry, followed by a bunch more delays. I can live with real delays, like waiting for the bank to approve the transaction - but that seems to be fastest part. Even the dispensers are quick by comparison. But, the UIs are ALL just painful.
It used to be embedded firmware/hardware engineers would do that level of interface implementation, but now it seems to be done by a work experience kid in the 'web dev' department. (IBM, NCR, Diebold - I'm looking at you.)
[/RANT]
(Score: 3, Interesting) by MrGuy on Thursday October 22 2015, @02:48AM
It's good to know that well after the fact, without need for any witnesses, real-time recording, or stingray devices, as long as we know that a person was in certain approximate known locations at certain known times, we can use the fact that they had their cell phone on to unambiguously identify that person.
(Score: 2) by frojack on Thursday October 22 2015, @03:05AM
> The police obtained the international mobile subscriber identity (IMSI) numbers present at the locations where the cards were used and at the times they were used, and then they correlated those IMSI numbers to SIM cards.
Yes, towers keep records of cell phones associating with them. That's well known.
The tricky bit is finding that one cell number in the vicinity of the fraudulent transactions that might have been responsible.
At any given cash machine in a modern city there are probably hundreds, if not thousands of cell phones in the area at any given time. Some are always near that site (owners live or work there), so you would have to analyse widely dispersed fraud sites.
Finding those one or two phones that appeared at more than one fraud site would require a great deal of luck.
I still can't figure out what the cigarette packs and scratchers have to do with it. (Or what a scratcher is).
No, you are mistaken. I've always had this sig.
(Score: 2) by jmorris on Thursday October 22 2015, @04:56AM
> Finding those one or two phones that appeared at more than one fraud site would require a great deal of luck.
Not really. Get a list of phones near site #1, compare to the list near site #2. Odds are only one will be in common, if you get really unlucky and get a couple of matches use a third and any that are still in common are almost certainly owned by a group of people involved in the crime. Nothing you couldn't reduce down at a UNIX command line in seconds. Given lists of unique ids of handsets seen near two sites in site1.txt and site2.txt, "cat site[12].txt | sort | uniq --repeated" would do the trick.
And yes, everybody who knows how cell tech works knows the towers must know where each handset is to within a few hundred feet and that carriers never delete that valuable, oh so marketable 'big data.' We are all lojacked and we pay for it. If I didn't need to be reachable for work I would have mine in airplane mode most of the time. The takeaway from this story is if you want to do naughty deeds, turn off the danged phone!
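The correlation discussed in the comments above, as an added Python example that is not part of any comment or of the investigation itself. It extends the `uniq --repeated` one-liner, which assumes each site list is already de-duplicated, by filtering sightings to a time window around each transaction and by counting distinct sites, so that a phone that lives next to one site is not flagged. All identifiers, sites, dates and the 15-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the case): tower sightings as
# (site, subscriber id, timestamp). Ids are placeholders, not real IMSIs.
SIGHTINGS = [
    ("A", "imsi-resident", "2011-05-03 09:55"),
    ("A", "imsi-resident", "2011-05-03 10:05"),  # same phone logged twice
    ("A", "imsi-resident", "2011-05-06 09:50"),
    ("A", "imsi-suspect",  "2011-05-03 10:02"),
    ("A", "imsi-commuter", "2011-05-03 14:00"),  # hours after the transaction
    ("B", "imsi-suspect",  "2011-05-04 16:25"),
    ("B", "imsi-passerby", "2011-05-04 16:40"),
    ("C", "imsi-suspect",  "2011-05-07 12:10"),
    ("C", "imsi-commuter", "2011-05-07 11:50"),
]

# Constructed fraud events: (site, time of the disputed transaction).
EVENTS = [
    ("A", "2011-05-03 10:00"),
    ("B", "2011-05-04 16:30"),
    ("A", "2011-05-06 09:45"),
    ("C", "2011-05-07 12:00"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def naive_repeated(sightings, sites):
    """Equivalent of `cat site*.txt | sort | uniq --repeated` run on raw
    per-site logs: any id that occurs more than once in the combined list."""
    counts = defaultdict(int)
    for site, ident, _ in sightings:
        if site in sites:
            counts[ident] += 1
    return sorted(i for i, n in counts.items() if n > 1)


def correlate(sightings, events, window_minutes=15, min_sites=2):
    """Ids seen within the time window of fraud events at >= min_sites
    distinct sites. Returns {id: sorted list of sites}."""
    window = timedelta(minutes=window_minutes)
    sites_by_id = defaultdict(set)
    for ev_site, ev_time in events:
        t = _ts(ev_time)
        for site, ident, seen in sightings:
            if site == ev_site and abs(_ts(seen) - t) <= window:
                sites_by_id[ident].add(site)  # a set: repeats at one site count once
    return {i: sorted(s) for i, s in sites_by_id.items() if len(s) >= min_sites}


if __name__ == "__main__":
    # Raw logs for sites A and B: the resident is a false positive.
    print("naive, sites A+B:", naive_repeated(SIGHTINGS, {"A", "B"}))
    # Windowed and counted per distinct site: only one id remains.
    print("windowed, distinct sites:", correlate(SIGHTINGS, EVENTS))
```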
(Score: 2) by frojack on Thursday October 22 2015, @06:20AM
I've never seen any evidence of any cell company marketing me or to me based on which tower I was connected to.
I wager you haven't either.
Police seem to use this data far more than marketeers.
No, you are mistaken. I've always had this sig.
(Score: 1) by Osamabobama on Thursday October 22 2015, @05:21PM
Have you ever noticed that there are more ads where there are more people?
Appended to the end of comments you post. Max: 120 chars.
(Score: 2) by frojack on Thursday October 22 2015, @09:47PM
In a word, No.
No, you are mistaken. I've always had this sig.
(Score: 1) by pipedwho on Thursday October 22 2015, @11:20PM
This was true before the dawn of the first cell-phone. And I expect also true for the very first advertisement in the history of mankind.
(Score: 0) by Anonymous Coward on Thursday October 22 2015, @03:20PM
Tower data is certain, but I would be surprised if the TLAs didn't have some GPS logs as well.
(Score: 0) by Anonymous Coward on Thursday October 22 2015, @09:49AM
cigarette packs & scratchers: low weight/low volume, high value (and legal) items.
Scratchers being those "gambling notes" you buy at the newsstands and so on. Scratch to win...
(Score: 3, Insightful) by jmorris on Thursday October 22 2015, @03:07AM
That is a pretty obvious exploit. The three phases, card authentication, cardholder verification, and then transaction authorization are treated as independent instead of dependent which is how the exploit worked, pass the first and last through to the real chip while handling the cardholder verification in the fake. A correct implementation would require each section to incorporate hashes of each of the earlier ones such that the final transaction would 'seal' both the random unique transaction identifiers, keys of the card, merchant terminal and issuing bank and the purchase amount and unit in the final record, all cross signed by all parties.
Good for late 20th Century tech but sorely in need of a rethink and a 2.0 rollout. In another couple of years, as Moore's Law provides a little more, 3.0 can include moving the pinpad and a fingerprint reader onto the card itself. And no, putting this stuff in phones is dumb. Phones have hundreds of apps, multi-gigabyte operating systems developed in the fastest 'Agile' process possible and will never be close to as secure as what can be embedded into ROM on a card.
(Score: 0) by Anonymous Coward on Thursday October 22 2015, @03:29AM
"And no, putting this stuff in phones is dumb. Phones have hundreds of apps, multi-gigabyte operating systems developed in the fastest 'Agile' process possible and will never be close to as secure as what can be embedded into ROM on a card."
Most CPUs in smartphones have a "secure mode" that is not available from applications or even the OS. It's kind of like TPM.
(Score: 2) by jmorris on Thursday October 22 2015, @04:36AM
Who cares? There is far too much running on a phone. Who can assure the path between the merchant terminal and the secure chip, between the secure chip and what displays on the screen, etc? Yes I know that my 2012 vintage phone has a poorly documented direct connection between the SIM and the NFC hardware for example. It isn't explained anywhere but there it is on the schematics. But it is still putting far too many moving parts, most of which are hackable, into what should be an entirely sealed system.
I'm almost 100% RMS Pure but this is no place for Free Software. The credit card should always be property of the issuing bank and have absolutely zero capability for modification in the field and while the internals should be public knowledge (security by obscurity never works) there has to be secrets in the card that must be kept. This is exactly the opposite from what I want in a phone, making a phone secure enough to do this stuff on makes for a locked down phone I would never be caught dead with. A phone I don't have root on isn't going in my pocket, while a credit card I can hack is worthless.
(Score: 1, Funny) by Anonymous Coward on Thursday October 22 2015, @06:33AM
> I'm almost 100% RMS Pure but this is no place for Free Software.
What does this have to do with Free Software? All software should be Free Software, so if you mean that this software shouldn't be, then I disagree entirely.
(Score: 2) by pendorbound on Thursday October 22 2015, @02:26PM
It's about being relatively more secure.
I guarantee a bug in all of that stuff going on in your phone is less likely to result in a financial loss to you than dropping a $100 note or your magstripe only credit card on the ground. Nothing is perfect. Better than status quo is a reasonable goal.
(Score: 2, Disagree) by frojack on Thursday October 22 2015, @06:35AM
Obvious exploit?
Steal a dozen high limit credit cards with nobody knowing about it?
Weld a super thin chip on top of an existing chip and still have it fit in a reader?
And do this so quickly on a stolen card that you can get that card out in the field before the rightful owner notices that it is missing?
"the most sophisticated smart card fraud encountered to date." According to the investors.
But hey, this guy posting on the internet said it was an obvious exploit.
You really are full of yourself aren't you, jmorris!
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Thursday October 22 2015, @07:42AM
He means the protocol error. He's right there.
Still from a tech point this is a very fine hack.
Funny thing is: they 'only' stole 600.000 euro. My guess is the skills shown by whoever created this are worth more in gainful employment over a few years without any of the risks of crime.
(Score: 2) by jmorris on Thursday October 22 2015, @05:02PM
Yup, that is what I'm getting at. As soon as I read the article the first thought was "WTF? Who designed the protocol with such an obvious exploit?" Then I read on and saw that the PIN step was designed to be optional. So defective by design. They are going to need a 2.0, backward compatible only for a limited time update. At a bare minimum the chip must include the presence/absence of the PIN in the final authorization. Then if the chip says it was never asked to validate a PIN and the terminal says it sent one, detection is easy. And all the way up to both the card issuer and merchant financial institution the lack of PIN will be recorded permanently.
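The binding proposed in this comment and in jmorris's earlier one, as an added simplified model that is not code from the paper, from the EMV specification, or from any commenter. It compares an authorization MAC that ignores the PIN step with one that seals the card's own view of it. HMAC-SHA256 stands in for the card's real cryptogram algorithm, and every class, function, key and PIN below is a constructed assumption.

```python
import hashlib
import hmac
import os


class Card:
    """Genuine chip: holds the issuer-shared key and the reference PIN."""
    def __init__(self, key, pin):
        self._key, self._pin = key, pin
        self.pin_verified = False          # the card's own view of the PIN step

    def verify_pin(self, pin):
        self.pin_verified = hmac.compare_digest(pin, self._pin)
        return self.pin_verified

    def authorize(self, amount_cents, nonce, bind_cvm):
        return _mac(self._key, amount_cents, nonce,
                    self.pin_verified if bind_cvm else None)


class AcceptAnyPinShim:
    """The interposed chip as the article describes it: it answers the PIN
    check itself and passes the authorization step to the real chip."""
    def __init__(self, card):
        self._card = card

    def verify_pin(self, pin):
        return True                        # never reaches the real chip

    def authorize(self, amount_cents, nonce, bind_cvm):
        return self._card.authorize(amount_cents, nonce, bind_cvm)


def _mac(key, amount_cents, nonce, pin_flag):
    msg = amount_cents.to_bytes(8, "big") + nonce
    if pin_flag is not None:               # bound variant: seal the PIN result
        msg += b"\x01" if pin_flag else b"\x00"
    return hmac.new(key, msg, hashlib.sha256).digest()


def terminal_transaction(chip, pin, amount_cents, bind_cvm):
    """Terminal side: PIN step, then authorization. Returns the record sent
    to the issuer, or None if the chip rejected the PIN."""
    if not chip.verify_pin(pin):
        return None
    nonce = os.urandom(8)
    return {"amount": amount_cents, "nonce": nonce, "terminal_pin_ok": True,
            "mac": chip.authorize(amount_cents, nonce, bind_cvm)}


def issuer_accepts(key, record, bind_cvm):
    """Issuer side: recompute the MAC from what the terminal reported."""
    expected = _mac(key, record["amount"], record["nonce"],
                    record["terminal_pin_ok"] if bind_cvm else None)
    return hmac.compare_digest(expected, record["mac"])


def run(tampered, pin, bind_cvm):
    key = b"constructed-demo-key"          # constructed value
    card = Card(key, b"4821")              # constructed PIN
    chip = AcceptAnyPinShim(card) if tampered else card
    record = terminal_transaction(chip, pin, 1250, bind_cvm)
    if record is None:
        return "declined at terminal"
    return "accepted" if issuer_accepts(key, record, bind_cvm) else "rejected by issuer"
```

With `bind_cvm=False` the tampered card is accepted with any PIN; with `bind_cvm=True` the terminal's claim and the card's sealed view disagree, so the issuer rejects it.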
(Score: 2) by frojack on Thursday October 22 2015, @09:51PM
Because it's very hard to steal a card, modify it with an additional chip, and get it into the field fast enough to milk it for lots of money before the owner notices it missing, and calls in, and the card gets canceled.
No, you are mistaken. I've always had this sig.
(Score: 1) by pTamok on Thursday October 22 2015, @10:31AM
> Steal a dozen high limit credit cards with nobody knowing about it?
This is quite possible.
Any competent pick-pocket can steal a wallet without you knowing about it.
A good pick-pocket can put it back without you knowing.
So (1) borrow* wallet (2) remove the least-used card from the selection of cards in the wallet (it'll be at the bottom of the stack, or in the most inaccessible slot, and will be least worn) (3) replace wallet.
You do not notice the wallet was not in your possession for a short period, so have no reason to check if all your cards are still in it. Thieves have some time before you notice the card is missing and being used.
Given the investment in technical nous for this operation, it is likely that good pickpockets were used. Or people like hotel cleaners and cloakroom attendants who have unsupervised access to wallets, although that is more risky as the location where the credit cards went missing can be determined by reviewing the travel history of the victims and looking for commonalities. Public random pick-pocketing of high-value marks is better.
*borrow, not steal. Steal requires intent to deprive permanently, which is obviously not the case here.
(Score: 2) by wonkey_monkey on Thursday October 22 2015, @08:41AM
> carrying a large number of cigarette packs and scratchers
You kids and your slang. What's a scratcher?
systemd is Roko's Basilisk
(Score: 0) by Anonymous Coward on Thursday October 22 2015, @09:54AM
Hope this helps... https://soylentnews.org/comments.pl?sid=10193&cid=253142 [soylentnews.org]
(Score: 1) by caffeinated bacon on Thursday October 22 2015, @10:06AM
You know when you have an itch in the middle of your back, and you need something like a miniature rake to reach it? That's a scratcher or a back scratcher.
You generally only need one though, so she probably had a stack of these http://www.calottery.com/play/scratchers-games/$5-scratchers [calottery.com] scratchers, scratchies, instant lottery tickets.
(Score: 2) by ledow on Thursday October 22 2015, @11:32AM
ScratchCARDS in the UK.
(Score: 0) by Anonymous Coward on Thursday October 22 2015, @07:45PM
ScratchIES in AU