Hacking Chip-and-PIN

2010-02-15

in Geek stuff, Security

Apparently, the authentication system on Chip-and-PIN bank cards is fundamentally flawed. You can manipulate the system to accept any PIN, by taking advantage of the negotiation system used between the merchant and the bank’s authorisation system. This post and this technical paper provide more details on the vulnerability. These cards are common in Europe, and being increasingly rolled out in North America for security reasons. Perhaps the banks doing so should rethink that.

This seems like another example of how serious breaches in electronic security systems are rarely caused by attacks against encryption algorithms directly. Much more often, it is some other component of the system that is weak.

Report a typo or inaccuracy

{ 6 comments… read them below or add one }

R.K. February 15, 2010 at 10:15 pm

Any indication whether a software patch could fix this? Or will they have to replace lots of expensive gear?

coyote February 16, 2010 at 7:44 am

I’ve been wondering if the mindset of bankers is such that they keep looking for a technological bandaid that will allow them to continue to avoid developing best practices around card security.

I’ve also been wondering whether the introduction of chip-and-pin is more about security theatre than an actual attempt to improve security. Banks certainly appear to clam up about how often mag-stripe cards have been compromised, in hopes of reassuring their customers that all is well, and there’s nothing to see…

Milan February 16, 2010 at 8:05 am

Because it uses a challenge-response protocol, Chip-and-PIN should theoretically be more robust than a magnetic strip.

What this situation seems to show is that implementing good security ideas can be hard, and can easily generate unexpected vulnerabilities.

Milan February 16, 2010 at 8:25 am

It also shows why quantum cryptography is less important than sometimes suggested.

BuddyRich February 16, 2010 at 10:30 am

The other thing that the CHIP allows is the downloading of fraud responsibility to the end user. The old cards had the banks on the hook for fraud, but the new cards come with new agreements that limits their liability and puts the onus on the card holder for fraudulant charges,

Milan February 16, 2010 at 10:32 am

So they do improve security, only it’s for the banks, not for the customers.

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Previous post:

Next post: